Some Thoughts on the Stratfor Hack

January 8, 2012

Valley of Fire State Park, Nevada, October 4, 2011 (for incongruous photo policy explanation, see here, note 3)

It's two weeks since hackers aligned with Anonymous and Antisec announced that they'd got inside the computers of the Texas company Stratfor, and published details of more than 800,000 of the firm's past and present clients. I'd be interested in this story anyway, but as one of those whose data were made public, I've been paying quite a bit of attention. And even as the details pile up and more folks weigh in with their thoughts, I'm far from convinced we're even close to understanding what's gone on here, or why.

The latest piece of coverage is a report in the Guardian by the paper's New York correspondent, Ed Pilkington, and their security editor, Richard Norton-Taylor. As of 8pm GMT today (Sunday), it's the top story on the website, suggesting it may well be the main front page lead in tomorrow's print edition. On the face of it, the revelations merit this kind of prominence: hundreds of Stratfor's customers were members of the British military and government, and their email addresses, credit card details and passwords are now in the public domain. 

The story draws on research from John Bumgarner, of the non-profit US Cyber Consequences Unit, who has been publishing statistics on user account domains and passwords from the Statfor hack on his Twitter feed since just after Christmas. It was Bumgarner who first noticed sundry US political luminaries in the data dump (Dan Quayle, Henry Kissinger, former CIA director Jim Woolsey) and as early as New Year's Eve his research had given a sense of the scale of the possible damage: while he only found three email addresses from the domain, there were more than 19,000 either from or, in Bumgarner's words, "linked to" the US Department of Defense, over 300 from the Oak Ridge, Sandia and Idaho laboratories which do critical work for American security and defence, and over 1600 addresses linked to the Department of Homeland Security. Further, Bumgarner's analysis of the passwords used indicated that many were particularly weak. The conclusion that has to be drawn is that if any of those staffers in sensitive defence or security jobs have used the same weak passwords on other, more important, accounts, the potential exists for a massive cascade of information security failures across the entire US defence and security infrastructure. And, as Pilkington and Norton-Taylor suggest, the same could be true in the UK.

Yet the further we get from the release of the data, the less we seem to know about what really happened. The company - which is still offline, and suffered even further ignominy when a Rick-rolling email pretending to come from founder George Friedman was circulated to subscribers late last week - still hasn't responded to the hackers' claims that they stored their customers' credit card information in an unencrypted form. This is the kind of elementary lapse in basic security you wouldn't expect even the lowliest online retailer to commit: and, as has been suggested elsewhere, if this is true (and the silence from the company in the face of such apparently damning and undeniably extensive evidence is deafening), they may well find they have breached Texas law. Why on earth they stored the CVV data at all remains unknown. Stratfor have provided an object lesson in how not to run an online business, and their customers have every right to be angry at the way they and their data have been treated. 

But the hackers, too, have left plenty of questions unanswered. The targeting of Stratfor still looks bizarre: while the company liked to bill itself as an "intelligence" source, its basic product - email and online newsletters - put it more in the category of a newswire. In the social media echo chamber, the idea that Stratfor is a security company, advising its clients on how to protect their data, has become predominant - yet Barrett Brown, the writer currently working on a book about Anonymous and who has been authorised by the hackers to speak on their behalf, is among those who have pointed out that this isn't what Stratfor does (or should that be "did"?). If, as some of the writings published under the Anonymous and Antisec banners in the last fortnight suggest, the fact that members of the militaries, security and law-enforcement agencies and governments on Stratfor's customer lists made the company fair game, there will be numerous businesses anxiously performing thorough audits of their data security systems right now. While defence contractors and government departments would surely have already taken Antisec/Anon's "Expect us" promise/threat to heart, purveyors of information to the globe's political, business and military power brokers may not have felt they needed to do so to quite the same degree. But if I was running the Wall Street Journal, The Economist or Jane's, I'd be spending most of my time right now making sure that my customer information was behind something stronger than Stratfor's digital version of a rusty lock on a rickety gate. Whether or not it was the intention, Antisec's antipathy to the information security industry makes it deeply ironic that fear of similar operations looks set to drive ever more companies to invest increasing sums in, at the very least, securing their clients' billing details.

There is, of course, another angle. Various voices speaking under the mantle of Anonymous have said that Stratfor is not as "innocent" as it made out. If information to back up those claims exists, it will be in the 5m-plus emails the hackers obtained from Stratfor's servers: these were trailed as being published around the turn of the year, but have yet to appear. The delay may well have very prosaic explanations: the possibility of editing the emails has been floated (a lose-lose choice for the company, surely, who can either concentrate on placating angry clients whose sensitive data are published, or suffer the ultimate humiliation of having to effectively barter for favours from their attackers), which will take considerable time. And there have been other Antisec operations taking place since the Stratfor breach, many in response to the December 31st passing of the US National Defense Authorization Act, and its astonishing provisions for indefinite detention of American citizens by the military. 

Indeed, the most interesting information published from hacking attacks of late has nothing to do with Stratfor. A group called Lords of Dharamraja claim to have hacked the Indian security service, and published a document that appears to suggest that Apple, BlackBerry maker RiM, and Nokia have agreed to install covert "back doors" on their products, apparently as part of a project to perform covert surveillance of a US congressional commission. The LoD's subsequent publication of source code for Norton was quite widely reported, yet these revelations remain relatively unheralded. If these documents are genuine, and the information they contain is accurate, this story is huge.

Meanwhile, buried towards the end of their celebratory 'zine published last week, Antisec include the text of an advisory briefing email on hacktivism apparently distributed by the FBI. If genuine, its conclusion probably renders all other discussion null and void:

"There is no clear agreement between Congress, the White House, Pentagon, Central Intelligence Agency, Department of Homeland Security, and other stakeholders regarding where responsibilities lie with regard to various networks, and which department should respond to cyberattack scenarios."

Or, to put it another way: the internet is over. 

I'll be returning to the Stratfor story over the coming days. Please get in touch if you have any information you think I might find useful or interesting.


I don't get how the government's inability to decide which department must address cyber attacks means, "The internet is over." I thought maybe some new uncrackable technology would prevent cyberattacks, and then, when citizens are all having their heads grafted onto dog bodies, Anonymous could say, "I told you so."

posted by: steve billinghurst: 9 Jan, 2012 20:12:05

Thanks Steve.

I was guilty of hyperbole in the quest for a decent pay-off line. Apologies. The point I was trying (and failing) to make is really that if those organisations can't even agree among themselves whose job it is to protect the internet, the chances of the it being a safe medium for doing anything that requires a modicum of privacy and security appear to be poor.



posted by: Angus Batey: 9 Jan, 2012 20:25:38

Click here to add your comment.

Comments will be subject to approval and should not be defamatory, obscene, racist, in breach of copyright, or contrary to law. Neither Angus Batey nor the site host is reponsible for any views expressed here.





photo gallery


mailing list