Stratfor refunds clients.Concerns on subcontractors in the security chain

Pierluigi Paganini June 29, 2012

Last Christmas the Stratfor Global Intelligence was hacked by Anonymous who disclosed company website and also the full client list of over 4000 individuals and corporations. The hacker gained access to a subscriber list stored on stratfor.com, and that list contained unencrypted credit card data.

Stratfor is an organization that gathers open source intelligence which markets publications for forecasting purposes, due of the confidentiality of information leaked the company will spend around $1.75 million to compensate its customers who have taken revenge with a class action.

The hacktivists of Anonymous during the attack leaked more over 200 GB of confidential data accessing to the database of the Stratfor.

Anonymous exposed two lists of credit card details belonging to people who have subscribed to Stratfor services, the first one containing 3956 card details and the second one 13191 card details.

Included in this list important names like Goldman Sachs, the Rockefeller Foundation and, MF Global.

Most interesting part of leaked data is composed by millions of emails that were published on the Web this year by Julian Assange’s WikiLeaks.

The data revealed uncomfortable truths, secret relationships between government’s exponents, private companies and a network of informers all around the world.

Of course many analysts have dissected the huge quantity of data searching for news compromising, it was revealed for example that within the stolen emails were communications between Stratfor analysts and law enforcement officers, exposing that the company’s employees had contact the police to share information on the Occupy Wall Street movement.

The funny news is that after the hack within data leaked has been found personal datails related to around 4,000 Stratfor clients such as Bank of America, the US Defense Department and others, who had paid an identity protection service from CSID, a leading provider of global identity protection.

US District Judge Denis Hurley written an order that establish that Stratfor will have to compensate clients who subscribed to the company’s updates prior to the Christmas Eve hack.

Stratfor does not have to admit any “wrongdoing, fault, violation of law or liability of any kind,” but will have to provide one month of free service to plaintiffs — a value of $29.08 — and offer an electronic copy of its publication The Blue Book, which regularly retails for $12.99. The entire settlement is expected to set the company back around $1.75 million.

In an order written by US District Judge Denis Hurley earlier this month, Stratfor will have to indemnify its clients damaged by the data breach.

The order reports that Stratfor does not have to admit any “wrongdoing, fault, violation of law or liability of any kind,” but will have to provide one month of free service to plaintiffs — a value of $29.08 — and offer an electronic copy of its publication The Blue Book, which regularly retails for $12.99.

The entire settlement is expected to set the company back around $1.75 million.

Personally I think the judgment is too light, there are evident liability of Stratfor, primarily the absence of encryption mechanisms for the storage of the confidential information. Another consideration on the hack, that does not bode well for the company, is the responsibility of having publicly exposed the network resources that contain valuable information, resources that are evidently not been adequately protected.

Obviously I think that the judgment has been weighted on the basis of reliable information that I ignore, without doubts the damage caused by the revelation of sensitive information is certainly much higher amounts of compensation.

Is it consider the event as isolated or is there any danger of relapse?

Of course no, government contractors and intelligence agencies are preferential targets for group of hacktivists due the sensible information that manage. The first categories, the government contractors, is characterized by another important factor that make it an excellent target for a cyber attack, usually they manage the same information of their government’s clients but the mechanisms of protection of data are often absent or inadequate.

The case of HBGary Federal was emblematic, Aaron Barr, CEO of the company declared in 2010 to have collected information regarding Anonymous and its members.

Barr claimed to have used intelligence techniques to infiltrate the group using principal social media (e.g. Facebook, Twitter). His intention was to release information on the identities of Anonymous members at the B-Sides conference and to sell it to law enforcement.

On February 5-6, 2011, Anonymous attacked the HBGary website stolen tens of thousands of documents from both HBGary Federal and HBGary, Inc., and posted tens of thousands of emails online. The hacktivist also hacked the Barr’s twitter account

Of course the information disclosed was embarrassing such us the support given to the Bank of America against the intention of Wikileaks to publish compromising documents. In the case the HBGary worked with support of others security companies, Palantir and Berico Technologies.

Another example of the revealed info was the documented service provided to the U.S. Air Force to manipulate social media to spread pro-government propaganda.

In many cases the contractors make the “dirty works” for companies and governments managing confidential documents, and not always implement the necessary protection to preserve the sensible information. The case of HBGary represents an exception, the major part of subcontractors have no security mechanism in place to defend their data. Since now we have spoken of intelligence companies that the events demonstrated vulnerable to external attacks, but we must take in care that many contractors simply provide logistic services or similar, but in any case they manage sensible information like the references of government employees.

Don’t forget that subcontractors are preferred targets also for foreign governments that intend to conduct cyber espionage operations.

State sponsored attacks are more dangerous because differently from a typical operation of hacktivism, are silent and perpetrated in time with dramatic consequence. A state sponsored attack is quite different also in the mode of attack that uses to adopt also targeted malware.

Event like the ones exposed must alert on the real security level ensured for the protection of confidential information, the weakest ring of the chain could compromise the overall security chain.

Pierluigi Paganini

 



you might also like

leave a comment