
Monday, 09 January 2012

The Stratfor E-mail Address Scandal That Isn't

The Guardian just ran a sensational story about hundreds of British government and NATO email addresses being exposed via the Stratfor hack. The L.A. Times ran a similar story featuring other exposed email addresses from various U.S. agencies and organizations including the White House. In fact, my email was among those exposed. My response is - big deal. I publicize my email address on the Web. It's one of many that I use for different purposes. An email in and of itself means very little. An email with a ridiculously easy password could be a problem if the person was foolish enough to use that same combination on his work email address but for most people, especially those in large corporations and the U.S. Government, that's next to impossible to do because of specified password requirements and two-factor authentication. And in the case of obtaining free reports via Stratfor's marketing strategy, why bother using a strong password as long as it and its associated email address are different from ones that you use for work? In fact, programs like Anonymizer give you throw-away email addresses and passwords to use for just such an occasion.

One of the articles that I read claimed that the Stratfor breach included 3 email addresses from the White House. Well, two of those were President@whitehouse.gov and Prez@whitehouse.gov. Does anyone seriously believe that either of those are real? They're most likely the invention of someone who, like me, wanted to read one of Stratfor's "free" reports. Stratfor doesn't validate those email addresses and every time you want to download another free report you need to invent a different email address to register under. That's why Stratfor has so many email addresses in its system. People who want a freebie report are loading them up with valid and invalid email addresses like "Prez@whitehouse.gov".

So what are the repercussions of having your email address listed along with hundreds of thousands of others? Spam and spear phishing attacks are pretty much it, and both of those can be easily avoided if you've paid any attention to network breaches in the past year. In the rare case that you used your work email address along with your work password, you're pretty much screwed (and deserve to be for being so careless), but by now you've changed your password anyway. The worst part of the Stratfor hack wasn't the release of those email addresses. It was Stratfor's atrocious handling of its members' credit card data and the awful state of its own network security. The worst part may be yet to come, if and when Anonymous releases the contents of those emails between Stratfor analysts and their corporate and government clients. Once that happens, you'll be wishing that all you had to worry about was an exposed email address with a weak password.
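The argument above (an exposed address plus a weak password only matters when that same password is reused on a work account, and many of the addresses in the dump are fabricated anyway) is exactly the triage a corporate security team runs when a third-party dump lands. The following is an added example, not code from the original post: it takes a constructed breach dump of (email, password) pairs, keeps only addresses in the company's own domains, discards addresses that don't exist in the directory, and checks the leaked password against the directory's salted PBKDF2 hash so that only genuinely reused passwords trigger a forced reset. The domains, mailboxes, salts and passwords are all invented.

```python
"""Triage a third-party credential dump against a corporate directory.

Added example (not from the original post). Every address, domain, salt and
password below is constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample breach dump: plaintext credentials of the kind a
# "free report" sign-up site might leak. Note the fabricated addresses.
BREACH_DUMP = [
    ("president@whitehouse.example", "password1"),     # not our domain
    ("prez@corp.example", "12345"),                    # our domain, no such user
    ("alice@corp.example", "Winter2011!"),             # reused her work password
    ("bob@corp.example", "letmein"),                   # throwaway password, not reused
    ("throwaway9@mailinator.example", "hunter2"),      # disposable mailbox
]

CORP_DOMAINS = {"corp.example"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as a stand-in for the directory's hash scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _make_directory() -> dict:
    """Constructed corporate directory: email -> (salt, stored hash)."""
    entries = {}
    for email, work_pw, salt in [
        ("alice@corp.example", "Winter2011!", b"salt-alice"),
        ("bob@corp.example", "CorrectHorseBattery", b"salt-bob"),
    ]:
        entries[email] = (salt, hash_password(work_pw, salt))
    return entries


CORP_DIRECTORY = _make_directory()


def triage_breach(dump, directory, corp_domains) -> dict:
    """Classify each leaked record.

    'external'     - not a corporate address: spam/phishing exposure only
    'unknown_user' - corporate domain but no such mailbox (fabricated address)
    'no_reuse'     - corporate mailbox, leaked password differs from work password
    'REUSED'       - leaked password verifies against the work hash: force a reset
    """
    results = {}
    for email, leaked_pw in dump:
        email = email.lower()
        domain = email.rsplit("@", 1)[-1]
        if domain not in corp_domains:
            results[email] = "external"
            continue
        entry = directory.get(email)
        if entry is None:
            results[email] = "unknown_user"
            continue
        salt, stored = entry
        # Constant-time comparison of the recomputed hash with the stored one.
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            results[email] = "REUSED"
        else:
            results[email] = "no_reuse"
    return results


def accounts_to_reset(dump, directory, corp_domains) -> list:
    """Only the accounts whose work password is actually exposed."""
    verdicts = triage_breach(dump, directory, corp_domains)
    return sorted(e for e, v in verdicts.items() if v == "REUSED")


if __name__ == "__main__":
    for email, verdict in triage_breach(BREACH_DUMP, CORP_DIRECTORY, CORP_DOMAINS).items():
        print(f"{email:35s} {verdict}")
    print("force reset:", accounts_to_reset(BREACH_DUMP, CORP_DIRECTORY, CORP_DOMAINS))
```

The point of the classification is proportionality: the external and fabricated entries carry no credential risk at all, the non-reused entry needs at most a phishing-awareness note, and only the reused one justifies locking the account. Checking the leaked plaintext against the directory hash, rather than diffing plaintext lists, means the company never needs to store or log its users' work passwords to run the comparison.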

Related:
An Open Letter to George Friedman and Stratfor
Was Stratfor Breached By An Insider?

Monday, 02 January 2012

Was Stratfor Breached By An Insider?

While waiting for the other shoe to drop on the Stratfor breach (the release of a few million emails), I took a look at who works for the company in an attempt to understand how they could have made so many mistakes in handling their customer and client data as well as their network security. The adage that a company is only as good as its employees is certainly true about Stratfor.

The company was founded in Austin, TX in 1996 by George Friedman, an academic. LinkedIn has profiles on 63 of its employees. According to those profiles none have a background in information security. The company doesn't have a Chief Information Officer, Chief Security Officer, or Chief Information Security Officer. None of its employees' profiles show that any of them have ever worked at NSA, CIA or any other 3-letter agency. Two senior executives (Fred Burton and Scott Stewart) came from State's Diplomatic Security Service. Many of Stratfor's employees came to the company just after they graduated from college including, most importantly, their IT director for almost 13 years Michael Mooney. Mooney graduated from UT Austin in 1994, joined Stratfor in 1997 and left in September, 2011. I've tried to contact Mr. Mooney by email to find out his side of the story, why he left the company, etc., but so far, no joy. Stratfor's Chief Technology Officer Frank Ginac apparently didn't care for his work based upon his "Mooney's Turds" comment posted by Anonymous:
"It blew my mind to discover that our email server backups are being stored on the same physical server. I'm affectionately referring to these little discoveries as 'Mooney turds'."
If Mooney was fired and held a grudge against Ginac and/or Stratfor, then he would certainly have a motive for payback by helping Anonymous root the company's servers. The timing is certainly interesting. Mooney left the company and a new replacement was found for him almost immediately (October, 2011) which suggests that Ginac was unhappy with Mooney and was looking for a replacement before letting him go. Considering the shabby state of Stratfor's network security, the attacker(s) could have been in there for a few months prior to the December 24th event.

I'm not accusing Michael Mooney of being involved. I am, however, stating that attacks by insiders who hold a grudge against their employer are commonplace, and Mooney's position along with the circumstances around his departure will certainly be explored by law enforcement as part of the investigation. Apart from who was allegedly involved, there's no mystery about why Stratfor's network was in the state that it was in. Security wasn't a priority and there was no in-house expertise to make it one. Next come the consequences to Stratfor's customers, which George Friedman (CEO), Frank Ginac (CTO), and Darryl O'Connor (COO) all need to be held responsible for.

UPDATE (0337PST 03JAN12): According to Stratfor CTO Frank Ginac's Twitter stream, he had been looking to hire a System Administrator (Michael Mooney's job) since January 24, 2011. He repeated his need for a Sys Admin on 28 February and 22 July. It turns out that Michael Mooney wasn't the only Stratfor employee to leave the company in September 2011. So did a Cloud engineer named Trent Geerdes. Neither person has responded to my request for comment.

Ironically, four days before tweeting his first announcement (Jan 24, 2011), Ginac had this to say about security:

UPDATE (1850 PDT 18MAY12): To date there has not been any evidence that an insider was involved in this attack. The FBI has made arrests in the case.

Thursday, 29 December 2011

An Open Letter to George Friedman and Stratfor

29 Dec 2011

Mr. George Friedman,

As one of Stratfor's Free Intelligence Report subscribers, I received an e-mail message from you expressing your "deep regret (that) an unauthorized party illegally obtained and disclosed personally identifiable information and related credit card data of some of our paying subscribers." Your email went on to request feedback from me and your other subscribers about "this situation". Here's my response.

You clearly want to restore confidence among your customers and potential customers after a breach occurs. Your email was unsuccessful in doing that for two main reasons:

  1. You failed to address why your customer credit card numbers weren't encrypted. This is probably the most serious aspect of your breach.
  2. You failed to disclose how the breach occurred. Anonymous is known for discovering simple website vulnerabilities and exploiting them. I'm guessing that that was the case for you, which means that there's an issue with your own risk assessment capabilities.

Instead of addressing these two critical challenges to your competence as a web-based business and provider of intelligence analysis, you've chosen to offer me one year of consumer identity protection services and pledged to continue sending me your free Security and Geopolitical weekly reports (which I've been unable to get you to stop sending me for well over a year). I hope that you can now see how ludicrous your attempt to restore my confidence is and instead will make a more sincere effort to 1) acknowledge what you did wrong, 2) apologize for it, and 3) tell me what you're going to do differently so that it won't happen again.

Sincerely,

Jeffrey Carr
CEO, Taia Global, Inc.
Author, "Inside Cyber Warfare" (O'Reilly Media 2009, 2011)