Stratfor Hack Proves a Few Things

Tuesday, January 03, 2012


The recent hack on Stratfor proves a few things.

Disappointingly, it shows that companies like Stratfor who claim to be the vanguard of security and intelligence only exist to collect revenue while giving lip service to the security of their own site.

They obviously took few precautions with respect to the privacy of individuals and organizations. They did not encrypt passwords. They had no reason to store credit card numbers much less store them in the open.

Their access protocols were weak and their overall protection strategy non-existent. They are the poster child for all that is wrong with many false prophets. They say do as I tell you to do, not as I do (ignore the man behind the curtain).

After the fact, they indicate they have hired a firm to correct their ills. I should frikkin’ hope so! Other than that, they have no clue as to what crisis communication is and have largely ignored their user community with relatively useless information. I find out more on pastebin.

How many more companies believe they can get by with half-baked cyber security? Why are budgets being cut for information security by CIOs who just don’t get it? Why is it that organizations do business with other organizations without performing cyber security due diligence on the entity?

So, I have to change passwords (which had long been changed). So, I have to change credit card numbers (which I do periodically whether I need to or not (kinda like a shower)). So, my email information is in the public domain (it was anyway). So what! It has long been available, as proven by my students at Utica College.

The issue I see for Stratfor is their complete loss of credibility, the exposure of their client list (which folks like me should exploit), and the revenue loss they should suffer, including major fines and penalties. I hope they suffer for it in this New Year. Hey, clients of Stratfor, take a look at Treadstone 71. We actually secure our information, don’t take yours, and let professional firms handle financial transactions.

As for Anonymous (the media whore), they just continue to prove they’ll disclose anything, even info on individuals who are just squirrels trying to get a nut (who probably align more closely to them than to Stratfor).

Or at least they once did.

About the Author: Jeff Bardin is currently Chief Intelligence Officer for Treadstone 71. In 2007 he was awarded the RSA Conference award for Excellence in the Field of Security Practices. The Bardin-led security team from Hanover Insurance also won the 2007 SC Magazine Award – Best Security Team, competing against such organizations as Barclays Global and the Department of State. Jeff sits on the Boards of Directors of Boston Infragard, Content Raven and Wisegate; was a founding member of the Cloud Security Alliance; is a member of the Cyber Security Forum Initiative and the RSA Conference Submission Selection Committee; and was formerly on the Customer Advisory Board for Chosen Security. Jeff published The Illusion of Due Diligence in 2010, was a co-author of the Computer and Information Security Handbook and Understanding Computers, and has published articles for magazines such as The Intelligencer, CSO, and SC Magazine. Jeff served in the USAF as a cryptologic linguist, and in the USANG as an officer. He has a BA in Special Studies - Middle East Studies & Arabic Language from Trinity College as well as an MS in Information Assurance from Norwich University. He is also a professor in masters programs in cyber intelligence, counterintelligence, cybercrime and cyber terrorism at Utica College. Jeff also holds the CISSP, CISM, C|CISO and NSA-IAM certifications.
