Remember the Stratfor hack back in 2011? Stratfor cybersecurity was pretty much non-existent, according to a leaked confidential forensic investigation report (pdf), originally released by Verizon in February 2012. It was a hack waiting to happen, and the report serves as a reminder for how NOT to do business.

Background

Stratfor Global Intelligence bills itself as “a geopolitical intelligence firm that provides strategic analysis and forecasting to individuals and organizations around the world.” After AntiSec hackers stole five and a half million emails and then gave them to WikiLeaks, the Atlantic said “Stratfor’s reputation among foreign policy writers, analysts, and practitioners is poor; they are considered a punchline more often than a source of valuable information or insight.” Yet as far back as 2001, “a Stratfor subscription could cost up to $40,000 per year.”

Suspected cause and attack vectors

Verizon spelled out suspected host and network attack vectors. It found practically no system hardening and no file integrity monitoring. Stratfor had no firewall, no antivirus protection and no security monitoring. “No device was used to filter any ingress or egress traffic, allowing any data into and out of the systems environment unrestricted.” There was “no level of centralized logging to routinely monitor and analyze suspicious and/or anomalous security events.”

Keep in mind that Stratfor is a level 3 merchant, charging at least $40,000 annually for subscriptions via its Ubercart shopping cart application. “The back-end database driving the Stratfor e-commerce process retained Primary Account Number (PAN), expiry, and CVV2/CVC2 in plain, unencrypted text.” There was also no network segmentation. “Stratfor did not segregate its payment ecommerce environment from its corporate office environment.
That is to say, systems interacting with cardholder data were directly accessible from systems within the corporate subnet with single-factor authentication credentials.”

No secured remote access: The “affected systems (web server, database server, mail servers, Active Directory server) in both the corporate and payment environments allowed for single-factor remote access either through SSH (Linux) or Windows Remote Desktop (RDP).” Furthermore, the “remote access channels were not restricted by trusted IP address or geolocation.” Remote access was left permanently enabled, yet there was also no remote access monitoring or logging.

Those were just a few examples of Stratfor’s security ineptitude found during Verizon’s investigation. “This is an extreme case and a breakdown of a magnitude I’ve never seen before.” Kevin Cunningham, president and founder of SailPoint, told The Daily Dot, “You have to define your policy and ensure that controls are in place. In this case, it doesn’t look like they had any policies defined. It’d be like not only leaving your front door unlocked and your windows open, but also your family jewels on the kitchen table.”

Anti-forensic measures

Verizon investigators wrote that hackers disabled the web server by “using the Unix ‘rm -rf’ command against the root directory as superuser. This caused the contents of nearly every writable mounted file system on the server to be deleted, up to the point that the server itself crashed after system-critical files or directories were deleted. This same Unix command was also run against two separate mail servers as well as the e-commerce database server.”

This one command helped to remove the intruders’ digital footprints from the compromised systems and proved to be an investigative challenge, as standard file timeline and metadata analysis could not be conducted.

The intruders used TOR for most of their malicious activity.
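The remote-access findings above (single-factor SSH and RDP on every affected system, no trusted-IP restriction, no monitoring of the channel, no centralized logging) are exactly the conditions a log review would have surfaced. The following is an added example, not code from the Verizon report or from the original article: a Python script that runs OpenSSH "Accepted" login lines through a small policy (trusted source allowlist, password-only login, direct use of a privileged account) and then groups each flagged source by the hosts it reached. The log lines, the allowlisted networks and the account names are all constructed for the example.

```python
import ipaddress
import re

# Trusted administrative source ranges. Constructed placeholders for this
# example; a real deployment lists its VPN or bastion egress addresses.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

# Accounts that should never log in interactively over remote access.
FORBIDDEN_REMOTE_USERS = {"root", "Administrator"}

# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <port>" lines.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample of centralized syslog from three hosts: a web server,
# the e-commerce database server and a mail server.
SAMPLE_LOG = """\
Dec 24 02:11:07 web01 sshd[2211]: Accepted publickey for deploy from 203.0.113.17 port 51234 ssh2
Dec 24 02:13:45 db01 sshd[2290]: Accepted password for root from 198.51.100.23 port 40211 ssh2
Dec 24 02:14:02 mail01 sshd[1877]: Accepted password for admin from 198.51.100.23 port 40220 ssh2
Dec 24 02:15:30 web01 sshd[2301]: Failed password for root from 198.51.100.23 port 40230 ssh2
Dec 24 03:40:11 db01 sshd[2412]: Accepted publickey for backup from 10.1.2.3 port 33000 ssh2
"""


def parse_accepted(line):
    """Return the fields of a successful sshd login line, or None for any other line."""
    m = SSHD_ACCEPTED.match(line)
    return m.groupdict() if m else None


def is_trusted(ip):
    """True when the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(event):
    """Return the policy violations for one accepted login (empty list if clean)."""
    reasons = []
    if not is_trusted(event["ip"]):
        reasons.append("source not in trusted allowlist")
    if event["method"] == "password":
        reasons.append("single-factor password login")
    if event["user"] in FORBIDDEN_REMOTE_USERS:
        reasons.append("privileged account used directly")
    return reasons


def analyze(log_text):
    """Run every accepted login in the log through the policy; return the findings."""
    findings = []
    for line in log_text.splitlines():
        event = parse_accepted(line)
        if event is None:
            continue
        reasons = evaluate(event)
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


def hosts_per_source(findings):
    """Map each flagged source IP to the set of hosts it reached. One source
    logging in to both a database and a mail server is the kind of cross-zone
    movement that network segmentation is supposed to prevent."""
    reached = {}
    for f in findings:
        reached.setdefault(f["ip"], set()).add(f["host"])
    return reached


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} user={f['user']} from={f['ip']}: " + "; ".join(f["reasons"]))
    print(hosts_per_source(analyze(SAMPLE_LOG)))
```

On the sample log the two password logins from 198.51.100.23 are flagged, the root login on db01 for three reasons at once, and the per-source view shows the same address reaching both db01 and mail01. The same policy applies to RDP if the parser is pointed at Windows logon events instead of sshd; the allowlist and the single-factor check are what matter, not the protocol.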
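The plaintext PAN, expiry and CVV2/CVC2 in the e-commerce database is the clearest PCI DSS failure in the report: the standard prohibits storing sensitive authentication data (CVV2/CVC2, full track data, PIN) after authorization at all, and requires the PAN to be rendered unreadable anywhere it is stored. As an added example (not code from the article or from Stratfor's Ubercart setup), the Python below is the kind of gate an order-persistence layer can apply before a record ever reaches the database: it refuses records that still carry sensitive authentication data, validates and truncates the PAN, and keeps only a keyed hash for lookups. The order record, the HMAC key and the field names are constructed for the example.

```python
import hashlib
import hmac
import re

# Hypothetical per-deployment secret for the PAN reference hash. In practice
# this lives in an HSM or key management service, never in source code.
PAN_HMAC_KEY = b"constructed-example-key-do-not-use"

# Sensitive authentication data: must never be stored after authorization.
SENSITIVE_AUTH_DATA = {"cvv2", "cvc2", "cvv", "track1", "track2", "pin"}


def luhn_valid(pan):
    """Luhn check on a digits-only PAN; catches transcription errors, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep at most the first six and last four digits (PCI DSS truncation)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_reference(pan):
    """Keyed hash of the PAN, usable to match repeat cards without storing them."""
    return hmac.new(PAN_HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(record):
    """Return the only cardholder-related fields an order database may keep.

    Raises ValueError if the record still carries sensitive authentication
    data or a malformed PAN, so the caller cannot persist it by accident.
    """
    present = SENSITIVE_AUTH_DATA & {k.lower() for k in record}
    if present:
        raise ValueError(f"refusing to persist sensitive authentication data: {sorted(present)}")
    pan = re.sub(r"\D", "", record["pan"])
    if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("malformed PAN")
    return {
        "order_id": record["order_id"],
        "pan_masked": mask_pan(pan),
        "pan_ref": pan_reference(pan),
        "expiry": record["expiry"],  # expiry may be stored if protected
    }


if __name__ == "__main__":
    # Constructed order using a well-known test PAN, never a real card.
    order = {"order_id": "A1", "pan": "4111 1111 1111 1111", "expiry": "12/29"}
    print(sanitize_for_storage(order))
    try:
        sanitize_for_storage({**order, "cvv2": "123"})
    except ValueError as e:
        print("rejected:", e)
```

The stored row contains the masked PAN and a 64-character reference, so a database dump yields neither a usable card number nor the CVV2; the actual authorization still goes to the payment processor with the full data in transit, which is where that data belongs.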
The report stated, “Engaging in this degree of anti-forensic activity indicates the high level of sophistication and organization during the intruder’s actions. Many intruders in similar cases make no effort to ‘cover their tracks’ or otherwise obfuscate their actions. Taking specific and deliberate actions that hinder investigative efforts after the fact is indicative of a highly specialized, and professional attacker or group of attackers.”

Chat logs floating around on the web show that FBI informant Sabu orchestrated the Stratfor hack. Fellow LulzSec member Jeremy Hammond, who is serving 10 years, claimed Sabu set him up for the fall. Another Anonymous hacker, Hyrriiya, confessed to first hacking Stratfor — two weeks before LulzSec – and providing access to other AntiSec hacktivists. Considering all the extreme security mistakes, Stratfor got off easy; it did not admit to any wrongdoing or liability. Instead, the company settled a class-action lawsuit for approximately $1.175 million in 2012.