Christmas Eve and Christmas Day were spent watching the Stratfor compromise develop in real time, which is not how I had planned to spend the Christmas weekend. Strategic Forecasting Inc., the Texas-based private-intelligence consultancy, was breached at some point in mid-December (the precise timeline is unclear) and the breach was made public on Christmas Eve through a series of Twitter announcements from Anonymous-aligned accounts and an initial data dump on Pastebin. By Christmas afternoon there was a 250MB archive in public circulation containing the firm's customer list, internal email, credit-card data for several thousand subscribers, and assorted internal documents. The dump has been growing since.

The compromise itself looks technically straightforward and structurally familiar. From what is in the public record so far, Stratfor's website and customer database were running on infrastructure that had not been patched aggressively, the customer credit-card data was stored unencrypted, the customer passwords were stored either as MD5 hashes (per some reports) or in cleartext (per others), and there was no meaningful network segmentation between the public-facing systems and the internal customer-data systems. The pattern matches HBGary Federal in February, Sony PSN in April, and Sony Pictures during LulzSec in June. The same five technical errors keep recurring; the same incident pattern keeps replaying; the affected organisations keep insisting in their post-breach communications that they "take security seriously" and were the victims of a "sophisticated" attack. This was not a sophisticated attack. None of the four mentioned were sophisticated attacks.

The Stratfor angle that interests me more than the technical detail is the customer list. Stratfor sells private-intelligence reporting to government agencies, military contractors, large corporations, and a range of individual subscribers. The customer list, now in public circulation, names approximately seven hundred thousand subscribers including individuals associated with the Department of Defense, the Department of Homeland Security, several large defence contractors, and a substantial number of journalists, academics, and military personnel by name. The political-cyber implication is that anyone on that list whose subscription was paid for by their employer is now identifiable as a Stratfor reader, which for a journalist or academic is mildly embarrassing and for an intelligence-services employee or military-affiliated researcher is meaningfully operational. Whether the AntiSec operators understood the political consequences of this dimension of the dump is unclear; the consequences are nonetheless playing out.

The stolen credit cards have been used for political donations rather than for fraud in the conventional sense — there are reports of donations to the Red Cross, to the EFF, and to similar charities running across Christmas Day, as Brian Krebs has been documenting. The political theatre is consistent with the AntiSec rhetoric of the past six months. The actual financial cost to Stratfor's customers will be the cost of the donations, the time of disputing the charges with the relevant card issuers, and the operational unpleasantness of having had your credit card stolen and used in a public-spectacle context. None of those is a small cost, but none of them is the structural cost.

The structural cost is the question of what private-intelligence firms can credibly claim about their security going forward. Stratfor's selling proposition is that subscribers receive analysis they cannot obtain through public channels; the implicit claim is that the relationship between firm and subscriber is itself private. That claim is now publicly broken. Other firms in the same sector — and there are several with similar customer lists, similar revenue models, and similar information-security postures — should expect the same operational scrutiny. The companies that have been quiet through 2011 about their information-security investment are now in a more difficult position than they were last week.

For the engagements I run, the post-Christmas conversations will be the same conversation I have been having since Sony PSN in April, now amplified. "Could this happen to us" is the wrong question; "what would the public-spectacle dump of our customer list and internal email actually expose" is the right question. Most boards I have asked have not been able to answer it precisely, which is itself the answer. The reading exercise that I will be putting in front of two of the Hedgehog clients in January is "imagine the AntiSec dump of your organisation; what is in it; who would care; what would happen". The point is not to defend against AntiSec specifically — the technical defence against breach was always the same — but to make the cost of an unprepared response visible. Stratfor's response over the past forty-eight hours has been ineffective because the organisation does not appear to have prepared for the contingency. The preparation is bounded; the cost of not preparing is not.

The other thing this incident has done, which I had not expected, is to put a sharper end-of-year framing on what 2011 has actually been. The list of breaches and incidents I have written about this year — HBGary Federal, the RSA SecurID compromise, Comodo, Sony PSN, Lockheed Martin and the SecurID-derived attacks against the defence contractors, the LulzSec fifty days, DigiNotar, Duqu, and now Stratfor — is more substantial than any prior year I can remember. Kim Zetter at Wired has been the steadiest source of running coverage on the Stratfor incident specifically and is worth reading for the comprehensive timeline. I will write the year retrospective properly next week. For now, the Christmas weekend has produced what may be the cleanest single illustration of the year's structural problem. Information security has not, in this past calendar year, been delivering the level of defensive capability that the implicit promise of the controls frameworks suggested it would.

The next post will be the 2011 retrospective, depending on whether anything else breaks before New Year.
