Data Exposed In Stratfor Compromise Analyzed 141

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 Email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well." As of posting, Stratfor's website is still down.
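
The tally the summary describes (claimed versus unique email addresses, expired versus unexpired card numbers) can be sketched as follows. This is an added example, not Identity Finder's tool or part of the original story; the `email|card|expiry` record layout, the function names and the sample records are assumptions constructed for illustration, and the card numbers are public test numbers.

```python
from datetime import date

# Constructed sample records in an assumed "email|card number|MM/YY" layout.
# The card numbers are well-known public test numbers, not real accounts.
SAMPLE_DUMP = """\
alice@example.com|4111111111111111|03/10
Alice@Example.com |4111 1111 1111 1111|03/10
bob@example.org|5555555555554444|12/11
carol@example.net|378282246310005|01/13
dave@example.com|4111111111111112|06/12
bob@example.org|4012888888881881|11/11
"""

# Reference date for the expiry check: the date of this discussion.
AS_OF = date(2011, 12, 28)


def luhn_valid(pan):
    """Return True if a digits-only string passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_expiry(text):
    """Parse MM/YY or MM/YYYY into a comparable (year, month) tuple."""
    month, year = text.strip().split("/")
    year = int(year)
    if year < 100:
        year += 2000
    return (year, int(month))


def mask(pan):
    """Keep first six and last four digits so reports never carry full numbers."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def analyze(dump, as_of):
    """Count claimed vs. unique emails and expired vs. unexpired unique cards."""
    emails = []
    cards = {}       # card number -> latest expiry seen for it
    rejected = 0     # strings that look like card numbers but fail Luhn
    for line in dump.splitlines():
        if not line.strip():
            continue
        email, pan, expiry = line.split("|")
        emails.append(email.strip().lower())        # case/space-insensitive dedupe
        pan = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(pan):
            rejected += 1
            continue
        exp = parse_expiry(expiry)
        cards[pan] = max(exp, cards.get(pan, exp))
    # A card is usable through the last day of its expiry month.
    current = (as_of.year, as_of.month)
    unexpired = sorted(p for p, e in cards.items() if e >= current)
    return {
        "emails_claimed": len(emails),
        "emails_unique": len(set(emails)),
        "cards_unique": len(cards),
        "cards_expired": len(cards) - len(unexpired),
        "cards_unexpired": len(unexpired),
        "rejected_non_luhn": rejected,
        "unexpired_masked": [mask(p) for p in unexpired],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_DUMP, AS_OF).items():
        print(f"{key}: {value}")
```
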
  • by InterestingFella ( 2537066 ) on Wednesday December 28, 2011 @02:20PM (#38517318)
    The credit card numbers they stole and exposed were used to make over one million dollars worth of "donations" to different charities like Red Cross, Save the Children and CARE. Good job Anonymous!

    Except that they were all reversed with chargebacks, which not only took back all the money given, it actually cost the charities around $250 000 in chargeback fees which are now off from what other, legit people donated. Awesome job there! Idiots...
    • Re: (Score:3, Insightful)

      by Herkum01 ( 592704 )
      I highly doubt that Charities are getting charged chargeback fees for something that they did not do themselves and you made up the amount of 250,000 because there is no way the banks would be able to justify the fees for a quarter of the total amount.
      • by InterestingFella ( 2537066 ) on Wednesday December 28, 2011 @02:32PM (#38517474)
        Do you really think that it will be banks covering the costs? That never happens. It's always the merchant. Charity or not. The 250,000 comes from my knowledge of chargeback fees being $25-40 for merchants. With around 10,000 current credit cards exploited, I actually took the lowest possibility of $25 per chargeback and didn't even account for multiple donations per card. The fees can be much higher too, but it is at least $250,000.
        • Like the anonymous coward below notes, I actually took it too low. AIDG gets charged $35 per chargeback, so it's probably more like $350,000 or more.
          • And this (the merchant getting hit for fraud and banks raking up the pizzo) coupled with deregulation is why the banks will never invest in development of less fraud-prone electronic transaction mechanisms. For fuck's sake, they're running rackets and we're bailing them out on a daily basis.
        • by gl4ss ( 559668 )

          what you're saying is that you could have bankrupted any company with the cards.

          this is high profile enough to just end up as a special case, with the transactions reversed in one large batch by the affected cc processors.

          anyhow, it's up to the card owners to dispute.

          the real wtf is what the hell were they storing the card data for? this means stratfor should lose any possibility to do cc payments in future, having vastly fucked up following guidelines.

          • by cdrguru ( 88047 )

            The only way someone gets bankrupted is if they didn't validate the cards properly.

            Now validation costs money to do properly, but failing to validate can cost a lot more. It is like $0.30 plus staff time to do proper validation vs. $25 or $35 to deal with a chargeback.

            See, validation makes sense, especially if you are subject to lots of fraud. Anytime a credit card number is taken on the Internet you can assume at least 20% of the entries are fraudulent and you better handle that - because if you submit m

        • by cdrguru ( 88047 ) on Wednesday December 28, 2011 @03:49PM (#38518374) Homepage

          Banks? There are no "banks" involved with chargeback fees.

          When you sign up for a merchant account, you are contracting with a "merchant services provider". They are the ones that are handling the credit card transaction processing. When you get paid, they put money into the transfer account as per your agreement - then a bank is involved. Until then, you are dealing with a reseller (probably) and some place like First Data which is not in any respect "a bank".

          You might be able to get your merchant services provider to back off on some massive fraud and not charge you the full $25 for each and every single chargeback. However, a lot of this is dictated not by your merchant services provider and not even by First Data but relates to the fact that people get involved at both the bank (where your money got put) and also with the customer card accounts themselves. When First Data processes a charge in error and it shows up on some poor customer's statement, they likely have to pay a service fee to the customer's credit card processing company to get the charge taken off. Now that might be a bank.

          So the likelihood of getting the charges waived is pretty low. It costs real money to screw with credit cards and if you aren't properly validating the transactions - before submitting them - you are going to run up some big bills. Did these charities do proper validation and find out they were being scammed? Hope so, because then it would not have cost them anything. If they ran the charges through, they are likely going to have to pay.

          • by deKernel ( 65640 )

            Excellent representation of the processing of transactions. Most people don't realize that processing of credit card transactions in the US doesn't really involve banks other than authorizing of the transaction (meaning there is either money in a checking account for debit cards typically or credit available on a credit account) and acting as the receiver of the transfer for the merchant once the transactions are settled.
            Interested in a job :)

          • Banks can be service providers as well. I know for a fact that Wells Fargo is. Perhaps a different unit of Wells Fargo from their core banking unit, but still Wells Fargo, a bank.

          • all of those transactions go through Visa and Mastercard, depending on which type of card you have.

      • by JWSmythe ( 446288 ) on Wednesday December 28, 2011 @02:47PM (#38517646) Homepage Journal

        It doesn't matter if they're a charity or not. They may have managed to talk the bank out of some of the fines, but that'd be about it.

        One place I worked, which did high volume CC transactions, the typical sale was $25. A chargeback resulted in the bank taking back the full amount ($25) plus fine ($35).

        We worked hard to avoid chargebacks. As I recall, you can lose your merchant account if you exceed 1% chargebacks. Before the chargeback is done, the merchant is given a "chargeback notification". At that point, we can dispute, refund, or ignore it. Since we were an online company, we didn't have a physically signed receipt to prove that the person was actually the purchaser.

        With a signed receipt and someone to confirm that they visually verified the identification, you can dispute.

        We opted to refund, and cancel their account. That way, we simply didn't make the value of the sale, but there were no fines applied. So +$25 on the transaction. -$25 on the refund. $0 total.

        Finally, is the option of ignoring it. +25 transaction, -$25 refund, -$35 fine. -$35 total.

        Typically, the consumer would call first, before the chargeback. We'd assist them in finding out the details of the transaction. We'd give them the time, date, information about the IP, and email address used with it. Most of the time, we could positively say that the transaction occurred in their location (by the IP and ISP). They'd recognize the email address as belonging to someone else in their household. If they wanted, we would cancel the account and refund the full amount. I'd say refunds occurred about 50% of the time. They'd talk to their family members, and find out that they had done the transaction, the card holder just didn't know, but they allowed it anyways.

        For us, it didn't matter that much. We handled millions of dollars a year. Who cared about a few dozen refunds in the same period. It was cheaper to refund and make the consumer happy, than dispute and risk incurring the fines, and risking our merchant account status.

        I know people with stolen card information will test it by donating a small amount to charity. People won't generally notice a $1 or $5 charge on their card, if it's frequently used. They'll catch on when the card is used the second time for a high dollar transaction. The idea of the test transaction is only to verify the card. It's easy, and they don't have to provide a valid delivery address for merchandise. They aren't doing it out of good will, they're exploiting the system a bit more.

        • by sjames ( 1099 )

          So, in other words the charities can take option 2 (and probably have standing orders to that effect) and be out nothing.

          • They could.

            I can't say if they do or not. It's really up to them how they manage things. They may try to play hard ball, to avoid "buyers remorse". It may feel good to donate a bunch of money. The person may realize later that it was more than they could afford. If they confirm that the purchase was legitimate, it becomes a more difficult task to get the chargeback. I say difficult, but not impossible.

            We just chose to take the path that is best for the customer. We'd rather please the consumer, who

      • Didn't the Great Banking Coup of September 2008 teach you anything? Banks can justify whatever they want, and we all have to take it, because there is no regulatory oversight anymore.

      • by gmack ( 197796 )

        After 10 years working in the credit card industry I can tell you that banks rarely pass up an opportunity to hit merchants with fees and charities are nothing more than merchants to them. The theory they go by is that merchants should be able to tell what transactions are fraudulent but really it's just an excuse to charge for the trouble of having to deal with charge backs (and make a little extra money on the side)

    • by vlm ( 69642 ) on Wednesday December 28, 2011 @02:29PM (#38517442)

      yeah yeah about that, do you have the URL for donation pages for RIAA and MPAA?

    • Re: (Score:3, Informative)

      by Anonymous Coward

      Stratfor Global has us worried. Pls don't donate to AIDG with stolen credit cards, we get hit $35 per fraudulent transaction! #anonymous RT

      Indeed. Good job, Anonymous!

    • That's kind of messed up. If I were the banks... I'd try to find some way to "forgive" that or charge the whole incident to the credit card fraud department. Credit cards charge such high interest in part to pay for such things. Just tap that fund for this and leave the poor charities alone.

    • I hopped over to Stratfor's Facebook page and one of the people who posted on it said their credit card info from Stratfor had been used at the well known charity called the Blizzard Store. ;)

    • Where does this even come from? The credit card numbers were given to stratfor. That's for security analysis. Where do you make up this collateral damage crap here?

      Do you really use the same credit card to sign up for security analysis as you do for donating to red cross, even if you're the government? I doubt it.

    • From the ArsTechnica article:

      According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

      Why the hell did Stratfor store credit card numbers in plain text?
      They totally deserve what happens to them, I hope they'll have to pay all charges for the credit card changes.
      This is not the first time a company has this kind of problem, but we are now (almost) in 2012, so this problem should have disappeared a long time ago.
      Did they audit their security? It's pretty sure, but they probably didn't show their custom modules, so it's totally their fault here.

      Would you prefer th

      • by dbIII ( 701233 )

        Why the hell did Stratfor store credit card numbers in plain text

        Because they are a useless parking lot for political "science" graduates that can't get a job anywhere else but are handy as campaign workers each election. When is the USA going to wake up and understand that the "think tanks" are full of rejects instead of experts.

    • by flyingsquid ( 813711 ) on Wednesday December 28, 2011 @04:59PM (#38519070)
      Anonymous is nothing more than a bunch of irresponsible children. What the fuck is up with targeting Stratfor? It's not some shadowy clandestine service, it's just a think tank formed by a former politics professor that does analysis. Now, I suppose if your entire worldview is informed by children's cartoons and Hollywood blockbuster movies, that's enough to make them the "baddies" and you the "goodies", but the world doesn't really work that way. Let me explain this to you Anonymous children in terms you can understand: if Batman is walking down the street and sees a guy with a strange costume, he doesn't just beat the shit out of the guy. He goes back to the Batcave, and does his homework, and does some sleuthing, and only after he has figured out that the guy is, in fact, engaged in criminal behavior, *then* Batman beats the shit out of him. See, if you break the law to stop a criminal act, then you're a vigilante. Like Batman. But if you break the law and attack people when you don't have any evidence that they are engaged in criminal activity... then you're not Batman. You're just a fucking criminal.
      • by dbIII ( 701233 )
        The irresponsible children bit is ruined slightly by writing about Batman as if he's real :)
        From one perspective parasitic noisemakers that pretend to be far more than they are such as "think tanks" are an obvious target for people that want to stir up trouble and not get hurt. By pretending to be like a competent well staffed intelligence bureau without actually having the resources of a small newspaper they would look like a juicy target to somebody that would really like to give the CIA or NSA some emba
    • seriously. the fact that so few people understand how the CC system works (including you, no offense) is kind of funny.

    • by Xest ( 935314 )

      Meh, sounds like a good thing.

      Money out of the Red Cross' coffers means they've got less money to waste on things like suggesting online gamers are committing warcrimes. That's between wasting money suing games companies who dare use the red cross on health packs and stuff too.

      Money out of Save the Children's coffers means they have less money to continue to campaign for web censorship.

      It may suck for CARE, but I've no idea who the fuck they are.

      Either way, if the Red Cross and Save the Children were effect

  • by Anonymous Coward

    A special Category in the Darwin Awards.

    • by gl4ss ( 559668 )

      storing credit card numbers attached to account data doesn't sound like intelligence community, sounds more like some douches who went out to find some guys and said "hey you're really smart! give us your cc number and some cash!" to some slobs they found.

      real funny shit is how "TEH OFFICIAL ANONYMOUS" is claiming they didn't do it, which is a bit of a what the fuck too, don't they realize they're anonymous - there's no core, there's no agenda, if you don't like it form a hacking group like lulzsec.

      but you

    • by sycodon ( 149926 )

      Add on 9,651 charges of credit card fraud.

    • by dbIII ( 701233 )
      This lot and similar only pretend to be intelligent - hence the simple doubleplusgood label "think tanks". This incident highlights that better than anything else.
  • ...but 74kB per email?
    • by geek ( 5680 )

      A lot of corporations require long signatures with disclaimers and terms etc. Usually they plant a bunch of corporate logos in there too. The size of the emails sounds about right.

    • Just a handful of PowerPoint files will skew the average quite a bit.

  • "Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired"

    Sounds like 80% of the problem evaporated based on card expiry. How do we go about making CCs expire more frequently?

    • by tibit ( 1762298 ) on Wednesday December 28, 2011 @02:51PM (#38517708)

      You must not have any credit cards, then. I haven't had any credit cards (and I have a dozen) that are not renewed with the account number intact. The expiration date is bumped ahead by some predictable number of months (12, 24, 48, etc), and that's it. Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date. You should get it right on 3rd or 4th try at worst. You can then cache the initial expiration date delta with the first 4 digits of the account number as the cache lookup key.

      • Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date.

        You're forgetting about the CCV "extended verification" digits on the back of the card, they are rotated along with the expiration date but not in such a predictable pattern.

        Brute forcing one of those will almost assuredly have the card locked out before you get a chance to spend any money.

        • by tibit ( 1762298 )

          Hmm, this is insightful. Some places do not need CCV, though. I haven't checked TFA: did they store CCVs?!

          • If they stored CVV, they'd be in a hell of a lot of trouble. PCI compliance requires not storing the CVV. However, as stated earlier, a lot of places don't require CVV. *None* of the cards should have CVV stored, so there's no real difference between expired and unexpired.
      • Isn't that what the verification code in the back is for? That one has always changed for me (even if the main number doesn't).

      • by Xest ( 935314 )

        Each time I've had any new card the 3 CVV digits on the rear change too.

        With all my debit cards, the last 4 digits of the card changes each time too.

        Also, I don't think I've ever had a debit card for its full term. My banks always sent me out a new card before the old one expires for various reasons such as adding chip and pin, adding contactless payment tech, or this time simply for "security reasons" without elaborating what they are.

        I don't think I've even ever had a credit expire on its given date and

        • by tibit ( 1762298 )

          You're right as to debit cards, I had same experience with those. They seem somehow different from credit cards as far as reissuance is concerned. For credit cards, they had simply sent me new ones a couple months before the expiration date, and they'd usually have new expiration = old expiration + 36 months.

  • Expired cards (Score:5, Interesting)

    by nstlgc ( 945418 ) on Wednesday December 28, 2011 @02:50PM (#38517690)
    Where I live, when your card expires, you just get a new one with the same card number but a few years added to the expiration date. Wouldn't this allow the attackers to reuse some of the expired cards?
    • Unless the CVN changed, which it probably did. Mine does anyways. Which makes it worthless for online purchases. Might still be able to abuse it, but much less easily.
      • Not worthless. The rule is that if CV2 code is supplied, it must be correct. However, it is optional.

        Just don't expect to have any chance of winning a chargeback if you didn't request CV2.

  • ...what's the point of having a strong one?

    I'm wondering what's the biggest risk with passwords: having it hacked and either stored decrypted or decrypted later, or having someone guess it? I'm starting to think it's the former, which makes me think there's no point in super complex "try and guess THIS one!" passwords.

    • by tibit ( 1762298 )

      Cover yourself from both ends: have one password per account (a must!) and have them complex. If you do the former, then you'll need a password manager anyway, so the latter becomes trivial.

    • Passwords are of course useful but not without their flaws, and they've been around so long that their flaws are long identified. Super complex passwords help for things like hard drive encryption, etc; where brute force is the only viable means of access.

      Don't use passwords if possible! Especially on your public web Linux server, unless they're at the application-level and protected by TLS/SSL.
      SSH daemon should only respond to key-based authentication queries, and furthermore iptables should lock do

      • by dbIII ( 701233 )
        Having no password and instead using keys makes the stolen laptop problem even worse. Of course a depressingly large number of laptops have sticky notes with VPN or similar passwords on them anyway.
        • Huh? I was referring to webservers where you don't have physical access and can only be hacked remotely. Of course no one would suggest having no password on your laptop, rather, your laptop should have full disk encryption if possible with a password. Using keyfiles from a smartcard and a password for that is even better.
          • by dbIII ( 701233 )
            You've misunderstood. Once a thief has possession of a laptop and can log onto that (sometimes by depressingly simple methods) they are then possibly one click away from getting into those remote webservers because the laptop has the key. That's why I wrote above "VPN or similar passwords" because I was writing about logging into remote systems just as you were.
            Now within the same physical environment as the servers I sometimes do exactly what you've suggested, but offsite I'm very reluctant to have some
              • I think we're misunderstanding each other. In proper SSH key configurations, the key itself has a passphrase, although this passphrase is not a 'password' in the typical sense in that it is not transmitted to the server. It's only used for decrypting the file in place.

              Essentially what I was trying to say is that passwords only do so much, but should be used in combination with another means of security (e.g. two factor auth). I suppose "don't use passwords if possible" can be interpreted as simply "d

              • by dbIII ( 701233 )
                You wrote "Don't use passwords" so I took your word for it and assumed that you also meant not using a passphrase with the key. I'm glad you've written the post above because the earlier post taken at face value looked like very bad advice.
    • You're mostly correct - you are mentioning the problem with having a "Global Secret". In that sense, a personal password is little different than a "Global Secret" that hasn't been distributed, yet.

      The larger issue is almost always endpoint security, though. Endpoints are *both* ends - your local PC, and the server at the far side. In this case, the cost of engineering a competent solution was more than the cost of a compromise - the bulk of the cost of this hack will be paid by anyone BUT Stratfor execs

    • by jschottm ( 317343 ) on Wednesday December 28, 2011 @03:29PM (#38518156)

      Use unique passwords for everything important and use a secure but salted password for various sites. Let's say my generic secure password is $sJ55Pm#

      I salt the secure password between the fives with the initials of the website alternating caps. So my /. password could be $sJ5Sd5Pm# and my World of Warcraft password could be $sJ5WoW5Pm#.

      I only have to remember one good password and a formula. Someone clever enough could hand analyze the passwords and might spot the salting but realistically, very few people are worth that effort.

      which makes me think there's no point in super complex "try and guess THIS one!" passwords.

      One practices good password habits because they help when a site does things properly. Nothing is going to save you if a site is terribly set up but that doesn't mean you should abandon best practices.

      • by fnj ( 64210 )

        Alone, alternating caps adds next to no security. It is one of a number of well-known predictable ideas which are cheap to test for, so the attacker will try them. It only takes three times as long to test the root plus both series of alternating caps as it does to test just the all lower case root. Using leet speak (sorry, 133+ speak) is not of very much use for the same reason.

        Truly random upper case characters and digits thrown into the password, in NON-OBVIOUS PLACES, offers FAR more security.

        The number

        • Alone, alternating caps adds next to no security.

          Well, yes, that's why I specified in this theoretical example that the salt was the initials of the website with the caps alternated. One needs the salt (which, yes, is not a true cryptographic salt, although I do know people who run their generic secure password plus a salt through hash algorithms and use the resulting hash as their password) to be memorable to the user and again, virtually no one is important enough that someone would sit there pulling apa

          • by fnj ( 64210 )

            Yes, I think "pretty damn good system" makes it pretty clear I like it.

            The rest is a completely general critique of a lot of not so good ideas that are found in this topic in general.

    • The advantage of "try and guess THIS one!" type passwords is not only are they hard to guess, but if they are long enough and hashed properly (SHA1 or similar) they cannot be unencrypted. (Presuming that the decrypting party does not have access to a super computer). This is due to the fact that these passwords go through a one-way type hash, thus the only way to crack them is having a list of every single possible hash and its key (or generating such a list). So if one has a password that is 27 characters
    • by gl4ss ( 559668 )

      if you're storing customer cc's on the same machine as you're doing your email hosting and web serving from.. what's the point in anything?

    • For anything that could cost you money, your job etc you want passwords that you can remember and that are hard to crack even if somebody has a copy of /etc/shadow or similar:
      More importantly, don't reuse passwords that you put on anything important. Some idiot may store them in plain text on a blog site, dropbox authentication or whatever useless bunch and then a cracker could use them to get into your bank or wherever else you've used the password.
      Now even Facebook passwords could be
  • by Bob9113 ( 14996 )

    I wrote, and rewrote, and rewrote a long and subtle post on the value of contemplating the underlying forces acting in society that lead to events like this, rather than jumping to adulation or condemnation. I came to the conclusion that I could not make it clear that I was advocating contemplation, not support or opposition. That all I would get in response would be some twit turning my post into a straw man then hurling rhetorical vitriol at it.

    Then it came to me -- I may be able to extract some value fro

    • by pdxer ( 2520686 )
      Only terrorists want to inhibit histrionics!
    • I think the best inhibitors of histrionics are the long and subtle posts on the value of contemplation of underlying forces acting in society. Post away, ignore the peanut gallery.

      • by Bob9113 ( 14996 )

        Post away, ignore the peanut gallery.

        Yeah -- you're right, as is the Offtopic mod. Thanks.

  • 200GB of email? When I see figures like that, I always ask if they include attachments or not. If so, reduce the figure by at least 80%.
    • by frisket ( 149522 )
      In any case, if it's "corporate" email it's probably trivial or ephemeral, concerned with administrative minutiae or the perpetual re-editing of "reports" as if they were something of great value. Out of 200Gb I would expect perhaps half a dozen emails containing something interesting, salacious, or actionable (perhaps all three :-) and that kind of hit rate is barely worth the trouble of pwning their server.
      • by gl4ss ( 559668 )

        it's probably customers asking for security strategy advice and tips. that's their business, answering such mails. if they turn out as a joke on quality, they're finished as a business.

    • I blame HTML mail. Have you ever seen the source of your average Exchange email thread? The horrors!!

      Then there are those people who send BMPs embedded in Word/Excel so they can send you a screenshot! Gaaaack

  • Stratfor's site will be secure AND up about the same time in the far, far future when America finally catches up with China and builds a 500-mile-per-hour bullet train. OR NOT................