Data Exposed In Stratfor Compromise Analyzed
wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 Email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well."
As of posting, Stratfor's website is still down.
"Donations" to Charities (Score:4, Informative)
Except that they were all reversed with chargebacks, which not only took back all the money given, it actually cost the charities around $250,000 in chargeback fees which are now off from what other, legit people donated. Awesome job there! Idiots...
Re: (Score:3, Insightful)
Good PR? Give me a break. Banks don't give a rat's ass about PR because they mostly 0wn this planet, and there is literally nothing that will stop them from 0wning it more. I mean, they seriously damaged the world economy, put lots of people into excruciating hardship in the US, and there they are. PR didn't really play a role in this.
So no, they will take the money for t
Re:"Donations" to Charities (Score:5, Funny)
In related news, I know a PR guy who's looking for a job...
Re: (Score:2)
In related news, I know a PR guy who's looking for a job...
I know that guy, he's pretty good. He was on the internet when you were a sperm in your daddy's balls, and is a good friend of Cliffy B, Scott Lowe, the guys from Penny Arcade and the mayor of Boston.
Think it through a little more thoroughly: (Score:3)
"it would be good PR for a bank to cover it for the charities"
You don't understand. The smart PR move is to let the charges stand without comment. That way the charities talk about it to their donors when asking for more funds to make up the difference.
The banks are already not well thought of currently. This makes no difference to them.
Net result: A lot of people who had never heard of Anonymous before their favorite charity mentioned them now hate their guts.
Re: (Score:3)
What you're saying is that you could have bankrupted any company with the cards.
This is high profile enough to just end up as a special case, with the transactions reversed in one large batch by the affected CC processors.
Anyhow, it's up to the card owners to dispute.
The real WTF is what the hell were they storing the card data for? This means Stratfor should lose any possibility to do CC payments in future, having vastly fucked up following guidelines.
Re: (Score:3)
The only way someone gets bankrupted is if they didn't validate the cards properly.
Now validation costs money to do properly, but failing to validate can cost a lot more. It is like $0.30 plus staff time to do proper validation vs. $25 or $35 to deal with a chargeback.
See, validation makes sense, especially if you are subject to lots of fraud. Anytime a credit card number is taken on the Internet you can assume at least 20% of the entries are fraudulent and you better handle that - because if you submit m
Re:"Donations" to Charities (Score:5, Informative)
Banks? There are no "banks" involved with chargeback fees.
When you sign up for a merchant account, you are contracting with a "merchant services provider". They are the ones that are handling the credit card transaction processing. When you get paid, they put money into the transfer account as per your agreement - then a bank is involved. Until then, you are dealing with a reseller (probably) and some place like First Data which is not in any respect "a bank".
You might be able to get your merchant services provider to back off on some massive fraud and not charge you the full $25 for each and every single chargeback. However, a lot of this is dictated not by your merchant services provider and not even by First Data but relates to the fact that people get involved at both the bank (where your money got put) and also with the customer card accounts themselves. When First Data processes a charge in error and it shows up on some poor customer's statement, they likely have to pay a service fee to the customer's credit card processing company to get the charge taken off. Now that might be a bank.
So the likelihood of getting the charges waived is pretty low. It costs real money to screw with credit cards and if you aren't properly validating the transactions - before submitting them - you are going to run up some big bills. Did these charities do proper validation and find out they were being scammed? Hope so, because then it would not have cost them anything. If they ran the charges through, they are likely going to have to pay.
Re: (Score:2)
Excellent representation of the processing of transactions. Most people don't realize that processing of credit card transactions in the US doesn't really involve banks other than authorizing the transaction (meaning there is either money in a checking account for debit cards typically or credit available on a credit account) and acting as the receiver of the transfer for the merchant once the transactions are settled. :)
Interested in a job
Re: (Score:2)
Banks can be service providers as well. I know for a fact that Wells Fargo is. Perhaps a different unit of Wells Fargo from their core banking unit, but still Wells Fargo, a bank.
Don't leave out Visa and Mastercard (Score:2)
All of those transactions go through Visa and Mastercard, depending on which type of card you have.
Re:"Donations" to Charities (Score:5, Informative)
It doesn't matter if they're a charity or not. They may have managed to talk the bank out of some of the fines, but that'd be about it.
At one place I worked, which did high volume CC transactions, the typical sale was $25. A chargeback resulted in the bank taking back the full amount ($25) plus a fine ($35).
We worked hard to avoid chargebacks. As I recall, you can lose your merchant account if you exceed 1% chargebacks. Before the chargeback is done, the merchant is given a "chargeback notification". At that point, we can dispute, refund, or ignore it. Since we were an online company, we didn't have a physically signed receipt to prove that the person was actually the purchaser.
With a signed receipt and someone to confirm that they visually verified the identification, you can dispute.
We opted to refund, and cancel their account. That way, we simply didn't make the value of the sale, but there were no fines applied. So +$25 on the transaction. -$25 on the refund. $0 total.
Finally, there is the option of ignoring it. +$25 transaction, -$25 refund, -$35 fine. -$35 total.
Typically, the consumer would call first, before the chargeback. We'd assist them in finding out the details of the transaction. We'd give them the time, date, information about the IP, and email address used with it. Most of the time, we could positively say that the transaction occurred in their location (by the IP and ISP). They'd recognize the email address as belonging to someone else in their household. If they wanted, we would cancel the account and refund the full amount. I'd say refunds occurred about 50% of the time. They'd talk to their family members, and find out that they had done the transaction, the card holder just didn't know, but they allowed it anyways.
For us, it didn't matter that much. We handled millions of dollars a year. Who cared about a few dozen refunds in the same period. It was cheaper to refund and make the consumer happy, than dispute and risk incurring the fines, and risking our merchant account status.
I know people with stolen card information will test it by donating a small amount to charity. People won't generally notice a $1 or $5 charge on their card, if it's frequently used. They'll catch on when the card is used the second time for a high dollar transaction. The idea of the test transaction is only to verify the card. It's easy, and they don't have to provide a valid delivery address for merchandise. They aren't doing it out of good will, they're exploiting the system a bit more.
Re: (Score:2)
So, in other words the charities can take option 2 (and probably have standing orders to that effect) and be out nothing.
Re: (Score:2)
They could.
I can't say if they do or not. It's really up to them how they manage things. They may try to play hard ball, to avoid "buyers remorse". It may feel good to donate a bunch of money. The person may realize later that it was more than they could afford. If they confirm that the purchase was legitimate, it becomes a more difficult task to get the chargeback. I say difficult, but not impossible.
We just chose to take the path that is best for the customer. We'd rather please the consumer, who
Re: (Score:2)
Didn't the Great Banking Coup of September 2008 teach you anything? Banks can justify whatever they want, and we all have to take it, because there is no regulatory oversight anymore.
Re: (Score:2)
And if Hyperbole doesn't, Starvation will.
Re: (Score:3)
After 10 years working in the credit card industry I can tell you that banks rarely pass up an opportunity to hit merchants with fees, and charities are nothing more than merchants to them. The theory they go by is that merchants should be able to tell what transactions are fraudulent, but really it's just an excuse to charge for the trouble of having to deal with chargebacks (and make a little extra money on the side).
Re:"Donations" to Charities (Score:5, Funny)
Yeah, yeah, about that: do you have the URL for the donation pages for the RIAA and MPAA?
Re: (Score:3, Informative)
Indeed. Good job, Anonymous! [twitter.com]
Re: (Score:1)
That's kind of messed up. If I were the banks... I'd try to find some way to "forgive" that or charge the whole incident to the credit card fraud department. Credit cards charge such high interest in part to pay for such things. Just tap that fund for this and leave the poor charities alone.
Charities? (Score:2)
I hopped over to Stratfor's Facebook page and one of the people who posted on it said their credit card info from Stratfor had been used at the well known charity called the Blizzard Store. ;)
Re: (Score:2)
Where does this even come from? The credit card numbers were given to Stratfor. That's for security analysis. Where do you make up this collateral damage crap here?
Do you really use the same credit card to sign up for security analysis as you do for donating to the Red Cross, even if you're the government? I doubt it.
Re: (Score:3)
From the ArsTechnica article:
According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.
Why the hell did Stratfor store credit card numbers in plain text?
They totally deserve what happens to them, I hope they'll have to pay all charges for the credit card changes.
This is not the first time a company has this kind of problem, but we are now (almost) in 2012, so this problem should have disappeared a long time ago.
Did they audit their security? It's pretty sure, but they probably didn't show their custom modules, so it's totally their fault here.
Would you prefer th
Re: (Score:2)
Because they are a useless parking lot for political "science" graduates that can't get a job anywhere else but are handy as campaign workers each election. When is the USA going to wake up and understand that the "think tanks" are full of rejects instead of experts.
Re: (Score:2)
From one perspective parasitic noisemakers that pretend to be far more than they are such as "think tanks" are an obvious target for people that want to stir up trouble and not get hurt. By pretending to be like a competent well staffed intelligence bureau without actually having the resources of a small newspaper they would look like a juicy target to somebody that would really like to give the CIA or NSA some emba
If Anon had balls, they'd go after the CC companies (Score:2)
Seriously. The fact that so few people understand how the CC system works (including you, no offense) is kind of funny.
Re: (Score:2)
Meh, sounds like a good thing.
Money out of the Red Cross' coffers means they've got less money to waste on things like suggesting online gamers are committing war crimes. That's between wasting money suing games companies who dare use the red cross on health packs and stuff too.
Money out of Save the Children's coffers means they have less money to continue to campaign for web censorship.
It may suck for CARE, but I've no idea who the fuck they are.
Either way, if the Red Cross and Save the Children were effect
Attacking the American Intelligence Community (Score:2, Insightful)
A special Category in the Darwin Awards.
Re: (Score:2)
Storing credit card numbers attached to account data doesn't sound like the intelligence community, sounds more like some douches who went out to find some guys and said "hey you're really smart! give us your CC number and some cash!" to some slobs they found.
Real funny shit is how "TEH OFFICIAL ANONYMOUS" is claiming they didn't do it, which is a bit of a what the fuck too, don't they realize they're anonymous - there's no core, there's no agenda, if you don't like it form a hacking group like LulzSec.
but you
Re: (Score:2)
Add on 9,651 charges of credit card fraud.
Re: (Score:2)
A lot of corporations require long signatures with disclaimers and terms etc. Usually they plant a bunch of corporate logos in there too. The size of the emails sounds about right.
Re: (Score:2)
Just a handful of PowerPoint files will skew the average quite a bit.
A new way to mitigate credit card fraud (Score:2)
"Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired"
Sounds like 80% of the problem evaporated based on card expiry. How do we go about making CCs expire more frequently?
Re: (Score:3)
So if it's expired just add 4 years or so to the date and the card goes through.
Whenever a new card is issued, the CVV changes (or is it CCV). Most online credit card forms require this number in addition to the other info on the card, so just changing the year doesn't work.
Re:A new way to mitigate credit card fraud (Score:5, Informative)
You must not have any credit cards, then. I haven't had any credit cards (and I have a dozen) that are not renewed with the account number intact. The expiration date is bumped ahead by some predictable number of months (12, 24, 48, etc), and that's it. Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date. You should get it right on 3rd or 4th try at worst. You can then cache the initial expiration date delta with the first 4 digits of the account number as the cache lookup key.
Re: (Score:2)
Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date.
You're forgetting about the CCV "extended verification" digits on the back of the card, they are rotated along with the expiration date but not in such a predictable pattern.
Brute forcing one of those will almost assuredly have the card locked out before you get a chance to spend any money.
Re: (Score:2)
Hmm, this is insightful. Some places do not need CCV, though. I haven't checked TFA: did they store CCVs?!
Re: (Score:2)
They did, and they are.
Re: (Score:2)
Isn't that what the verification code in the back is for? That one has always changed for me (even if the main number doesn't).
Re: (Score:2)
Each time I've had any new card the 3 CVV digits on the rear change too.
With all my debit cards, the last 4 digits of the card changes each time too.
Also, I don't think I've ever had a debit card for its full term. My banks always sent me out a new card before the old one expires for various reasons such as adding chip and PIN, adding contactless payment tech, or this time simply for "security reasons" without elaborating what they are.
I don't think I've even ever had a credit expire on its given date and
Re: (Score:2)
You're right as to debit cards, I had the same experience with those. They seem somehow different from credit cards as far as reissuance is concerned. For credit cards, they had simply sent me new ones a couple months before the expiration date, and they'd usually have new expiration = old expiration + 36 months.
It's called a securid token. (Score:2)
HTH.
Re: (Score:1)
What about re-using the numbers for different customers... the name *and* number are verified right?
Re: (Score:2)
You can't do that. CC numbers are absolutely unique, and the available pool isn't as large as you think either (the digits on the card have to pass the Luhn algorithm).
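As an added example (not from the article or any commenter), the kind of triage Identity Finder describes in the summary at the top, applied to a constructed dump: dedupe the claimed e-mail addresses, keep only card numbers that pass the Luhn checksum mentioned in this comment, and split those into expired and still-current for a reference date. The rows, the reference date and the e-mail domains are all constructed; the card numbers are publicly known test numbers, not accounts from the leak.

```python
"""Triage of a constructed breach dump: unique e-mails, Luhn check, expiry split."""
from datetime import date

# Constructed sample rows (email, card number, expiry "MM/YY"). Not from the leak.
SAMPLE_ROWS = [
    ("alice@example.org", "4111111111111111", "05/10"),
    ("ALICE@example.org", "4111111111111111", "05/10"),  # same person, case differs
    ("bob@example.net",   "5500000000000004", "11/11"),  # expired one month earlier
    ("carol@example.com", "4012888888881881", "03/13"),  # still current
    ("dave@example.com",  "4111 1111 1111 1112", "12/14"),  # fails Luhn: garbage row
    ("erin@example.org",  "378282246310005",  "12/11"),  # valid through end of Dec 2011
]

# Constructed reference date: the week the dump was being analysed.
REFERENCE_DATE = date(2011, 12, 27)


def luhn_valid(number: str) -> bool:
    """True if the digits pass the Luhn checksum; spaces and dashes are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:  # card PANs are 12 to 19 digits long
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9  # equivalent to summing the digits of the product
        total += d
    return total % 10 == 0


def is_expired(expiry: str, today: date) -> bool:
    """A card is valid through the last day of the month printed on it."""
    month, yy = expiry.split("/")
    return (2000 + int(yy), int(month)) < (today.year, today.month)


def triage(rows, today=REFERENCE_DATE):
    """Count what the dump really contains, as opposed to what is claimed."""
    unique_emails = {email.strip().lower() for email, _, _ in rows}
    cards = {}  # normalised PAN -> expiry, so a card listed twice counts once
    failing_luhn = 0
    for _, pan, expiry in rows:
        pan = "".join(c for c in pan if c.isdigit())
        if not luhn_valid(pan):
            failing_luhn += 1
            continue
        cards[pan] = expiry
    expired = sum(1 for expiry in cards.values() if is_expired(expiry, today))
    return {
        "emails_claimed": len(rows),
        "emails_unique": len(unique_emails),
        "cards_unique": len(cards),
        "cards_failing_luhn": failing_luhn,
        "cards_expired": expired,
        "cards_current": len(cards) - expired,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```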
Re: (Score:2)
Not worthless. The rule is that if CV2 code is supplied, it must be correct. However, it is optional.
Just don't expect to have any chance of winning a chargeback if you didn't request CV2.
Re: (Score:1)
(Yes)
They were pwned, that's what counts (Score:1)
Go anon!
If even strong passwords can get leaked... (Score:2)
...what's the point of having a strong one?
I'm wondering what's the biggest risk with passwords: having it hacked and either stored decrypted or decrypted later, or having someone guess it? I'm starting to think it's the former, which makes me think there's no point in super complex "try and guess THIS one!" passwords.
Re: (Score:3)
Cover yourself from both ends: have one password per account (a must!) and have them complex. If you do the former, then you'll need a password manager anyway, so the latter becomes trivial.
Re: (Score:1)
Don't use passwords if possible! Especially on your public web Linux server, unless they're at the application-level and protected by TLS/SSL.
SSH daemon should only respond to key-based authentication queries, and furthermore iptables should lock do
Re: (Score:2)
Now within the same physical environment as the servers I sometimes do exactly what you've suggested, but offsite I'm very reluctant to have some
Re: (Score:1)
Essentially what I was trying to say is that passwords only do so much, but should be used in combination with another means of security (e.g. two factor auth). I suppose "don't use passwords if possible" can be interpreted as simply "d
Re: (Score:2)
You're mostly correct - you are mentioning the problem with having a "Global Secret". In that sense, a personal password is little different than a "Global Secret" that hasn't been distributed, yet.
The larger issue is almost always endpoint security, though. Endpoints are *both* ends - your local PC, and the server at the far side. In this case, the cost of engineering a competent solution was more than the cost of a compromise - the bulk of the cost of this hack will be paid by anyone BUT Stratfor execs
Re:If even strong passwords can get leaked... (Score:4, Interesting)
Use unique passwords for everything important and use a secure but salted password for various sites. Let's say my generic secure password is $sJ55Pm#
I salt the secure password between the fives with the initials of the website alternating caps. So my /. password could be $sJ5Sd5Pm# and my World of Warcraft password could be $sJ5WoW5Pm#.
I only have to remember one good password and a formula. Someone clever enough could hand analyze the passwords and might spot the salting but realistically, very few people are worth that effort.
which makes me think there's no point in super complex "try and guess THIS one!" passwords.
One practices good password habits because they help when a site does things properly. Nothing is going to save you if a site is terribly set up but that doesn't mean you should abandon best practices.
Re: (Score:2)
Alone, alternating caps adds next to no security. It is one of a number of well-known predictable ideas which are cheap to test for, so the attacker will try them. It only takes three times as long to test the root plus both series of alternating caps as it does to test just the all lower case root. Using leet speak (sorry, 133+ speak) is not of very much use for the same reason.
Truly random upper case characters and digits thrown into the password, in NON-OBVIOUS PLACES, offers FAR more security.
The number
Re: (Score:2)
Alone, alternating caps adds next to no security.
Well, yes, that's why I specified in this theoretical example that the salt was the initials of the website with the caps alternated. One needs the salt (which, yes, is not a true cryptographic salt, although I do know people who run their generic secure password plus a salt through hash algorithms and use the resulting hash as their password) to be memorable to the user and again, virtually no one is important enough that someone would sit there pulling apa
Re: (Score:2)
Yes, I think "pretty damn good system" makes it pretty clear I like it.
The rest is a completely general critique of a lot of not so good ideas that are found in this topic in general.
Re: (Score:2)
If you're storing customer CCs on the same machine as you're doing your email hosting and web serving from... what's the point in anything?
Most of you probably know this but ... (Score:2)
http://xkcd.com/936/
More importantly, don't reuse passwords that you put on anything important. Some idiot may store them in plain text on a blog site, dropbox authentication or whatever useless bunch and then a cracker could use them to get into your bank or wherever else you've used the password.
Now even Facebook passwords could be
Inhibit Histrionics (Score:1, Offtopic)
I wrote, and rewrote, and rewrote a long and subtle post on the value of contemplating the underlying forces acting in society that lead to events like this, rather than jumping to adulation or condemnation. I came to the conclusion that I could not make it clear that I was advocating contemplation, not support or opposition. That all I would get in response would be some twit turning my post into a straw man then hurling rhetorical vitriol at it.
Then it came to me -- I may be able to extract some value fro
Re: (Score:2)
I think the best inhibitors of histrionics are the long and subtle posts on the value of contemplation of underlying forces acting in society. Post away, ignore the peanut gallery.
Re: (Score:2)
Post away, ignore the peanut gallery.
Yeah -- you're right, as is the Offtopic mod. Thanks.
Re: (Score:2)
It's probably customers asking for security strategy advice and tips. That's their business, answering such mails. If they turn out as a joke on quality, they're finished as a business.
Re: (Score:2)
I blame HTML mail. Have you ever seen the source of your average Exchange email thread? The horrors!!
Then there are those people who send BMPs embedded in Word/Excel so they can send you a screenshot! Gaaaack
Re: (Score:2)
+1 funny as hell.
Re:Another Linux using server compromised? LMAO! (Score:4, Informative)
Bzzzt. Thank you for playing. The 2.2.15 doesn't tell you the patch level. Here's from a completely up to date RHEL6 system:
[fnj@baldur ~]$ rpm -qa | grep httpd
httpd-tools-2.2.15-15.el6.x86_64
httpd-2.2.15-15.el6.x86_64
The -15 tells you the patch level. 2.2.15-15.el6.x86_64 was issued this month. As long as Red Hat supports RHEL6, and that will be for a goodly number of years more, they will issue security and other patches. For example, their kernel is presently 2.6.32-220.2.1.el6.x86_64, but they track and backport not only the latest security patches but also a lot of hardware support and new feature improvements.
Re: (Score:2)
I don't think it makes any difference in principle what the distro is, apart from rolling releases. For example, Debian squeeze:
root@testvm:~# dpkg-query -p apache2 | grep Version
Version: 2.2.16-6+squeeze4
I'd be surprised if that did not include the latest security patches.
Re: (Score:1)
You can't moderate AND post. Slashdot doesn't allow that. It is impossible for anyone to explain why they moderated any particular way.
Moderation is largely about your presentation of your argument, which is earning you a lot of that mess. It still looks like you cherry-pick the facts that are convenient for your argument, regardless of whether you're actually doing so. There are undoubtedly facts that don't make your argument look as solid. That's what I'm asking: do you, or don't you pay attention to the
Re: (Score:2)
As another hacked reader, yeah I'm unhappy about this too. Considering that I was donating to wikileaks before, this is just painful.
Stratfor's just come out with their email, 8pm, not great, but here we are. They've done the standard 1yr prepaid monitoring service for identity theft.
I looked around to verify that my CC was actually breached (who knows, maybe it was a card I've already canceled?), but all the primary copies of the CC list seem inaccessible. It'd be lovely if they were taken down before I
Shakes head as the fail whale is summoned again: (Score:2)
I saw a copy of their email. My reaction? Your customers have just been hacked. They're probably checking closely what they click on in any email you send.
Pro Tip:
Using URLs that display as coming from csid.com but when hovered over show up as en25.com is probably not a peachy wonderful idea.
I happen to know that en25.com is Eloqua (contact management service) and could check that it was probably legit, but most would figure it was a phishing attack sent out on your compromised email list.
Stratfor may be try