When hackers used the Christmas holiday to attack Stratfor, a security group based in Austin, Tex., they initially said they were aiming to steal the credit card numbers of its clients and use them to make $1 million in donations to charity.
But by Tuesday, it was unclear who was actually behind the attack, and whether the real goal was to play Robin Hood or release a trove of Stratfor e-mail correspondence.
On Saturday, hackers claiming to be members of the collective known as Anonymous defaced the Web site of Stratfor, which puts out a newsletter on security and intelligence issues, and posted a file online that they claimed was the organization’s confidential client list, along with credit card details, passwords and home addresses for those clients. The clients were affiliated with organizations including Bank of America, the Defense Department, Doctors Without Borders, Lockheed Martin, Los Alamos National Laboratory and the United Nations.
The hackers claimed to have obtained 2.7 million e-mails from Stratfor’s servers, a number they later increased to 3.3 million. They said they were able to obtain the e-mail and credit card details because Stratfor had failed to encrypt its data — a basic first step in data protection.
IdentityFinder, a data protection software maker, found that hackers had released 47,680 unique e-mail addresses and 50,277 unique credit card numbers — of which 9,651 were not yet expired. Of the 44,188 encrypted passwords, IdentityFinder said 50 percent could be easily cracked.
Stratfor has not clarified whether its data was encrypted, and did not respond to repeated requests for comment. But on Sunday, with its Web site still down, it took to Facebook to respond to the attack. There it said that the published list of “private clients” was “merely a list of some of the members that have purchased our publications and does not comprise a list of individuals or entities that have a relationship with Stratfor beyond their purchase of our subscription based publications.”
By then, hackers had already begun posting receipts online that they said were for donations made with Stratfor subscribers’ stolen credit card details to organizations like the Red Cross and CARE.
In an interview on Monday, a Red Cross spokeswoman, Laura Howe, said that because her organization sees an uptick in giving around the holidays, it was difficult to ascertain how much of its weekend donations online were related to the Stratfor breach.
“We’re aware of the issue and our online giving team is looking into it,” Ms. Howe said. “If someone believes an unauthorized charge has been made, they need to contact their credit card company and we will work with the credit card companies on refunding the donation.”
Contacted Monday, Brian Feagans, a CARE spokesman, said he had not heard about the Stratfor breach. But on Tuesday he issued this statement: “We are looking into this matter and will work with any Stratfor hacking victims who did not intend to give to CARE to assure they get reimbursed.”
Computer security experts began weighing in on Stratfor’s breach Monday. Mikko Hypponen, an influential security expert, pointed out in a blog post that the hack was likely to do charities more harm than good. “When credit card owners see unauthorized charges on their cards, they report them to their bank or credit card company. Credit card companies will do a charge back to the charities, which will have to return the money,” Mr. Hypponen wrote. “In some cases, charities could be hit with penalties. At the very least, they will lose time and money in handling the charge backs.”
In a statement posted online on Monday, Barrett Brown, an Anonymous spokesman, said that the goal of the Stratfor attack was not to donate money to charities.
“Rather, the operation was pursued in order to obtain the 2.7 million e-mails that exist on the firm’s servers,” Mr. Brown wrote in a post on the Web site Pastebin. “This wealth of data includes correspondence with untold thousands of contacts who have spoken to Stratfor’s employees off the record over more than a decade.”
But by Tuesday, hackers had released only limited e-mail correspondence. They posted one e-mail from Stratfor’s chief executive, George Friedman, to a Stratfor senior programmer, thanking him for his help in promoting Mr. Friedman’s recent book.
There were also questions as to whether the Stratfor attack was really the work of Anonymous. On Sunday, someone claiming to represent Anonymous posted a message on Pastebin denying responsibility for the attack: “The Stratfor hack is definitely not the work of Anonymous.”
The confusion escalated Monday night when a separate note on Pastebin claimed that the authors of the first post were Stratfor employees and that the post “claiming the Stratfor hack is not the work of Anonymous is not the work of Anonymous.”
“With these sorts of operations, there will always be objections from one quarter or another that it’s not really an Anonymous op,” Mr. Brown said in an e-mail on Monday. He said that the denial message had been posted by someone “who has a history of putting up such things under false pretenses.”