Hackers hit Security Firm and donate stolen funds
One hacker said the goal of the attack on Stratfor Global Intelligence was to pilfer funds from individuals’ accounts to give away as Christmas donations, and some victims confirmed that unauthorized transactions were made using their credit cards.
Anonymous boasted of stealing Stratfor’s confidential client list, which includes entities such as Apple Inc., Bank of America, the Department of Defense, Doctors Without Borders, Lockheed Martin, Los Alamos National Laboratory, the Miami Police Department, and the United Nations. It said it mined the list of more than 4,000 clients to secure about 90,000 credit card numbers, as well as passwords, home addresses, and e-mails.
Stratfor, based in Austin, Texas, provides political, economic, and military analysis to help clients reduce risk, according to its YouTube page. It charges subscribers for its reports, which are delivered through the Web, e-mails, and videos. The company’s main website was down yesterday, with a banner saying the “site is currently undergoing maintenance.”
Proprietary information about the companies and government agencies that subscribe to Stratfor’s service did not appear to be at any significant risk, with the main threat posed to individual employees who had subscribed.
“Not so private and secret anymore?” Anonymous taunted in a message on Twitter, promising that the attack on Stratfor was just the beginning of a Christmas-inspired assault on a long list of targets.
Anonymous said the client list it had posted was a small slice of the 200 gigabytes of information it stole from Stratfor, and it said more leaks would follow. The group said it was able to get the credit card details in part because Stratfor didn’t bother encrypting them – an easy-to-avoid blunder which, if true, would be a major embarrassment for any security-related company.
Fred Burton, Stratfor’s vice president of intelligence, said the company had reported the intrusion to law enforcement and was working with them on the investigation.
Stratfor has protections in place meant to prevent such attacks, he said. “But I think the hackers live in this kind of world where once they fixate on you or try to attack you it’s extraordinarily difficult to defend against,” Burton said.
Hours after publishing what it said was Stratfor’s client list, Anonymous tweeted a link to files online that were encrypted. It said they contained such information as client names, addresses, phone numbers, and e-mails.
“Not as many as you expected? Worry not, fellow pirates and robin hoods. These are just the ‘A’s,” read a message posted online that encouraged readers to download a file of the hacked information.
The attack is “just another in a massive string of breaches we’ve seen this year and in years past,” said Josh Shaul, chief technology officer of Application Security Inc., a New York-based provider of database security software.
Still, companies that shared secret information with Stratfor in order to obtain threat assessments might worry that the information is among the 200 gigabytes of data that Anonymous says it stole, he said.
“If an attacker is walking away with that much e-mail, there might be some very juicy bits of information that they have,” Shaul said.
Lieutenant Colonel John Dorrian, public affairs officer for the Air Force, said that “for obvious reasons” the Air Force doesn’t discuss specific vulnerabilities, threats, or responses to them. He said officials would take any action needed to protect networks and information.
Sergeant Freddie Cruz Jr., a spokesman for the Miami Police Department, said he could not confirm that the agency was a client of Stratfor and said he had not received any information about a security breach involving the department.
Anonymous presented images that it suggested were receipts for charitable donations made by the group manipulating the credit card data it stole.
“Thank you! Defense Intelligence Agency,” read the text above one image that appeared to show a transaction summary indicating that an agency employee’s information was used to donate $250 to a nonprofit.
One receipt – to the American Red Cross – had Allen Barr’s name on it.
Barr, of Austin, Texas, recently retired from the Texas Department of Banking and said he discovered last Friday that $700 had been spent from his account. Barr, who has spent more than a decade dealing with cybercrime at banks, said five transactions were made.
“It was all charities, the Red Cross, CARE, Save the Children. So when the credit card company called my wife she wasn’t sure whether I was just donating,” said Barr, who wasn’t aware until a reporter called that his information had been compromised when Stratfor’s computers were hacked.
“It made me feel terrible. It made my wife feel terrible. We had to close the account.”
Wishing everyone a “Merry LulzXMas” – a nod to its spinoff hacking group Lulz Security – Anonymous also posted a link on Twitter to a site containing the e-mail, phone number, and credit card number of a US Homeland Security employee.
The employee, Cody Sultenfuss, said he had no warning before his details were posted.
“They took money I did not have,” he said in e-mails, which did not specify the amount taken. “I think, ‘Why me?’ I am not rich.”
The breach doesn’t necessarily pose a risk to owners of the credit cards. A card user who suspects fraudulent activity on his or her card can contact the credit card company to dispute the charge.
Stratfor notified members that it had suspended its servers and e-mail after learning that its website had been hacked.
“We have reason to believe that the names of our corporate subscribers have been posted on other websites,” said the message, signed by George Friedman, Stratfor chief executive. “We are diligently investigating the extent to which subscriber information may have been obtained.”
One member of the hacking group, who uses the handle AnonymousAbu on Twitter, said more than 90,000 credit cards from law enforcement, the intelligence community, and media companies had been hacked and used to “steal a million dollars” and make donations.
Anonymous warned it has “enough targets lined up to extend the fun fun fun of LulzXmas through the entire next week.”