Why we all lost in the Stratfor hack

Summary: I like hearing when companies pay the price for lax security, but in the case of Stratfor, proving that someone's security is weak by spilling everyone's details is like peeing your pants to prove your parents aren't supervising you. It might feel good and warm at first, but you ultimately end up being the loser.

TOPICS: Security

(Classy dude image by Jón Sigurðsson, CC2.0)

Stratfor is one of the latest companies allegedly targeted by Anonymous. The breach, which began to make headlines on Christmas Day in the US, resulted in the theft of 200GB of data and ultimately the publication of its customers' email addresses, credit card numbers, and the corresponding card verification numbers and billing addresses.

The hackers wanted to release the credit card details because they belonged to "rich and powerful oppressors". But even the author of the release stated that, of the 860,000 email addresses published, just 50,000 were from military or government domains. How many of those 50,000 were even responsible for oppressing anyone? And even if all 50,000 were, was it really worth ruining the privacy of 810,000 other, most likely innocent, bystanders?

Sure, Shadow Communications Minister Malcolm Turnbull and Generation Investments founder David Smorgon, two Australians whose private details were published, might have a lot of money, but are they rich and powerful oppressors?

Some may argue that Turnbull is oppressive given his stance on the NBN, but the fact of the matter is that government requires constant checks and balances, which an opposing politician provides. We are, as a whole, less oppressed through any role that keeps government in check.

What about Smorgon? Well, for a guy who has been awarded the Medal of the Order of Australia for his contributions to health, education and social welfare organisations, surely he's not oppressive, right?

Both men have money, but consider US Homeland Security employee Cody Sultenfuss, who, the Associated Press learned, did not even have the money that was charged to his account. He said he wasn't rich, and I seriously doubt he could have had much of a hand in oppressing people. It's not just the rich who are the victims.

What about Stratfor itself? The company is an intelligence firm, not a security company. While that doesn't exclude it from attack, most would have thought it of little interest to Anonymous. It even warned Anonymous once. During Anonymous' Operation Cartel, a plan to release the names of those involved in the Mexican Zetas drug cartel in response to the kidnapping of an Anonymous member, the company wrote in a report: "we have seen evidence of cartels employing their own computer scientists to engage in cybercrime, it is logical to conclude that the cartels likely have individuals working to track anti-cartel bloggers and hackers" such as Anonymous' members.

There also appears to be division within Anonymous itself.

Shortly after Stratfor customer information was leaked, a post defending the company was released claiming that Anonymous is not and should not be held responsible for the attack.

"Stratfor analysts are widely considered to be extremely unbiased. Anonymous does not attack media sources," the post read.

"This hack is most definitely not the work of Anonymous."

While Stratfor shouldn't be let off the hook for its lax security practices, there are better ways to prove a point and still stay classy about it.

Partial card numbers, or hashes of the full details, would have let the rightful owners confirm that their details had been stolen without handing those details to everyone else. The information could also have been provided anonymously to multiple government, or independent, privacy bodies.

What experienced hacker wouldn't know how to publish only a hash of sensitive information, or how to cover their tracks and submit it anonymously?
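One caveat a practitioner would add to the "just publish a hash" suggestion: a plain, unsalted hash of a credit card number is not a safe disclosure format, because the space of card numbers is tiny. If the masked number (first six and last four digits, the usual receipt style) is published next to the hash, only six digits are unknown, and the Luhn check digit shrinks even that. The script below is an added example, not code from the article or from anyone involved in the breach; it uses a well-known Luhn-valid test number as a constructed sample and shows the hidden digits being recovered by brute force in a fraction of a second. A masked number alone, or a keyed hash whose key is held only by a trusted third party, avoids this.

```python
"""Added example (not from the article): why a plain hash of a card number,
published beside the masked number, does not protect the card holder."""
import hashlib
from typing import Optional

# Constructed sample: a standard Luhn-valid test number, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six (issuer BIN) and last four digits, star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_hash(pan: str) -> str:
    """Unsalted SHA-256 hex digest: the naive 'safe' way to publish a card."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan(masked: str, digest: str) -> Optional[str]:
    """Brute-force the starred digits given the mask and the unsalted hash.

    With six hidden digits there are at most 10**6 candidates, and only
    about one in ten survives the Luhn check, so the full number falls out
    almost immediately. Returns None only if no candidate matches.
    """
    head, tail = masked[:6], masked[-4:]
    n_hidden = masked.count("*")
    for m in range(10 ** n_hidden):
        candidate = head + str(m).zfill(n_hidden) + tail
        if not luhn_ok(candidate):
            continue
        if pan_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)
    digest = pan_hash(SAMPLE_PAN)
    print("published :", masked, digest)
    print("recovered :", recover_pan(masked, digest))
```

The same attack works without the mask, just more slowly: a six-digit BIN is usually guessable from the issuer and the remaining nine digits give at most a billion Luhn-filtered candidates, which is an afternoon's work on commodity hardware. Any hash meant for owner verification therefore needs a secret key (an HMAC) that the public never sees, or the disclosure should stop at the masked number.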

In the absence of data breach notification laws, and given the refusal or failure of organisations to assess their own security, Anonymous and spin-offs like LulzSec certainly have a role to play in raising awareness of information security. But it's only when the average citizen is protected that we get both the satisfaction of (renegade) justice and the lulz.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • While Stratfor may be innocent of many of the 'charges' that Anonymous lays at its door, it is nonetheless representative of a 'ruling elite' that has allowed lax security standards to proliferate by omission. I believe that Anonymous has, on balance, played a constructive role in highlighting the flaws in our systems and is making those guardians of our data sit up, take notice and take security more seriously.
  • I think that the world must wake up and start realising that we made our countries very weak by hanging everything and everybody's private stuff on an open network like the internet. Not only do we hang our defence systems on the internet, but also our banking systems and medical file systems. Espionage has never been so easy as in this time of the internet. You can blame the hackers or Anonymous, but they have all made it very clear that the world has run into stupidity by hanging everything on the internet. Even our own governments put all information about us on the internet, and like to make backdoors in our computer systems so they can monitor what we do. But in their stupidity they ignore the fact that other countries can enter the same backdoor. That way, it became impossible to compete with foreign companies, because our offers are known by the competition before we send them to our prospects. This is just one example of how our own governments are undermining their own economy with their stupid monitoring behaviour....because everyone is a suspected terrorist. Well, the biggest terrorists of these days are our own governments. As my girlfriend said to a station full of travellers: "Hey stupids, the train doesn't come because the driver is drunk!"