Stratfor held payment details in plain text before 2011 hack: Report

A leaked Verizon report, written soon after the 2011 Stratfor hack, shows a lack of basic security in the company's systems.
Written by Chris Duckett, Contributor

The AntiSec hack of global intelligence firm Stratfor shortly before Christmas 2011 exposed the payment details of 79,062 credit cards, because Stratfor stored cardholder names, addresses, CVC/CVV codes, and expiry dates in plain text, according to a leaked Verizon security report into the incident. Storing the CVC/CVV after a transaction has been authorised is prohibited outright by the PCI DSS, regardless of encryption.

Revealed by The Daily Dot over the weekend, the leaked report said that Stratfor had failed to harden its systems in almost any fashion before the hack took place.

Although Stratfor nominally had two environments, an e-commerce environment for its website, database and payment systems and a corporate environment for its office employees, the report said that Stratfor had failed to segment its networks, and systems handling cardholder data were directly reachable from the corporate subnet. Furthermore, remote SSH and remote desktop connections were not logged to any external system, and no firewalls were used to filter either inbound or outbound network traffic.

This lack of network separation proved costly for Stratfor: Verizon said the attackers piped a MySQL dump directly to a corporate Zimbra mail server, from which the data was subsequently exfiltrated.

Stratfor became aware of the data breach on 6 December 2011, and informed the FBI of the at-risk payment information the next day. However, on 24 December, Stratfor's site was defaced and its servers were rendered unusable when the attackers ran a recursive delete command, "rm -rf", against each system's root directory, effectively wiping every system.

"The fact that the STRATFOR database, Zimbra, SMTP, and Web servers were Internet facing and remotely accessible contributed to the occurrence of this data breach," the Verizon report said. "It should be noted that a password management policy does not exist within Stratfor."

The report said that one account was shared among several users, and that active accounts were present on systems where they were not needed. One IT employee, who told Verizon investigators that they had no need for SSH access to the SMTP server, was found to have made 35 SSH connections to it between October and the end of 2011. The true number could be higher, as Verizon had to carve the evidence from unallocated space on the systems' hard drives because Stratfor had rebuilt and reimaged the server after the attack.
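The finding above is the kind of thing a simple review of sshd logs surfaces, provided the logs survive the incident. The following is an added example, not code from the Verizon report or from Stratfor: it parses constructed sshd "Accepted" lines, counts successful logins per account per host, flags accounts that are not on a hypothetical least-privilege allow-list for that host, and flags accounts used from more than one source address, which is one indicator of account sharing. The log lines, hostnames, usernames and the ALLOWED mapping are all invented for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (invented for this example; not from the report).
SAMPLE_AUTH_LOG = """\
Oct  3 02:14:07 smtp01 sshd[2231]: Accepted password for itadmin from 10.0.5.23 port 51022 ssh2
Oct  3 09:41:52 smtp01 sshd[2418]: Accepted publickey for mailops from 10.0.5.40 port 50112 ssh2
Oct 12 23:02:11 smtp01 sshd[3107]: Accepted password for itadmin from 10.0.5.23 port 51988 ssh2
Oct 12 23:05:30 smtp01 sshd[3110]: Failed password for root from 198.51.100.7 port 40211 ssh2
Nov  2 04:17:44 db01 sshd[9001]: Accepted password for shared from 10.0.5.23 port 52033 ssh2
Nov  2 04:20:02 db01 sshd[9005]: Accepted password for shared from 10.0.5.77 port 52100 ssh2
Dec 20 01:03:19 smtp01 sshd[4412]: Accepted password for itadmin from 10.0.5.23 port 53410 ssh2
"""

# Matches only successful logins; failed attempts are deliberately ignored here.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Hypothetical least-privilege allow-list: which accounts are expected on which host.
ALLOWED = {
    "smtp01": {"mailops"},
    "db01": {"dba"},
}


def parse_accepted(log_text):
    """Return a list of dicts (ts, host, method, user, src) for each accepted login."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def count_logins(events):
    """Count successful logins per (host, user)."""
    return Counter((e["host"], e["user"]) for e in events)


def find_unexpected(events, allowed=ALLOWED):
    """Return {(host, user): count} for accounts not on the host's allow-list."""
    counts = count_logins(events)
    return {
        (host, user): n
        for (host, user), n in counts.items()
        if user not in allowed.get(host, set())
    }


def find_shared_accounts(events):
    """Return {(host, user): sorted sources} for accounts used from more than one address."""
    sources = defaultdict(set)
    for e in events:
        sources[(e["host"], e["user"])].add(e["src"])
    return {key: sorted(srcs) for key, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    evs = parse_accepted(SAMPLE_AUTH_LOG)
    for (host, user), n in sorted(count_logins(evs).items()):
        print(f"{host:8} {user:10} {n} login(s)")
    for (host, user), n in find_unexpected(evs).items():
        print(f"UNEXPECTED: {user} on {host} ({n} login(s)) is not on the allow-list")
    for (host, user), srcs in find_shared_accounts(evs).items():
        print(f"POSSIBLY SHARED: {user} on {host} used from {', '.join(srcs)}")
```

The allow-list check is the access-control review Stratfor lacked; the multi-source check would not prove sharing on its own (one person can use two workstations), but it gives a short list of accounts to ask about. Shipping the log lines to a separate collector, rather than reading them off the host, is what keeps this review possible after a reimage.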

During its investigation, Verizon confirmed that Stratfor had never conducted penetration testing of its environment, did not use any form of access control list, and had no file integrity monitoring, which let the attackers write custom scripts to the systems and compress and extract the e-commerce databases without being detected.

The Daily Dot said that a cache of sealed court documents obtained by the publication showed that the Stratfor attacks were directed by LulzSec leader turned informant Xavier "Sabu" Monsegur, and that chat logs showed Sabu had learned of Stratfor's weaknesses from another hacker known as "Hyrriiya".

LulzSec member Jeremy "Anarchaos" Hammond pleaded guilty to taking part in the Stratfor attack and is currently serving a ten-year prison sentence.