Stratfor Hacking Underscores Need for Fast Communications Response
In what may go down as one of 2011’s more serious cases of malicious website hacking, the main site of Stratfor – which bills itself as a “global intelligence leader” – was taken offline on Christmas Eve.
It’s the latest cyber-attack attributed to members of the hacktivist group Anonymous, and one of the worst. The names, credit card details and other revealing information of an alleged 4,000 Stratfor clients were stolen and reposted on other websites to be shared around the world, and that sharing has already begun.
What has happened to Stratfor underscores how any high-profile company should respond to its clients in the face of such a crisis, regardless of whether or not it’s a holiday weekend. Stratfor has communicated poorly, especially for a company that provides a continuous stream of global intelligence to clients.
The New York Times reported, “Stratfor executives did not return calls for comment on Sunday.” There is no excuse for that, in my view.
There are already lessons to be learned from the Stratfor incident for professional communicators, because communicators need a level of tech awareness in today’s digital era, where the brands, images and reputations of companies can be shattered in nanoseconds.
Stratfor, which purports to be a “shadow CIA” intelligence resource for thousands of companies and individuals, appears to have been a poster child for poor Internet security itself:
- Stratfor’s IT people never hid the company’s website IP numbers or the fact that its servers were located at a relatively small Internet hosting company in Austin, TX, which probably would have been understaffed on Christmas Eve. This may be a small point but it suggests a careless approach to website security. Anyone can quickly see that information via Godaddy.com or any domain name registrar. Simply enter a search for ownership (called “WhoIs”) of Stratfor.com and it reveals the IP numbers and that the servers are located at a place called Corenap.com in Austin. This is akin to intentionally leaving your house keys in the driveway only to be surprised when you return home that the place has been ransacked. Lesson to be learned: It costs $20 a year to hide such critical information.
- Stratfor’s IT people not only hosted the company’s website on the server but also used it for company email, 200GB of which allegedly was stolen by the hackers. Lesson to be learned: Use an online server for website hosting only. Don’t pinch pennies. Use Google Pro Apps for powerful email service that is highly secure and runs separately.
- Stratfor may have lacked a website backup, given how long the site has been offline. Their site was built on a Microsoft website platform, which is one reason companies like Lockheed Martin have switched to WordPress for greater online security. Lesson to be learned: Not all IT people are as smart as they think they are.
- Most troubling of all … Stratfor apparently stored highly sensitive documents on the same server … unencrypted. Client lists, credit card data, credit card PIN numbers and other information seemingly had been kept on the same server used to host the website. That was incomprehensibly reckless and naive, in my opinion.* It may also have violated the law. Lesson to be learned: When client and customer information is entrusted to a company, act responsibly. Security of client/customer information is paramount. Keep it offline and secured with encryption.
- When a hacking occurs, get out ahead of the social media buzz with openness, swiftness and transparency. Stratfor waited about 18 hours before posting a poorly written, repetitive and vaguely worded statement publicly on Facebook, which seemed to be more about the company than its clients. The company has yet to enter the firestorm of negative details and sharing of company information happening on Twitter and other social media. Lesson to be learned: When a crisis hits, respond instantly. You will be judged on how quickly you communicate. Show empathy, especially about stolen client information. Enter the online conversation even if you don’t have all the facts that the attorneys want you to have. A company’s trust and reputation, as in Stratfor’s case, may be at stake.
At this stage, about 24 hours after the Stratfor hacking, I would imagine the company has many very, very angry customers because Stratfor has not behaved like a responsible and professional “global intelligence” leader. It will be interesting to see if the company survives itself.
* As an aside, the website hosting company, Media Temple, stored client information in an unencrypted Word file online a couple of years ago. Their corporate site was hacked and the data stolen. Media Temple then blamed its customers for poor security, alienating many customers and generating a negative image of the company.
Category: Featured, Reputation management
This post is satire, right?
Nope.
I am referring to the ridiculousness of the bullet points you posted. Do you really think the IPs behind domain names can be kept secret? Do you know anything at all about DNS?
We received private emails from George shortly after they found out about the compromise, not 18 hours later and via Facebook as you suggested.
And when your site is cracked, you don’t just restore it from “backup” and continue as usual… you take it offline until the security issues can be addressed.
Your point #4 was valid, but the rest is uninformed and irresponsible.
Jason,
Thank you for your opinion. I know quite a bit about DNS.
There was one email from Friedman on Christmas Eve, not multiple as you suggest incorrectly. And, yes … organizations that depend on the net get their sites back online as quickly as possible, not 24+ hours later.
Have you read what The New York Times is reporting?
http://www.nytimes.com/2011/12/26/technology/hackers-breach-the-web-site-of-stratfor-global-intelligence.html
DH
I’ve been a Stratfor Client for the past 3 years. I was drawn to them because of their in-depth, cogent and unbiased analysis of many events that mirror the DDOS attacks that they are currently experiencing. A few years ago they had a great piece on the Cyber Attacks against Estonia by Russian Hacktivists. I wonder and hope that they will provide their readers with the same level of critical analysis regarding this incident.
David,
You seem to be assuming that the hack occurred on Christmas Eve. Their screenshot of a “donation” showed a transaction date of December 17. They may have revealed the hack yesterday but it may have been going on over weeks before.
Nor should you assume that they have no backup. They may have a backup, but why upload it if you haven’t figured out how to secure it better?
A private email from Friedman on Christmas Eve suggested the hack occurred then.
Interesting point about the backup. But they’ve got to get it back soon.
This entire article is a joke. I understand that there was an attempt to get something posted quickly, but aside from #4, the whole thing is absurd.
#1 – You cannot mask your IP information, all you can do is mask the domain name ownership, but certainly not the IP. There appears to be a basic misunderstanding of how DNS works.
#2 – Email was NOT hosted at the same site. Where did you get your information? A simple DNS check reveals that stratfor.com is hosted at IP 66.219.34.37 – which as you stated appears to have been allocated to Corenap. However, the MX record for stratfor points to mxgw01.stratfor.com, which resolves to 207.71.53.57, which is where the Stratfor mail server resides, right on Time Warner Telecom netblock. The recommendation to use something secure such as Google made me laugh.
#3 – Stratfor took their own website down. This was not a defacement, this was a hack. When you’ve had a breach like this, you take the site down to stop the bleeding. Getting the site back up, such as from a backup, would do nothing to help. They’d be standing up the same exact insecure site that got hacked in the first place.
#4 The only valid comment I could find in this article. Bad form to leave CC# unencrypted. Stratfor could be held liable for all the fraudulent transactions.
#5 The Stratfor server has been owned for several weeks now – Anonymous delayed the release of the hack until Christmas Eve for the express purpose of catching them off guard. So they got caught off guard – on Christmas Day, for crying out loud. Very few companies could provide a full response within the first 24 hours given the same circumstances.
Joel Helgeson
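The A-record versus MX-record check Joel describes above, written out as an added example (this is not code from the original post or from any commenter): a stdlib-only DNS client that parses A and MX answers and then reports whether the mail exchanger sits in the web server's netblock, which is the kind of evidence a defender would gather before claiming that web and mail are co-hosted. The resolver address 8.8.8.8, the /24 netblock comparison and the sample response used in the test are assumptions constructed for the example.

```python
import socket, struct, ipaddress

def build_query(name, qtype, txid=0x1234):
    """Wire-format query: 12-byte header, name as length-prefixed labels, then type and class IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset just past it)."""
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:                       # 2-byte pointer back to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += n + 1
    return ".".join(labels), (end if end is not None else off + 1)

def parse_answers(msg):
    """[(owner, rtype, rdata)] from the answer section; MX rdata = (pref, host), A rdata = dotted IP."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                       # skip the echoed question section
        off = read_name(msg, off)[1] + 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 15:                            # MX: 2-byte preference + exchange name
            answers.append((owner, "MX", (struct.unpack("!H", msg[off:off + 2])[0], read_name(msg, off + 2)[0])))
        elif rtype == 1:                           # A: 4-byte IPv4 address
            answers.append((owner, "A", socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    return answers

def lookup(name, qtype, server="8.8.8.8"):
    # Live UDP lookup (needs network; qtype 1 = A, 15 = MX). Resolver address is an assumption.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_answers(s.recv(4096))

def cohosted(web_ip, mail_ips, prefix=24):
    """True if any mail server sits in the web server's /prefix netblock, the co-hosting the post alleges."""
    net = ipaddress.ip_network(f"{web_ip}/{prefix}", strict=False)
    return any(ipaddress.ip_address(ip) in net for ip in mail_ips)
```

With the two addresses quoted in the comment, `cohosted("66.219.34.37", ["207.71.53.57"])` is false, which is the separation the commenter is pointing at.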
Thank you for your perspective. My article is about best practices. A company needs to implement all security safeguards. Stratfor did not. Stratfor is still offline on Monday, December 26.
My #4 point is the most important. I agree. It was inexcusable for Stratfor to have unencrypted confidential client information on the server.
DH
I agree with Helgeson. The main thing they did wrong was #4. They informed the affected customers VERY quickly. Everyone else can wait. These guys http://policeledintelligence.com/2011/12/25/rating-the-stratfor-incident-response/ rated them A- for communication.
You wrote, “When a hacking occurs, get out ahead of the social media buzz with openness, swiftness and transparency.”
And that’s why companies may wind up looking more incompetent. As you note, their first e-mail suggested the hack occurred on Christmas Eve. It didn’t, but now they are on record as having not known for how long they had been compromised.
On my blog, I encourage breached entities to be transparent, but I also encourage them NOT to rush to statements they may regret. Yes, be prompt, but only tell your customers that you are investigating and will tell them more as soon as you know more. Tell them what to do to err on the side of caution, e.g., “Although we have not verified anything yet, to be safe, we suggest you contact your banks,…”
But don’t make any firm statements about the breach that you haven’t yet verified by forensics.
And no, they do NOT have to get their site back up as quickly as you suggest. And if I were them, I’d leave it down until after a security consultant could arrange to secure it adequately. And that doesn’t happen within 24 hours – or 48 – or 72.
The only point on which we agree is that Stratfor fscked up royally by not encrypting sensitive info and by storing CVVs at all, much less in clear text.
They will pay dearly for this breach. They need to get their breach response right. Your advice is not only unhelpful, but I think it’s counterproductive.
Dear WMichel and Dissent,
Your comments suggest you have no credentials in the area of crisis communications. Are you in IT?
dh
David,
I think that you are conflating the previous activities – crap security, dunderheaded management choices, clearly idiotic and unforgivable decisions especially including your #4 above but also many, many other things – with their incident response. As someone who consults very large enterprises on how to deal with incidents similar to this from a security standpoint (not, I admit, from a communications standpoint, and I don’t challenge your credentials here), and as an analyst, I would say that you need to de-couple your damnation of their rubbish before the breach when you look at their behavior after the breach.
Realistically, they had no idea that they were breached until it hit. Again this is due entirely to their terrible security-fu to begin with (all the more galling since they claim expertise not just in OSINT but also in Cyber OSINT), however it seems to be the case: they were all home fat, dumb and happy when the thing hit.
Pragmatically speaking, they lost any chance to get ahead of the buzz because the buzz alerted them. So while it’s great to sit in an ivory tower and curse them for not getting ahead, we need to judge them based on what was possible for them, in their situation. And what they did, in my opinion, was exemplary. They admitted it nearly immediately and gave everyone the “We’ve been pwn3d, we lost your info, panic now, details to follow” almost immediately; they did not overcommit, they promised to look into it. Then they followed up on the 25th, and promised to follow up again on the 28th. You say that they waited 18 hours and were repetitive – I respectfully disagree. On the 25th they stated that they were preparing to offer credit monitoring, they gave specific steps to take for those clueless enough not to understand the exposure, and they mentioned their work with law enforcement (and STRATFOR has some pretty good connections there), AND they committed to do better in the future, telling us they hired a firm much like mine to help them not suck any more.
Their customers are almost entirely in the industry, and as such, know how to get their own luggage off the carousel. I don’t see among my colleagues even a hint of the great vengeance and furious anger you stated would be forthcoming – we’re all security and intelligence professionals and we all know that everyone gets hacked. We don’t forgive what they did, but we understand that they did it, and they’ve promised to fix it.
On Twitter, the conversations have been mixed until you recognize universal, violent agreement: every one of us in the business believe that they should be flogged with a bullwhip for what they did pre-breach. And all of us recognize that post-breach, w
So I would ask you to be more specific. What specifically could STRATFOR do now to get ahead of this, in your opinion. I’m sure you don’t mean merely to kick someone when he’s down: let’s get specific. In the past 36 hours they’ve:
* Admitted a breach and informed those they believe may be affected
* Contacted law enforcement and are conducting and cooperating with an active investigation
* Arranged for credit monitoring for those affected
* Given basic tips for all customers
* Engaged a team of security consultants to help them get their house in order going forward
* Promised to ensure that in the future, they will be better stewards of the information we entrust them with.
* Promised to come back with more information tomorrow.
What else should they be doing, in your opinion, to stay ahead of this? I am being neither sarcastic nor rhetorical, I honestly think they’ve done a good job so far.
Kind regards,
Nick Selby
Nick,
In answer to your question, Stratfor could have shown accountability, accepted responsibility and demonstrated a level of empathy and active support for clients whose credit cards have been compromised by the company’s lack of security. Just telling customers that, “oops, but we permitted credit card information to fall into the wrong hands” is not good enough.
Contacting non-specific law enforcement and hiring a security consultant they should have already had on retainer are irrelevant.
Quite honestly, I would be surprised if Stratfor can survive their own lack of accountability and transparency.
DH