In answer to your question, Stratfor could have shown accountability, accept responsibility and demonstrated a level of empathy and active support for clients whose credit cards have been compromised by the company’s lack of security. Just telling customers that, “opps but we permitted credit card information to fall into the wrong hands” is not good enough.

Contacting non-specific law enforcement and hiring a security consultant they should have already had on retainer are irrelevant.

Quite honestly, I would be surprised if Stratfor can survive their own lack of accountability and transparency.

DH

Realistically, they had no idea that they were breached until it hit. Again this is due entirely to their terrible security-fu to begin with (all the more galling since they claim expertise not just in OSINT but also in Cyber OSINT), however it seems to be the case: they were all home fat, dumb and happy when the thing hit.

Pragmatically speaking, they lost any chance to get ahead of the buzz because the buzz alerted them. So while it’s great to sit in an ivory tower and curse them for not getting ahead, we need to judge them based on what was possible for them, in their situation. And what they did, in my opinion, was exemplary. They admitted it nearly immediately and gave everyone the “We’ve been pwn3d, we lost your info, panic now, details to follow” almost immediately; they did not overcommit, they promised to look into it. Then they followed up on the 25th, and promised to follow up again on the 28th. You say that they waited 18 hours and were repetitive – I respectfully disagree. On the 25th they stated that they were preparing to offer credit monitoring, they gave specific steps to take for those clueless enough not to understand the exposure, and they mentioned their work with law enforcement (and STRATFOR has some pretty good connections there), AND they committed to do better in the future, telling us they hired a firm much like mine to help them not suck any more.

Their customers are almost entirely in the industry, and as such, know how to get their own luggage off the carousel. I don’t see among my colleagues even a hint of the great vengeance and furious anger you stated would be forthcoming – we’re all security and intelligence professionals and we all know that everyone gets hacked. We don’t forgive what they did, but we understand that they did it, and they’ve promised to fix it.

On Twitter, the conversations have been mixed until you recognize universal, violent agreement: every one of us in the business believe that they should be flogged with a bullwhip for what they did pre-breach. And all of us recognize that post-breach, w

So I would ask you to be more specific. What specifically could STRATFOR do now to get ahead of this, in your opinion. I’m sure you don’t mean merely to kick someone when he’s down: let’s get specific. In the past 36 hours they’ve:

* Admitted a breach and informed those they believe may be affected
* Contacted law enforcement and are conducting and cooperating with an active investigation
* Arranged for credit monitoring for those affected
* Given basic tips for all customers
* Engaged a team of security consultants to help them get their house in order going forward
* Promised to ensure that in the future, they will be better stewards of the information we entrust them with.
* Promised to come back with more information tomorrow.

What else should they be doing, in your opinion, to stay ahead of this? I am being neither sarcastic nor rhetorical, I honestly think they’ve done a good job so far.

Kind regards,
Nick Selby

Your comments suggest you have no credentials in the area of crisis communications. Are you in IT?

dh

And that’s why companies may wind up looking more incompetent. As you note, their first e-mail suggested the hack occurred on Christmas Eve. It didn’t, but now they are on record as having not known for how long they had been compromised.

On my blog, I encourage breached entities to be transparent, but I also encourage them NOT to rush to statements they may regret. Yes, be prompt, but only tell your customers that you are investigating and will tell them more as soon as you know more. Tell them what to do to err on the side of caution, e.g., “Although we have not verified anything yet, to be safe, we suggest you contact your banks,…”

But don’t make any firm statements about the breach that you haven’t yet verified by forensics.

And no, they do NOT have to get their site back up as quickly as you suggest. And if I were them, I’d leave it down until after a security consultant could arrange to secure it adequately. And that doesn’t happen within 24 hours – or 48 – or 72.

The only point on which we agree is that Stratfor fscked up royally by not encrypting sensitive info and by storing CVVs at all, much less in clear text.

They will pay dearly for this breach. They need to get their breach response right. Your advice is not only unhelpful, but I think it’s counterproductive.

My #4 point is the most important. I agree. It was inexcusable for Stratfor to have unencrypted confidential client information on the server.

DH

#1 – You cannot mask your IP information, all you can do is mask the domain name ownership, but certainly not the IP. There appears to be a basic misunderstanding of how DNS works.

#2 – Email was NOT hosted at the same site. Where did you get your information? A simple DNS check reveals that strafor.com is hosted at IP 66.219.34.37 – which as you stated appears to have been allocated to Corenap. However, the MX record for stratfor points to mxgw01.stratfor.com, which resolves to 207.71.53.57, which is where the Stratfor mail server resides, right on Time Warner Telecom netblock. The recommendation to use something secure such as Google made me laugh.

#3 – Stratfor took their own webiste down. This was not a defacement, this was a hack. When you’ve had a breach like this, you take the site down to stop the bleeding. Getting the site back up, such as from a backup would do nothing to help. They’d be standing up the same exact insecure site that got hacked in the first place.

#4 The only valid comment I could find in this article. Bad form to leave CC# unencrypted. Stratfor could be held liable for all the fraudulent transactions.

#5 The Stratfor server has been owned for several weeks now – Anonymous delayed the release of the hack until Christmas Eve for the express purpose of catching them off guard. So they got caught off guard – on Christmas Day, for crying out loud, very few companies could provide a full response within the first 24 hours given the same circumstances.

Joel Helgeson

Interesting point about the backup. But they’ve got to get it back soon.

Thank you for your opinion. I know quite a bit about DNS.

There was one email from Friedman on Christmas Eve, not multiple as you suggest incorrectly. And, yes … organizations that depend on the net get their sites back online as quickly as possible, not 24+ hours later.

Have you read what The New York Times is reporting?
http://www.nytimes.com/2011/12/26/technology/hackers-breach-the-web-site-of-stratfor-global-intelligence.html
DH

We received private emails from George shortly after they found out about the compromise, not 18 hours later and via facebook as you suggested.

And when your site is cracked, you don’t just restore it from “backup” and continue as usual… you take it offline until the security issues can be addressed.

Your point #4 was valid, but the rest is uninformed and irresponsible.