BreachExchange mailing list archives

Stratfor - Lessons Learned


From: security curmudgeon <jericho () attrition org>
Date: Tue, 3 Jan 2012 17:06:13 -0600 (CST)


http://www.netpublishing.com/2012/01/03/stratfor_lessons_learned.html

Stratfor - Lessons Learned
- Gregory W. MacPherson, Computer Security Expert, CISSP, etc.

The stratfor.com hack is old news by now, so what lessons, if any, are 
there to be learned from this high profile data spill?

To review, stratfor.com private data including credit cards, 
user accounts, and passwords was dumped on pastebin.com on Christmas Day, 
2011. The data spill exposed not only tens of thousands of users to 
potential identity theft but more importantly exposed the security 
practices of those users, as well as the security practices of 
stratfor.com.

A review of the data and of the incident suggests several points worthy of 
consideration. The data was compromised using either a cross site 
scripting or SQL injection attack. From this fact one might conclude that 
application security trumps data security, and in this case one would be 
correct. Of course if the administrators of stratfor had practiced basic 
data security techniques such as encrypting data at rest, then the 
sensitive PII of tens of thousands of users might not be on display for 
the world today. While the Web site did incorporate SSL for user 
transactions, the account and credit card information existed in a data 
store in clear text rather than as encrypted hash values. Once the 
exterior security of the site was breached, regardless of the method, the 
entire site was compromised. This is referred to in the vernacular as 
"hard exterior, soft chewy inside" and is an unfortunate and prevalent 
security strategy. Numerous discussions of layered security have addressed 
the point, therefore I will not belabor it here. Suffice to say that the 
administrators of stratfor.com now may be viewed as idiots for not 
following well documented and oft published best practices for computer 
security.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
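The article above faults stratfor.com for holding account credentials in clear text rather than as hashed values. The following is an added illustration, not code from the article or the list post: a constructed clear-text user record beside a hardened record that stores only a per-user random salt and a PBKDF2-HMAC-SHA256 derived key, plus a check of what each record reveals if the data store is dumped. The e-mail, password and iteration count are assumed sample values (the article gives none). Card numbers are a separate problem, since they must stay recoverable and need reversible encryption rather than hashing; they are not covered here.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample of the failure mode the article describes: the record
# IS the password, so a dump of the store exposes every user immediately.
CLEARTEXT_STORE: Dict[str, str] = {
    "alice@example.test": "Winter2011!",  # constructed sample credential
}

# Hardened record: (salt, derived_key). Assumed iteration count; tune upward
# for production hardware, the point is that the record is not the password.
ITERATIONS = 100_000
HashedRecord = Tuple[bytes, bytes]


def hash_password(password: str, salt: Optional[bytes] = None) -> HashedRecord:
    """Derive a key from the password with a fresh random salt unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def store_user(store: Dict[str, HashedRecord], email: str, password: str) -> None:
    """Persist only the salt and derived key, never the password itself."""
    store[email] = hash_password(password)


def verify_user(store: Dict[str, HashedRecord], email: str, password: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    record = store.get(email)
    if record is None:
        hash_password(password, b"\x00" * 16)  # equalise timing for unknown users
        return False
    salt, expected = record
    _, actual = hash_password(password, salt)
    return hmac.compare_digest(expected, actual)


def record_exposes_password(record, password: str) -> bool:
    """True if the raw stored record hands the password to whoever dumps the store."""
    if isinstance(record, str):
        return record == password
    salt, key = record
    return password.encode("utf-8") in (salt + key)
```

Hashing the same password for two users yields different records because each gets its own salt, so one dumped record tells an attacker nothing about the others.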
