BreachExchange mailing list archives
Stratfor - Lessons Learned
From: security curmudgeon <jericho () attrition org>
Date: Tue, 3 Jan 2012 17:06:13 -0600 (CST)
http://www.netpublishing.com/2012/01/03/stratfor_lessons_learned.html

Stratfor - Lessons Learned - Gregory W. MacPherson, Computer Security Expert, CISSP, etc.

The stratfor.com hack is old news by now, so what lessons, if any, are there to be learned from this high profile data spill?

To review, stratfor.com private data including credit cards, user accounts, and passwords was dumped on pastebin.com on Christmas Day, 2011. The data spill exposed not only tens of thousands of users to potential identity theft but more importantly exposed the security practices of those users, as well as the security practices of stratfor.com. A review of the data and of the incident suggests several points worthy of consideration.

The data was compromised using either a cross site scripting or SQL injection attack. From this fact one might conclude that application security trumps data security, and in this case one would be correct. Of course if the administrators of stratfor had practiced basic data security techniques such as encrypting data at rest, then the sensitive PII of tens of thousands of users might not be on display for the world today. While the Web site did incorporate SSL for user transactions, the account and credit card information existed in a data store in clear text rather than as encrypted hash values. Once the exterior security of the site was breached, regardless of the method, the entire site was compromised. This is referred to in the vernacular as "hard exterior, soft chewy inside" and is an unfortunate and prevalent security strategy. Numerous discussions of layered security have addressed the point, therefore I will not belabor it here. Suffice to say that the administrators of stratfor.com now may be viewed as idiots for not following well documented and oft published best practices for computer security.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
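The quoted article's central lesson is that once the application layer fell, a clear-text data store handed over every account unchanged. The following is an added illustration of the password side of that lesson; it is not code from the original post, from MacPherson's article, or from Stratfor. It assumes a constructed, in-memory user table (the `CLEARTEXT_STORE` dict, a hypothetical user `alice@example.com`) and a PBKDF2 iteration count chosen here as an assumption to be tuned for the deployment. It contrasts the clear-text table a dump would reveal against the same table migrated to salted, iterated password hashes, and shows that the migrated table still verifies logins while a dump of it no longer contains any password.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample of the situation the article describes: account records
# with the password kept in clear text. Anyone who dumps this table has every
# password verbatim (hypothetical user, not real data).
CLEARTEXT_STORE: Dict[str, dict] = {
    "alice@example.com": {"password": "correct horse battery staple"},
}

# Iteration count is an assumption for this example; tune it so a single
# verification costs tens of milliseconds on the production hardware.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 record; a fresh 16-byte salt per user
    means identical passwords do not produce identical stored values."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and iteration count and
    compare in constant time, so a dumped record yields no shortcut to the
    password and the check leaks nothing through timing."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def migrate_store(cleartext_store: Dict[str, dict]) -> Dict[str, dict]:
    """One-time migration: replace each clear-text password with its hash record.
    After this the clear-text values should be destroyed, not archived."""
    return {user: hash_password(rec["password"]) for user, rec in cleartext_store.items()}


def dump_reveals_passwords(store: Dict[str, dict], plaintexts: Iterable[str]) -> bool:
    """Model the attacker's view of a leaked table: does any known password
    appear verbatim anywhere in the dumped data?"""
    blob = repr(store)
    return any(p in blob for p in plaintexts)


if __name__ == "__main__":
    hashed = migrate_store(CLEARTEXT_STORE)
    print("clear-text dump exposes passwords:",
          dump_reveals_passwords(CLEARTEXT_STORE, ["correct horse battery staple"]))
    print("hashed dump exposes passwords:   ",
          dump_reveals_passwords(hashed, ["correct horse battery staple"]))
    print("login still works after migration:",
          verify_password(hashed["alice@example.com"], "correct horse battery staple"))
```

Hashing only covers credentials; card numbers that the site must read back cannot be hashed and need encryption with keys held outside the database, or not being stored at all, which is the "data at rest" half of the article's point.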
Current thread:
- Stratfor - Lessons Learned security curmudgeon (Jan 04)