BreachExchange mailing list archives

Speak Out and You May Be Targeted, Warns Breached Security Firm Stratfor


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Tue, 27 Dec 2011 14:38:55 -0500

http://techland.time.com/2011/12/27/speak-out-and-you-may-be-targeted-warns-breached-security-firm-stratfor/

Be careful what you say, or say nothing at all, advises hacked
international intelligence and threat analysis firm Stratfor, after
revealing hackers may be targeting members who offer public support
for the company in the wake of a serious security breach. Stratfor was
allegedly infiltrated Sunday night by hacktivist group Anonymous.
Anonymous announced on Twitter that it had stolen thousands of credit
card numbers as well as the personal information of Stratfor’s
clients, posting links to some of that information Sunday and again on
Monday.

Stratfor’s website was still inaccessible Tuesday morning, and the
company has resorted to using its Facebook page to communicate with
the public. It’s not clear what, if anything, hackers are doing to
harass outspoken victims, but Stratfor’s cautioning against saying
anything just the same.

“It’s come to our attention that our members who are speaking out in
support of us on Facebook may be being targeted for doing so and are
at risk of having sensitive information repeatedly published on other
websites,” wrote the company on Sunday afternoon. “So, in order to
protect yourselves, we recommend taking security precautions when
speaking out on Facebook or abstaining from it altogether.”

It’s not yet clear what was taken in the alleged data heist, but
Stratfor admits that on December 24, both “personally identifiable
information” as well as “related credit card data” from its members
was disclosed. But where the hackers claim they also obtained a list
of Stratfor’s “private clients” — members who “have a relationship
with Stratfor beyond their purchase of [the company's]
subscription-based publications” — Stratfor denies the charge, and
says the list “was merely…of some of the members that have purchased
our publications.”

Anonymous claims the data it obtained was unencrypted, and Stratfor
hasn’t said whether it was or wasn’t. Storing personal data like
names, addresses and telephone numbers unencrypted isn’t uncommon, but
credit card data is almost always encrypted — if Stratfor’s credit
card data was somehow stored unencrypted, it would be a major
embarrassment for a company that’s built its brand on the basis of
security and threat analysis.

The information — posted by Anonymous online and linked to through
Twitter — is said to be an alphabetical listing of thousands of
Stratfor clients, both individuals and companies, including financial,
media and government groups. It also contains emails, allegedly
between members of Stratfor’s information technology department.

The hackers announced they would donate any money obtained from the
hack to charities, but the chances are virtually zero of that
happening, since impacted members are doubtless freezing suspect
cards, and would see any illicitly donated money returned once the
transaction posted.

Stratfor says it’s working with law enforcement to investigate the
breach and is using a “leading identity theft protection and
monitoring service” as it moves forward, adding that it will outline
“services to be provided” in “a subsequent email that is to be
delivered to the impacted members no later than Wednesday, December
28th.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
