Fallout from the Christmas hack of Stratfor
Wednesday, 04 January 2012 17:57

Let this be the day that you change your password practices.  On December 24th, 2011, Anonymous, the group of hackers that includes anyone who chooses to adopt that label, announced that they had broken into the servers of the defense intelligence organization Stratfor.  Despite Anonymous’ belief in a vast military-industrial-government conspiracy, Stratfor is merely a think tank that researches and reports on global hot spots and events.

It is very important for everyone reading this to re-learn security 101.  Anonymous has posted complete credit card records of those who subscribe to Stratfor’s publications, and 28,517 email addresses and cracked passwords.  Reading through those lists is very educational.  Well known security experts, executives at major networking companies, industry analysts, and government contractors have all had their passwords published on the text-file sharing site pastebin.com.

A cursory glance reveals the corporate email addresses and simple passwords from:

Cisco:  5  employees – including a high ranking executive who used a date for his password.
Juniper: Only 1
Gartner: 4 industry analysts
IBM: 8 employees
Microsoft: 3
Raytheon: 12 employees
SAIC: 15

The passwords revealed are an object lesson in password strength.  Do you really think adding a number to the end of a word makes it a better password?  optimus2, compaq23, Satellite1, kate29, magic78, chance10 were all easily cracked. Not to mention those that used: password, stratfor, chickens, bamboo, mentor, fishhead, trophy, chicago, or the lovely “kisses” or the beguiling “lovecakes”.

What about non-words like “1qaz2wsx”? (Type it and you will see the easy-to-remember pattern on your keyboard.) Those do not work either.

What about number substitution for vowels?  Easy to crack, as the guy who used n0m3ncl8tur3 has discovered.

How about special characters? Slav85!, stratfor!, Cal!985, Godzilla!, Sith31!, redsox#1, 1q2W#E all fail.

Lessons re-learned:

1. It is no longer even remotely OK to use simple passwords.  Even so-called “throw-away” accounts can lead to embarrassment for you or your organization. Do you really want your co-workers and the press to know that you used your birthday/pet’s name/football team as your password?  (I experienced this when Gawker was hacked in a similar event in 2010. Look it up to see my stupid password.)
2. Change the password to your email account on Google, Yahoo, Hotmail, today. Make it really strong.
3. NEVER reuse a password. Sorry but it has come to this. Yes, you will have to write them down or store them in a digital safe on your computer or phone.  Only a truly determined hacker (or your spouse/boyfriend/teenage kid) will attempt to hack that.
4. Turn on two-factor authentication with your email provider. Google and Yahoo provide a service that sends an SMS message to your phone when you log into your account from a new computer. Use it.
5. Only do online banking with banks that provide strong two-factor authentication.

Now for those that collect credit cards and account information on their Internet facing servers.

Lessons for web site owners re-learned from Stratfor:

1. Use a password for your databases.  Apparently Stratfor had no password protection for their SQL database.

2. Do not use the default password hash algorithm that comes with your CMS or Unix library.  There are vast dictionaries of hashed passwords online. Once a hacker has stolen your password list, they can look up any hash in these dictionaries or run simple tools to brute-force them.  Research and deploy salted hash algorithms. They make the job a lot more difficult for the hacker. Best practice: encrypt those passwords! And secure the keys.
3. Do a complete security review. Things have changed since you set up your Internet presence in 1995 or 2005.
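An added example (not code from the post or from Stratfor) of why lesson 2 matters: an unsalted default hash is resolved with one lookup in a precomputed dictionary, while a salted, iterated hash (PBKDF2-HMAC-SHA256 here) gives every user a different stored value and forces the attacker to redo the slow work per record. The `iterations$salt$hash` storage format and the tiny password dictionary are this example's own constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample: a few of the weak passwords quoted in the post, standing in
# for the "vast dictionaries of hashed passwords" an attacker precomputes.
WEAK_PASSWORDS = ["optimus2", "compaq23", "stratfor!", "1qaz2wsx", "n0m3ncl8tur3"]


def unsalted_md5(password: str) -> str:
    """The kind of default, unsalted hash an old CMS might store as-is."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Precomputed table: built once, reused against every leaked unsalted hash.
LOOKUP_TABLE: Dict[str, str] = {unsalted_md5(p): p for p in WEAK_PASSWORDS}


def crack_unsalted(stored_hash: str) -> Optional[str]:
    """Unsalted hash -> password is a single dictionary lookup."""
    return LOOKUP_TABLE.get(stored_hash)


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256). The storage layout
    'iterations$salt_hex$hash_hex' is this example's own convention."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def dictionary_attack_salted(stored: str) -> Optional[str]:
    """No precomputed table applies to a salted record: each candidate must be
    re-hashed with this record's salt and iteration count. A salt slows the
    attacker down; it does not rescue a password that is in the dictionary."""
    iterations, salt_hex, dk_hex = stored.split("$")
    for candidate in WEAK_PASSWORDS:
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
        if hmac.compare_digest(dk.hex(), dk_hex):
            return candidate
    return None
```

Two users who both chose "optimus2" get identical unsalted hashes, so cracking one cracks both; with random salts their stored values differ and the table is useless.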

The most painful lesson the Stratfor hack is about to demonstrate is the importance of email security.  The Anonymous member who appears to be taking the lead in this attack against Stratfor has already posted to reddit.com that they will be recruiting volunteers to analyze the 3.3 million emails they stole from Stratfor.  These emails have the potential for embarrassment and real harm that could equal the infamous State Department leak.

One last point.  A quick scan of the 28,517 leaked email addresses reveals the conspicuous absence of any addresses belonging to .gov and .mil.  Were there none, or does Anonymous have plans for those?

My only prediction for 2012: it is going to be a very interesting year.


Updates: More analysis of the leaked data provided by Mike Lennon at SecurityWeek, thanks to Identity Finder.

Dazzlepod has posted a search tool to determine if your own email address is in the leaked Stratfor database. You can also search by domain.

On December 29, Anonymous posted 859,311 email addresses, 68,063 credit card numbers, 50,618 addresses, and 50,569 phone numbers.  Analysis posted here by IdentityFinder.

The latest list of leaked Stratfor emails does include .mil and .gov addresses.

Jan 3 update:  Dazzlepod has added all 860,000 leaked accounts to their searchable database.

Steve Ragan at the Tech Herald has cracked and analyzed 10% of the passwords.

There is no billion dollar market for mobile AV
Tuesday, 17 May 2011 19:30

I remember the first time the executive team of one of the Big Three Anti-Virus vendors explained to me their mobile strategy.  It was the new consumer gold mine they were going to tap. "There are over 100 million smart phones and some day mobile devices will outpace all other platforms!" they would exclaim.  You could see the gleam in their eyes.  Consumers would pay $29.95 a year for AV software to protect their phones from spam and infections!  Well, according to Mary Meeker, mobile platforms exceeded PC shipments late last year, but there is no AV market for smart phones, iPads, and e-book readers. Why is that?

There are three reasons: diversity, carriers, and competition.   The reason that viruses became the scourge they are today is the monoculture that Microsoft created. Servers, desktops, laptops, and even embedded systems all run the same code. A single vulnerability in one platform is repeated in the others.  A cyber criminal can focus his development efforts on targeting Windows and Internet Explorer and hit the vast majority of computers.   You may have noticed the plethora of platforms in the mobile arena: iOS on Apple products, Android, BlackBerry, Kindle, etc.  An attacker has to target a particular platform.   In the new mobile world you will never have the situation that existed in 2004, when everyone's PC slowed to a halt. They were infected with so much spyware, adware, and worms that they went out and bought new machines.

PCs connected to the Internet are very different from cell phones connected to Verizon, AT&T, or T-Mobile.  Your ISP does not much care if you become infected with a virus. That is your problem, not theirs.  But a virus on a phone network could be cataclysmic.  A single infection causing problems on a cell phone generates a call to the carrier's support center or a visit to the outlet store. It costs them money.  They are investing heavily in network protections to make sure that their cell systems stay virus-free.  They choose the platforms they support.  If a particular handset is prone to infections, they will drop it or force patch updates across their network.

That is not to say that mobile platforms are problem-free. All platforms are vulnerable and will see attacks. But the platform owners will respond before a market ever develops for scanning AV software.   Security will be built in as quickly as possible. App stores will pre-scan and verify software before you download it. You will still need to be able to lock your device if it is lost or stolen. You will want to encrypt data on it. You will have VPN clients for secure communications.  Many of these protections will be bundled with the mobile device as value-added features.

Mobile platforms will be components of other security solutions. I have written on how they are the ideal device for two factor authentication.  That industry will take off.   And companies like Mocana will work with platform developers to build security in.   There is money to be made in mobile security, but there will be no AV market for mobile.

Watch my interview with Adrian Turner, CEO of Mocana, here:
