Sunday, December 25, 2011

Post-attack: Stratfor Research website still down after 24 hours

The website of intelligence firm Stratfor Research remains down more than 24 hours after it was rooted and defaced.

A comment on ZeroHedge by "Osgo" seems to summarize some of the key issues.

I find it astounding how people who just have no f'ing idea about INFOSEC, Anonymous, 4Chan, or Lulzsec... who still think AOL is the Internetz... are suddenly Armchair Warrior Commando Supremo, ready to wreak havoc upon enemies of capitalism... actually thinking that WikiLeaks is some sort of black-ops, Soros-scheming, FEMA camp-making endeavor ready to enslave their family, firmly ensconced in their gated community where most of the cars are shiny and their kids a little too clean... get some f'ing perspective, people, this is the Internetz equivalent of you driving around in your old '73 Camaro with a few too many Oly's in you as you took out your neighbors' mailboxes, laughing with glee, later discovering your erstwhile girlfriend's angora sweater along with the twin treasures within.

Stratfor's site wasn't updated, patched well or maintained in a way commensurate with their public image. Indeed, it was a public secret that anyone could read ALL the articles in Google's cache... what they just went through is typical... Podunk site from a few years ago grows exponentially without proportionate security measures that EXCEEDED growth. While they hired and promulgated new authors, contributors and analysts with a pantload of letters after their names, they 'prolly didn't hire enough IT/web developers/security folks 'cause let's face it...they're usually considered a cost center, not a name that would bring in new subscribers/biz/accolades. I seem to remember they had open positions for interns... not pro's... go figure....

Every org. has growing pains... but the pain point here? The manageable risk that was unfortunately overlooked by "America's Private CIA" endeavor? By promoting and evangelizing themselves as an alternate intelligence organization, they failed to take into account good OPSEC. Here we have hundreds of records soon to be available, dead-drop names, sovereign ID's, aliases and a Who's-Who of people and corps. who just don't wanna be found....easily cross-referenced with other public disclosures... that any counter-intel org. could use to their great advantage. At this point it may even be an issue of maskirovka, but certainly the intrusion in no way approaches a sovereign level of expertise, IMHO...

This has got to be a flat-out awful Christmas for everyone involved with Stratfor. The company's website is a crucial element of its marketing and service delivery arms; yet, as Osgo implies, the organization's I.T. function may have received short shrift.
