Stratfor Denies Anonymous Compromised Client List

Stratfor has asserted that hackers from the Anonymous collective did not steal its confidential client list, but rather a list of people who had purchased its publications.

Strategic Forecasting, an organization that focuses on intenerational security issues, is downplaying the severity of the cyber-attack it suffered over the weekend, claiming its client list had not been stolen.

A group of hackers claiming to be part of the hacktivist collective Anonymous attacked the global intelligence think tank on Dec. 24 and stole approximately 200GB of information, such as credit card numbers and other personal information, from Stratfor's servers, according to various posts on Twitter.

The attackers originally claimed to have obtained and disclosed Stratfor's confidential client list. However, CEO George Friedman said in a statement on Facebook on Dec. 25 that the information appears to be "merely" a list of members that have purchased Stratfor's publications in the past and did not necessarily mean those individuals or entities had any kind of relationship with the think tank.

Stratfor suspended its Website and warned members in an email that some names and personal information may be disclosed by the attackers on other sites. As of Dec. 27, the Website is still displaying a maintenance message.

There also appears to be some dissent online about the collective's role in the Stratfor attack. An "emergency press release" posted on text-sharing site Pastebin criticized the attack and said the Stratfor perpetrators did not represent the loose collection of hackers. Anonymous doesn't have a formal organization or hierarchy, which means there's no single "official" voice.

"As a media source, Stratfor's work is protected by the freedom of press, a principle which Anonymous values greatly," the writers wrote.

Hacktivist attacks increased dramatically in 2011 and will continue to increase in 2012, Seth Goldhammer, director of product management at LogRhythm, told eWEEK. Hackers will continue to use data theft, distributed denial of service and Website defacement as ways to embarrass governments and private corporations, Goldhammer said.

"Anon, LulzSec, Anti-Sec found their sea legs-buoyed by a perceived greater cause the ease with which large corporations could be brought to their knees," Anup Ghosh, founder and CEO of Invincea, wrote on the company's blog, noting that attackers were often acting in response to globalization, political unrest and perceived unfair corporate practices.

The Stratfor attackers have published some of the stolen credit card information, which Identity Finder analyzed using its data discovery and protection software. The company identified 50,277 unique credit card numbers, of which 9,651 were active and not expired.

It appears some of those numbers have been used to donate large sums of money to charitable organizations such as the American Red Cross, Save the Children, African Child Foundation and CARE, according to F-Secure's Mikko Hypponen. The charities lose out twice in this scenario, as they won't see a dime from these supposed contributions as they will have to return the funds once credit card owners report the fraudulent transactions and may be hit with penalties, Hypponen wrote.

Dumping personal information online, or "doxing," has become a pervasive security problem in 2011, Kris Harms, a principal consultant at Mandiant, said in December's "State of the Hack" presentation. Attackers are publishing sensitive information to publicly embarrass specific individuals or organizations, and the victims are doubly hurt when criminals use the information for identity theft and other crimes, according to Harms.

Identity Finder also found 44,188 passwords in the dumped dataset. Even though the passwords were encrypted, the company said roughly half could be easily cracked. Approximately 73 percent of decrypted passwords were considered weak in the analysis. Considering the prevalence of password reuse online, the threat is "significant," according to Todd Feinman, CEO of Identity Finder.

"The victims will have no way to know when an identity thief is reusing their email and password combination to attempt to log into their online bank, an online retailer where they have saved their credit card for future purchases, or other online accounts such as email," said Feinman.