I was interviewed for ABC TV’s current affairs program 7.30 yesterday about Anonymous’ hack of Stratfor. The story was Hack attack reveals Australians’ credit card details.
Interestingly, they chose to focus on the “liberation” of the credit card numbers and how it affected the Australian victims.
They didn’t use any of the material we recorded on who the various victims might be, what the still-to-come publication of some 2.7 million of Stratfor’s internal emails might reveal, and the effect that could have on both Stratfor and the individuals who’ve been feeding them information.
Indeed, this article by Barrett Brown makes it clear that those emails and other internal documents were the real target, not the credit card numbers. Anonymous is trying to give the impression that there’s some powerful stuff in there, but we’ll see.
I guess when you’ve only got six minutes and have to start with “Who is Anonymous?” and “Who is Stratfor?” then there’s not really enough time to get to “This is really a follow-up to Anonymous’ hack of HBGary Federal earlier in the year.”
Careful viewers will notice that reporter Sara Everingham described me as someone who “goes by the name Stilgherrian”, which is a bit of an oops but something that seemed to cause more distress to my Twitter followers than me.
Since some people have asked, I might as well tell you that the interview was shot in a spare office at the ABC’s Ultimo headquarters — rather different from the outdoor shot the last time I was on 7.30.
And despite the story being written and voiced by Sara Everingham, I was actually interviewed by Sarah Dingle. Ah, the Magic of Television!
The video in the story is Flash, so it won’t work on your iDevice. But there’s also an MP4 version of the video.
If the emails were the target, why did they spend three weeks quietly using the cards before dumping the emails and deleting the site? They carded merrily for days or even weeks but only brought Barrett in to chat about as-yet read emails on Christmas Eve.
@Ash: Well, let’s assume your timeline is true — I have no reason to doubt it, but I haven’t dug down into the timelines in detail — and do some speculation.
From what Mr Brown says, we seem to be dealing with multiple players. You’d presumably involve people with different skills in an attack anyway. The claim is that 200GB of data was exfiltrated. That’s going to take some time. You have to do it slowly so the victim doesn’t notice any degraded performance on their internet link.
So even if that vast trove of data is the main target, that still leaves plenty of time for the attackers to look around and see what else they can find. Membership databases would probably have been on the hit list anyway, but finding unencrypted credit card numbers along with them was an added bonus.
I’m guessing that since Anonymous is a leaderless organisation it’s difficult to maintain operational. So while some people are concentrating on exfiltrating the main body of data, others couldn’t resist playing around with the cards.
Indeed, the leaderless nature of Anonymous easily answers the many “If they were meant to be doing X, why did they do Y?” questions. Without leadership, it’s really just a bunch of individuals each pursuing their own aims — which happen to move in more or less the same direction much of the time.
Well, that’s what I reckon late on a Friday afternoon, anyway.
Maybe the credit cards were grabbed because it is proof that Stratfor were compromised. Everyone understands that CC details should be protected and customers expect it.
Prior to the release of the email archive it establishes the bona fides of their claims with those that don’t know the difference between DoS, DDoS or true hacking.
@cw: Perhaps, but I think that’s over-thinking it. The email archive would establish its own bona fides, since it’d contain vast amounts of data that could be cross-referenced with external events.
And the hackers don’t really need to prove that they’ve done the hack before they release the archive — unless of course they also want to taunt the other side and engage in a bit of old-fashioned bravado and prick-teasing the media with “We’ve got SEKRIT!”.
It’s that behaviour which tells me that one of the hackers’ key motives is proving to the world that they’re smarter than the other guys — regardless of whatever political motivations also exist.
I should stress I’m not an expert at any of this stuff. That’s just the impression I get.
I tend to agree that the release of the CC details was because that’s lots faster for the ‘We’re Here’ factor. Much like wiping Aaron Barr’s iPad was. Similarly to the HBGary crack, the data massaging of the real target data (emails) into proper threading, etc., takes time. In both cases, the companies involved appear to have not reasonably disclosed the breaches until they were told about them by the crackers themselves – something that is also telling about these companies that go by the description of ‘IT Security Consultants’.
@Pete: Just to be clear, Stratfor isn’t an IT security company. It’s an intelligence outfit which advises on issues including global security — stuff like the risk of terrorism, civil war, nuclear weapons and so on. I’m guessing you’re not making that mistake, but plenty of media reports have done.
As for Stratfor not knowing their network had been breached until the hackers themselves pointed it out, here’s a quote from my wrap of this year’s eCrime Symposium:
I’m not saying this is a good thing but, alas, it’s perfectly normal.
Thanks for the link to your wrap. I was curious about the figures Klein & Co were reporting there and in the next sentence of your wrap (not quoted) you seem to sum it up:
It’ll sure be interesting to see what happens to Stratfor as a result of their apparent PCI-DSS violations as well as what steps those involved in ‘maintaining’ the PCI-DSS ‘standard’ do to ensure such insanity doesn’t happen again. What I’m unclear about is whether each card/CVN number leak is one breach of PCI-DSS or the whole DB is one breach (I’ve only recently started reading the CVSS 2.0 docs, let alone made it to whatever PCI-DSS is using these days). At USD$500,00 a pop that could get rather nasty if per card breach. But barely enough for ‘big’ businesses to be really concerned about if it’s a whole-of-DB thing.