This just in.

I have been notified by several of our clients who were victimized when STRATFOR was hacked that the hackers are still testing out the credit cards by making small donations to obscure charities and other organizations around the country. Most of these amounts are $1 or less, so they easily slip by unnoticed. How many of us have iPhones and Android phones that we use to purchase apps for $1 – $4?

This was also confirmed by my credit card company. Some of these charges were from a Colorado-based Christian school; another was from MOSI (the local Museum of Science and Industry). Several others were from Google. Thankfully, it appears that none of these charges actually made it through, due to the diligent efforts of the credit card companies that were informed by STRATFOR. I had earlier posted Mr. Friedman’s email on this issue. It seems that was very effective.

The downside is that, unfortunately, payments to many other 503(c) organizations are now being flagged to prevent further fraudulent charges. It is a minor inconvenience, but I urge all who subscribed to STRATFOR to call your credit card companies and ask them to go over recent charges, even the ones that have not shown up on your account yet. Get them to cancel the card and send you a new one.
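The pattern described above (a stolen card "tested" with several sub-$1 charges to unrelated merchants in a short span) is something an issuer or a merchant's own fraud team can look for in authorization data. The following is an added example, not code from the original post or from STRATFOR or any card company; the authorization records are constructed, the merchant names are placeholders, and the $1.00 limit, 24-hour window and two-merchant threshold are assumptions to tune against real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorizations (not real data):
# (timestamp, card token, merchant, amount in USD)
SAMPLE_AUTHS = [
    ("2012-01-05T09:12:00", "tok_A", "Small Charity A", 0.50),
    ("2012-01-05T09:14:30", "tok_A", "Science Museum", 1.00),
    ("2012-01-05T09:20:10", "tok_A", "Online Ad Platform", 0.99),
    ("2012-01-05T10:00:00", "tok_B", "Grocery Mart", 84.13),
    ("2012-01-05T11:30:00", "tok_B", "App Store", 0.99),   # one $0.99 app purchase is normal
    ("2012-01-06T08:00:00", "tok_C", "Charity X", 1.00),
    ("2012-01-06T08:01:00", "tok_C", "Charity Y", 1.00),
]

# Assumed thresholds; tune them to the issuer's or merchant's own baseline.
MICRO_LIMIT = 1.00            # "micro" charge: at or below this amount
WINDOW = timedelta(hours=24)  # span in which the micro charges must cluster
MIN_DISTINCT = 2              # distinct merchants needed before a card is flagged


def find_card_testing(auths, micro_limit=MICRO_LIMIT, window=WINDOW,
                      min_distinct=MIN_DISTINCT):
    """Return {card_token: [merchants]} for cards that have micro charges to at
    least `min_distinct` different merchants inside any `window`-long span.

    A single small app purchase (tok_B) does not qualify; a burst of $1-or-less
    charges spread across unrelated merchants (tok_A, tok_C) does.
    """
    micro_by_card = defaultdict(list)
    for ts, card, merchant, amount in auths:
        if amount <= micro_limit:
            micro_by_card[card].append((datetime.fromisoformat(ts), merchant))

    flagged = {}
    for card, events in micro_by_card.items():
        events.sort()  # chronological, so each start index opens a window
        for i, (start, _) in enumerate(events):
            merchants = {m for t, m in events[i:] if t - start <= window}
            if len(merchants) >= min_distinct:
                flagged[card] = sorted(merchants)
                break
    return flagged


if __name__ == "__main__":
    for card, merchants in find_card_testing(SAMPLE_AUTHS).items():
        print("%s: micro charges to %s" % (card, ", ".join(merchants)))
```

Flagging a card this way is a trigger for review and a hold on further authorizations, not proof of compromise on its own; the thresholds deliberately let a lone $0.99 app purchase pass so the rule does not drown in false positives.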

Good Luck.

Today George Friedman of STRATFOR sent an update to all members about the status of its website and apologized once again for the intrusion.

It is refreshing to see an executive take responsibility for their company’s shortcomings (and there is no doubt that STRATFOR let its guard down by keeping CC info unencrypted). But subscribers like me need to know this so we can protect ourselves, and we need to know that companies are actively engaged in fixing security leaks. This is what keeps subscribers like myself loyal. This is in sharp contrast to how SONY handled their hacking attack last year. After weeks of denial and multiple attacks, they finally admitted to it. Their stock took a beating because of this.

As I discuss in my previous topic “How much do you really know about your internal computer security?”, this is an all too common scenario. IT departments often take shortcuts that would appall most senior executives. Sometimes it is the corporate culture which is in denial, and sometimes it is a lack of budget or resources to fix things. These companies are playing a deadly game of chicken. They are betting that they will not be a victim of statistics. What they are failing to see is that when s* does hit the fan, it is often too late to do anything. If these companies do get compromised, the first thing to check is whether the security leak was a known issue, and if it was, harsh penalties should be imposed. This is the only way to send the message “Do NOT SACRIFICE YOUR CUSTOMERS’ DATA”.

I am not sure what specific security measures STRATFOR will be employing going forward, but one of the things they should probably consider is using SSL for all PUBLIC and PRIVATE content.

I believe that due to their honest and quick response, STRATFOR will bounce back stronger.

I am re-producing the letter from Mr. Friedman below:

* * * * * * * * * *

Geopolitical Weekly: The Hack on Stratfor

By George Friedman | January 11, 2012

In early December I received a call from Fred Burton, Stratfor’s Vice President of Intelligence. He told me he had received information indicating our website had been hacked and our customer credit card and other information had been stolen. The following morning I met with an FBI special agent, who made clear that there was an ongoing investigation and asked for our cooperation. We, of course, agreed to cooperate. The matter remains under active investigation.

From the beginning I faced a dilemma. I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. I also felt bound to protect the investigation. That immediate problem was solved when the FBI told us it had informed the various credit card companies and had provided those companies with a list of compromised cards while omitting that it had come from us. Our customers were therefore protected, as the credit card companies knew the credit cards and other information had been stolen and could act to protect the customers. We were not compelled to undermine the investigation.

The FBI made it clear that it expected the theft to be exposed by the hackers. We were under no illusion that this was going to be kept secret. We knew our reputation would be damaged by the revelation, all the more so because we had not encrypted the credit card files. This was a failure on our part. As the founder and CEO of Stratfor, I take responsibility for this failure, which has created hardship for customers and friends, and I deeply regret that it took place. The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn’t grow with it. Again, I regret that this occurred and want to assure everyone that Stratfor is taking aggressive steps to deal with the problem and ensure that it doesn’t happen again.

From the beginning, it was not clear who the attackers were. The term “Anonymous” is the same as the term “unknown.” The popular vision of Anonymous is that its members are young and committed to an ideology. I have no idea if this is true. As in most affairs like this, those who know don’t talk; those who talk don’t know. I have my theories, which are just that and aren’t worth sharing.

I was prepared for the revelation of the theft and the inevitable criticism and negative publicity. We worked to improve our security infrastructure within the confines of time and the desire to protect the investigation by not letting the attackers know that we knew of their intrusion. With the credit card information stolen, I assumed that the worst was done. I was wrong.

Early in the afternoon of Dec. 24, I was informed that our website had been hacked again. The hackers published a triumphant note on our homepage saying that credit card information had been stolen, that a large amount of email had been taken, and that four of our servers had been effectively destroyed along with data and backups. We had expected they would announce the credit card theft. We were dismayed that emails had been taken. But our shock was at the destruction of our servers. This attack was clearly designed to silence us by destroying our records and the website, unlike most attacks by such groups.

Attacks against credit cards are common, our own failures notwithstanding. So are the thefts of emails. But the deliberate attack on our digital existence was a different order of magnitude. As the global media marveled at our failure to encrypt credit card information, my attention was focused on trying to understand why anyone would want to try to silence us.

In the days that followed, a narrative evolved among people claiming to speak for Anonymous and related groups. It started with looking at our subscriber list and extracting corporate subscribers who were now designated as clients. The difference between clients and subscribers is important here. A client is someone you do customized work for. A subscriber is simply someone who purchases a publication, unchanged from what others read. A subscriber of The New York Times is not its client. Nevertheless, some of the media started referring to these subscribers as clients, reflecting the narrative of those claiming to speak with knowledge of our business.

From there, the storyline grew to argue that these “clients,” corporate and government, provided Stratfor with classified intelligence that we reviewed. We were no longer an organization that analyzed the world for the interested public, but rather a group of incompetents and, conversely, the hub of a global conspiracy. The media focused on the first while the hacking community focused on the second.

This was why they stole our email, according to some of them. As one person said, the credit cards were extra, something they took when they realized they could. It was our email they were after. Obviously, we were not happy to see our emails taken. God knows what a hundred employees writing endless emails might say that is embarrassing, stupid or subject to misinterpretation. What will not appear is classified intelligence from corporations or governments. They may find, depending on what they took, that we have sources around the world, as you might expect. It is interesting that the hacker community is split, with someone claiming to speak for the official Anonymous condemning the hack as an attack on the media, which they don’t sanction, and another faction defending it as an attack on the rich and powerful.

The interpretation of the hackers as to who we are — if indeed that was their interpretation — was so wildly off base as to stretch credulity. Of course, we know who we are. As they search our emails for signs of a vast conspiracy, they will be disappointed. Of course we have relationships with people in the U.S. and other governments and obviously we know people in corporations, and that will be discovered in the emails. But that’s our job. We are what we said we were: an organization that generates its revenues through geopolitical analysis. At the core of our business, we objectively acquire, organize, analyze and distribute information.

I don’t know if the hackers who did this feel remorse as they discover that we aren’t who they said we were. First, I don’t know who they actually are, and second, I don’t know what their motives were. I know only what people claiming to be them say. So I don’t know if there is remorse or if their real purpose was to humiliate and silence us, in which case I don’t know why they wanted that.

And this points to the real problem, the one that goes beyond Stratfor’s own problem. The Internet has become an indispensable part of our lives. We shop, communicate, publish and read on it. It has become the village commons of the planet. But in the village commons of old, neighbors who knew and recognized each other met and lived together. Others knew what they did in the commons, and they were accountable.

In the global commons, anonymity is an option. This is one of the great virtues of the Internet. It is also a terrible weakness. It is possible to commit crimes on the Internet anonymously. The technology that enables the Internet also undermines accountability. Given the profusion of technical knowledge, the integrity of the commons is in the hands of people whose identities we don’t know, whose motives we don’t understand, and whose ability to cause harm is substantial. The consequence of this will not be a glorious anarchy in the spirit of Guy Fawkes, but rather a massive repression. I think this is a pity. That’s why I wonder who the hackers actually are and what cause they serve. I am curious as to whether they realize the whirlwind they are sowing, and whether they, in fact, are trying to generate the repression they say they oppose.

The attempt to silence us failed. Our website is back, though we are waiting for all archives to be restored, and our email is working again. Our failures have been reviewed and are being rectified. We deliberately shut down while we brought in outside consultants to rebuild our system from the ground up. The work isn’t finished yet, but we can start delivering our analyses. The handling of credit cards is being handed off to a third party with appropriate capability to protect privacy. We have acted to help our customers by providing an identity theft prevention service. As always, we welcome feedback from our supporters as well as our critics.

We are fortunate that we have the financial resources and staff commitment to survive the attack. Others might not. We are now in a world in which anonymous judges, jurors and executioners can silence whom they want. Take a look at the list of organizations attacked. If the crushing attack on Stratfor is the new model, we will not be the last. No security system is without flaws even if it is much better than Stratfor’s was.

We certainly expect to be attacked again, as we were last week when emails were sent out to members from a fake Stratfor address including absurd messages and videos. Our attackers seem peculiarly intent on doing us harm beyond what they have already done. This is a new censorship that doesn’t come openly from governments but from people hiding behind masks. Do not think we will be the last or that we have been the first.

We will continue to publish analysis and sell it to those who believe it has value. To our subscribers who have expressed such strong support, we express our deepest gratitude. To our critics, we assure you that nothing you have said about us represents a fraction of what we have said about ourselves. While there is much not to be proud of in this affair, I am proud beyond words of all my dedicated colleagues at Stratfor and am delighted to return our focus to analyzing critical international affairs.

To all, I dedicate myself to denying our attackers the prize they wanted. We are returning to the work we love, dedicated to correcting our mistakes and becoming better than ever in analyzing and forecasting how the world works.

* * * * *

By now, we have all seen TV and print ads by the hosting company giants 1and1, Go Daddy and Network Solutions that offer easy point-and-click websites for small businesses. Most of these allow a business owner to create either a free website, or one for a small initial fee and an ongoing rate of less than $50/month.

I just love it when I see how they twist things in their commercials. For example, in one advertisement, they give an example of a business website, say, Suzie’s Flower Shop. The ad goes on to show that now that they have a website, potential customers can find them easily when they search for ‘Suzie’s Flower Shop’. Really? If the potential customers already know the company name, and they’ve already decided to buy it from this company, why would they be searching for it by the exact name, unless they want to look at the products or perhaps look up the address?

These ads are doing a disservice to their customers by giving them a false sense of hope that once a business uses their services to create a free website, people will start flocking to their online stores. I know too many good people who have been burned by these services, because usually, by the time they realize that no one is coming to their websites, they have already lost 9-12 months or even more.

Here are some of the reasons why a professional website design and SEO company can provide a much better ROI (Return on Investment):

  • A professional web design and SEO company will take the time to learn about your business.
  • They will take the time to review your online marketing strategy.
  • They will conduct competitive analysis.
  • They will research and recommend appropriate domain name(s) for your business.
  • They will provide effective keyword research for your niche products.
  • They will create your website with SEO from the ground up.
  • They will create a website that can grow with your business.
  • An ethical website design company will create a business website that you can take with you, if you decide to move to another company.
  • They will provide ongoing maintenance, so a business can focus on what it does best.
  • They will help you monitor your internet marketing efforts and make adjustments as necessary.

These are just some of the benefits.

Here are some of the problems our clients faced when they had previously signed up with such services:

  • No guidance on appropriate domain names
  • No guidance on online marketing
  • No way to tweak the webpages for effective SEO tactics
  • No way to get to the code of the website for enhancements
  • NO PORTABILITY. You cannot move your website. If you decide to move, tough luck. You’ll have to start from scratch elsewhere.

The biggest problem is that by the time a business owner realizes what he/she is getting into, precious time has been wasted. It is not uncommon for realization to hit them 9-12 months down the road – time that could have been spent on building up their online business.

Having said that, there are definitely reasons why you would choose such services to make a free website:

  • You have a very small business – more like a part-time business that you run as a hobby.
  • Use these services to build an online presence on a temporary basis, while your main website is being designed.

In summary, don’t get trapped by these free website builders and offers to build cheap online marketing websites. Sure, it may cost you less up front, but are you really saving money? For example, if a well-designed and well-optimized website can bring an attorney 1 or 2 new clients per month, compared to no new clients with the free website, that could mean a potential loss of tens of thousands of dollars every month. Invest wisely in your business.


The ongoing saga with STRATFOR indicates that the computer security breach may have been more extensive than previously known, because their website is still down 10 days after the attack.

One would think that a respected, global security company should have been better able to keep their data secure. Unfortunately, this problem is more pervasive than one would admit.

First of all, it is important to understand that while the upper executives should be blamed, it is also important to look at the entire picture. Management executives are not generally involved in day-to-day technical security concerns. This is why they delegate this task to others such as CIOs or CTOs. It appears to me that one of these may have dropped their guard or become complacent. The people in charge of this should be removed immediately from their tasks until a full investigation has been completed.

I bet that right now, most people who are responsible for their computer security procedures are pretty smug about their own computer security model. Yet I am willing to bet that many of them have no clue about the day-to-day workings and how open they really are to computer security threats. There are way too many companies out there that believe that if they have a firewall, they don’t need any computer security procedures. They are often complacent about computer security threats. Here is an easy way to find out whether personally identifiable customer information is truly encrypted and secure: call up your QA Manager and inform him that you want to personally test some website features to become more familiar with them, and that you need a list of existing usernames and passwords, along with social security numbers and dates of birth, so you can simulate a customer. At this point it does not matter whether the information provided is from a production region or a systems and integration region. Real data is, after all, real data, no matter what region it resides in. If your QA staff is able to provide you with anything more than usernames, you probably have a problem. Under no circumstances should passwords be visible to ANYONE. Social security numbers and DOBs should be available on a very restricted basis. None of this info should be used to test. There are plenty of fake data generators out there that will provide fictitious data to play with.

Based on my experiences, there are probably 6 out of 10 companies that have some personally identifiable information for their customers available in plain text in some database, ready to be queried and misused.

Do yourself and your customers a favor. Go ahead and secure this data. Yes, it will be a little inconvenient for the QA staff and developers, but that can be easily remedied. Loss of customer faith is not easily repaired.
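The "ask QA for passwords and SSNs" test above can be turned into an automated check over a record dump, and the fix it points to (passwords that exist only as salted hashes, SSNs reduced to the last four digits plus a keyed lookup index, and fictitious data for QA) can be shown in the same place. The following is an added example written for this post, not code from the original or from STRATFOR or any vendor. The records, usernames and the 32-byte index key are constructed placeholders; the PBKDF2 iteration count is an assumption to tune to your hardware; and the synthetic SSNs use area numbers 900-999, which the SSA does not issue, so they are recognisably fictitious. Full at-rest encryption of the SSN and DOB fields needs a proper encryption library and key management and is not shown here.

```python
import hashlib
import hmac
import os
import random
import re
from datetime import date, timedelta

PBKDF2_ITERATIONS = 200_000  # assumption: raise as your hardware budget allows
SSN_RE = re.compile(r"^(\d{3})-\d{2}-\d{4}$")
HASH_RE = re.compile(r"^pbkdf2_sha256\$\d+\$[0-9a-f]{32}\$[0-9a-f]{64}$")
INDEX_KEY = b"\x01" * 32  # constructed placeholder; keep the real key outside the database


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. The stored string cannot be turned back into the password,
    which is what makes 'give me the password list' impossible to satisfy."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def protect_ssn(ssn, index_key):
    """Keep only the last four digits for display plus a keyed blind index for exact-match
    lookups. Without index_key the tag cannot be brute-forced back to the nine digits."""
    digits = ssn.replace("-", "")
    tag = hmac.new(index_key, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return {"ssn_last4": digits[-4:], "ssn_index": tag}


def audit_records(records):
    """The post's QA test, automated: return (username, issue) for every field that a
    curious insider with database access could simply read."""
    findings = []
    for rec in records:
        if not HASH_RE.match(str(rec.get("password", ""))):
            findings.append((rec["username"], "password readable in plaintext"))
        match = SSN_RE.match(str(rec.get("ssn", "")))
        # 9xx area numbers are never issued, so such values are fictitious test data, not PII
        if match and int(match.group(1)) < 900:
            findings.append((rec["username"], "real-format SSN readable in plaintext"))
    return findings


def synthetic_customers(n, seed=0):
    """Fictitious QA records: 9xx-area SSNs, plausible DOBs, hashed passwords. Nothing is real."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        ssn = "%03d-%02d-%04d" % (rng.randint(900, 999), rng.randint(1, 99), rng.randint(1, 9999))
        dob = date(1950, 1, 1) + timedelta(days=rng.randint(0, 365 * 50))
        out.append({"username": "qa_user_%d" % i,
                    "password": hash_password("qa-pass-%d" % i),
                    "ssn": ssn, "dob": dob.isoformat()})
    return out


# Constructed example records (not real data): alice is stored the way the post warns
# against, bob the way it recommends.
BAD_RECORDS = [
    {"username": "alice", "password": "hunter2", "ssn": "123-45-6789", "dob": "1970-02-03"},
    {"username": "bob", "password": hash_password("correct horse"),
     "dob": "1981-11-30", **protect_ssn("123-45-6780", INDEX_KEY)},
]

if __name__ == "__main__":
    for user, issue in audit_records(BAD_RECORDS):
        print("%s: %s" % (user, issue))
    print("synthetic QA set findings:", audit_records(synthetic_customers(3, seed=1)))
```

Running the audit against the constructed set reports both of alice's fields and nothing for bob; running it against the synthetic QA set reports nothing, which is the state the post is asking for: QA can have realistic-looking records to work with, while a request for real passwords or SSNs has nothing to return.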