7.1.12

Antisec Bitch Slaps Stratfor




ANONYMOUS
2011 is over and what a chaotic year it's been: brutal tyrants and inept dictators were overthrown while multinational corporations and lazy security contractors were systematically targeted for embarrassment and elimination. Was it the year of protests, occupations, revolutions? The year of the hacktivist? Looking back, we’re not quite sure what the hell it was, but we certainly had lots of laughs contributing to the mayhem by owning pretty much anything and everything we wanted to.

Did you enjoy looting and plundering the pocketbooks of the rich and powerful during Lulzxmas? Did you enjoy using and abusing the personal emails and passwords of feds and corporate executives? How about all those "Law Enforcement Sensitive" documents stolen from NY police chief emails? And that epic cslea.com defacement on New Years Eve? Yes, many lulz were had during this past week, and rest easy fellow pirates, that was only a taste of the chaos to come.

We're ringing in the new year with another exciting #antisec zine release, and this is a big one. Lots of servers were rooted and rm'd. More than a few clueless sysadmins had their .bash_history and mail spools spilled. A lot of cops got doxed — shit, with all the live passwords being dropped here one could easily own police departments in nearly every U.S. state.

To match this truly epic hacking spree, we also had to go on an epic shopping spree. In an act of loving egalitarian criminality, we used company credit cards to make donations to dozens of charities and revolutionary organizations, including the Bradley Manning Support Organization, the EFF, the ACLU, CARE, American Red Cross, Amnesty International, Greenpeace, some commies, some prisoners, various occupations, and many more unnamed homies. It took weeks of hard work, but it paid off: to the tune of over $500,000 liberated in total. Some examples we publicized were eventually returned; other payments made more discreetly were confirmed to have been received and changed to hard cash. Of course, we had to engage in some pranks as well. What’s life without a little laughter at the expense of the 1%? We sent Pop-Tarts to the sysadmins with the hopes they would appreciate the humor. We also transferred to ourselves some form of anonymous currency that can't be traced or returned. Maybe we even sold or traded some of these cc dumps and password lists with other black hat comrades for botnets and 0days. Fuck 'em if they can't take a joke!

While we attacked the institutions of capitalism, it would only make sense to attack those who enforce it, the inherently oppressive protectors of property and purveyors of social control; the pigs, the fuzz... the police. Do you remember a month ago when the mayors of over eighteen major cities in the U.S. collaborated with the swine to launch a coordinated attack on Occupation sites? The indiscriminate, and unprovoked, arrest and brutalization of thousands of protesters? We the 99% face an endless cycle of evictions and layoffs, while the powerful elite laugh all the way to the bank, comforted by their lucrative federal contracts and billion dollar bailouts. All our lives we have been robbed blind, and now it's time to start pointing our guns in the right direction.


In retaliation for this unprovoked, premeditated police-state brutality, we executed our own raid against New York and California police targets. And no, we will not be using pepper spray or tasers: we'll leave that for the boys in blue. Did you think we forgot? Did you think we would let you kick us out of our parks, teargas us, send veterans to the hospital, and conspire with other police forces to repress our uprising? We do not forgive, we do not forget: our vengeance will swallow you whole, and we will shit you out into a place more hellish than the prisons you fill.

On New Year's Eve, while our revolutionary comrades brought the noise to the front of jails across the world in support of the incarcerated, we were opening fire on the websites and emails of the 1%, publishing stolen information from police departments in both California and New York. From coast to coast we lulzed as we hit the top police chiefs: skimming their private email and Facebook accounts, blissfully abusing their internal law enforcement portals, and making off quick with their private documents which we then published on tor hidden services and BitTorrent. Finally, we defaced their websites and rm'd their servers, live on IRC and Twitter for the whole world to see.




While we attacked police targets, we also decided to go after their supply chain. We bring you the full story of how we gutted the military and law enforcement equipment supply store, SpecialForces.com. Truth be told, we had been keeping quiet about this particular target for a time while we lived large off its pillaged goods. However, just prior to this release, a former member leaked the cleartext password lists, and some media picked up on it. Now that the jig is up, the full story of this owning can be told. To top this target off, we threw in some credit cards and home address info to thousands of their mostly military and police customer base. Hope they don't mind. Just kidding.

We're calling upon all allied battle ships, all armies of darkness, to rise up and use and abuse all the personal information of these tyrannical agents and supporters of the 1%. You wanted lulz? With the sheer amount of passwords, credit cards, and mail spools we plastered all over the internet, you can guarantee that the richest and most powerful people will continue to get owned hard well into 2012.
In this release, we will detail the lulzy and agonizing death of Stratfor.com, a premier "global intelligence" company out of Austin, Texas. Long story short, they got owned hard. Really hard. The sheer amount of destruction we wreaked on Stratfor's servers is the digital equivalent of a nuclear bomb: leveling their systems in such a way that they will never be able to recover.

We rooted box after box on their intranet: dumping their mysql databases, stealing their private ssh keys, and copying hundreds of employee mail spools. For weeks we used and abused their customer credit card information (which was all stored in cleartext in their mysql databases), eventually dumping all 75,000 credit cards and 860,000 md5-hashed passwords of their "private client list".

And if dumping everything on their employees and clients wasn't enough to guarantee their bankruptcy, we laid waste to their webserver, their mail server, their development server, their clearspace and srm intranet portal and backup archives in such a way that ensures they won't be coming back online anytime soon.



"But why Stratfor?!" came the cries from many butthurt customers, right wingers, confused pacifists, and many others who have never even heard of Stratfor until we blasted their asses off the internet.

Now those who are already familiar with Antisec know we have always had a burning hatred for the security and intelligence industries (especially private companies with lucrative federal contracts).

After all, these white hat "professionals" work for the corrupt governments and multi-national corporations to develop and protect technology that allows the oligarchical elite to better monitor and repress the general public while plotting for global financial and military dominance. They protect their assets and systems, while providing "accurate" and "non-ideological" intelligence and risk forecasts which the rich depend on to maintain global market stability.

Bet they didn't see this coming. Should have expected us. We found out that just like the cracks in the armor of global capitalism, their professional looking website was vulnerable as hell. Despite all their expensive degrees, meaningless certificates, and padded resumes of the elite, they remain woefully clueless in all matters related to security.

Besides the internal email correspondence between Stratfor and their "private clients" (which are sure to be quite revealing and embarrassing), what we were really after was the names, addresses, passwords, and credit cards to their customers.

Who really pays $39.95 a month for daily right-wing political spam and access to a shitty drupal site?

The DHS, FBI, Army, Navy, Bank of America, Raytheon, BAE, Lockheed Martin, Merrill Lynch, BP, Chevron, Monsanto, KBR, Booz Allen Hamilton, Microsoft, International Monetary Fund, and the World Bank are just a few on this list made up of the mightiest corporations and government institutions that exist.

We shook the rotten tree of Stratfor and some ugly ass ducklings tumbled out: notorious war criminals Henry Kissinger, Paul Wolfowitz, ex-Vice President Dan Quayle, former CIA director Jim Woolsey, and many, many more.

Australian billionaires Malcolm Turnbull and David Smorgon? They're on it. So is Nick Selby from "Police Led Intelligence" who advises pigs on how to secure their systems. Fuck, even notorious white hat right-wing snitch Thomas Ryan from "Provide Security" is up in this shit. And we're really asked why we hit Stratfor!?


About the only person we felt bad about doxing was Harry Shearer. Besides the massive headaches these rich scumbags will have to go through to try to recover all their ill-gotten cash, the password information in these databases will ensure many future ownings of the 1%.

So we decided to dump it all - not only because we wanted to share the lulz with everybody, but because we wanted to bring absolute mayhem upon the exploitative capitalist system that Stratfor and its clients perpetuate. Suckaa!!!

The question is, will Stratfor ever recover? If they manage to clean up the remains of their charred servers, analyze the source of the breach and attempt to put up new websites with the hopes we won't be back for more, will they ever survive as a corporation? Who will trust them ever again? How are their customers going to feel when they realize how hard they've been owned? Will anyone ever take their analysis and risk predictions seriously again? We're excited to hear all the embarrassment and controversy that will ensue in the fallout of this epic death of a corporation, but we'll let the researchers and journalists handle all that.

We don't normally give out security advice, but here's some for free: next time, consider running a free service.

/************************************************
*** HILARIOUS QUOTES FROM OWNED SYSADMINS !!! ***
************************************************/

// TO KICK IT OFF, SOME INSPIRING WORDS OF WISDOM FROM IT MANAGER FRANK GINAC:
"You do realize how preposterous it is to suggest that stratfor simply shutdown completely for 2 days, right? The plan that you've attached paints a gloom and doom picture claiming no chance that such a move will succeed. Does that really seem a rational conclusion?"

// YOU DONT EVEN KNOW THE EXTENT OF THE GLOOM AND DOOM WE HAVE PLANNED, FRANK
"Attended the TakeDownCon security conference. Focus of the conference was on wireless and mobile security. No vendors pushing product or service at this conference. Instead, great presentations by renowned white hat hackers (good hackers) and security experts. Bottom line is that no mobile platform is secure, including the Blackberry, but there are best practices that minimize the risk of their use within the enterprise. We will be incorporating these best practices in our operation over the coming months."

// INCORPORATING PRACTICES FROM "GOOD WHITE HAT HACKERS"? HOW'D THAT WORK OUT?
"It blew my mind to discover that our email server backups are being stored on the same physical server. I'm affectionately referring to these little discoveries as 'Mooney turds'."

// SO SAD WE RM'D YOUR MAIL SERVER AND ALL BACKUPS, FRANK
"Most if not all of us use professional and social networking sites like LinkedIn and Facebook. All offer levels of privacy ranging from wide open where everyone can see your profile, activities, and posts to closed allowing only your immediate connections (or friends) access. As a private intelligence company we must all take extra care to protect our personal information from those who would use that information to exploit us personally or professionally. Although we don't have hard and fast rules on how to set your privacy settings nor do we restrict use of such sites, I suggest that you temper your need to share with prudence and consider the business that we are in. It's also important to check your privacy settings regularly to ensure that the sites you use haven't changed the meaning or scope of privacy settings -- we've all heard or read the news regarding this practice at Facebook. I suggest that you never include any information in your profile -- regardless of privacy setting -- that could be used to compromise your identity. Specifically, never include: your birth date, your exact street address (although this information can usually be found on the web quite easily), your cell phone number, SSN or other government issued ID number (that should be obvious), or any other information that someone could use to compromise your identity if your account were compromised."

// EVEN WITH ALL THE BEST SECURITY PRACTICES LEARNED FROM THE "RENOWNED WHITE
// HAT HACKERS" WE STILL MANAGED TO STEAL ALL YOUR PERSONAL INFORMATION. UMAD?
//
// Frank Ginac CC Number: 376792323491009 Expiration: 5/2014 CVV: 9385
// Pass (md5): 6c0e721556401ce239ad454e83f0dc60
// Phone: 512-788-3882 Address: 7901 Bee Caves Road #23 Austin, Texas, 78746

"I've called IT again, about both email problems and the fact that the site's down again. There's a ghost in the machine, apparently. It's been a crazy night. Cheers! " // ^ UJELLY, MITNICK?




// THE SENIOR PROGRAMMER KEVIN GARRY GETS WIND SOMETHING AINT RIGHT
"just logged into prod and seeing this in logs (/var/logs/php/php.log)
[06-Dec-2011 20:33:04] PHP Fatal error: Call to undefined function myshellexec() in /var/www/vhosts/www.stratfor.com/includes/common.inc(1707) : eval()'d code on line 11
last shows a lot of concurrent autobot users - rsyncing get hosed up maybe? df on prod seems fine. can we get a full list of any recent changes please"
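The log line Kevin quotes is the kind of entry a defender wants an alert on: PHP reports the error as coming from "eval()'d code" at a given line of common.inc, which means the failing code was a string evaluated at runtime, not the file's own source. The following parser is an added example (not code from the zine or from Stratfor's systems): it pulls that origin marker out of php.log entries and counts the eval sites so a reviewer knows which file and line to read first. The log lines, hostname and paths are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample php.log lines (not taken from any real system), modelled on the
# "eval()'d code" fatal error quoted in the mail above; host and paths are placeholders.
SAMPLE_LOG = """\
[06-Dec-2011 20:31:55] PHP Notice: Undefined index: page in /var/www/vhosts/www.example.com/index.php on line 42
[06-Dec-2011 20:33:04] PHP Fatal error: Call to undefined function myshellexec() in /var/www/vhosts/www.example.com/includes/common.inc(1707) : eval()'d code on line 11
[06-Dec-2011 20:40:12] PHP Warning: file_get_contents(): failed to open stream in /var/www/vhosts/www.example.com/modules/feed.php on line 88
[06-Dec-2011 20:41:30] PHP Parse error: syntax error, unexpected '}' in /var/www/vhosts/www.example.com/includes/common.inc(1707) : eval()'d code on line 3
[06-Dec-2011 20:45:09] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted in /var/www/vhosts/www.example.com/includes/database.inc on line 512
"""

# One php.log entry. The optional "(N) : eval()'d code" suffix marks an error raised by
# a string that was eval()'d at line N of the named file, not by that file's own source.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?): (?P<msg>.+?) in (?P<file>\S+?)"
    r"(?:\((?P<eval_at>\d+)\) : eval\(\)'d code)? on line (?P<line>\d+)$"
)


def parse_php_log(text):
    """Parse php.log text into dicts; lines that do not match the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = m.groupdict()
        ev["from_eval"] = ev["eval_at"] is not None
        events.append(ev)
    return events


def eval_errors(text):
    """Entries whose origin is eval()'d code rather than a file on disk."""
    return [ev for ev in parse_php_log(text) if ev["from_eval"]]


def eval_sites(text):
    """Count eval errors per (file, eval line): the places a reviewer should read first."""
    return Counter((ev["file"], ev["eval_at"]) for ev in eval_errors(text))


if __name__ == "__main__":
    for ev in eval_errors(SAMPLE_LOG):
        print(f'{ev["ts"]} {ev["level"]}: {ev["msg"]}  <- eval() at {ev["file"]}:{ev["eval_at"]}')
    print(eval_sites(SAMPLE_LOG))
```

Run it against a real php.log and the interesting question is not the error text but the eval site: what string reached eval() at that line, and where did it come from (a content filter, a template, a modified include). A site that never calls eval() legitimately should produce zero such entries, which makes the count itself a cheap alert condition.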

// BETTER CALL UP OUR TALENTED NEW SYSADMIN NICK GERON
"Re: changes between 3:15a and 4:30a? Major changes in the cabinet. Please send any IP/hostname/dns/whatever weirdness you see my way and I'll try and track it down. Been fighting this cabinet all night. -Nick"

// HOT ON OUR TRAIL!! HAVE WE BEEN DISCOVERED?
"On Dec 9, 2011, at 22:16, Nick wrote:
> Due to an as yet undetermined cause, there was a significant amount of load on www this evening starting sometime after 6:55PM (first alerts just before 7). Cacti graphs for memory and traffic on www and db2 do not indicate that there was an increase in demand. The only anomalous data point is the increase load/queued processes reported. Unfortunately, I have yet to have time to get detailed diagnostic monitoring up and running, otherwise I would likely have been able to pin down the source. Logs may yet reveal something worthwhile.
>
> Once on the system, I discovered apache processes were consuming the majority of CPU and RAM resources - so much so that the host was swapping heavily. After an apache restart, load quickly dropped to normal levels. This is unlikely related to a (D)DoS attack due to the rapid recovery following the restart and the lack of abnormal traffic patterns.
>
> Inspection of the logs revealed that a local process initiated an initialization script driven restart several times. This led me to another Mooney easter egg. There is a script (/root/apacheup.sh) configured to grab robots.txt from the site via wget and if it fails, will stop/kill and start apache. Looking at the times for this scripted activity shows that they line up with nagios reports that the site was down. There is some question in my mind if the way the script is written could have left orphaned processes around, which after three cycles sapped all available resources. That needs more thought. It's hard to say definitely without more evidence.
>
> -Nick"

// NICK'S SECURITY ANALYSIS: WHEN IN DOUBT, MAKE SHIT UP AND BLAME SOMEONE ELSE
"At 10:00 AM Central on Friday (12/16), you will be required to reset your email password. This process will take just a few moments and it is a task you can perform on your own. Follow the procedure below:"

// TOO BAD WE ALREADY COPIED ALL 160GB OF YOUR MAIL SPOOLS,
// BUT THANKS FOR THE HEADS UP WE'LL BE SURE TO CAPTURE THE PLAINTEXTS !!

"-------- Original Message --------
Subject: Re: User accounts on website
Date: Wed, 7 Dec 2011 13:05:32 -0600 (CST)
From: Kevin Garry
To: Frank Ginac
CC: Nick Geron

both are stored in the database.
usernames are plain text, passwords are one-way md5 encrypted.
employee accounts are treated the same as subscribers in the current (intranet+billing+consumer setup)

thanks
__________________________________
Kevin J. Garry
STRATFOR, Sr. Programmer
ph: 512.507.3047
em: kevin.garry@stratfor.com

----- Original Message -----
From: Frank Ginac
To: Nick Geron , Kevin Garry
Sent: Wed, 07 Dec 2011 12:56:18 -0600 (CST)
Subject: User accounts on website

How do we store user login info for accounts on the website? Are usernames and passwords stored in the db? Are passwords encrypted? What about employee accounts?

// ONE WAY MD5 YOU SAY, KEVIN?
// Password: L!@u21c3 CC Number: 4744720059117396 Expiration: 8/2013 CVV: 463
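Kevin's "one-way md5 encrypted" and the later detractor's suggestion of "SHA1 instead of MD5" describe the same weak design: a fast, unsalted digest of the password. The example below is added here and is not code from the zine or from Stratfor; it puts that scheme beside a salted, slow one (PBKDF2-HMAC-SHA256 from Python's standard library, with an iteration count chosen for this example) and includes the check an auditor can run on a dumped table without cracking anything: counting rows that share an identical stored value. The user table is constructed and fictional.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# --- the weak scheme the mail thread describes: a single unsalted MD5 ----------------

def md5_store(password):
    """Store a password as the mail describes it: one unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password, stored):
    return hmac.compare_digest(md5_store(password), stored)


# --- a sane scheme: per-user random salt plus a deliberately slow KDF ----------------
# PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumption
# chosen for this example, not a value from the page.

ITERATIONS = 200_000


def kdf_store(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a fresh 16-byte salt."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def kdf_verify(password, stored):
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- an auditor's check on a dumped table: shared hashes reveal shared passwords -----

def shared_hash_groups(records):
    """Group usernames by identical stored value; only unsalted schemes produce groups."""
    groups = defaultdict(list)
    for username, stored in records:
        groups[stored].append(username)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed user table (fictional users and passwords, not data from the page).
USERS = [("alice", "winter2011"), ("bob", "winter2011"), ("carol", "correct horse battery")]


def audit(store):
    """Number of user groups whose stored values collide when stored with `store`."""
    table = [(u, store(p)) for u, p in USERS]
    return len(shared_hash_groups(table))


if __name__ == "__main__":
    print("md5    shared-hash groups:", audit(md5_store))  # alice and bob are indistinguishable
    print("pbkdf2 shared-hash groups:", audit(kdf_store))  # salts make every row unique
```

The duplicate-group count is the point: with unsalted MD5 (or unsalted SHA1) every user who picked the same password gets the same stored value, so one recovered password unlocks all of them and precomputed tables apply to the whole dump. With a random per-user salt and a slow KDF, identical passwords produce different rows and each guess has to be computed per user.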

/* FACEBOOK HILARITY!!! *******************************************************/
Shortly after news articles came out about Stratfor's destruction and their customers started to realize how hard they'd been owned, hundreds of angry customers rushed to Facebook to rage. Many were rightfully mortified that a self-described intelligence corporation could fail so hard at protecting its customer information. The second irony came when those customers who had some harsh words for Anonymous found out the hard way that posting under their real names maybe wasn't such a good idea.

"STRATFOR
Dear readers,
It's come to our attention that our members who are speaking out in support of us on Facebook may be being targeted for doing so and are at risk of having sensitive information repeatedly published on other websites. So, in order to protect yourselves, we recommend taking security precautions when speaking out on Facebook or abstaining from it altogether. // TLDR: WE CANNOT PROTECT YOU

We thank you so much for your support during this situation - it has helped to make Stratfor what it is today. Keeping you and your information safe is our number one priority." // SHOULD HAVE EXPECTED US

Victor Gebilaguin: "The hackers ought to be shot then hanged upside down in public."

Name: VICTOR A GEBILAGUIN
CC Number: 4055984392110004
Expiration: 2/2013
CVV: 101
Username: vgebilaguin@gmail.com
Pass (md5): 3f31469d10163c60620d48698f3445e2
E-mail: vgebilaguin@gmail.com
Address:
Name: Victor Albert Gebilaguin
Phone: 63324911214
Address: B1 L5 Ruby St Countryside Homes
Lawaan III
Talisay City, Cebu, 6045 Philippines

David Anderson: "@Brian Houston...I bet most of these people don't even know what Stratfor does, they are just getting links from Twitter and spreading some hate because that's what their "leaders" are telling them to do. Way to think freely, and openly - lemmings."

David Anderson: "@Seb... Nice selective observation and added distortions. Clever, yet completely unfounded. And, what exactly is going to change for me? How did this help? What exactly was accomplished? Nothing. Absolutely nothing. Nice veiled threats as well. You guys are unbelievable."

David Anderson: "Justin, answer the question: Where do you get your information? I am talking about getting news and information...where do you get yours?"

Name: David A Anderson
CC Number: 4873010000171400
Expiration: 5/2013
CVV: 655
Username: anderson@gkccf.org
Pass (md5): 2ae2d5290154402d28a80321e15d3463
E-mail: anderson@gkccf.org
Address:
Name: David Anderson
Phone: 8167922550
Address: 5 Westowne St, Ste 500
Liberty, Missouri, 64068 United States

Jim Erickson: "i saw what they posted before stratfor took it down. lots of talk about quitting work, joining communes and insurrection. pretty childish stuff."

Name: James J Erickson
CC Number: 4121262344022290
Expiration: 2/2012
CVV: 405
Username: jimerickso@gmail.com
Pass (md5): a3bdce32679619b31f45f8a22357a068
E-mail: jimerickso@gmail.com
Address:
Name: James Erickson
Phone: 5156890237
Address: 1412 Indiana Avenue
Ames, Iowa, 50014 United States

Roger W. Isom: PUNKS and CANNIBALS!!! that is EXACTLY what the GROUP ANONYMOUS STANDS FOR.... I'd have NO TROUBLE FEEDING THESE DUDES STRAIGHT to the GREAT WHITES for a feeding FRENZY!!!

Roger W. Isom: THESE thugs ANONYMOUS are the typical SUPPORTER of the ASSAD REGIME in SYRIA and THE LOONS in TEHRAN....Their LEADERS need to be IDENTIFIED then GIVEN TO THE PEOPLE OF SYRIA.... LET THE SYRIANS HANDLE THESE FREAKS THEMSELVES!!!

Roger W. Isom: They need to be HURT and HURT BAD!!!!I put Anonymous in league with POL POT.... and I view SUPPORTERS of that group JUST AS POL POT nothing MORE!

Roger W. Isom: I do NOT feel sorry for ANOYMOUS getting MUGGED in PUBLIC....

Roger W. Isom: ANONYMOUS BE PREPARED!!!! HACKING IS A TWO WAY STREET!!!!! and YOU CAN BE BURNED!!!!! WHEN YOUR SECRETS are EXPOSED how'd YOU FEEL looking like a PEDOPHILE THAT JUST GOT CAUGHT IN THE ACT?????????? HEY at that point.... I WALK!!!

Roger W. Isom: ANONYMOUS.... BE WARNED!!!!!!!

John Anon: "As a non-professional subscriber to Stratfor I can say to Anonymous: suck my ass. If we ever cross paths you will have no quarter. You people are leeching ass-suckers and will pay the price."



// OK WE HEARD ENOUGH FROM STRATFOR'S SUPPORTERS... NOW THEIR DETRACTORS:
"Honestly: keeping your client info (no matter how current), with no additional safeguards (eg. SHA1 instead of MD5 for passwords, a feature that even MySQL provides) is completely reckless. Every halfway decent web coder (meaning: not your nephew) would do better."

"Stratfor needs to pay, they may have broken the law, at best they were reckless jerks who couldn't secure a hammock. Either way anyone defending them on here is really pathetic. YOU KNOW WHO YOU ARE."

"The news is reporting that only folks who bought publications had their data stolen. This is hogwash. As a subscriber since the beginning, I have never bought anything other than the service. And now my data has been compromised through what looks more and more like extremely shoddy business practices -- non-encryption of data, careless storage, etc. This reflects poorly on your entire business model and I will be reviewing carefully whether or not I renew in the future."

"You've been shown exactly what happens when you make claims that are false - you will be embarrassed by those with actual talent. I hope all your customers drop you, as your fail was one of capitalism; it's cheaper not to upgrade security and encrypt users' data, so you cut corners to make a profit. I understand, but do your customers?"

"Yeah, just what you need when you get up on Dec. 25th, two hours on the line with AMEX trying to get a human to get your card killed before some prickly fourteen-year old script kiddie buys boatloads of certain implements intended for specifically female orifices, typically pink, to send to your house..."

"And it's hilarious a company with links to MNC, the UN and gov't agencies is relegated to posting on facebook to tell the world about their problems like a 15 year old girl ahahahah"

"Some of which have been compromised the past week. ALL have which canceled their memberships."

"You'd be better off switching to mall security advisory work."

"hey you heard that NWA TRACK - Strat OTTA LULZVILLE. lol"

// SECURITY ADVICE FROM OUR WHITE HAT ENEMIES
// KEVIN MITNICK WHORES HIS CONSULTING COMPANY ON AL JAZEERA ENGLISH

AJE: For more on this, I'm joined from Las Vegas by Kevin Mitnick, he's a computer security consultant and a former hacker. Thanks for joining us. So how do s-
Mitnick: Thank you for having me on your show.
AJE: Sure. So how do security breaches like this happen Kevin?
Mitnick: They're constant, and, uh, I think it really illustrates that there are a lot of companies out there that are still the low hanging fruit, and in this particular case, allegedly Stratfor's website was compromised, which likely means that there was a web application that was internet-facing that wasn't secure.
AJE: So can companies put any systems in place to ensure something like this doesn't happen again?
Mitnick: Definitely, there are security products but more importantly there is security testing. I don't believe Stratfor has done the proper security testing, and that's by hiring companies to do what is called penetration testing, I mean I've been doing penetration testing for years, and I have a 100% success rate. So it really shows there's a lot of low hanging fruit...
AJE: Ok now, you're a former hacker. Help us understand, why do you think it was that Anonymous went after big business?
Mitnick: Well, who really knows if it's Anonymous, I mean one group can be claiming they are Anonymous to steal credit card information to make the real Anonymous look like it is doing it. So we don't really know who did it, but it's obviously to get media attention, that's what I think the goal is here, and it's causing a huge mess because what happens when they use a credit card, uh, fraudulently, what happens is the merchant has to do a thing called a chargeback, and it's very costly and time uh, and it's very time consuming.

// ONCE AGAIN MITNICK USES OUR HACKS TO GET MEDIA ATTENTION TO ADVERTISE HIS
// PATHETIC SECURITY CONSULTING. DAMN HOW MANY TIMES DO YOU HAVE TO GET OWNED?

CNN: KEVIN MITNICK'S SECRET WEAPON FOR AVOIDING JAIL: TALKING TO COPS
Of course, Mitnick isn't wearing the accessory with any expectation that he will ever be arrested--he's a security consultant, speaker and author (his memoir, "Ghost in the Wires," came out last year and is a fun read). For him the bracelet is mostly a novelty and a bit of an inside joke, much like the version of his business card that doubles as an aluminum lock-pick kit. Plus he likes the "Harry Houdini" aspect of it, having been fascinated with magic since he was a child. "I show it to cops. It's a conversational piece," he said of the bracelet in a recent interview.

// NICK SELBY FROM POLICELEDINTELLIGENCE.COM GETS DOXED
"To summarize, on Christmas Eve, the illegal hacking group AntiSec/Anonymous announced that it had taken down the STRATFOR server, and made claims about some 200GB of email, along with a private list of STRATFOR customers, and credit cards used to pay for the STRATFOR commercial intelligence services. These services are provided to individuals, businesses and government agencies, and the price starts at around $99 annually.
Yesterday evening, STRATFOR put out a quick email to its customer base saying, essentially, “Holy crap, we been Pwnz0r3d!”. But this was really good and fast action on STRATFOR’s part. In fact, they did very well ... This is great: they took responsibility for investigating and scoping, and the implication is that, regardless of how it happened, STRATFOR was standing behind its customers. It’s cheap to do, but it means a lot and ultimately presents a potentially huge liability – they were clearly aware of this when they stated this."



// CAN'T MAKE UP YOUR MIND? NICK GETS PERSONAL ...
“With That Revealing Shirt? He Was Just Begging to be Hacked.” Blaming The Victim in the STRATFOR Hack
In the days since the STRATFOR breach, I initially gave the firm high marks in communicating with its user base after idiotically allowing all their data go bye-bye. I’m going to modify that stance a bit in another post – I now see that they have in fact fallen very short of what they could have done in some serious and substantive ways. I list one way below.
But in this post I am mainly speaking to the Information Security Digirati, the suckholes in the opinion bubble who have used the opportunity to become, to paraphrase J. Frank Parnell, ‘half-baked goggle-boxed do-goodies telling everyone that the reason they lost their credit cards was because they didn’t use an @ in their password.’ This is the same school of thought which makes everyone hate information security: “Security must be working because everything sucks, it’s hard to use and a pain in the ass.”
The reason that the STRATFOR breach occurred had absolutely nothing to do with users using STRATFOR or password or other forms of stupid passwords. The reason was that STRATFOR spent no time or energy on its information security, were bad stewards of my data and broke industry standards and guidelines as to the protection of specific data such as passwords, credit card numbers and personally identifiable information of its members. It systematically refused to address core, fundamental problems, despite claiming expertise in cyber OSINT.
That has nothing to do with my password strength, ace.

Nick Selby
CC Number: 4388576036478199 Expiration: 5/2012 CVV: 638
Username: nick.selby@tridentrm.com cracked: vg9nas
Pass (md5): 5f68e911423d3dbe46b40d075efc7dbe
E-mail: nick.selby@tridentrm.com
Name: Nick Selby Phone: 5186724784
Address: PO Box 61 / Philmont, New York, 12565 United States
CC Number: 372733586691004 Expiration:3/2012
Username: nselby Pass (md5): 5f68e911423d3dbe46b40d075efc7dbe vg9nas
E-mail: nick.selby@gmail.com
Name: Nick Selby Phone: 34767582795
Address: 207 Washinton St Ste 470794 / Brookline Village, MA, 02447

MIKKO @ F-SECURE.COM:
At the first glance, actions like this look a bit like the actions of Robin Hood — steal from the rich, give to the poor. But unfortunately, in this case the poor won't get a dime. These anonymous donations will never reach the ones in need. And in fact, these actions will just end up hurting the charities, not helping them. Merry Christmas.
// THE GRINCH WHO STOLE LULZXMAS

BY GREGORY W. MACPHERSON COMPUTER SECURITY EXPERT, CISSP, ETC.
"One would like to think that people who boast of academic, government, or military credentials would be more cognizant of their responsibility to protect the privileged information entrusted to them, but apparently they too, despite their august credentials, are idiots when it comes to authentication credentials and the management thereof ... For those sites which rely solely on the arcane userid and password combination, I suspect that this holiday season was less than merry as their security staff worked late to try and head off the inevitable compromises that would result after dozens of credentials were published."
// FINALLY SOMEONE GETS IT

RICHARD STIENNON, INFOSECISLAND.COM
"The most painful lesson the Stratfor hack is about to demonstrate is the importance of email security. The Anonymous member who appears to be taking the lead in this attack against Stratfor has already posted to reddit.com that they will be recruiting volunteers to analyze the 3.3 million emails they stole from Stratfor. These emails have the potential for embarrassment and real harm that could equal the infamous State Department leak. One last point. A quick scan of the 28,517 leaked email addresses reveals the conspicuous absence of any addresses belonging to .gov and .mil. Were there none, or does Anonymous have plans for those? My only prediction for 2012: it is going to be a very interesting year."
// SOMEONE GETS IT



KRYPT3IA:
"Another oddity has always been the LulzSec/Antisec logo. It always came off as being effete and French. This connection now with the Tarnac 9 and the Coming Insurrection now kind of makes sense to me. Could it be that there are some core members here who have a background with the movement from France and all that surrounds it post their arrest in 2008? More so, one wonders just how many of the followers within AntiSec/LulzSec are in fact Anarchists with a penchant for all of this?"
// THEY R ON TO US

J.R. DUNN, AMERICANTHINKER.COM
"This intrusion went quite a bit farther than most -- the Guy Fawkes boys actually managed to extract funds (a reported $500,000 worth) from Stratfor's clients (whom the company insists on calling "members"), which they then gave to charities. The humiliation here is total, and Stratfor will be lucky to survive. But should it? ... For example, assertions that Stratfor was manipulating its information to support certain agendas. (I was once told by an individual involved in the company that they were taking a certain stance concerning the Gulf War because his daughter was serving as a naval officer in the Persian Gulf. This kind of thing is understandable but not excusable.) But all that is secondary to the simple, undeniable fact of the break-in. That alone puts Stratfor in the clown car with an orange wig and two-foot-long shoes. There are plenty of ways an organization can go wrong and recover, but there is certain kind of error that is almost always fatal -- the type that turns you into a punchline. If you were to make a film about Stratfor, it wouldn't be a thriller -- it would be a comedy. There's certainly a place for a professionally run and seriously intentioned private intelligence service in the U.S. But Stratfor isn't it. Much as I hate to say it, this is a case where the Anons have done us all a favor."

// JUST ONE MORE COMMENT FROM OUR AL JAZEERA CORRESPONDENT:
wow. these hacks are insane! you aren't afraid of the DIA?
i mean military intelligence man.
?!

/******************************************************************************/
THE TIME FOR TALK IS OVER. LET'S RIDE ON THIS MOFOS!! BUST OUT THE HACKLOG!!




(http://bolt.thexfil.es/84e9h)