Data Exposed In Stratfor Compromise Analyzed

← Back to Stories (view on slashdot.org)

Data Exposed In Stratfor Compromise Analyzed

Posted by Unknown on Wednesday December 28, 2011 @06:19AM from the forecast-is-for-doom dept.

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 Email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well." As of posting, Stratfor's website is still down.

97 of 141 comments (clear)

Min score:

Reason:

Sort:

"Donations" to Charities by InterestingFella · 2011-12-28 06:20 · Score: 4, Informative

The credit card numbers they stole and exposed were used to make over one million dollars worth of "donations" to different charities like Red Cross, Save the Children and CARE. Good job Anonymous!

Except that they were all reversed with chargebacks, which not only took back all the money given, it actually cost the charities around $250 000 in chargeback fees which are now off from what other, legit people donated. Awesome job there! Idiots...
1. Re:"Donations" to Charities by Herkum01 · 2011-12-28 06:29 · Score: 3, Insightful
  
  I highly doubt that Charities are getting charged chargeback fees for something that they did not do themselves and you made up the amount of 250,000 because there is no way the banks would be able to justify the fees for a quarter of the total amount.
2. Re:"Donations" to Charities by vlm · 2011-12-28 06:29 · Score: 4, Funny
  
  yeah yeah about that, do you have the URL for donation pages for RIAA and MPAA?
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
3. Re:"Donations" to Charities by InterestingFella · 2011-12-28 06:32 · Score: 3, Informative
  
  Do you really think that it will be banks covering the costs? That never happens. It's always the merchant. Charity or not. The 250,000 comes from my knowledge of chargeback fees being $25-40 for merchants. With around 10,000 current credit cards exploited, I actually took the lowest possibility of $25 per chargeback and didn't even account for multiple donations per card. The fees can be much higher too, but it is at least $250,000.
4. Re:"Donations" to Charities by Anonymous Coward · 2011-12-28 06:36 · Score: 3, Informative
  
  Stratfor Global has us worried. Pls don't donate to AIDG with stolen credit cards, we get hit $35 per fraudulent transaction! #anonymous RT
  Indeed. Good job, Anonymous!
5. Re:"Donations" to Charities by InterestingFella · 2011-12-28 06:39 · Score: 1
  
  Like the anonymous coward below notes, I actually took it too low. AIDG gets charged $35 per chargeback, so it's probably more like $350,000 or more.
6. Re:"Donations" to Charities by JWSmythe · 2011-12-28 06:47 · Score: 5, Informative
  
  It doesn't matter if they're a charity or not. They may have managed to talk the bank out of some of the fines, but that'd be about it.
  One place I worked, which did high volume CC transactions, the typical sale was $25. A chargeback resulted in the bank taking back the full amount ($25) plus fine ($35).
  We worked hard to avoid chargebacks. As I recall, you can lose your merchant account if you exceed 1% chargebacks. Before the chargeback is done, the merchant is given a "chargeback notification". At that point, we can dispute, refund, or ignore it. Since we were an online company, we didn't have a physically signed receipt to prove that the person was actually the purchaser.
  With a signed receipt and someone to confirm that they visually verified the identification, you can dispute.
  We opted to refund, and cancel their account. That way, we simply didn't make the value of the sale, but there were no fines applied. So +$25 on the transaction. -$25 on the refund. $0 total.
  Finally, is the option of ignoring it. +25 transaction, -$25 refund, -$35 fine. -$35 total.
  Typically, the consumer would call first, before the chargeback. We'd assist them in finding out the details of the transaction. We'd give them the time, date, information about the IP, and email address used with it. Most of the time, we could positively say that the transaction occurred in their location (by the IP and ISP). They'd recognize the email address as belonging to someone else in their household. If they wanted, we would cancel the account and refund the full amount. I'd say refunds occurred about 50% of the time. They'd talk to their family members, and find out that they had done the transaction, the card holder just didn't know, but they allowed it anyways.
  For us, it didn't matter that much. We handled millions of dollars a year. Who cared about a few dozen refunds in the same period. It was cheaper to refund and make the consumer happy, than dispute and risk incurring the fines, and risking our merchant account status.
  I know people will stolen card information will test it by donating a small amount to charity. People won't generally notice a $1 or $5 charge on their card, if it's frequently used. They'll catch on when the card is used the second time for a high dollar transaction. The idea of the test transaction is only to verify the card. It's easy, and they don't have to provide a valid delivery address for merchandise. They aren't doing it out of good will, they're exploiting the system a bit more.
  
  --
  Serious? Seriousness is well above my pay grade.
7. Re:"Donations" to Charities by Marxist+Hacker+42 · 2011-12-28 06:57 · Score: 1
  
  Didn't the Great Banking Coup of September 2008 teach you anything? Banks can justify whatever they want, and we all have to take it, because there is no regulatory oversight anymore.
  
  --
  SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
8. Re:"Donations" to Charities by gmack · 2011-12-28 07:01 · Score: 2
  
  After 10 years working in the credit card industry I can tell you that banks rarely pass up and opportunity to hit merchants with fees and charities are nothing more than merchants to them. The theory they go by is that merchants should be able to tell what transactions are fraudulent but really it's just an excuse to charge for the trouble of having to deal with charge backs (and make a little extra money on the side)
9. Re:"Donations" to Charities by Karmashock · 2011-12-28 07:02 · Score: 1
  
  That's kind of messed up. If I were the banks... I'd try to find some way to 'forgive" that or charge the whole incident to the credit card fraud department. Credit cards charge such high interest in part to pay for such things. Just tap that fund for this and leave the poor charities alone.
  
  --
  I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
10. Re:"Donations" to Charities by rmstar · 2011-12-28 07:03 · Score: 3, Insightful
  
  In this case, it would be good PR for a bank to cover it for the charities. Heck, the banks could probably even write it off as a donation.
  Good PR? Give me a break. Banks don't give a rats ass about PR because they mostly 0wn this planet, and there is literally nothing that will stop them from 0wning it more. I mean, they seriously damaged the world economy, put lots of people into excruciating hardship in the US, and there they are. PR didn't really play a role in this.
  So no, they will take the money for the backcharge, and if a charity goes broke, then that will be it.
11. Re:"Donations" to Charities by SmurfButcher+Bob · 2011-12-28 07:17 · Score: 5, Funny
  
  In related news, I know a PR guy who's looking for a job...
  
  --
  
  help me i've cloned myself and can't remember which one I am
12. Re:"Donations" to Charities by Anonymous Coward · 2011-12-28 07:24 · Score: 1
  
  You know, if you stopped spelling own with a 0, people might take you seriously... still, it's better than spelling it with a p I suppose.
13. Re:"Donations" to Charities by gl4ss · 2011-12-28 07:33 · Score: 2
  
  what you're saying is that you could have bankrupted any company with the cards.
  this is high profile enough to just end up as a special case, with the transactions reversed in one large batch by the affected cc processors.
  anyhow, it's up to the card owners to dispute.
  the real wtf is what the hell were they storing the card data for? this means stratfor should lose any possibility to do cc payments in future, having vastly fucked up following guidelines.
  
  --
  world was created 5 seconds before this post as it is.
14. Re:"Donations" to Charities by frisket · 2011-12-28 07:39 · Score: 2
  
  They don't even have to justify anything. Banks in the UK used to charge customers a fee for replying to a letter :-)
15. Re:"Donations" to Charities by sjames · 2011-12-28 07:40 · Score: 1
  
  So, in other words the charities can take option 2 (and probably have standing orders to that effect) and be out nothing.
16. Re:"Donations" to Charities by cdrguru · 2011-12-28 07:49 · Score: 4, Informative
  
  Banks? There are no "banks" involved with chargeback fees.
  When you sign up for a merchant account , you are contracting with a "merchant services provider". They are the ones that are handling the credit card transaction processing. When you get paid, they put money into the transfer account as per your agreement - then a bank is involved. Until the, you are dealing with a reseller (probably) and some place like First Data which is not in any respect "a bank".
  You might be able to get your merchant services provider to back off on some massive fraud and not charge you the full $25 for each and every single chargeback. However, a lot of this is dictated not by your merchant services provider and not even by First Data but relates to the fact that people get involved at both the bank (where your money got put) and also with the customer card accounts themselves. When First Data processes a charge in error and it shows up on some poor customer's statement, they likely have to pay a service fee to the customer's credit card processing company to get the charge taken off. Now that might be a bank.
  So the likelyhood of getting the charges waived is pretty low. It costs real money to screw with credit cards and if you aren't properly valididating the transactions - before submitting them - you are going to run up some big bills. Did these charities do proper validation and find out they were being scammed? Hope so, because then it would not have cost them anything. If they ran the charges through, they are likely going to have to pay.
17. Re:"Donations" to Charities by Minwee · 2011-12-28 07:52 · Score: 1
  
  In related news, I know a PR guy who's looking for a job...
  I know that guy, he's pretty good. He wwebsite as on the internet when you were a sperm in your daddys balls, and is a good friend of Cliffy B, Scott Lowe, the guys from Penny Arcade and the mayor of Boston.
18. Re:"Donations" to Charities by cdrguru · 2011-12-28 07:52 · Score: 2
  
  The only way someone gets bankrupted is if they didn't validate the cards properly.
  Now validation costs money to do properly, but failing to validate can cost a lot more. It is like $0.30 plus staff time to do proper validation vs. $25 or $35 to deal with a chargeback.
  See, validation makes sense, especially if you are subject to lots of fraud. Anytime a credit card number is taken on the Internet you can assume at least 20% of the entries are fraudulent and you better handle that - because if you submit more than 1-2% fraudulent transactions you aren't going to be submitting any more.
19. Re:"Donations" to Charities by poetmatt · 2011-12-28 07:55 · Score: 1
  
  Where does this even come from? The credit card numbers were given to stratfor. That's for security analysis. Where do you make up this collateral damage crap here?
  Do you really use the same credit card to sign up for security analysis as you do for donating to red cross, even if you're the government? I doubt it.
20. Re:"Donations" to Charities by eulernet · 2011-12-28 08:02 · Score: 2
  
  From the ArsTechnica article:
  
  According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.
  Why the hell did Stratfor store credit card numbers in plain text ?
  They totally deserve what happens to them, I hope they'll have to pay all charges for the credit card changes.
  This is not the first time a company has this kind of problem, but we are now (almost) in 2012, so this problem should have disappeared a long time ago.
  Did they audit their security ? It's pretty sure, but they probably didn't show their custom modules, so it's totally their fault here.
  Would you prefer that their server was hacked by some group other than Anonymous, so that nobody would ever know that there was a problem ?
  Security by obscurity is never good.
  They can try to blame Anonymous, but it's Stratfor's entire fault !
  Who will take the blame ?
21. Re:"Donations" to Charities by deKernel · 2011-12-28 08:51 · Score: 1
  
  Excellent representation of the processing of transactions. Most people don't realize that processing of credit card transactions in the US don't really involve banks other than authorizing of the transaction (meaning there is either money in a checking account for debit cards typically or credit available on a credit account) and acting as the receiver of the transfer for the merchant once the transactions are settled.
  Interested in a job :)
22. Re:"Donations" to Charities by flyingsquid · 2011-12-28 08:59 · Score: 4, Insightful
  
  Anonymous is nothing more than a bunch of irresponsible children. What the fuck is up with targeting Stratfor? It's not some shadowy clandestine service, it's just a think tank formed by a former politics professor that does analysis. Now, I suppose if your entire worldview is informed by children's cartoons and Hollywood blockbuster movies, that's enough to make them the "baddies" and you the "goodies", but the world doesn't really work that way. Let me explain this to you Anonymous children in terms you can understand: if Batman is walking down the street and sees a guy with a strange costume, he doesn't just beat the shit out of the guy. He goes back to the Batcave, and does his homework, and does some sleuthing, and only after he has figured out that the guy is, in fact, engaged in criminal behavior, *then* Batman beats the shit out of him. See, if you break the law to stop a criminal act, then you're a vigilante. Like Batman. But if you break the law and attack people when you don't have any evidence that they are engaged in criminal activity... then you're not Batman. You're just a fucking criminal.
23. Re:"Donations" to Charities by dbIII · 2011-12-28 09:09 · Score: 1
  
  Why the hell did Stratfor store credit card numbers in plain text
  Because they are a useless parking lot for political "science" graduates that can't get a job anywhere else but are handy as campaign workers each election. When is the USA going to wake up and understand that the "think tanks" are full of rejects instead of experts.
24. Re:"Donations" to Charities by dbIII · 2011-12-28 09:27 · Score: 1
  
  The irresponsible children bit is ruined slightly by writing about Batman as if he's real :)
  From one perspective parasitic noisemakers that pretend to be far more than they are such as "think tanks" are an obvious target for people that want to stir up trouble and not get hurt. By pretending to be like a competent well staffed intelligence bureau without actually having the resources of a small newspaper they would look like a juicy target to somebody that would really like to give the CIA or NSA some embarrassment but is not entirely insane. The PR that inflates them to pretend to be far more than they are makes them an easy bubble to burst.
  A more adult analogy is that it's like squeezing the pus out of a pimple without taking any care to stop it getting infected afterwards. It makes more sense to ignore the pimple instead because it's no big deal and it will go away on it's own.
25. Re:"Donations" to Charities by RoknrolZombie · 2011-12-28 09:44 · Score: 1
  
  Yes, and they'd manage to leverage other fees to make up for their "loss"...so it still gets passed on to someone that's completely not involved with the situation.
26. Re:"Donations" to Charities by jroysdon · 2011-12-28 09:47 · Score: 1
  
  Banks can be service providers as well. I know for a fact that Wells Fargo is. Perhaps a different unit of Wells Fargo from their core banking unit, but still Wells Fargo, a bank.
27. Re:"Donations" to Charities by InterestingFella · 2011-12-28 15:32 · Score: 1
  
  Stratfor CEO has actually been criticizing the war in Iran.
28. Re:"Donations" to Charities by JWSmythe · 2011-12-28 19:34 · Score: 1
  
  They could.
  I can't say if they do or not. It's really up to them how they manage things. They may try to play hard ball, to avoid "buyers remorse". It may feel good to donate a bunch of money. The person may realize later that it was more than they could afford. If they confirm that the purchase was legitimate, it becomes a more difficult task to get the chargeback. I say difficult, but not impossible.
  We just chose to take the path that is best for the customer. We'd rather please the consumer, who may then appreciate that we do in fact act honestly. They may become regular customers later on.
  The worst chargeback I was ever involved in was with Western Union. I sent money online for a friend (they gave me cash, I wired money to a second person who we both knew in another state). When they went to retrieve the money, it wasn't there. When I called, they said they had no record of it. I was basically told to go to tell. My bank showed the transaction was successful, and Western Union had received the full amount.
  I went to my bank, and they asked me to contact Western Union. My bank was very cooperative though. I was friendly with the whole staff there, and they knew I was honest. I sat in the branch managers office, and we called with the phone on speaker so we could both hear. It was a short conversation. They told me the transaction didn't exist, and to fuck off. The branch manager took over the call, verified the transaction, and she was told to go to hell. She immediately refunded my transaction, and they took over fucking with Western Union. It took them a couple months, but they got the money back.
  To the best of my knowledge, I'm still blacklisted with Western Union. I'm fine with that.
  That's the route businesses can go. They can play rough. If your bank doesn't know you personally, and/or doesn't know that you're totally honest with them, it can be a long drawn out process, where you have to prove that you're the victim of the fraud. I've gone through that with credit card companies. They mail me dispute papers. I filled them out and returned them. They give a 90 day window to start any proceedings. If you're lucky, you'll get the problem corrected.
  I'm lucky that I haven't had to deal with any of these cases in a few years. Banks that I don't have a personal relationship with can be very difficult. It's virtually impossible to have a "personal relationship" with most credit card companies, since they don't have local offices. You'll only ever speak with a call center in another state or country, and never meet a CSR face to face.
  
  --
  Serious? Seriousness is well above my pay grade.
29. Re:"Donations" to Charities by Xest · 2011-12-28 23:18 · Score: 1
  
  Meh, sounds like a good thing.
  Money out of the Red Cross' coffers means they've got less money to waste on things like suggesting online gamers are committing warcrimes. That's between wasting money suing games companies who dare use the red cross on health packs and stuff too.
  Money out of Save the Children's coffers means they have less money to continue to campaign for web censorship.
  It may suck for CARE, but I've no idea who the fuck they are.
  Either way, if the Red Cross and Save the Children were effected it could only be a good thing, these are charities that have long lost their way and already have too much money such that they're focussing on things that are no longer core to their goal as a charity but are detrimental to society.
  Perhaps anonymous did us a favour after all. The first two at least aren't charities that I'd shed a tear for if they had to tighten their belts and return to focussing on what they were created to focus on due to the loss of income.
30. Re:"Donations" to Charities by Forty+Two+Tenfold · 2011-12-29 01:26 · Score: 2
  
  And this (the merchant getting hit for fraud and banks raking up the pizzo) coupled wit deregulation is why the banks will never invest in development of less fraud-prone electronic transaction mechanisms. For fuck's sake, they're running rackets and we're bailing them out on a daily basis.
  
  --
  Upward mobility is a slippery slope - the higher you climb the more you show your ass.
31. Re:"Donations" to Charities by Marxist+Hacker+42 · 2011-12-29 05:51 · Score: 1
  
  And if Hyperbole doesn't, Starvation will.
  
  --
  SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Attacking the American Intelligence Community by Anonymous Coward · 2011-12-28 06:29 · Score: 2, Insightful

A special Category in the Darwin Awards.
Re:Another Linux using server compromised? LMAO! by HBI · 2011-12-28 06:36 · Score: 1

The stratfor guys might have been in better shape if they'd kept their systems patched. Just sayin'
2.2.15 is not the latest. 2.2.21 is.

--
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Probably not important... by Oswald · 2011-12-28 06:38 · Score: 1

...but 74kB per email?
1. Re:Probably not important... by geek · 2011-12-28 06:40 · Score: 1
  
  A lot of corporations require long signatures with disclaimers and terms etc. Usually they plant a bunch of corporate logos in there too. The size of the emails sounds about right.
2. Re:Probably not important... by rrohbeck · 2011-12-28 06:55 · Score: 1
  
  Just a handful of PowerPoint files will skew the average quite a bit.
  
  --
  thegodmovie.com - watch it
A new way to mitigate credit card fraud by Kardos · 2011-12-28 06:42 · Score: 2

"Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired"
Sounds like 80% of the problem evapourated based on card expiry. How do we go about making CCs expire more frequently?
1. Re:A new way to mitigate credit card fraud by tibit · 2011-12-28 06:51 · Score: 4, Informative
  
  You must not have any credit cards, then. I haven't had any credit cards (and I have a dozen) that are not renewed with the account number intact. The expiration date is bumped ahead by some predictable number of months (12, 24, 48, etc), and that's it. Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date. You should get it right on 3rd or 4th try at worst. You can then cache the initial expiration date delta with the first 4 digits of the account number as the cache lookup key.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
2. Re:A new way to mitigate credit card fraud by Kardos · 2011-12-28 07:01 · Score: 1
  
  What about re-using the numbers for different customers... the name *and* number are verified right?
3. Re:A new way to mitigate credit card fraud by Bucky24 · 2011-12-28 07:28 · Score: 2
  
  So if it's expired just add 4 years or so to the date and the card goes through.
  Whenever a new card is issued, the CVV changes (or is it CCV). Most online credit card forms require this number in addition to the other info on the card, so just changing the year doesn't work.
  
  --
  All the world's a CPU, and all the men and women merely AI agents
4. Re:A new way to mitigate credit card fraud by TheNinjaroach · 2011-12-28 07:31 · Score: 1
  
  Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date.
  You're forgetting about the CCV "extended verification" digits on the back of the card, they are rotated along with the expiration date but not in such a predictable pattern.
  
  Brute forcing one of those will almost assuredly have the card locked out before you get a chance to spend any money.
  
  --
  I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
5. Re:A new way to mitigate credit card fraud by tibit · 2011-12-28 08:39 · Score: 1
  
  Hmm, this is insightful. Some places do not need CCV, though. I haven't checked TFA: did they store CCVs?!
  
  --
  A successful API design takes a mixture of software design and pedagogy.
6. Re:A new way to mitigate credit card fraud by joe_cot · 2011-12-28 09:09 · Score: 1
  
  If they stored CVV, they'd be in a hell of a lot of trouble. PCI compliance requires not storing the CVV. However, as stated earlier, a lot of places don't require CVV. *None* of the cards should have CVV stored, so there's no real difference between expired and unexpired.
7. Re:A new way to mitigate credit card fraud by fnj · 2011-12-28 10:35 · Score: 1
  
  They did, and they are.
8. Re:A new way to mitigate credit card fraud by stephanruby · 2011-12-28 10:41 · Score: 1
  
  Isn't that what the verification code in the back is for? That one has always changed for me (even if the main number doesn't).
9. Re:A new way to mitigate credit card fraud by Xest · 2011-12-28 23:22 · Score: 1
  
  Each time I've had any new car the 3 CVV digits on the rear changes too.
  With all my debit cards, the last 4 digits of the card changes each time too.
  Also, I don't think I've ever had a debit card for it's full term. My banks always sent me out a new card before the old one expires for various reasons such as adding chip and pin, adding contactless payment tech, or this time simply for "security reasons" without elaborating what they are.
  I don't think I've even ever had a credit expire on it's given date and be replaced by one with only a fixed number of months added on. It's always expired early too IIRC.
10. Re:A new way to mitigate credit card fraud by tibit · 2011-12-29 02:19 · Score: 1
  
  You're right as to debit cards, I had same experience with those. They seem somehow different from credit cards as far as reissuance is concerned. For credit cards, they had simply sent me new ones a couple months before the expiration date, and they'd usually have new expiration = old expiration + 36 months.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
11. Re:A new way to mitigate credit card fraud by Kalriath · 2011-12-31 09:41 · Score: 1
  
  You can't do that. CC numbers are absolutely unique, and the available pool isn't as large as you think either (the digits on the card have to pass the Luhn algorithm)
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Re:Another Linux using server compromised? LMAO! by tibit · 2011-12-28 06:47 · Score: 1

+1 funny as hell.

--
A successful API design takes a mixture of software design and pedagogy.
Expired cards by nstlgc · 2011-12-28 06:50 · Score: 4, Interesting

Where I live, when your card expires, you just get a new one with the same card number but a few years added to the expiration date. Wouldn't this allow the attackers to reuse some of the expired cards?

--
I'm Rocco. I'm the +5 Funny man.
1. Re:Expired cards by Baloroth · 2011-12-28 07:11 · Score: 1
  
  Unless the CVN changed, which it probably did. Mine does anyways. Which makes it worthless for online purchases. Might still be able to abuse it, but much less easily.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
2. Re:Expired cards by jmottram08 · 2011-12-28 11:13 · Score: 1
  
  On average? 500 tries. And do you think that the account would be locked before 500 tries went through?
  (Yes)
3. Re:Expired cards by Kalriath · 2011-12-31 09:42 · Score: 1
  
  Not worthless. The rule is that if CV2 code is supplied, it must be correct. However, it is optional.
  Just don't expect to have any chance of winning a chargeback if you didn't request CV2.
  
  --
  For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
They were pwned, that's what counts by Mister+Liberty · 2011-12-28 07:05 · Score: 1

Go anon!
If even strong passwords can get leaked... by Pvt_Waldo · 2011-12-28 07:07 · Score: 1

...what's the point of having a strong one?
I'm wondering what's the biggest risk with passwords: having it hacked and either stored decrypted or decrypted later, or having someone guess it? I'm starting to think it's the former, which makes me think there's no point in super complex "try and guess THIS one!" passwords.
1. Re:If even strong passwords can get leaked... by tibit · 2011-12-28 07:14 · Score: 2
  
  Cover yourself from both ends: have one password per account (a must!) and have them complex. If you do the former, then you'll need a password manager anyway, so the latter becomes trivial.
  
  --
  A successful API design takes a mixture of software design and pedagogy.
2. Re:If even strong passwords can get leaked... by Midnight_Falcon · 2011-12-28 07:21 · Score: 1
  
  Passwords are of course useful but not without their flaws, and they've been around so long that their flaws are long identified. Super complex passwords help for things like hard drive encryption, etc; where brute force is the only viable means of access.
  Don't use passwords if possible! Especially on your public web Linux server, unless they're at the application-level and protected by TLS/SSL.
  SSH daemon should only respond to key-based authentication queries, and furthermore iptables should lock down the SSH daemon to only known IPs. If your sysadmins don't pay for static IP service at home, they can use full tunnel VPN back to HQ.
  
  Putting in mod_security and keeping SELinux on does a lot to keep apache safe as well.
3. Re:If even strong passwords can get leaked... by SmurfButcher+Bob · 2011-12-28 07:27 · Score: 1
  
  You're mostly correct - you are mentioning the problem with having a "Global Secret". In that sense, a personal password is little different than a "Global Secret" that hasn't been distributed, yet.
  The larger issue is almost always endpoint security, though. Endpoints are *both* ends - your local PC, and the server at the far side. In this case, the cost of engineering a competent solution was more than the cost of a compromise - the bulk of the cost of this hack will be paid by anyone BUT Stratfor execs. Even if the company goes belly up, the execs won't lose a penny - they'll still walk away with a metric truckload of cash - cash that they didn't spend on a competent solution.
  
  --
  
  help me i've cloned myself and can't remember which one I am
4. Re:If even strong passwords can get leaked... by jschottm · 2011-12-28 07:29 · Score: 3, Interesting
  
  Use unique passwords for everything important and use a secure but salted password for various sites. Let's say my generic secure password is $sJ55Pm#
  I salt the secure password between the fives with the initials of the website alternating caps. So my /. password could be $sJ5Sd5Pm# and my World of Warcraft password could be $sJ5WoW5Pm#.
  I only have to remember one good password and a formula. Someone clever enough could hand analyze the passwords and might spot the salting but realistically, very few people are worth that effort.
  which makes me think there's no point in super complex "try and guess THIS one!" passwords.
  One practices good password habits because they help when a site does things properly. Nothing is going to save you if a site is terribly set up but that doesn't mean you should abandon best practices.
5. Re:If even strong passwords can get leaked... by expo53d · 2011-12-28 07:35 · Score: 1
  
  The advantage of "try and guess THIS one!" type password is not only are they hard to guess, but if they are long enough and hashed properly (SHA1 or similiar) they cannot be unercrypted. (Presuming that the decrpyting party does not have access to a super computer). This is due to the fact that these passwords go through a one-way type hash, thus the only way to crack them is having a list of every single possible hash and its key (or generating such a list). So if one has a password that is 27 characters long, an attacker will need to generate a hash for every password from 1 character long to 27 characters long. Example: 1,2 ... 001, 002 .... goalcar, goalcat, goalcau ... and so on.
6. Re:If even strong passwords can get leaked... by gl4ss · 2011-12-28 08:01 · Score: 1
  
  if you're storing customer cc's on the same machine as you're doing your email hosting and web serving from.. what's the point in anything?
  
  --
  world was created 5 seconds before this post as it is.
7. Re:If even strong passwords can get leaked... by dbIII · 2011-12-28 10:02 · Score: 1
  
  Having no password and instead using keys makes the stolen laptop problem even worse. Of course a depressingly large number of laptops have sticky notes with VPN or similar passwords on them anyway.
8. Re:If even strong passwords can get leaked... by Midnight_Falcon · 2011-12-28 10:19 · Score: 1
  
  Huh? I was referring to webservers where you don't have physical access and can only be hacked remotely. Of course no one would suggest having no password on your laptop, rather, your laptop should have full disk encryption if possible with a password. Using keyfiles from a smartcard and a password for that is even better.
9. Re:If even strong passwords can get leaked... by dbIII · 2011-12-28 10:57 · Score: 1
  
  You've misunderstood. Once a thief has possession of a laptop and can log onto that (sometimes by depressingly simple methods) they are then possibly one click away from getting into those remote webservers because the laptop has the key. That's why I wrote above "VPN or similar passwords" because I was writing about logging into remote systems just as you were.
  Now within the same physical environment as the servers I sometimes do exactly what you've suggested, but offsite I'm very reluctant to have some way in that is stored entirely on an offsite computer. I prefer to have at least something requires an authorised human being instead of being open to an unauthorised one that gets access to an unattended keyboard. Your suggestions above would, for example, allow an angry attention-seeking teenager to delete not only their parent's files but whatever the parent has access to.
10. Re:If even strong passwords can get leaked... by Midnight_Falcon · 2011-12-28 11:16 · Score: 1
  
  I think we're misunderstanding each other. In proper SSH key configurations, the key itself has a passphrase, although this passphrase is not a 'password' in the typical sense in that it is not transmitted to the server. It's only using for decrypting the file in place.
  Essentially what I was trying to say is that passwords only do so much, but should be used in combination with another means of security (e.g. two factor auth). I suppose "don't use passwords if possible" can be interpreted as simply "don't put security on things"; which is not what I was trying to say. I was just saying passwords aren't the only way to secure things and should be part of it, not end-all-be-all. Anyone with the password has access if you use a password, and there are lots of means of maintaining that. Now, obtaining SSH keys and getting 2fa-protected VPN credentials is a whole much tougher layer of the onion to peel back.
  I think SSH key only access on a webserver is far superior to passwords being allowed. Of course, if you leave your key hanging out available, that'll be compromised. But good luck brute forcing an SSH key.
11. Re:If even strong passwords can get leaked... by dbIII · 2011-12-28 11:21 · Score: 1
  
  You wrote "Don't use passwords" so I took your word for it and assumed that you also meant not using a passphrase with the key. I'm glad you've written the post above because the earlier post taken at face value looked like very bad advice.
12. Re:If even strong passwords can get leaked... by fnj · 2011-12-28 11:33 · Score: 1
  
  Alone, alternating caps adds next to no security. It is one of a number of well-known predictable ideas which are cheap to test for, so the attacker will try them. It only takes three times as long to test the root plus both series of alternating caps as it does to test just the all lower case root. Using leet speak (sorry, 133+ speak) is not of very much use for the same reason.
  Truly random upper case characters and digits thrown into the password, in NON-OBVIOUS PLACES, offers FAR more security.
  The number of permutations of four lower case letters, for example 'fish', is 26*26*26*26, or 456,976. Adding use of all caps, e.g. FISH' and capitalizing the first letter, e.g. 'Fish', only TRIPLES the number of cases to test: a total of 1,370,928. Probably not worth it. Adding the two alternating caps cases, e.g. 'FiSh' and 'fIsH', only quintuples the number of cases to test: a total of 2,284,880. A big waste. Using 5 lower case letters alone instead of 4 would get you far more benefit than these tricks - 11,881,376 cases.
  But if you throw in truly random upper case letters and digits, even one or two of each in non-obvious places, the number of cases to test for even a 4 place password becomes 14,776,336, and for 5 characters, 916,132,832. Now we're getting a truly useful benefit. Adding the set of ASCII symbols helps even more, but makes it a lot harder to type.
  Obviously the above assumes you eliminate dictionary attack, so you wouldn't use 'fish' as the root. Maybe you would use 'tqod'. That's a lot better than 'fish', but still not very high grade. The important thing is that you don't think changing it to 'Tqod' or 'TqOd' is going to buy you anything significant. But 't7qOD' would be a lot better.
  Your use of symbols, avoidance of dictionary words and syllables, and separation of the digits is good. Putting the symbols at the front and back is less beneficial. The alternating caps wouldn't normally do much good at all, but combined with your other techniques they're not really in alternating positions. I'd say you've got a pretty damn good system.
13. Re:If even strong passwords can get leaked... by jschottm · 2011-12-28 13:58 · Score: 1
  
  Alone, alternating caps adds next to no security.
  Well, yes, that's why I specified in this theoretical example that the salt was the initials of the website with the caps alternated. One needs the salt (which, yes, is not a true cryptographic salt, although I do know people who run their generic secure password plus a salt through hash algorithms and use the resulting hash as their password) to be memorable to the user and again, virtually no one is important enough that someone would sit there pulling apart an almost random password to figure out if the user salts their passwords per site and if so what it is.
  You're spending waaaay too much time analyzing a throwaway example when the meat of the message is to subtly vary passwords so that if a website fails to properly store your password that the keys to the kingdom don't fall to the bad guys, that a simple technique can both dramatically improve the quality of one's passwords while safeguarding against bad programming and/or system administration.
14. Re:If even strong passwords can get leaked... by fnj · 2011-12-29 06:16 · Score: 1
  
  Yes, I think "pretty damn good system" makes it pretty clear I like it.
  The rest is a completely general critique of a lot of not so good ideas that are found in this topic in general.
Re:Another Linux using server compromised? LMAO! by ArhcAngel · 2011-12-28 07:15 · Score: 1

The reason the authorities can't catch anonymous is that they're all chicks! They go around acting like nerd groupies fawning over admins in a socially engineered hack where they get the root password from the unsuspecting admin. The authorities can't catch them because the only description they get from the admin is "she was purty and soft".

--
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
It's called a securid token. by Colin+Smith · 2011-12-28 07:18 · Score: 1

HTH.

--
Deleted
Re:Another Linux using server compromised? LMAO! by HBI · 2011-12-28 07:25 · Score: 2

Apache 2.2.15 was released 3/6/10.
Apache 2.2.21 was released 9/13/11.
So yeah, they were almost 2 years out of date.

--
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Inhibit Histrionics by Bob9113 · 2011-12-28 07:39 · Score: 1, Offtopic

I wrote, and rewrote, and rewrote a long and subtle post on the value of contemplating the underlying forces acting in society that lead to events like this, rather than jumping to adulation or condemnation. I came to the conclusion that I could not make it clear that I was advocating contemplation, not support or opposition. That all I would get in response would be some twit turning my post into a straw man then hurling rhetorical vitriol at it.
Then it came to me -- I may be able to extract some value from this thread after all. So, I implore you, read through this thread with this question in mind: Do the histrionic posts add value to the discussion or take it away?
My guess; histrionics cheapen the discussion. An emotional and one-sided post about how Anonymous is a terrorist organization or the savior of true democracy is sound and fury signifying nothing, and a waste of our valuable time.
Inhibit histrionics, however you can. They are pablum for the masses and better left to the professional simpletons in popular media.

--
Stop-Prism.org: Opt Out of Surveillance
1. Re:Inhibit Histrionics by pdxer · 2011-12-28 07:59 · Score: 1
  
  Only terrorists want to inhibit histrionics!
  
  --
  Looking for a job in Portland, Oregon?
2. Re:Inhibit Histrionics by RGRistroph · 2011-12-28 08:20 · Score: 1
  
  I think the best inhibitors of histronics are the long and subtle posts on the value of contemplation of underlying forces acting in society. Post away, ignore the peanut gallery.
3. Re:Inhibit Histrionics by Bob9113 · 2011-12-28 08:59 · Score: 1
  
  Post away, ignore the peanut gallery.
  Yeah -- you're right, as is the Offtopic mod. Thanks.
  
  --
  Stop-Prism.org: Opt Out of Surveillance
Think it through a little more thoroughly: by Hartree · 2011-12-28 07:42 · Score: 2

"it would be good PR for a bank to cover it for the charities"
You don't understand. The smart PR move is to let the charges stand without comment. That way the charities talk about it to their donors when asking for more funds to make up the difference.
The banks are already not well thought of currently. This makes no difference to them.
Net result: A lot of people who had never heard of Anonymous before their favorite charity mentioned them now hate their guts.
Email size? by SimplyGeek · 2011-12-28 07:43 · Score: 1

200GB of email? When I see figures like that, I always ask if they include attachments or not. Of so, reduce the figure by at least 80%.
1. Re:Email size? by frisket · 2011-12-28 07:49 · Score: 1
  
  In any case, if it's "corporate" email it's probably trivial or ephemeral, concerned with administrative minutiae or the perpetual re-editing of "reports" as if they were something of great value. Out of 200Gb I would expect perhaps half a dozen emails containing something interesting, salacious, or actionable (perhaps all three :-) and that kind of hit rate is barely worth the trouble of pwning their server.
2. Re:Email size? by djdanlib · 2011-12-28 08:18 · Score: 1
  
  I blame HTML mail. Have you ever seen the source of your average Exchange email thread? The horrors!!
  Then there are those people who send BMPs embedded in Word/Excel so they can send you a screenshot! Gaaaack
3. Re:Email size? by gl4ss · 2011-12-28 08:21 · Score: 1
  
  it's probably customers asking for security strategy advice and tips. that's their business, answering such mails. if they turn out as a joke on quality, they're finished as a business.
  
  --
  world was created 5 seconds before this post as it is.
Charities? by Hartree · 2011-12-28 07:53 · Score: 1

I hopped over to Stratfor's Facebook page and one of the people who posted on it said their credit card info from Stratfor had been used at the well known charity called the Blizzard Store. ;)
Re:Attacking the American Intelligence Community by gl4ss · 2011-12-28 07:54 · Score: 1

storing credit card numbers attached to account data doesn't sound like intelligence community, sounds more like some douches who went out to find some guys and said "hey you're really smart! give us your cc number and some cash!" to some slobs they found.
real funny shit is how "TEH OFFICIAL ANONYMOUS" is claiming they didn't do it, which is a bit of a what the fuck too, don't they realize they're anonymous - there's no core, there's no agenda, if you don't like it form a hacking group like lulzsec.
but you know why stratfors client list is secret? because when it is secret they can claim that there's all sorts of cool persons there and not just peons, they're an image and guesswork company first and actual security provider second(or 4th or 6th, more probably 666th on the list..). that's why you get to spam them with stupid questions if you're a sub. it's like subbing to a nigerian information minister who happens to know english and reads the news.
why would they do that?(act more poshy than they are) well, to fool new clients into buying their newsletters and analysis - like "if you publish a picture of mohammed having sex with kids you might get suicide bombed" and "if you deal nuke technology to iran don't tell to isrealis unless you're finnish and have immunity and even then don't tell until you have the money in the bank".

--
world was created 5 seconds before this post as it is.
Re:I merely post facts by Anonymous Coward · 2011-12-28 07:59 · Score: 1

You can't moderate AND post. Slashdot doesn't allow that. It is impossible for anyone to explain why they moderated any particular way.
Moderation is largely about your presentation of your argument, which is earning you a lot of that mess. It still looks like you cherry-pick the facts that are convenient for your argument, regardless of whether you're actually doing so. There are undoubtedly facts that don't make your argument look as solid. That's what I'm asking: do you, or don't you pay attention to the facts against other OSes? I want the whole truth, not just part of it, and you'd get a lot better moderation if you would post the rest.
The future of Stratfor by sgt_doom · 2011-12-28 08:47 · Score: 1

Stratfor's site will be secure AND up about the same time in the far, far future when American finally catches up with China and buildts a 500-mile-per-hour bullet train. OR NOT................
Re:Attacking the American Intelligence Community by sycodon · 2011-12-28 09:09 · Score: 1

Add on 9,651 charges of credit card fraud.

--
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Re:Attacking the American Intelligence Community by dbIII · 2011-12-28 09:31 · Score: 1

This lot and similar only pretend to be intelligent - hence the simple doubleplusgood label "think tanks". This incident highlights that better than anything else.
Most of you probably know this but ... by dbIII · 2011-12-28 09:57 · Score: 1

For anything that could cost you money, your job etc you want passwords that you can remember and that are hard to crack even if somebody has a copy of /etc/shadow or similar:
http://xkcd.com/936/
More importantly, don't reuse passwords that you put on anything important. Some idiot may store them in plain text on a blog site, dropbox authentication or whatever useless bunch and then a cracker could use them to get into your bank or wherever else you've used the password.
Now even Facebook passwords could be considered important because HR people love to use the excuse of looking up employees or potential employees so they can spend all day on Facebook.
So I've been led to believe than one unique password per important login is the way to go. For other things that can't be used to establish an online identity for the purposes of fraud (eg. here) it doesn't matter IMHO. I use unique passwords anyway because I've been paranoid about these things ever since my credit card number was used by thieves via carbon copy some years back.
Re:Another Linux using server compromised? LMAO! by fnj · 2011-12-28 10:29 · Score: 3, Informative

Bzzzt. Thank you for playing. The 2.2.15 doesn't tell you the patch level. Here's from a completely up to date RHEL6 system:
[fnj@baldur ~]$ rpm -qa | grep httpd
httpd-tools-2.2.15-15.el6.x86_64
httpd-2.2.15-15.el6.x86_64
The -15 tells you the patch level. 2.2.15-15.el6.x86_64 was issued this month. As long as Redhat supports RHEL6, and that will be for a goodly number of years more, they will issue security and other patches. For example, their kernel is presently 2.6.32-220.2.1.el6.x86_64, but they track and backport not only the latest security patches but also a lot of hardware support and new feature improvements.
dont leave out Visa and Mastercard by decora · 2011-12-28 11:30 · Score: 1

all of those transactions go through Visa and Mastercard, depending on which type of card you have.
if anon had balls, theyd go after the CC companies by decora · 2011-12-28 11:39 · Score: 1

seriously. the fact that so few people understand how the CC system works (including you, no offense) is kind of funny.
Re:As One of the Hacked by Lally+Singh · 2011-12-28 13:12 · Score: 1

As another hacked reader, yeah I'm unhappy about this too. Considering that I was donating to wikileaks before, this is just painful.
Stratfor's just come out with their email, 8pm, not great, but here we are. They've done the standard 1yr prepaid monitoring service for identity theft.
I looked around to verify that my CC was actually breached (who knows, maybe it was a card I've already canceled?), but all the primary copies of the CC list seem inaccessible. It'd be lovely if they were taken down before I become collateral damage in all this, but it hasn't exactly been a lucky week.
Canceling the card, and watching the account like a hawk. It's all we can do, and hopefully it's enough.

--
Care about electronic freedom? Consider donating to the EFF!
Shakes head as the fail whale is summoned again: by Hartree · 2011-12-28 14:13 · Score: 1

I saw a copy of their email. My reaction? Your customers have just been hacked. They're probably checking closely what they click on in any email you send.
Pro Tip:
Using URLs that display as coming from csid.com but when hovered over show up as en25.com is probably not a peachy wonderful idea.
I happen to know that en25.com is eloqua (contact management service) and could check that it was probably legit, but most would figure it was a fishing attack sent out on your compromised email list.
Stratfor may be trying, but they're still doing some seriously newbie things as far as customer contact let alone the glaring errors the initial security of the servers and credit card data that were hacked.
Re:Another Linux using server compromised? LMAO! by HBI · 2011-12-29 05:55 · Score: 1

Well, thanks for the info. I haven't touched a RPM based distro in about 10 years, too much RPM hell with shared libraries and nonworking compilers on RH distros. Forgot about their tendency to backport, thereby creating dependence on RH.

--
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Re:Another Linux using server compromised? LMAO! by fnj · 2011-12-29 07:09 · Score: 1

I don't think it makes any difference in principle what the distro is, apart from rolling releases. For example debian squeeze:
root@testvm:~# dpkg-query -p apache2 | grep Version
Version: 2.2.16-6+squeeze4
I'd be surprised if that did not include the latest security patches.
Re:Another Linux using server compromised? LMAO! by HBI · 2011-12-29 09:13 · Score: 1

I don't use anything that doesn't just pass on the upstream, so I wouldn't know.
I'd rather just have the Apache (or whatever) release and not have to deal with the delay and potential for problems associated with someone else modifying and redistributing the upstream. The idea that, if I don't like the package maintainer's speed or choices, that I can just grab the upstream directly, compile, and slide it into my distro with minimal reconfiguration is fairly appealing also.

--
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.