Here is part of Anonymous's account of the attack on Stratfor, Austin, Texas.
/*******************************************************************************
ANTISEC DISMANTLES STRATFOR, A MULTI-MILLION DOLLAR INTELLIGENCE CORPORATION
*******************************************************************************/
Soundtrack to the Rev Track #1 - Dead Prez - Hell Yeah
"I know a way we can get paid, you can get down but you can't be afraid
let's go to the DMV and get a ID, the name says you but the face is me
now it's yo' turn take my paperwork, like 1,2,3 let's make it work
fill out the credit card application, it's gonna be bout three weeks of waitin
for American Express, Discover card, Platinum Visa Mastercard,
when we was boostin' shit we was targets, now we walk right up & say charge it
to the game we rockin' brand names, well known at department store chains
even got the boys in the crew a few thangs, Po Po never know who true blame
store after store ya' know we kept rollin' wait 2 weeks report the card stolen
repeat the cycle like a laundrymat, like a glitch in the system hard to catch
comin' out the mall, with the shopping bags, we take 'em right back & get the
cash yeah, get a friend and do it again, damn right that's how we pay the rent
In this release, we will detail the lulzy and agonizing death of Stratfor.com, a premiere "global intelligence" company out of Austin, Texas. Long story short, they got owned hard. Really hard. The sheer amount of destruction we wreaked on Stratfor's servers is the digital equivalent of a nuclear bomb: leveling their systems in such a way that they will never be able to recover. We rooted box after box on their intranet: dumping their mysql databases, stealing their private ssh keys, and copying hundreds of employee mail spools. For weeks we used and abused their customer credit card information (which was all stored in cleartext in their mysql databases), eventually dumping all 75,000 credit cards and 860,000 md5-hashed passwords of their "private client list". And if dumping everything on their employees and clients wasn't enough to guarantee their bankruptcy, we laid waste to their webserver, their mail server, their development server, their clearspace and srm intranet portal and backup archives in such a way that ensures they won't be coming back online anytime soon.
"But why Stratfor?!" came the cries from many butthurt customers, right wingers, confused pacifists, and many others who have never even heard of Stratfor until we blasted their asses off the internet. Now those who are already familiar with Antisec know we have always had a burning hatred for the security and intelligence industries (especially private companies with lucrative federal contracts). After all, these white hat "professionals" work for the corrupt governments and multi-national corporations to develop and protect technology that allow the oligarchical elite to better monitor and repress the general public while plotting for global financial and military dominance. They protect their assets and systems, while providing "accurate" and "non-ideological" intelligence and risk forecasts which the rich depend on to maintain global market stability. Bet they didn't see this coming. Should have expected us. We found out that just like the cracks in the armor of global capitalism, their professional looking website was vulnerable as hell. Despite all their expensive degrees, meaningless certificates, and padded resumes of the elite, they remain woefully clueless in all matters related to security.
Besides the internal email correspondence between Stratfor and their "private clients" (which are sure to be quite revealing and embarrassing), what we were really after was the names, addresses, passwords, and credit cards to their customers. Who really pays $39.95 a month for daily right-wing political spam and access to a shitty drupal site? The DHS, FBI, Army, Navy, Bank of America, Raytheon, BAE, Lockheed Martin, Merrill Lynch, BP, Chevron, Monsanto, KBR, Booz Allen Hamilton, Microsoft, International Monetary Fund, and the World Bank are just a few on this list made up of the mightiest corporations and government institutions that exist. We shook the rotten tree of Stratfor and some ugly ass ducklings tumbled out: notorious war criminals Henry Kissinger, Paul Wolfowitz, ex-Vice President Dan Quayle, former CIA director Jim Woolsey, and many, many more. Australian billionaires Malcolm Turnbull and David Smorgon? They're on it. So is Nick Selby from "Police Led Intelligence" who advises pigs on how to secure their systems. Fuck, even notorious white hat right-wing snitch Thomas Ryan from "Provide Security" is up in this shit. And we're really asked why we hit Stratfor!? About the only person we felt bad about doxing was Harry Shearer. Besides the massive headaches these rich scumbags will have to go through to try to recover all their ill-gotten cash, the password information in these databases will ensure many future ownings of the 1%. So we decided to dump it all - not only because we wanted to share the lulz with everybody, but because we wanted to bring absolute mayhem upon the exploitative capitalist system which Stratfor and its clients perpetuate. Suckaa!!!
The question is, will Stratfor ever recover? If they manage to clean up the remains of their charred servers, analyze the source of the breach and attempt to put up new websites with the hopes we won't be back for more, will they ever survive as a corporation? Who will trust them ever again? How are their customers going to feel when they realize how hard they've been owned? Will anyone ever take their analysis and risk predictions seriously again? We're excited to hear all the embarrassment and controversy that will ensue in the fallout of this epic death of a corporation, but we'll let the researchers and journalists handle all that.
We don't normally give out security advice, but here's some for free: next time, consider running a free service.
/************************************************
*** HILARIOUS QUOTES FROM OWNED SYSADMINS !!! ***
************************************************/
// TO KICK IT OFF, SOME INSPIRING WORDS OF WISDOM FROM IT MANAGER FRANK GINAC:
"You do realize how preposterous it is to suggest that stratfor simply shutdown completely for 2 days, right? The plan that you've attached paints a gloom and doom picture claiming no chance that such a move will succeed. Does that really seem a rational conclusion?"
// YOU DONT EVEN KNOW THE EXTENT OF THE GLOOM AND DOOM WE HAVE PLANNED, FRANK
"Attended the TakeDownCon security conference. Focus of the conference was on wireless and mobile security. No vendors pushing product or service at this conference. Instead, great presentations by renowned white hat hackers (good hackers) and security experts. Bottom line is that no mobile platform is secure, including the Blackberry, but there are best practices that minimize the risk of their use within the enterprise. We will be incorporating these best practices in our operation over the coming months."
// INCORPORATING PRACTICES FROM "GOOD WHITE HAT HACKERS"? HOW'D THAT WORK OUT?
"It blew my mind to discover that our email server backups are being stored on the same physical server. I'm affectionately referring to these little discoveries as 'Mooney turds'."
// SO SAD WE RM'D YOUR MAIL SERVER AND ALL BACKUPS, FRANK
"Most if not all of us use professional and social networking sites like LinkedIn and Facebook. All offer levels of privacy ranging from wide open where everyone can see your profile, activities, and posts to closed allowing only your immediate connections (or friends) access. As a private intelligence company we must all take extra care to protect our personal information from those who would use that information to exploit us personally or professionally. Although we don't have hard and fast rules on how to set your privacy settings nor do we restrict use of such sites, I suggest that you temper your need to share with prudence and consider the business that we are in. It's also important to check your privacy settings regularly to ensure that the sites you use haven't changed the meaning or scope of privacy settings -- we've all heard or read the news regarding this practice at Facebook. I suggest that you never include any information in your profile -- regardless of privacy setting -- that could be used to compromise your identity. Specifically, never include: your birth date, your exact street address (although this information can usually be found on the web quite easily), your cell phone number, SSN or other government issued ID number (that should be obvious), or any other information that someone could use to compromise your identity if your account were compromised."
// EVEN WITH ALL THE BEST SECURITY PRACTICES LEARNED FROM THE "RENOWNED WHITE
// HAT HACKERS" WE STILL MANAGED TO STEAL ALL YOUR PERSONAL INFORMATION. UMAD?
//
// Frank Ginac CC Number: 376792323491009 Expiration: 5/2014 CVV: 9385
// Pass (md5): 6c0e721556401ce239ad454e83f0dc60
// Phone: 512-788-3882 Address: 7901 Bee Caves Road #23 Austin, Texas, 78746
"I've called IT again, about both email problems and the fact that the site's down again. There's a ghost in the machine, apparently. It's been a crazy night. Cheers!" // ^ UJELLY, MITNICK?
// THE SENIOR PROGRAMMER KEVIN GARRY GETS WIND SOMETHING AINT RIGHT
"just logged into prod and seeing this in logs (/var/logs/php/php.log)
[06-Dec-2011 20:33:04] PHP Fatal error: Call to undefined function myshellexec() in /var/www/vhosts/www.stratfor.com/includes/common.inc(1707) : eval()'d code on line 11
last shows a lot of concurrent autobot users - rsyncing get hosed up maybe? df on prod seems fine. can we get a full list of any recent changes please"
// BETTER CALL UP OUR TALENTED NEW SYSADMIN NICK GERON
"Re: changes between 3:15a and 4:30a? Major changes in the cabinet. Please send any IP/hostname/dns/whatever weirdness you see my way and I'll try and track it down. Been fighting this cabinet all night. -Nick"
// HOT ON OUR TRAIL!! HAVE WE BEEN DISCOVERED?
On Dec 9, 2011, at 22:16, Nick
> Due to an as yet undetermined cause, there was a significant amount of load on www this evening starting sometime after 6:55PM (first alerts just before 7). Cacti graphs for memory and traffic on www and db2 do not indicate that there was an increase in demand. The only anomalous data point is the increase load/queued processes reported. Unfortunately, I have yet to have time to get detailed diagnostic monitoring up and running, otherwise I would likely have been able to pin down the source. Logs may yet reveal something worthwhile.
>
> Once on the system, I discovered apache processes were consuming the majority of CPU and RAM resources - so much so that the host was swapping heavily. After an apache restart, load quickly dropped to normal levels. This is unlikely related to a (D)DoS attack due to the rapid recovery following the restart and the lack of abnormal traffic patterns.
>
> Inspection of the logs revealed that a local process initiated an initialization script driven restart several times. This led me to another Mooney easter egg. There is a script (/root/apacheup.sh) configured to grab robots.txt from the site via wget and if it fails, will stop/kill and start apache. Looking at the times for this scripted activity shows that they line up with nagios reports that the site was down. There is some question in my mind if the way the script is written could have left orphaned processes around, which after three cycles sapped all available resources. That needs more thought. Its hard to say definitely without more evidence.
>
> -Nick"
// NICK'S SECURITY ANALYSIS: WHEN IN DOUBT, MAKE SHIT UP AND BLAME SOMEONE ELSE
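The PHP log entry Kevin quotes above (a fatal error raised from `eval()'d code` for a function PHP has never heard of) is the kind of line a log review should have escalated on the spot. As an added example, not part of the release or of Stratfor's own tooling, here is a small triage script that parses PHP error-log lines and reports every error raised from `eval()`'d code, together with the undefined function name, the originating file and the line where the `eval()` call sits. The sample log is constructed: its second line is the entry quoted above, the others are benign noise invented to show that ordinary notices and warnings are not flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. Line 2 is the entry from Kevin Garry's message above;
# lines 1 and 3 are made-up benign entries that must not be reported.
SAMPLE_PHP_LOG = """\
[06-Dec-2011 20:31:12] PHP Notice: Undefined index: page in /var/www/vhosts/www.stratfor.com/index.php on line 42
[06-Dec-2011 20:33:04] PHP Fatal error: Call to undefined function myshellexec() in /var/www/vhosts/www.stratfor.com/includes/common.inc(1707) : eval()'d code on line 11
[06-Dec-2011 20:35:50] PHP Warning: file_get_contents(): failed to open stream in /var/www/vhosts/www.stratfor.com/modules/feed.inc on line 88
"""

# "[timestamp] PHP <level>: <message>" as written by PHP's default error_log format.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?): (?P<msg>.*)$")
# "<file>(<line>) : eval()'d code on line <n>" marks an error inside eval()'d source.
EVAL_RE = re.compile(r"(?P<file>\S+)\((?P<line>\d+)\) : eval\(\)'d code on line (?P<evline>\d+)")
UNDEF_FN_RE = re.compile(r"Call to undefined function (?P<fn>\w+)\(\)")


@dataclass
class Finding:
    timestamp: str
    level: str
    file: str          # script that called eval()
    line: int          # line of that eval() call
    eval_line: int     # line inside the eval()'d string
    function: Optional[str]  # undefined function name, if that was the error


def triage_php_log(text: str) -> List[Finding]:
    """Return one Finding per log entry raised from eval()'d code."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ev = EVAL_RE.search(m.group("msg"))
        if not ev:
            continue  # ordinary errors from files on disk are not our concern here
        fn = UNDEF_FN_RE.search(m.group("msg"))
        findings.append(Finding(
            timestamp=m.group("ts"),
            level=m.group("level"),
            file=ev.group("file"),
            line=int(ev.group("line")),
            eval_line=int(ev.group("evline")),
            function=fn.group("fn") if fn else None,
        ))
    return findings


def describe(f: Finding) -> str:
    """Human-readable one-liner for an incident ticket."""
    what = f"undefined function {f.function}()" if f.function else f.level
    return (f"{f.timestamp}: {what} raised from eval()'d code; "
            f"eval() called at {f.file}:{f.line}, review where that string came from")


if __name__ == "__main__":
    for finding in triage_php_log(SAMPLE_PHP_LOG):
        print(describe(finding))
```

Anything raised from `eval()`'d code in a production PHP application deserves a look at the source of the evaluated string (a database-stored code block, a request parameter, a plugin) rather than a note about rsync or disk space; an undefined function name that does not belong to the code base is the strongest signal the script emits.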
"At 10:00 AM Central on Friday (12/16), you will be required to reset your email password. This process will take just a few moments and it is a task you can perform on your own. Follow the procedure below:"
// TOO BAD WE ALREADY COPIED ALL 160GB OF YOUR MAIL SPOOLS,
// BUT THANKS FOR THE HEADS UP WE'LL BE SURE TO CAPTURE THE PLAINTEXTS !!
"-------- Original Message --------
Subject: Re: User accounts on website
Date: Wed, 7 Dec 2011 13:05:32 -0600 (CST)
From: Kevin Garry
To: Frank Ginac
CC: Nick Geron
both are stored in the database.
usernames are plain text, passwords are one-way md5 encrypted.
employee accounts are treated the same as subscribers in the current (intranet+billing+consumer setup)
thanks
__________________________________
Kevin J. Garry
STRATFOR, Sr. Programmer
ph: 512.507.3047
em: kevin.garry@stratfor.com
----- Original Message -----
From: Frank Ginac
To: Nick Geron
Sent: Wed, 07 Dec 2011 12:56:18 -0600 (CST)
Subject: User accounts on website
How do we store user login info for accounts on the website? Are usernames and passwords stored in the db? Are passwords encrypted? What about employee accounts?
// ONE WAY MD5 YOU SAY, KEVIN?
// Password: L!@u21c3 CC Number: 4744720059117396 Expiration: 8/2013 CVV: 463
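The exchange above records two storage decisions that the release then exploits: card data kept in cleartext, and passwords stored as unsalted MD5 ("one-way md5 encrypted"). Unsalted MD5 has no secret, so every user who picked the same password ends up with the same digest, and a single precomputed table answers for the whole dump. As an added example, not code from the release or from Stratfor, the script below puts the weak scheme beside a hardened one (per-user random salt plus PBKDF2-HMAC-SHA256 with a high iteration count, as shipped in Python's `hashlib`) and shows the property that matters: identical passwords produce identical records under unsalted MD5 and distinct records under the salted scheme. The user names and passwords are constructed.

```python
import hashlib
import hmac
import os

# ---- Weak scheme: unsalted MD5, as described in the message above ----------

def md5_store(password: str) -> str:
    """Stored form: hex digest of the raw password, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(md5_store(password), stored)


# ---- Hardened scheme: random salt + PBKDF2-HMAC-SHA256 ---------------------

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def pbkdf2_store(password: str, salt: bytes = None) -> str:
    """Stored form: algorithm$iterations$salt_hex$digest_hex (a constructed format)."""
    if salt is None:
        salt = os.urandom(16)  # fresh per-user salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# ---- The property the dump relied on ---------------------------------------

def same_password_same_record(store_fn, password: str) -> bool:
    """True if two users with the same password get byte-identical stored records."""
    return store_fn(password) == store_fn(password)


if __name__ == "__main__":
    # Constructed user table; both users chose the same weak password.
    users = {"alice": "password", "bob": "password"}
    print("unsalted md5:")
    for name, pw in users.items():
        print(f"  {name}: {md5_store(pw)}")
    print("salted pbkdf2:")
    for name, pw in users.items():
        print(f"  {name}: {pbkdf2_store(pw)}")
```

With the MD5 scheme a leaked table reveals every shared password at a glance and each digest can be looked up rather than computed; with the salted scheme each record has to be attacked individually, and each guess costs 600,000 HMAC iterations. A real deployment would also re-hash legacy MD5 records on the user's next successful login rather than keep both schemes side by side.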
Read the whole saga here.
