Tag Archives: security

Wikileaks to release emails from Stratfor hack

In December, members of the Antisec wing of the collective Anonymous claimed to have downloaded the email spools of the private intelligence firm Stratfor.  Today, Wikileaks held a press conference in which they announced that over 20 media organizations had been secretly analyzing the 5 million+ emails, and they would now begin releasing the emails.  A few stories in mainstream western media have now appeared (e.g., Forbes, Wired).  I’ve followed this hack a bit, and I played the video of the Wikileaks press conference in the background this morning.  Here are a few things that interested me about the press conference that I haven’t seen in media reports.

Most striking to me was how differently reporters assessed the accuracy of Stratfor’s intel, depending on geography.  Apparently, Stratfor investigated PETA on behalf of Coca-Cola, and investigated Bhopal activists on behalf of Dow Chemical.  While some might find this concerning, I didn’t hear any indication that the information obtained by those efforts was false.  In contrast, two reporters from the Al Akhbar newspaper in Lebanon stated that much of the information gathered about the situation in Beirut was false.

The Al Akhbar reporters said this situation was a particular problem, because the CIA was recently forced to shut down its intelligence operations in Lebanon.  This increased US reliance on a private firm like Stratfor.  Apparently, though, Stratfor, to maximize profits, provided a lot of intel on Lebanon by using Google Translate to read open source material written in Arabic, literally losing the meaning in translation, instead of hiring analysts fluent in the language.  Further, their evaluation of sources was, according to one reporter, “racist” in the sense that if an ideologically extreme Arab made a statement and an ideologically extreme Israeli made a different statement, Stratfor analysts would discount the Arab and take the Israeli seriously.

I’ve read only a few of the emails myself, and I can’t speak to the accuracy of any claim.  However, it does seem clear that the notion of Stratfor just being a service that reads and analyzes open-source material is incorrect.  Unless the released emails are heavily fabricated, Stratfor initiated intelligence gathering operations on the ground, bribed confidential informants around the world, and encouraged their employees to control sources by “psychological” or “sexual” means.

Finally, no matter your personal political persuasion, Stratfor’s internal glossary of intelligence terms is hilarious.  I will close with some definitions from it.

Backgrounder: General analysis that gives the customer better situational awareness. The customer never actually reads the Backgrounder. Its primary use is as cover when the customer screws something up. Backgrounders are the basic intelligence tool for shifting blame to the customer.

or

He Won the Cold War: Egomaniacal Bullshitter

and

He Won the Vietnam War: Deranged Egomaniacal Bulshitter

and, in conclusion, a definition made more intriguing by (and perhaps at odds with) the claims of the Al Akhbar reporters:

Duplicitous Little Bastards: Israeli intelligence

A few Tweets

I joined Twitter at the end of December 2011 because I realized that I was using my computer less and less, and my smart phone more and more, relatively speaking — and I was using my phone to find and read content that intrigued me.  I plan to use my Twitter account almost as a note-taking service — I will tweet news articles, etc., that intrigue me and that I might want to come back to later.

My account is @aaron_sterling, and you can see it in the rightmost column of this blog.  Here are three items that are good examples of things I found interesting, but which, after today, I won’t be “elevating” to the status of a blog entry.

  1. The computer security company McAfee has produced a document titled 2012 Threat Predictions (pdf file).  I skipped over some of it, but the parts I read were fascinating.  For example, they see BitCoin as an extremely insecure currency, they believe illegal spam will diminish and be replaced by “legal spam” (equally annoying), and they think far more attackers will target hardware exploits instead of the traditional software exploits.  Worth a look.
  2. Enrique Zabala has produced a Flash animation that explains Rijndael/AES visually.  It is beautiful.
  3. Rajarshi Guha and co-authors are designing a type-ahead chemical substructure search engine.  This addresses a longstanding open problem in cheminformatics, which is: searching for chemicals in a database is slow (in worst case probably exponential because the Subgraph Isomorphism Problem is NP-complete), but can it be made faster?  At least for important special cases, this tool seems to be competitive in speed with Google’s type-ahead search engine for other content: it provides the chemist suggestions, given the prefix of the input available, before the chemist even hits the enter key.

Password analysis from the Stratfor hack

I will return to blogging about theoretical computer science and algorithm-related mathematics next week, but I wanted to take a few minutes today to mention a rare research opportunity that has arisen as a result of the hack of the private global intelligence company Stratfor.  This opportunity is the list of 860,000 (MD5 hashed) passwords to accounts of people in journalism, government contracting, the military, etc. — in short, people who “should” know how to create and maintain strong passwords.  Most of the MD5 hashes have now been cracked, and preliminary analysis indicates that even people who “know what they are doing” use weak passwords.

Stratfor, by the way, finally has their website back online, with a Hacking News section, in which they tell their side of the story.  (They verify that they stored credit card information in cleartext, as Anonymous had claimed, and they state that they were working with the FBI on an investigation into a hack of their systems before the hack went public on Christmas Eve.)  About a week ago, the hackers released a zine which includes a press release about the Stratfor hack and two others, and a log of the hacks themselves.


“Shadow CIA” apparently stored credit card information in cleartext

I had not planned to post until January, but I decided to say something briefly about a news story that relates to one of the first posts on this blog, about security firm HBGary’s insecure storage of data.  This story, as I am sure many of you have already guessed, is the hacking of Strategic Forecasting, Inc., better known as Stratfor, by the group Anonymous.

Stratfor is a private intelligence-gathering firm whose principals have close ties to the US intelligence community.  Stratfor has been called the “shadow CIA.”  Anonymous claims to have obtained 200 GB of data, including 2.7 million private emails and 4000 credit cards.  While big media worldwide have focused so far on the “Operation Robin Hood” nature of the attack — the hackers claim to have made $1 million in donations to charities using the credit card information — one Anonymous member has stated that the real reason for the attack was to obtain the emails, and the hackers did not expect the credit card information would be as easy to obtain as it was.

Perhaps the most interesting writing I have seen on this subject is at the site databreaches.net, which provides a timeline of the hack, and suggests that it had been going on for a week or more, without Stratfor’s knowledge.  Databreaches.net also asks the reasonable question whether Stratfor might be legally liable for the compromise of credit card data, because it appears that both Texas law (where Stratfor is based) and Stratfor’s own privacy policy prohibit the storage of credit card information in cleartext.  Moreover, Stratfor apparently stored the 3-digit security codes of credit cards in cleartext also, and standard security procedure is not to store those codes at all.

This situation reminded me of a comment Peter Taylor made on an answer of Peter Shor on CSTheory.  Shor was answering a question about what would happen if it turned out that factoring could be solved in polynomial time.  Among other things, he said, “as soon as it was known that factoring was in P, the banks would switch to some other system.”  Taylor responded:

A bit off-topic, but as soon as it was known that factoring was in P, the banks would switch to some other system is largely wishful thinking. I discovered in December that a company which doesn’t do anything except process credit card details was using a variant of Vigenère with a key shorter than some runs of known plaintext. Worse, the technical director of the company wouldn’t believe me that it was insecure until I sent him some attack code. MD5, despite being widely considered broken, is still used heavily in banking.
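To make Taylor's point concrete, here is an added illustration (not from the comment, the blog, or the company he describes; the key, message and known-plaintext run are constructed) of why a Vigenère key shorter than a run of known plaintext is fatal: subtracting the known plaintext from the ciphertext hands over the key stream directly, and a run at least as long as the key reveals the whole key.

```python
import string

A = string.ascii_uppercase

# Constructed example: a short key and a record in which one phrase is predictable.
KEY = "LEMON"
PLAIN = "CARDHOLDERNAMEJOHNSMITHPAYMENTAPPROVEDTHANKYOU"
KNOWN = "PAYMENTAPPROVED"          # a boilerplate phrase an attacker could guess
OFFSET = PLAIN.index(KNOWN)        # where that run sits in the message (23)


def vigenere(text, key, decrypt=False):
    """Classic alphabetic Vigenère over A-Z; non-letters are dropped for simplicity."""
    out = []
    for i, ch in enumerate(c for c in text.upper() if c in A):
        k = A.index(key[i % len(key)].upper())
        out.append(A[(A.index(ch) + (-k if decrypt else k)) % 26])
    return "".join(out)


def recover_key(ciphertext, known_plain, offset):
    """Known plaintext at ciphertext[offset:offset+len(known_plain)].

    Each position yields one key letter: shift = (c - p) mod 26.  For each candidate
    period n we file the shifts under (position mod n); the shortest n with no
    contradictions and no gaps is returned.  With a run at least as long as the true
    key, and long enough to rule out shorter periods, this is the whole key.  A run
    shorter than the key can still yield a consistent but wrong short key.
    """
    run = [(A.index(c) - A.index(p)) % 26
           for c, p in zip(ciphertext[offset:], known_plain.upper())]
    for n in range(1, len(run) + 1):
        key = [None] * n
        consistent = True
        for i, shift in enumerate(run):
            j = (offset + i) % n
            if key[j] is None:
                key[j] = shift
            elif key[j] != shift:
                consistent = False
                break
        if consistent and None not in key:
            return "".join(A[s] for s in key)
    return None


if __name__ == "__main__":
    ct = vigenere(PLAIN, KEY)
    print(ct, recover_key(ct, KNOWN, OFFSET))
```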

For as long as I have been reading computer science theory blogs, commenters have left a lot of critical comments, along the lines of, “The result you are getting excited about is a very small advance, and has nothing to do with the real needs of industry.”   At a political level, similar arguments are used to reduce funding to theoretical research of all kinds, including theoretical CS.  I believe these arguments are completely incorrect, because the much more pressing problem is that industry doesn’t use fully-implementable techniques that theorists discovered years ago.  In the cases of HBGary and Stratfor, this may well have been because the principals considered themselves “too important” to take mundane steps, but there is no doubt that data insecurity, extremely suboptimal algorithm design, etc., is rampant in the business sector.  An industry, and a government, that dismisses the importance of theory, will pay heavy prices in the long run.

Postscripts

  1. Jonathan Katz recently blogged about an upcoming workshop: “Is Cryptographic Theory Practically Relevant?”
  2. There is a short CSTheory community wiki on the difference between the theory and practice of security and cryptography.
  3. Databreaches.net reports that there is a series of hacks taking place in China right now, perhaps to protest a move to require the use of real names on the internet.  Over 40 million users have had their information compromised.  I hope everyone reading this blog stays safe, as we enter 2012.

Unsalted passwords can raise your blood pressure

Presentation slide proposing methods to discredit and destroy Wikileaks. Obtained from leaked HBGary emails. Source: ArsTechnica

Looks pretty bad, doesn’t it?  Well, it’s worse.  Not only did the security firm HBGary prepare a package of dirty tricks against Wikileaks, hoping to get paid by Bank of America’s law firm to put them into action, but they also constructed a similar package to use against labor unions, hoping to drum up business from the US Chamber of Commerce.  As I write this, there is no confirmation that either B of A or the US C of C actually paid for these services to be rendered, but the authenticity of the leaked emails does not appear to be in doubt.  The CEO of Palantir, whose company logo appears on the slide I linked, has apologized at least twice, severed all ties with HBGary, and placed on leave the engineer who developed this slide.

The best coverage I have seen of this sordid affair is at Ars Technica.  Many commenters at Ars have stated that Nate Anderson should win a Pulitzer Prize for his coverage of the hack that led to the leaked emails, and the ongoing aftermath.  That’s not hyperbole: this article by Anderson is the most riveting tech news story I have read in years, maybe ever.

A couple months ago, Richard Lipton proposed a method to stop Wikileaks.  Essentially, the method boiled down to this: for every potentially compromising document generated, automatically generate a set of documents that look like it, but are different somehow — statements are contradicted but otherwise identical, numerical values are inflated or deflated, etc.  Then, if the “real” documents are leaked, ensure all the shadow documents are leaked as well, so nobody knows what to believe.  From the Palantir slide’s first bullet point, it appears that practice is keeping abreast of theory, or perhaps leaping ahead: “Create messages around actions to sabotage or discredit the opposing organization.  Submit fake documents and then call out the error.”

More than 70,000 leaked emails from HBGary, HBGary Federal and rootkit.com are available for download and search on at least five mirror sites worldwide.  They got there because Aaron Barr, CEO of HBGary Federal, went to the media with the (incorrect) claim that he had uncovered the identities of key members of the hacker group Anonymous.  In response, Anonymous entered his computers, erased gigabytes of research data, downloaded and decrypted his hashed password database, remotely wiped his iPad, seized control of his LinkedIn profile and Twitter account — and, oh yes, posted 70,000+ emails that tell a story of three companies that specialized in dirty cybertricks, which is why the fallout from this story will be studied for months, or longer.

I took a graduate class in cryptography.  I even did well.  I had heard of salting passwords and dictionary attacks before this, but I didn’t really understand them.  I had an intellectual grasp of them yes, but I’m talking now about the type of understanding that grabs your solar plexus, squeezes and won’t let go until you’ve really really got it.  I believe this Ars Technica article by Peter Bright should be required reading in every cryptography class, and in every CS class when computer security is discussed.  Normally I would also link to Wikipedia articles on “salting passwords,” for example, but not this time, I won’t.  Bright does a superb job of making you feeeeeel how important it is to defend yourself against a dictionary attack, and I don’t want anything to get in the way of that.  Bottom line: security professionals protected themselves like amateurs, and found their defenses easily compromised once their CEO went out of his way to provoke a hacker collective known for its willingness to attack.
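The following is an added, constructed illustration (not from Bright's article, and not real leaked data) of the point above: against unsalted hashes one precomputed dictionary settles every account in a single pass, whereas a per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256 from the standard library, an assumed choice) forces the work to be redone for every account and hides which users share a password.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users share a weak password.
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1", "dave": "Tr0ub4dor&3"}

# Constructed stand-in for a cracker's wordlist of common passwords.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]


def unsalted_md5(pw):
    """The scheme the leaks describe: a bare MD5 of the password, no salt."""
    return hashlib.md5(pw.encode()).hexdigest()


def salted_kdf(pw, salt, rounds):
    """Per-user random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)


def build_unsalted_db(users):
    return {u: unsalted_md5(p) for u, p in users.items()}


def build_salted_db(users, rounds=200_000):
    db = {}
    for u, p in users.items():
        salt = os.urandom(16)                  # fresh random salt per account
        db[u] = (salt, salted_kdf(p, salt, rounds))
    return db


def crack_unsalted(db, wordlist):
    """One table of len(wordlist) hashes, computed once, covers every account at once;
    identical hashes also reveal that alice and carol share a password."""
    table = {unsalted_md5(w): w for w in wordlist}
    return {u: table[h] for u, h in db.items() if h in table}


def crack_salted(db, wordlist, rounds=200_000):
    """With salts no table can be shared: every (account, guess) pair costs a full
    KDF run, up to len(db) * len(wordlist) calls instead of len(wordlist)."""
    found, kdf_calls = {}, 0
    for u, (salt, digest) in db.items():
        for w in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(salted_kdf(w, salt, rounds), digest):
                found[u] = w
                break
    return found, kdf_calls
```

The same weak passwords are still found either way; what changes is that the salted store costs a KDF run per account per guess and no longer leaks password reuse, which is why the slow KDF and the salt must go together.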

It would not surprise me if Lipton’s idea gained traction, very soon.  If nothing else, it would make searching through the email database far more difficult, because naive search algorithms would generate lots of false positives.  It might be worth turning the question around, to ask something I don’t know how to answer: Is there an algorithmic method to separate real documents from shadow documents, assuming they are uploaded together in the same torrent?