March 29, 2024

Hacker Attacks Like Stratfor’s Require Fast Response

In the film “Pulp Fiction,” Harvey Keitel plays the Wolf, a fast-talking and meticulous man who is called in to deal with the aftermath of an accidental shooting.

In the messy world of computer security breaches, Kevin Mandia is something like the Wolf. Mr. Mandia has spent his entire career cleaning up problems much like the recent breach at Stratfor, the security group based in Austin, Tex., that was hacked over the Christmas weekend.

Hackers claiming to be members of the collective known as Anonymous defaced Stratfor’s Web site and published over 50,000 of its customers’ credit card numbers online. They have threatened to release more card details and a trove of 3.3 million e-mails between Stratfor and its clients, which include Goldman Sachs, the Defense Department, Los Alamos National Laboratory and the United Nations.

That means Stratfor is in the position of trying to recover from a potentially devastating attack without knowing whether the worst is over.

“They’re in a bad place,” said Mr. Mandia, who is not involved in the Stratfor case. “If the attacker is going to release their e-mails, there’s no way to shut them down.”

Stratfor joins a list of other hapless prominent organizations that have recently been breached by so-called hacktivists — hackers whose goal is to embarrass and expose them. Among its predecessors are Sony, the security company HBGary and the Arizona Department of Public Safety.

Unlike extortion cases, in which hackers typically demand a fee for not disclosing specific proprietary information, attacks by hacktivists leave companies in a more precarious waiting mode. The companies do not know precisely what has been stolen, how destructive its disclosure will be, when it will be dumped online or even whether the hackers are still roaming through their internal networks. All the while, they must reassure anxious clients and try to minimize the inevitable public relations fallout.

“We call it a three-alarm fire,” said Jamie May, chief investigator at Debix, the identity protection company that was hired by Sony after its breach earlier this year.

“It’s easy for companies to get ahead of themselves and rush into bad decisions that make a situation worse,” she said, “which is why it is often helpful to work with a company that has done this before.”

The breach at Stratfor, which markets its security expertise, could be particularly embarrassing if hackers can prove their claims that they were able to read the company’s sensitive data because it was stored unencrypted. Encrypting stored card data is a basic first step in data protection, and one the card industry’s PCI DSS standard requires of any merchant that keeps card numbers.

Stratfor has not clarified whether its data was encrypted, and did not respond to requests for comment. With its Web site still down, the company has been using its Facebook page to share updates about matters like its offer of identity-theft protection for customers. But some customers have left comments on the page complaining that they did not hear directly from Stratfor about the breach, and found out that their card information was compromised only when their banks notified them of unauthorized charges.

Mr. Mandia’s computer security and forensics firm, Mandiant, has responded to breaches, extortion attacks and economic espionage campaigns at 22 companies in the Fortune 100 in the last two years alone, Mr. Mandia said. He calls the first hour he spends with companies “upchuck hour.”

“I need to get as much data as I can get. I come in and say ‘Get me your firewall logs. Give me your Web logs. Tell me what you know so far. Who do you think might have done this? Give me your e-mails,’ ” he said. “Everybody’s vomiting information on a table. It’s never pretty and it’s always unstructured.”

Time is of the essence. “Every minute you take to figure this out, you could be losing more e-mails and more credit data,” he said. The goal is to determine quickly the “fingerprint” of the intrusion and its scope, Mr. Mandia said: “How did the guy break in? What did he take? When did he break in? And, how do I stop this?”

The first thing a forensics team will do is try to get the hackers off the company’s network, which entails simultaneously plugging any security holes, removing any back doors into the company’s network that the intruders might have installed, and changing all the company’s passwords.

“This is something most people fail at,” Mr. Mandia said. “It’s like removing cancer. You have to remove it all at once. If you only remove the cancer in your leg, but you have it in your arm, you might as well have not had the operation on your leg.”

Likewise, if a company misses one back door or one compromised password, the intruders can immediately come back in.
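The steps above (pull the Web logs, work out how and when the intruder got in and what was touched, then remove every foothold in one pass and verify nothing was missed) can be illustrated in code. What follows is an added example written for this page; it is not the article's, Mandiant's or Stratfor's tooling. It assumes Apache "combined" access-log lines, uses two hypothetical indicators (a `cmd=` query parameter on a script that should never take commands, and a successful POST to an upload endpoint), and runs over a handful of constructed log lines using RFC 5737 documentation addresses.

```python
import re
from datetime import datetime

# Constructed Apache "combined" access-log lines for the example. The IPs are
# documentation ranges (RFC 5737) and the paths are invented; none of this is
# Stratfor data.
SAMPLE_WEB_LOG = """\
203.0.113.9 - - [24/Dec/2011:02:11:05 +0000] "GET /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Dec/2011:02:11:09 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Dec/2011:02:14:41 +0000] "POST /admin/upload.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Dec/2011:02:15:02 +0000] "GET /images/hdr.php?cmd=id HTTP/1.1" 200 1040 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Dec/2011:09:30:00 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.77 - - [25/Dec/2011:03:40:12 +0000] "GET /static/cache.php?cmd=cat+/var/www/db.conf HTTP/1.1" 200 3200 "-" "curl/7.21"
203.0.113.77 - - [25/Dec/2011:03:41:50 +0000] "GET /images/hdr.php?cmd=tar+czf+/tmp/m.tgz+/var/mail HTTP/1.1" 200 88 "-" "curl/7.21"
"""

# Apache combined log format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Hypothetical indicators chosen for this example. A "cmd=" query parameter is
# the classic web-shell tell; a successful POST to the upload endpoint is the
# usual way the shell got onto the server in the first place.
SHELL_RE = re.compile(r"\?(?:[^&]*&)*cmd=", re.I)
UPLOAD_RE = re.compile(r"^/admin/upload\.php$", re.I)


def parse_web_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, _query = m.group("target").partition("?")
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": path,
            "target": m.group("target"),
            "status": int(m.group("status")),
        })
    return events


def scope_intrusion(events):
    """Answer the scoping questions: how did he get in, when, from where, and which files are back doors."""
    hits = [e for e in events
            if (e["status"] == 200 and SHELL_RE.search(e["target"]))
            or (e["status"] == 200 and e["method"] == "POST" and UPLOAD_RE.match(e["path"]))]
    if not hits:
        return None
    attacker_ips = {e["ip"] for e in hits}
    # Widen from the lines that tripped a rule to everything those addresses did.
    related = [e for e in events if e["ip"] in attacker_ips]
    first = min(related, key=lambda e: e["ts"])
    last = max(related, key=lambda e: e["ts"])
    return {
        "attacker_ips": sorted(attacker_ips),
        "first_seen": first["ts"],
        "last_seen": last["ts"],
        "dwell": last["ts"] - first["ts"],
        "entry_path": first["path"],
        "backdoors": sorted({e["path"] for e in hits if SHELL_RE.search(e["target"])}),
        "touched_paths": sorted({e["path"] for e in related}),
    }


def eradication_gaps(found, remediated):
    """Return every indicator the remediation plan leaves open, by category.

    Eradication is only complete when this is empty: removing one shell while a
    second one stays is the "cancer in the other arm" failure, and the intruder
    walks straight back in.
    """
    gaps = {}
    for kind, items in found.items():
        left = sorted(set(items) - set(remediated.get(kind, ())))
        if left:
            gaps[kind] = left
    return gaps


if __name__ == "__main__":
    scope = scope_intrusion(parse_web_log(SAMPLE_WEB_LOG))
    print(scope)
    # A plan that only handles the first shell and the first address found.
    plan = {"backdoors": ["/images/hdr.php"], "blocked_ips": ["203.0.113.9"]}
    print(eradication_gaps(
        {"backdoors": scope["backdoors"], "blocked_ips": scope["attacker_ips"]}, plan))
```

On the constructed lines the scoping pass reports entry through `/admin/login.php`, two back-door scripts and a second attacker address that first appears a day later; a plan that removes only the first shell and blocks only the first address comes back with both of those still open, which is exactly the case the text warns about.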

Once the network has been secured, a forensics team will comb through a company’s data to determine the impact of the breach, so it can begin notifying affected customers, determine its liability and try to get ahead of the news cycle.

But in a hacktivist case like Stratfor’s, in which hackers are threatening to release more credit card details and sensitive correspondence, Mr. Mandia said there comes a point when “you just have to sit back and hope.”

“If anybody was any good at preventing leaks, we would have never seen WikiLeaks,” Mr. Mandia said. “The U.S. government would have stopped it and that data would never have been dumped.”

Meanwhile, Stratfor’s hackers have taken to Twitter to announce that they plan to release more Stratfor data over the next several days.

That may offer at least one possible silver lining. In the world of computer security, experts say, the most dangerous breaches are the quiet ones — the ones in which hackers make off with a company’s intellectual property and leave no trace.

“The hacks that do the most damage,” Mr. Mandia said, “don’t have Twitter feeds.”

Article source: http://feeds.nytimes.com/click.phdo?i=e0a94b901d0335f48c476aea969c680e