
Data Exposed In Stratfor Compromise Analyzed

Unknown Lamer posted more than 2 years ago | from the forecast-is-for-doom dept.

Privacy 141

wiredmikey writes with an excerpt from an article in Security Week: "Following news that security and intelligence firm Stratfor is downplaying the recent hack of its systems, Identity Finder today shared a detailed analysis of the data released so far by the attackers. Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired. In terms of emails, 86,594 Email addresses were claimed to be exposed by the hackers, but only 47,680 were unique. The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon. In addition to the presently published data compromised during the attack, the attackers claim that 200GB of company email containing 2.7 million emails was captured as well." As of posting, Stratfor's website is still down.
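The counts in the excerpt (total versus unique card numbers, expired versus still-valid, claimed versus unique e-mail addresses, the A-M / N-Z split) are what an incident responder produces when triaging a dump like this one. The script below is an added example of that triage, not Identity Finder's or Stratfor's tooling; the record layout and every sample row are constructed from published test PANs, and the as-of date is the story's own late-December-2011 timeframe.

```python
"""Triage of a leaked subscriber/card dump: dedupe PANs (after a Luhn check
so garbled strings are not counted as cards), dedupe e-mails case-insensitively,
count expired cards against a reference date, split rows by first initial.
Added example; the dump format and rows below are constructed, not real data."""
import csv
import io
from datetime import date

# The story ran in late December 2011; expiry is judged as of this date.
STORY_DATE = date(2011, 12, 28)

# Constructed sample dump (not real data): name, email, PAN, expiry MM/YY.
SAMPLE_DUMP = """\
Alice Example,alice@example.org,4111111111111111,03/10
Bob Example,Bob@Example.org,5500000000000004,11/13
Carol Example,carol@example.net,4111111111111111,03/10
Dave Example,dave@example.net,340000000000009,12/11
Nina Example,nina@example.org,6011000000000004,01/14
Oscar Example,bob@example.org,5500000000000004,11/13
"""


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so truncated or garbled strings are not counted as cards."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_expired(mm_yy: str, as_of: date) -> bool:
    """A card stays usable through the last day of its expiry month."""
    mm, yy = mm_yy.split("/")
    return (2000 + int(yy), int(mm)) < (as_of.year, as_of.month)


def triage(dump_text: str, as_of: date) -> dict:
    """Deduplicate cards and e-mails, count expiries, split by first initial."""
    expiry_by_pan = {}                 # one entry per distinct PAN
    emails = []
    by_initial = {"A-M": 0, "N-Z": 0, "other": 0}
    rows = 0
    for name, email, pan, exp in csv.reader(io.StringIO(dump_text)):
        rows += 1
        emails.append(email.strip().lower())     # case-fold before deduping
        pan = pan.strip()
        if luhn_ok(pan):
            expiry_by_pan.setdefault(pan, exp.strip())
        initial = name.strip()[:1].upper()
        if "A" <= initial <= "M":
            by_initial["A-M"] += 1
        elif "N" <= initial <= "Z":
            by_initial["N-Z"] += 1
        else:
            by_initial["other"] += 1
    expired = sum(1 for e in expiry_by_pan.values() if is_expired(e, as_of))
    return {
        "rows": rows,
        "unique_cards": len(expiry_by_pan),
        "expired_cards": expired,
        "live_cards": len(expiry_by_pan) - expired,
        "claimed_emails": len(emails),
        "unique_emails": len(set(emails)),
        "by_initial": by_initial,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DUMP, STORY_DATE))
```

Two details matter for the headline numbers: the Luhn filter keeps OCR and copy-paste garbage out of the "card numbers" count, and case-folding e-mail addresses before deduplication is what turns a claimed total into a unique total (the excerpt's 86,594 versus 47,680).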


"Donations" to Charities (4, Informative)

InterestingFella (2537066) | more than 2 years ago | (#38517318)

The credit card numbers they stole and exposed were used to make over one million dollars worth of "donations" to different charities like Red Cross, Save the Children and CARE. Good job Anonymous!

Except that they were all reversed with chargebacks, which not only took back all the money given, it actually cost the charities around $250,000 in chargeback fees which are now off from what other, legit people donated. Awesome job there! Idiots...

Re:"Donations" to Charities (3, Insightful)

Herkum01 (592704) | more than 2 years ago | (#38517432)

I highly doubt that Charities are getting charged chargeback fees for something that they did not do themselves and you made up the amount of 250,000 because there is no way the banks would be able to justify the fees for a quarter of the total amount.

Re:"Donations" to Charities (3, Informative)

InterestingFella (2537066) | more than 2 years ago | (#38517474)

Do you really think that it will be banks covering the costs? That never happens. It's always the merchant. Charity or not. The 250,000 comes from my knowledge of chargeback fees being $25-40 for merchants. With around 10,000 current credit cards exploited, I actually took the lowest possibility of $25 per chargeback and didn't even account for multiple donations per card. The fees can be much higher too, but it is at least $250,000.

Re:"Donations" to Charities (1)

InterestingFella (2537066) | more than 2 years ago | (#38517558)

Like the anonymous coward below notes, I actually took it too low. AIDG gets charged $35 per chargeback [twitter.com] , so it's probably more like $350,000 or more.

Re:"Donations" to Charities (0)

Anonymous Coward | more than 2 years ago | (#38517640)

In this case, it would be good PR for a bank to cover it for the charities. Heck, the banks could probably even write it off as a donation.

Re:"Donations" to Charities (3, Insightful)

rmstar (114746) | more than 2 years ago | (#38517864)

In this case, it would be good PR for a bank to cover it for the charities. Heck, the banks could probably even write it off as a donation.

Good PR? Give me a break. Banks don't give a rats ass about PR because they mostly 0wn this planet, and there is literally nothing that will stop them from 0wning it more. I mean, they seriously damaged the world economy, put lots of people into excruciating hardship in the US, and there they are. PR didn't really play a role in this.

So no, they will take the money for the backcharge, and if a charity goes broke, then that will be it.

Re:"Donations" to Charities (1)

Anonymous Coward | more than 2 years ago | (#38518092)

You know, if you stopped spelling own with a 0, people might take you seriously... still, it's better than spelling it with a p I suppose.

Re:"Donations" to Charities (1, Troll)

MichaelKristopeit421 (2018882) | more than 2 years ago | (#38518424)

if you stopped cowering in anonymity, people might take you seriously... but i wouldn't be so boldly ignorant as to claim i speak for all "people".

you're an ignorant hypocrite... anything would be better i suppose.

you're an idiot.

Re:"Donations" to Charities (0)

Anonymous Coward | more than 2 years ago | (#38519036)

seriously. rmstar more like rmstard.

Re:"Donations" to Charities (5, Funny)

SmurfButcher Bob (313810) | more than 2 years ago | (#38518028)

In related news, I know a PR guy who's looking for a job...

Re:"Donations" to Charities (1)

Minwee (522556) | more than 2 years ago | (#38518400)

In related news, I know a PR guy who's looking for a job...

I know that guy, he's pretty good. He wwebsite as on the internet when you were a sperm in your daddys balls, and is a good friend of Cliffy B, Scott Lowe, the guys from Penny Arcade and the mayor of Boston.

Think it through a little more thoroughly: (2)

Hartree (191324) | more than 2 years ago | (#38518306)

"it would be good PR for a bank to cover it for the charities"

You don't understand. The smart PR move is to let the charges stand without comment. That way the charities talk about it to their donors when asking for more funds to make up the difference.

The banks are already not well thought of currently. This makes no difference to them.

Net result: A lot of people who had never heard of Anonymous before their favorite charity mentioned them now hate their guts.

Re:"Donations" to Charities (0)

Anonymous Coward | more than 2 years ago | (#38518516)

Bankers are so evil, that Satan hangs around them to look like a good guy.

Nothing is more evil than a banker. Even the Taliban are nice guys compared to them.

Re:"Donations" to Charities (1)

RoknrolZombie (2504888) | more than 2 years ago | (#38519600)

Yes, and they'd manage to leverage other fees to make up for their "loss"...so it still gets passed on to someone that's completely not involved with the situation.

Re:"Donations" to Charities (2)

gl4ss (559668) | more than 2 years ago | (#38518210)

what you're saying is that you could have bankrupted any company with the cards.

this is high profile enough to just end up as a special case, with the transactions reversed in one large batch by the affected cc processors.

anyhow, it's up to the card owners to dispute.

the real wtf is what the hell were they storing the card data for? this means stratfor should lose any possibility to do cc payments in future, having vastly fucked up following guidelines.

Re:"Donations" to Charities (2)

cdrguru (88047) | more than 2 years ago | (#38518404)

The only way someone gets bankrupted is if they didn't validate the cards properly.

Now validation costs money to do properly, but failing to validate can cost a lot more. It is like $0.30 plus staff time to do proper validation vs. $25 or $35 to deal with a chargeback.

See, validation makes sense, especially if you are subject to lots of fraud. Anytime a credit card number is taken on the Internet you can assume at least 20% of the entries are fraudulent and you better handle that - because if you submit more than 1-2% fraudulent transactions you aren't going to be submitting any more.

Re:"Donations" to Charities (4, Informative)

cdrguru (88047) | more than 2 years ago | (#38518374)

Banks? There are no "banks" involved with chargeback fees.

When you sign up for a merchant account, you are contracting with a "merchant services provider". They are the ones that are handling the credit card transaction processing. When you get paid, they put money into the transfer account as per your agreement - then a bank is involved. Until then, you are dealing with a reseller (probably) and some place like First Data which is not in any respect "a bank".

You might be able to get your merchant services provider to back off on some massive fraud and not charge you the full $25 for each and every single chargeback. However, a lot of this is dictated not by your merchant services provider and not even by First Data but relates to the fact that people get involved at both the bank (where your money got put) and also with the customer card accounts themselves. When First Data processes a charge in error and it shows up on some poor customer's statement, they likely have to pay a service fee to the customer's credit card processing company to get the charge taken off. Now that might be a bank.

So the likelihood of getting the charges waived is pretty low. It costs real money to screw with credit cards and if you aren't properly validating the transactions - before submitting them - you are going to run up some big bills. Did these charities do proper validation and find out they were being scammed? Hope so, because then it would not have cost them anything. If they ran the charges through, they are likely going to have to pay.

Re:"Donations" to Charities (0)

Anonymous Coward | more than 2 years ago | (#38518796)

banks own major cc processors. not a secret.

Re:"Donations" to Charities (1)

deKernel (65640) | more than 2 years ago | (#38519010)

Excellent representation of the processing of transactions. Most people don't realize that processing of credit card transactions in the US doesn't really involve banks other than authorizing of the transaction (meaning there is either money in a checking account for debit cards typically or credit available on a credit account) and acting as the receiver of the transfer for the merchant once the transactions are settled.
Interested in a job :)

Re:"Donations" to Charities (1)

jroysdon (201893) | more than 2 years ago | (#38519644)

Banks can be service providers as well. I know for a fact that Wells Fargo is. Perhaps a different unit of Wells Fargo from their core banking unit, but still Wells Fargo, a bank.

Re:"Donations" to Charities (5, Informative)

JWSmythe (446288) | more than 2 years ago | (#38517646)

It doesn't matter if they're a charity or not. They may have managed to talk the bank out of some of the fines, but that'd be about it.

One place I worked, which did high volume CC transactions, the typical sale was $25. A chargeback resulted in the bank taking back the full amount ($25) plus fine ($35).

We worked hard to avoid chargebacks. As I recall, you can lose your merchant account if you exceed 1% chargebacks. Before the chargeback is done, the merchant is given a "chargeback notification". At that point, we can dispute, refund, or ignore it. Since we were an online company, we didn't have a physically signed receipt to prove that the person was actually the purchaser.

With a signed receipt and someone to confirm that they visually verified the identification, you can dispute.

We opted to refund, and cancel their account. That way, we simply didn't make the value of the sale, but there were no fines applied. So +$25 on the transaction. -$25 on the refund. $0 total.

Finally, is the option of ignoring it. +$25 transaction, -$25 refund, -$35 fine. -$35 total.

Typically, the consumer would call first, before the chargeback. We'd assist them in finding out the details of the transaction. We'd give them the time, date, information about the IP, and email address used with it. Most of the time, we could positively say that the transaction occurred in their location (by the IP and ISP). They'd recognize the email address as belonging to someone else in their household. If they wanted, we would cancel the account and refund the full amount. I'd say refunds occurred about 50% of the time. They'd talk to their family members, and find out that they had done the transaction, the card holder just didn't know, but they allowed it anyways.

For us, it didn't matter that much. We handled millions of dollars a year. Who cared about a few dozen refunds in the same period. It was cheaper to refund and make the consumer happy, than dispute and risk incurring the fines, and risking our merchant account status.

I know people with stolen card information will test it by donating a small amount to charity. People won't generally notice a $1 or $5 charge on their card, if it's frequently used. They'll catch on when the card is used the second time for a high dollar transaction. The idea of the test transaction is only to verify the card. It's easy, and they don't have to provide a valid delivery address for merchandise. They aren't doing it out of good will, they're exploiting the system a bit more.
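The two patterns JWSmythe describes (a stolen list being verified with small donations, then a verified card being used for a large purchase) and the validation cdrguru argues for a few comments up are both detectable from an authorization log before the chargebacks arrive. The code below is an added example of that detection logic, not anything from the thread or from any processor; the log layout, thresholds, IPs and card tokens are constructed.

```python
"""Detection for card-testing against a donation form: (1) a burst of
small authorizations on many distinct cards from one source inside a short
window, and (2) a small probe charge on a card followed within a day by a
large charge. Added example; log format, thresholds and rows are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMALL_AMOUNT = 5.00                  # "a $1 or $5 charge"
LARGE_AMOUNT = 200.00
BURST_WINDOW = timedelta(minutes=10)
BURST_MIN_CARDS = 5
PROBE_WINDOW = timedelta(hours=24)

# Constructed authorization log: timestamp, card token, amount, source IP, merchant.
AUTH_LOG = """\
2011-12-25 09:00:00,tok_g7,2.00,192.0.2.10,charity-x
2011-12-26 10:00:01,tok_a1,1.00,203.0.113.7,charity-x
2011-12-26 10:00:09,tok_b2,1.00,203.0.113.7,charity-x
2011-12-26 10:00:20,tok_c3,2.00,203.0.113.7,charity-x
2011-12-26 10:00:31,tok_d4,1.00,203.0.113.7,charity-x
2011-12-26 10:00:44,tok_e5,5.00,203.0.113.7,charity-x
2011-12-26 10:01:02,tok_f6,1.00,203.0.113.7,charity-x
2011-12-26 11:15:00,tok_z9,50.00,198.51.100.5,charity-x
2011-12-26 12:00:00,tok_y8,1.00,198.51.100.77,charity-x
2011-12-26 14:30:00,tok_a1,450.00,203.0.113.99,games-store
2011-12-27 12:00:00,tok_g7,300.00,192.0.2.10,games-store
"""


def parse_log(text: str) -> list:
    """Parse and sort by time so the sliding windows below are monotonic."""
    events = []
    for line in text.splitlines():
        ts, card, amount, ip, merchant = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       card, float(amount), ip, merchant))
    return sorted(events)


def burst_sources(events) -> set:
    """Source IPs that ran >= BURST_MIN_CARDS distinct cards at small amounts
    inside BURST_WINDOW: a list being verified, not a donor."""
    flagged = set()
    window = defaultdict(deque)      # ip -> recent (ts, card) small auths
    for ts, card, amount, ip, _ in events:
        if amount > SMALL_AMOUNT:
            continue
        q = window[ip]
        q.append((ts, card))
        while q and ts - q[0][0] > BURST_WINDOW:
            q.popleft()
        if len({c for _, c in q}) >= BURST_MIN_CARDS:
            flagged.add(ip)
    return flagged


def probe_then_spend(events) -> set:
    """Cards with a small charge followed by a large one within PROBE_WINDOW."""
    flagged = set()
    last_probe = {}                  # card -> time of most recent small auth
    for ts, card, amount, _, _ in events:
        if amount <= SMALL_AMOUNT:
            last_probe[card] = ts
        elif (amount >= LARGE_AMOUNT and card in last_probe
              and ts - last_probe[card] <= PROBE_WINDOW):
            flagged.add(card)
    return flagged


def review_queue(text: str) -> dict:
    """What a merchant would pull for manual review or pre-emptive refund."""
    events = parse_log(text)
    ips = burst_sources(events)
    cards = probe_then_spend(events)
    # Every small auth from a flagged source is a refund-before-chargeback candidate.
    refund = sorted({card for _, card, amt, ip, _ in events
                     if ip in ips and amt <= SMALL_AMOUNT})
    return {"burst_ips": ips, "probed_cards": cards, "refund_candidates": refund}


if __name__ == "__main__":
    print(review_queue(AUTH_LOG))
```

The refund list is the point: refunding the flagged probes yourself is the "$0 total" outcome from the comment above, whereas waiting for the cardholder's dispute is the "-$35" one. The 24-hour probe window is deliberately tight; tok_g7 in the sample is probed and then spent 51 hours later and is not flagged, which is the trade-off a real rule has to tune.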

Re:"Donations" to Charities (1)

sjames (1099) | more than 2 years ago | (#38518274)

So, in other words the charities can take option 2 (and probably have standing orders to that effect) and be out nothing.

Re:"Donations" to Charities (0)

Anonymous Coward | more than 2 years ago | (#38517696)

You don't deal with credit card companies very much, do you? Their fees have nothing to do with what you do yourself, or what's justified.

They charge whatever they decide to charge, and if you don't like it you need to a) find a processor who won't charge you the same or more (good luck), and if you do find someone you get to pay the expenses to integrate with another processor's APIs.

Re:"Donations" to Charities (1)

Marxist Hacker 42 (638312) | more than 2 years ago | (#38517778)

Didn't the Great Banking Coup of September 2008 teach you anything? Banks can justify whatever they want, and we all have to take it, because there is no regulatory oversight anymore.

Re:"Donations" to Charities (2)

frisket (149522) | more than 2 years ago | (#38518266)

They don't even have to justify anything. Banks in the UK used to charge customers a fee for replying to a letter :-)

Re:"Donations" to Charities (0)

Anonymous Coward | more than 2 years ago | (#38518608)

Thank the FUCKING republicans for that.

Damned Assholes, and all the scumbag Democrats that also voted yes on that abortion of legislation.

Re:"Donations" to Charities (2)

gmack (197796) | more than 2 years ago | (#38517848)

After 10 years working in the credit card industry I can tell you that banks rarely pass up an opportunity to hit merchants with fees and charities are nothing more than merchants to them. The theory they go by is that merchants should be able to tell what transactions are fraudulent but really it's just an excuse to charge for the trouble of having to deal with chargebacks (and make a little extra money on the side)

Re:"Donations" to Charities (1)

MichaelKristopeit421 (2018882) | more than 2 years ago | (#38518362)

I highly doubt that Charities are getting charged chargeback fees for something that they did not do themselves and you made up the amount of 250,000 because there is no way the banks would be able to justify the fees for a quarter of the total amount.


i highly doubt that you, or any of the idiots that moderated your ignorant comment as "insightful" know anything about how e-commerce works. if you accept payments, you are charged a fee. there is no getting around that fee.

if no fee was assessed for chargebacks, then anyone could stress the payment gateway systems, possibly disabling them, by flooding the system with payments and matching chargebacks. there is no way the moderators could justify their claim that your comment was insightful.

you're an idiot.

Re:"Donations" to Charities (0)

Anonymous Coward | more than 2 years ago | (#38519854)

That's exactly why merchants pay chargeback fees and their "discount rate." If you get too many charge backs, your discount rate also increases to cover exactly what happened; fraud. So chances are, not only did they cost charities a shitload of money, they likely now are facing higher costs to process transactions - PER transaction.

Anonymous is a bunch of fucktards. The one time they publicly stated they would actually do some good (fight crime via Mexican Mafia), they backed down once the Mafia made it clear they'd kill their piece of shit worthless asses.

These people are morons, idiots, and criminals. Shooting and jail time is all they deserve.

Re:"Donations" to Charities (4, Funny)

vlm (69642) | more than 2 years ago | (#38517442)

yeah yeah about that, do you have the URL for donation pages for RIAA and MPAA?

Re:"Donations" to Charities (3, Informative)

Anonymous Coward | more than 2 years ago | (#38517526)

Stratfor Global has us worried. Pls don't donate to AIDG with stolen credit cards, we get hit $35 per fraudulent transaction! #anonymous RT

Indeed. Good job, Anonymous! [twitter.com]

Re:"Donations" to Charities (1)

Karmashock (2415832) | more than 2 years ago | (#38517850)

That's kind of messed up. If I were the banks... I'd try to find some way to 'forgive" that or charge the whole incident to the credit card fraud department. Credit cards charge such high interest in part to pay for such things. Just tap that fund for this and leave the poor charities alone.

Charities? (1)

Hartree (191324) | more than 2 years ago | (#38518412)

I hopped over to Stratfor's Facebook page and one of the people who posted on it said their credit card info from Stratfor had been used at the well known charity called the Blizzard Store. ;)

Re:"Donations" to Charities (1)

poetmatt (793785) | more than 2 years ago | (#38518444)

Where does this even come from? The credit card numbers were given to stratfor. That's for security analysis. Where do you make up this collateral damage crap here?

Do you really use the same credit card to sign up for security analysis as you do for donating to red cross, even if you're the government? I doubt it.

Re:"Donations" to Charities (2)

eulernet (1132389) | more than 2 years ago | (#38518518)

From the ArsTechnica article:

According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies.

Why the hell did Stratfor store credit card numbers in plain text ?
They totally deserve what happens to them, I hope they'll have to pay all charges for the credit card changes.
This is not the first time a company has this kind of problem, but we are now (almost) in 2012, so this problem should have disappeared a long time ago.
Did they audit their security ? It's pretty sure, but they probably didn't show their custom modules, so it's totally their fault here.

Would you prefer that their server was hacked by some group other than Anonymous, so that nobody would ever know that there was a problem ?
Security by obscurity is never good.

They can try to blame Anonymous, but it's Stratfor's entire fault !

Who will take the blame ?
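The storage practice the Ars quote describes (a custom module persisting the full card number and the card security code in cleartext) is worth seeing next to the record a merchant actually needs after authorization. The code below is an added example, not Ubercart, Drupal or Stratfor code; the record layout, the processor token and the HMAC key are assumptions for illustration.

```python
"""The insecure record shape described in the quote beside a hardened one,
plus an audit scan that flags stored records of the insecure shape.
Added example; layout and key are assumptions, not any real module's code."""
import hashlib
import hmac
import re

# Assumed: a secret held outside the customer database (KMS/HSM/env), never in the table.
TOKEN_KEY = b"example-key-do-not-use-in-production"

PAN_RE = re.compile(r"^\d{13,19}$")
CVV_RE = re.compile(r"^\d{3,4}$")
SENSITIVE_KEYS = {"pan", "card_number", "cvv", "cvc", "security_code"}


def record_insecure(pan: str, cvv: str, exp: str, name: str) -> dict:
    """What 'stored customer data in cleartext' looks like. Do not do this:
    the security code may not be retained after authorization at all."""
    return {"name": name, "pan": pan, "cvv": cvv, "exp": exp}


def record_hardened(pan: str, cvv: str, exp: str, name: str, processor_token: str) -> dict:
    """Keep a keyed pseudonym of the PAN (to recognise a returning card), the
    last four digits (for display), the expiry, and the processor's own token
    (for re-billing). The CVV is validated for the authorization call that the
    caller makes and then deliberately dropped; it never reaches the record."""
    pan = pan.replace(" ", "")
    if not PAN_RE.match(pan):
        raise ValueError("malformed PAN")
    if not CVV_RE.match(cvv):
        raise ValueError("malformed CVV")
    pan_hmac = hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()
    return {
        "name": name,
        "pan_hmac": pan_hmac,          # lookup pseudonym, not reversible without the key
        "last4": pan[-4:],
        "exp": exp,
        "processor_token": processor_token,
    }


def sensitive_fields(record: dict) -> list:
    """Audit helper: field names that carry PAN/CVV data, by key name or by
    value shape (a bare 13-19 digit string is treated as a PAN)."""
    hits = []
    for key, value in record.items():
        v = str(value).replace(" ", "")
        if key.lower() in SENSITIVE_KEYS or PAN_RE.match(v):
            hits.append(key)
    return hits


if __name__ == "__main__":
    bad = record_insecure("4111111111111111", "123", "03/14", "A. Example")
    good = record_hardened("4111 1111 1111 1111", "123", "03/14", "A. Example", "proc_abc")
    print(sensitive_fields(bad), sensitive_fields(good))
```

The pseudonym is keyed rather than a plain hash because the PAN keyspace is small once the BIN is known; an unkeyed SHA-256 of a card number is reversible by enumeration. The key therefore has to live somewhere the customer table does not, and re-billing is done through the processor's token, which is what removes the need to keep anything reversible at all.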

Re:"Donations" to Charities (1)

dbIII (701233) | more than 2 years ago | (#38519166)

Why the hell did Stratfor store credit card numbers in plain text

Because they are a useless parking lot for political "science" graduates that can't get a job anywhere else but are handy as campaign workers each election. When is the USA going to wake up and understand that the "think tanks" are full of rejects instead of experts.

Re:"Donations" to Charities (4, Insightful)

flyingsquid (813711) | more than 2 years ago | (#38519070)

Anonymous is nothing more than a bunch of irresponsible children. What the fuck is up with targeting Stratfor? It's not some shadowy clandestine service, it's just a think tank formed by a former politics professor that does analysis. Now, I suppose if your entire worldview is informed by children's cartoons and Hollywood blockbuster movies, that's enough to make them the "baddies" and you the "goodies", but the world doesn't really work that way. Let me explain this to you Anonymous children in terms you can understand: if Batman is walking down the street and sees a guy with a strange costume, he doesn't just beat the shit out of the guy. He goes back to the Batcave, and does his homework, and does some sleuthing, and only after he has figured out that the guy is, in fact, engaged in criminal behavior, *then* Batman beats the shit out of him. See, if you break the law to stop a criminal act, then you're a vigilante. Like Batman. But if you break the law and attack people when you don't have any evidence that they are engaged in criminal activity... then you're not Batman. You're just a fucking criminal.

Re:"Donations" to Charities (1)

dbIII (701233) | more than 2 years ago | (#38519346)

The irresponsible children bit is ruined slightly by writing about Batman as if he's real :)
From one perspective parasitic noisemakers that pretend to be far more than they are such as "think tanks" are an obvious target for people that want to stir up trouble and not get hurt. By pretending to be like a competent well staffed intelligence bureau without actually having the resources of a small newspaper they would look like a juicy target to somebody that would really like to give the CIA or NSA some embarrassment but is not entirely insane. The PR that inflates them to pretend to be far more than they are makes them an easy bubble to burst.
A more adult analogy is that it's like squeezing the pus out of a pimple without taking any care to stop it getting infected afterwards. It makes more sense to ignore the pimple instead because it's no big deal and it will go away on its own.

Attacking the American Intelligence Community (2, Insightful)

Anonymous Coward | more than 2 years ago | (#38517438)

A special Category in the Darwin Awards.

Re:Attacking the American Intelligence Community (1)

gl4ss (559668) | more than 2 years ago | (#38518428)

storing credit card numbers attached to account data doesn't sound like intelligence community, sounds more like some douches who went out to find some guys and said "hey you're really smart! give us your cc number and some cash!" to some slobs they found.

real funny shit is how "TEH OFFICIAL ANONYMOUS" is claiming they didn't do it, which is a bit of a what the fuck too, don't they realize they're anonymous - there's no core, there's no agenda, if you don't like it form a hacking group like lulzsec.

but you know why stratfors client list is secret? because when it is secret they can claim that there's all sorts of cool persons there and not just peons, they're an image and guesswork company first and actual security provider second(or 4th or 6th, more probably 666th on the list..). that's why you get to spam them with stupid questions if you're a sub. it's like subbing to a nigerian information minister who happens to know english and reads the news.

why would they do that?(act more poshy than they are) well, to fool new clients into buying their newsletters and analysis - like "if you publish a picture of mohammed having sex with kids you might get suicide bombed" and "if you deal nuke technology to iran don't tell to Israelis unless you're finnish and have immunity and even then don't tell until you have the money in the bank".

Re:Attacking the American Intelligence Community (1)

sycodon (149926) | more than 2 years ago | (#38519164)

Add on 9,651 charges of credit card fraud.

Re:Attacking the American Intelligence Community (1)

dbIII (701233) | more than 2 years ago | (#38519390)

This lot and similar only pretend to be intelligent - hence the simple doubleplusgood label "think tanks". This incident highlights that better than anything else.

Re:Attacking the American Intelligence Community (0)

Anonymous Coward | more than 2 years ago | (#38519814)

Unlike your average Slashdot troll such as yourself.

But I guess you have convinced over 10,000 people and organizations to pay you money for your thoughts. What? No?

Another Linux using server compromised? LMAO! (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38517450)

http://uptime.netcraft.com/up/graph?site=www.stratfor.com [netcraft.com]

* Let the facts speak for themselves in 2011 that support my subject-line...

(Especially regarding what we heard for YEARS here on /. as "penguin 'FUD'" of "Linux = Secure" b.s.!)

APK

P.S.=> This does the rest: It's more such current information, & along the same lines (E.G.-> Linux servers being breached, ANDROID Linux variant phones being nuked too, security failures & exploitations, galore, etc./et al):

KERNEL.ORG COMPROMISED:

http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised [slashdot.org]

---

Linux.com pwned in fresh round of cyber break-ins:

http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/ [theregister.co.uk]

---

Mysql.com Hacked, Made To Serve Malware:

http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware [slashdot.org]

---

Linux's showing in CA's breached recently too? Ok:

http://uptime.netcraft.com/up/graph?site=StartCom.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=GlobalSign.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=Comodo.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=DigiCert.com [netcraft.com]

http://uptime.netcraft.com/up/graph?site=www.gemnet.nl [netcraft.com]

The list of CA Servers BREACHED that RUN LINUX (StartCom, GlobalSign, DigiCert, Comodo, GemNet)... per these articles verifying that:

http://itproafrica.com/technology/security/cas-hacked/ [itproafrica.com]

&

http://threatpost.com/en_us/blogs/site-dutch-ca-gemnet-offline-after-web-server-attack-120811 [threatpost.com]

---

Toss ANDROID (yes, a Linux since it uses a Linux kernel) in also, since it's being "shredded" on the mobile phone security-front rampantly for years now?

You get the picture...

* TOP THAT ALL OFF W/ DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS, PER THIS ARTICLE (very recent):

http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers [slashdot.org]

... apk

Re:Another Linux using server compromised? LMAO! (1)

HBI (604924) | more than 2 years ago | (#38517528)

The stratfor guys might have been in better shape if they'd kept their systems patched. Just sayin'

2.2.15 is not the latest. 2.2.21 is.

Re:Another Linux using server compromised? LMAO! (1)

tibit (1762298) | more than 2 years ago | (#38517644)

+1 funny as hell.

Perhaps, & perhaps not... apk (0)

Anonymous Coward | more than 2 years ago | (#38517652)

Is Linux's latest kernel proof to what got stratfor pwned? If not, that wouldn't have helped, & what about any other software/libs etc. used/affected that runs on Linux to do it??

APK

Re:Perhaps, & perhaps not... apk (0)

Anonymous Coward | more than 2 years ago | (#38518686)

Apache != Linux. That's an important distinction to make here.

Breach happened on Linux (4 a security-firm too) (0)

Anonymous Coward | more than 2 years ago | (#38519306)

"Apache != Linux." - by Anonymous Coward on Wednesday December 28, @03:16PM (#38518686)

I know that: Why I noted other wares! This breach occurred on Linux that ran Apache though, no matter HOW you try to "spin it"!

Heh - funniest part is, you'd think the penguins running it would have known how to patch OR @ least work-around "mitigate" it! Especially security guys... lol! So much for them doing 'security' & in their choice in LINUX for it... lol!

(For instance, for the unpatched security vulnerabilities posted @ SECUNIA.COM for both Windows 7 &/or Windows Server 2008 - I can work-around any unpatched REMOTE (dangerous kind) unpatched ones listed there - Windows also has 5x less unpatched security vulnerabilities shown there than Linux does (which its KERNEL ALONE, mind you, not an entire distro, also bears REMOTELY EXPLOITABLE BUGS in it unpatched in its "mainstream/base build").

APK

P.S.=> However - the "bottom-line" here, is this: What matters most is that it happened on Linux, just as the numerous other exploits I noted in 2011 that did for various reasons on servers (& on a massively used by typical end-users type too, on smartphones, in ANDROID (a Linux variant))...

... apk

Re:Another Linux using server compromised? LMAO! (0)

Anonymous Coward | more than 2 years ago | (#38517878)

LOL. Are you serious? Where they like 1 week out of date or something?

Re:Another Linux using server compromised? LMAO! (2)

HBI (604924) | more than 2 years ago | (#38518102)

Apache 2.2.15 was released 3/6/10 [apache.org] .
Apache 2.2.21 was released 9/13/11 [apache.org] .

So yeah, they were almost 2 years out of date.

Re:Another Linux using server compromised? LMAO! (3, Informative)

fnj (64210) | more than 2 years ago | (#38520118)

Bzzzt. Thank you for playing. The 2.2.15 doesn't tell you the patch level. Here's from a completely up to date RHEL6 system:

[fnj@baldur ~]$ rpm -qa | grep httpd
httpd-tools-2.2.15-15.el6.x86_64
httpd-2.2.15-15.el6.x86_64

The -15 tells you the patch level. 2.2.15-15.el6.x86_64 was issued this month. As long as Redhat supports RHEL6, and that will be for a goodly number of years more, they will issue security and other patches. For example, their kernel is presently 2.6.32-220.2.1.el6.x86_64, but they track and backport not only the latest security patches but also a lot of hardware support and new feature improvements.
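The exchange above (2.2.15 versus 2.2.21, then fnj's point that the -15 release carries the backported fixes) is a recurring mistake in external assessments: a Server banner shows the upstream base version, and on an enterprise distribution the patch state lives in the package release. The code below is an added example of reasoning about that correctly, not fnj's or Red Hat's tooling; the package strings are the ones quoted in the thread, the Server banners are constructed, and the version comparison is a simplified form of rpmvercmp.

```python
"""Parse RPM NEVRA strings, compare version/release, and say what a Server
banner alone does and does not establish. Added example; package strings are
from the thread, banners are constructed, vercmp simplifies rpmvercmp."""
import re

NEVRA_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)$")
BANNER_RE = re.compile(r"Apache/(\d+(?:\.\d+)*)")


def parse_nevra(pkg: str) -> dict:
    """Split 'httpd-2.2.15-15.el6.x86_64' into name/version/release/arch."""
    m = NEVRA_RE.match(pkg)
    if not m:
        raise ValueError(f"not an RPM NEVRA string: {pkg}")
    return m.groupdict()


def _segments(s: str) -> list:
    return re.findall(r"\d+|[A-Za-z]+", s)


def vercmp(a: str, b: str) -> int:
    """Segment-wise comparison in the spirit of rpmvercmp (simplified):
    numeric segments compare as integers, alphabetic ones lexically,
    numeric beats alphabetic, longer wins when the shared prefix is equal."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def pkg_newer(a: str, b: str) -> int:
    """Compare two NEVRA strings of one package: version first, then release."""
    pa, pb = parse_nevra(a), parse_nevra(b)
    return vercmp(pa["version"], pb["version"]) or vercmp(pa["release"], pb["release"])


def banner_verdict(server_header: str, installed_nevra: str = None) -> str:
    """What an external observer can conclude from the banner, with and without
    the installed package string that only an insider (or rpm -q) provides."""
    m = BANNER_RE.search(server_header)
    if not m:
        return "no-version: banner carries no Apache version"
    upstream = m.group(1)
    if installed_nevra is None:
        return f"inconclusive: {upstream} is the upstream base; distro patch level unknown"
    pkg = parse_nevra(installed_nevra)
    if pkg["version"] != upstream:
        return f"mismatch: banner says {upstream}, package says {pkg['version']}"
    return f"patch-level: {pkg['version']} release {pkg['release']}"


if __name__ == "__main__":
    print(banner_verdict("Apache/2.2.15 (Red Hat)"))
    print(banner_verdict("Apache/2.2.15 (Red Hat)", "httpd-2.2.15-15.el6.x86_64"))
    print(pkg_newer("httpd-2.2.15-15.el6.x86_64", "httpd-2.2.15-9.el6.x86_64"))
```

The practical consequence for an assessment: "Apache/2.2.15" on a RHEL 6 host is evidence of the distribution, not of exposure. Whether a given CVE is fixed is answered by the release field against the vendor's errata, which is why the banner comparison earlier in the thread is inconclusive in both directions.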

Re:Another Linux using server compromised? LMAO! (1)

ArhcAngel (247594) | more than 2 years ago | (#38518012)

The reason the authorities can't catch anonymous is that they're all chicks! They go around acting like nerd groupies fawning over admins in a socially engineered hack where they get the root password from the unsuspecting admin. The authorities can't catch them because the only description they get from the admin is "she was purty and soft".

Re:Another Linux using server compromised? LMAO! (0)

Anonymous Coward | more than 2 years ago | (#38518300)

You're good at remembering the failures of your "enemies". Are you fair or just a fanboy, though? Can you produce a similar list for other platforms?

I'm interested to see how the numbers stack up, because I'm not convinced that any high profile target would fare differently if they had a different OS.

I merely post facts (0)

Anonymous Coward | more than 2 years ago | (#38518388)

From reputable & verifiable sources: That's all. Seems to have ruffled a few feathers though (but, the editors @ /. here love me, lol, I "generate controversy" which = more page views for webmasters).

* There you go...

APK

P.S.=> Bottom-Line though: If others don't like it - don't read it then, & especially if it offends your sensibilities or not, it's just truths...

Apparently some don't, modding me down, with no technical justifications why.

Others modded me up too though!

(A "0 Troll" rating's impossible without that happening (& that's what my posts rated right now))...

...apk

Re:I merely post facts (1)

Anonymous Coward | more than 2 years ago | (#38518490)

You can't moderate AND post. Slashdot doesn't allow that. It is impossible for anyone to explain why they moderated any particular way.

Moderation is largely about your presentation of your argument, which is earning you a lot of that mess. It still looks like you cherry-pick the facts that are convenient for your argument, regardless of whether you're actually doing so. There are undoubtedly facts that don't make your argument look as solid. That's what I'm asking: do you, or don't you pay attention to the facts against other OSes? I want the whole truth, not just part of it, and you'd get a lot better moderation if you would post the rest.

Cheating the mod system here? Easy! (0)

Anonymous Coward | more than 2 years ago | (#38519080)

"You can't moderate AND post. Slashdot doesn't allow that. It is impossible for anyone to explain why they moderated any particular way." -

Per my subject: I caught tomhudson/trolltalk.com crew doing it & explaining HOW they do it (to mod one another up, AND per your quote, how to mod someone down, & post):

---

1.) Mod someone down (as trollish detractors do)

2.) Log out (to preserve your cookie state, & "karma" points)

3.) Troll away as anonymous coward

---

* There you go, easy as pie... trolls that hang around with tomhudson around here do that VERY thing!

---

"It still looks like you cherry-pick the facts that are convenient for your argument," -

They're facts, first of all, & are you saying I should NOT POST FACTS THAT SUPPORT MY STATEMENTS? Please... lol!

Man - hate to clue you in on this but... to NOT do that? Hey - come on: That'd be dumb & IF that's what you do - good luck making your points get across!

APK

P.S.=> Facts, no matter what you say, are facts (especially concrete & easily verified ones I post)...

... apk

APK merely distords facts (0)

Anonymous Coward | more than 2 years ago | (#38519762)

yes he does that all the time. The guy is an (in)famous troll.

for instance from his point of view Windows has a 90% marketshare on Desktop PC because "it's that good" whereas Linux has a (don't know the exact figures) great marketshare in servers, routers, television and phones because it's free/cheap.

note that he doesn't see this as a contradiction or illogical statement. and don't get him started on the millions of window$ hacked because of window$ kernel flaws vs. his linux-based examples mainly due to software out of the linux kernel (some even OS agnostic like apache-MySQL-php, ftp and the like)

there it is I just fed the troll for another month or so. you'll see, he's pretty funny to watch and interact with. he's never tired, present 24/7 on slashdot. hope his boss doesn't find out or he'll get fired

oh, a few recommendations though: don't bother making detailed argument with him, he'll barely read them, rewrite and cut them and reinterpret their meaning so that it fits his "facts". don't ever tell him you're a woman and/or gay he doesn't like "these people". cherry on the cake, if you push him enough an AC with the same specific grammar style but without the weird bold-CAPS-misalignment thing will appear to support him. this is the final boss of the game. no one ever went beyond that level.

You can "distord" a fact? LMAO! (0)

Anonymous Coward | more than 2 years ago | (#38519840)

The rest of what you said is pure "ac stalker troll opinion" as well as off-topic illogical ad hominem attack attempts, which are easily turned aside BECAUSE of what they are (off topic & illogical with no backing whatsoever).

APK

P.S.=> You're the typical troll, that once I put up some facts YOU CANNOT HANDLE, you resort to the same effete useless "tactics" which always fail - just like your writing skills with "distords", lol, in YOUR subject-line... apk

Probably not important... (1)

Oswald (235719) | more than 2 years ago | (#38517542)

...but 74kB per email?

Re:Probably not important... (1)

geek (5680) | more than 2 years ago | (#38517572)

A lot of corporations require long signatures with disclaimers and terms etc. Usually they plant a bunch of corporate logos in there too. The size of the emails sounds about right.

Re:Probably not important... (1)

rrohbeck (944847) | more than 2 years ago | (#38517762)

Just a handful of PowerPoint files will skew the average quite a bit.

A new way to mitigate credit card fraud (2)

Kardos (1348077) | more than 2 years ago | (#38517596)

"Based on the analysis, 50,277 Individual Credit Card Numbers were exposed, but 40,626 are expired, leaving just 9,651 that are not expired"

Sounds like 80% of the problem evaporated based on card expiry. How do we go about making CCs expire more frequently?

Re:A new way to mitigate credit card fraud (0)

Anonymous Coward | more than 2 years ago | (#38517656)

The card numbers are most likely still valid. I remember that most cards had a standard valid limit. So if it's expired just add 4 years or so to the date and the card goes through.

Re:A new way to mitigate credit card fraud (2)

Bucky24 (1943328) | more than 2 years ago | (#38518140)

So if it's expired just add 4 years or so to the date and the card goes through.

Whenever a new card is issued, the CVV changes (or is it CCV). Most online credit card forms require this number in addition to the other info on the card, so just changing the year doesn't work.

Re:A new way to mitigate credit card fraud (4, Informative)

tibit (1762298) | more than 2 years ago | (#38517708)

You must not have any credit cards, then. I haven't had any credit cards (and I have a dozen) that are not renewed with the account number intact. The expiration date is bumped ahead by some predictable number of months (12, 24, 48, etc), and that's it. Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date. You should get it right on 3rd or 4th try at worst. You can then cache the initial expiration date delta with the first 4 digits of the account number as the cache lookup key.

Re:A new way to mitigate credit card fraud (1)

TheNinjaroach (878876) | more than 2 years ago | (#38518182)

Those "expired" numbers are as good as unexpired ones: in either case the account could have been closed, but other than that it's a simple thing to brute force the renewed expiration date.

You're forgetting about the CCV "extended verification" digits on the back of the card, they are rotated along with the expiration date but not in such a predictable pattern.

Brute forcing one of those will almost assuredly have the card locked out before you get a chance to spend any money.
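
The two comments above (tibit's "bump the expiry by a predictable delta" and the reply about CVV rotation and lockout) can be checked against a toy issuer. This is an added example written for this page, not code from the thread or from any real issuer. Everything in it is constructed: the card number is a standard test PAN, the renewal deltas (12/24/36/48 months), the 3-decline lockout limit, and the rule that a renewal keeps the PAN but prints a fresh CVV are all assumptions stated in the code.

```python
"""Toy issuer model for the "expired cards are still good" argument.

Added example, constructed for this page.  Assumed rules:
  * renewal keeps the PAN and pushes the expiry out by a fixed number of months
  * renewal prints a fresh 3-digit CVV on the new card
  * the issuer locks a card after MAX_FAILURES consecutive declines
"""
from dataclasses import dataclass
import hmac
import secrets

MAX_FAILURES = 3  # assumed issuer velocity limit: lock the card after this many declines


@dataclass
class CardAccount:
    pan: str
    exp_month: int
    exp_year: int
    cvv: str
    failures: int = 0
    locked: bool = False


def bump_expiry(month, year, months):
    """Add `months` to a (month, year) expiry; months run 1..12."""
    total = year * 12 + (month - 1) + months
    year, m0 = divmod(total, 12)
    return m0 + 1, year


class ToyIssuer:
    """Constructed issuer: keeps the PAN across renewals, as the thread describes."""

    def __init__(self, require_cvv):
        self.require_cvv = require_cvv  # some merchants skip the CVV, as the thread notes
        self.accounts = {}

    def issue(self, pan, month, year):
        self.accounts[pan] = CardAccount(pan, month, year, f"{secrets.randbelow(1000):03d}")

    def renew(self, pan, months_ahead):
        """Same PAN, expiry pushed out by a fixed delta, fresh CVV on the new plastic."""
        acct = self.accounts[pan]
        acct.exp_month, acct.exp_year = bump_expiry(acct.exp_month, acct.exp_year, months_ahead)
        acct.cvv = f"{secrets.randbelow(1000):03d}"
        acct.failures = 0

    def authorize(self, pan, month, year, cvv=None):
        """Approve only on exact expiry (and CVV, if required); count declines and lock."""
        acct = self.accounts.get(pan)
        if acct is None or acct.locked:
            return False
        ok = (month, year) == (acct.exp_month, acct.exp_year)
        if self.require_cvv:
            ok = ok and cvv is not None and hmac.compare_digest(cvv, acct.cvv)
        if ok:
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
        return False


def expiry_guesses(old_month, old_year, deltas=(12, 24, 36, 48)):
    """The 'predictable delta' guess list from the thread, oldest first."""
    return [bump_expiry(old_month, old_year, d) for d in deltas]


def replay_expired_card(issuer, pan, old_month, old_year):
    """Try to get an approval from dumped (expired) data alone.

    Returns the number of attempts until the first approval, or None if the
    issuer locked the card before that happened.
    """
    attempts = 0
    for month, year in expiry_guesses(old_month, old_year):
        cvv_guesses = [f"{c:03d}" for c in range(1000)] if issuer.require_cvv else [None]
        for cvv in cvv_guesses:
            attempts += 1
            if issuer.authorize(pan, month, year, cvv):
                return attempts
            if issuer.accounts[pan].locked:
                return None
    return None
```

With no CVV check the replay succeeds on the third guess for a 36-month renewal, exactly as tibit says; with a 48-month renewal the same three-decline limit locks the card one guess short. With a CVV check the 1000-way guess per expiry trips the lockout immediately, which is the reply's point. Whether the "expired" figure in the summary is a real mitigation therefore depends on the merchant requiring the CVV and the issuer counting declines, not on the date alone.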

Re:A new way to mitigate credit card fraud (1)

tibit (1762298) | more than 2 years ago | (#38518908)

Hmm, this is insightful. Some places do not need CCV, though. I haven't checked TFA: did they store CCVs?!

Re:A new way to mitigate credit card fraud (1)

joe_cot (1011355) | more than 2 years ago | (#38519162)

If they stored CVV, they'd be in a hell of a lot of trouble. PCI compliance requires not storing the CVV. However, as stated earlier, a lot of places don't require CVV. *None* of the cards should have CVV stored, so there's no real difference between expired and unexpired.

Re:A new way to mitigate credit card fraud (1)

fnj (64210) | more than 2 years ago | (#38520176)

They did, and they are.

Re:A new way to mitigate credit card fraud (1)

stephanruby (542433) | more than 2 years ago | (#38520250)

Isn't that what the verification code in the back is for? That one has always changed for me (even if the main number doesn't).

Re:A new way to mitigate credit card fraud (0)

Anonymous Coward | more than 2 years ago | (#38517714)

Doesn't help; I worked with a QSA a bit this year and according to him almost every bank re-uses the CC numbers as they cost money, so if you get an expired number the name and number are probably still the same and it's just the expiration date you need to guess. From what he said, that's not hard and can be done in 3-5 tries depending on the bank.

Re:A new way to mitigate credit card fraud (1)

Kardos (1348077) | more than 2 years ago | (#38517840)

What about re-using the numbers for different customers... the name *and* number are verified right?

It's called a securid token. (1)

Colin Smith (2679) | more than 2 years ago | (#38518036)

HTH.

Expired? Not Really. (0)

Anonymous Coward | more than 2 years ago | (#38517678)

As long as the CC number is good (usually never changes unless the account is canceled), all you have to do is enter an expiration date sometime in the future.

So it's not a big benefit that "40,626 are expired,"

Expired cards (4, Interesting)

nstlgc (945418) | more than 2 years ago | (#38517690)

Where I live, when your card expires, you just get a new one with the same card number but a few years added to the expiration date. Wouldn't this allow the attackers to reuse some of the expired cards?

Re:Expired cards (1)

Baloroth (2370816) | more than 2 years ago | (#38517972)

Unless the CVN changed, which it probably did. Mine does anyways. Which makes it worthless for online purchases. Might still be able to abuse it, but much less easily.

Re:Expired cards (0)

Anonymous Coward | more than 2 years ago | (#38518938)

Unless the CVN changed, which it probably did. Mine does anyways. Which makes it worthless for online purchases. Might still be able to abuse it, but much less easily.

Uh, the CVN is numerical 3 digits. Just how hard do you think it is to figure the new one out?

where to get the information? (0)

Anonymous Coward | more than 2 years ago | (#38517710)

"The hackers have released personal information for Stratfor subscribers whose first names begin with A through M, with N through Z expected to be released soon."

where did this information get released / how can I get it? My information might be in there and I want to check.

They were pwned, that's what counts (1)

Mister Liberty (769145) | more than 2 years ago | (#38517898)

Go anon!

If even strong passwords can get leaked... (1)

Pvt_Waldo (459439) | more than 2 years ago | (#38517926)

...what's the point of having a strong one?

I'm wondering what's the biggest risk with passwords: having it hacked and either stored decrypted or decrypted later, or having someone guess it? I'm starting to think it's the former, which makes me think there's no point in super complex "try and guess THIS one!" passwords.

Re:If even strong passwords can get leaked... (2)

tibit (1762298) | more than 2 years ago | (#38518002)

Cover yourself from both ends: have one password per account (a must!) and have them complex. If you do the former, then you'll need a password manager anyway, so the latter becomes trivial.

Re:If even strong passwords can get leaked... (1)

Midnight_Falcon (2432802) | more than 2 years ago | (#38518064)

Passwords are of course useful but not without their flaws, and they've been around so long that their flaws are long identified. Super complex passwords help for things like hard drive encryption, etc; where brute force is the only viable means of access.

Don't use passwords if possible! Especially on your public web Linux server, unless they're at the application-level and protected by TLS/SSL.
SSH daemon should only respond to key-based authentication queries, and furthermore iptables should lock down the SSH daemon to only known IPs. If your sysadmins don't pay for static IP service at home, they can use full tunnel VPN back to HQ.

Putting in mod_security and keeping SELinux on does a lot to keep apache safe as well.
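
An added example (not from the thread) of checking the sshd side of the advice above: a small audit that reads an sshd_config, resolves the effective global values, and reports any way a password could still be accepted, alongside a renderer for the iptables allowlist the comment recommends. The two config texts are constructed to show a stock-looking weak file beside a key-only one. The default values for absent keywords are assumed from upstream OpenSSH; check them against `sshd -T` on the build you actually run.

```python
"""Audit an sshd_config for password-based entry paths; render an SSH source allowlist.

Added example, constructed for this page.  Assumptions:
  * OpenSSH semantics: the first occurrence of a keyword wins
  * anything under a `Match` block is conditional and not treated as a global guarantee
  * DEFAULTS below are the upstream OpenSSH defaults for absent keywords
"""

WEAK_SSHD_CONFIG = """\
# constructed: the shape of a stock distro sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
# constructed: key-only, no root, only named admin accounts
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AllowUsers ops deploy
"""

# Assumed upstream defaults applied when a keyword is absent.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return effective global settings (lower-cased keys); first occurrence wins."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:  # sshd also accepts Keyword=value
            parts = parts[0].split("=", 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after a Match line is conditional
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """List every setting that still lets a password (or PAM prompt) open a session."""
    settings = parse_sshd_config(text)

    def effective(key):
        return settings.get(key, DEFAULTS[key]).lower()

    findings = []
    if effective("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'; passwords are accepted")
    if effective("challengeresponseauthentication") != "no" or effective("kbdinteractiveauthentication") != "no":
        findings.append("keyboard-interactive auth is enabled; PAM can still prompt for a password")
    if effective("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled; key-only login is impossible")
    if effective("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes lets root in with a password")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups; every local account is a login target")
    return findings


def iptables_ssh_allowlist(sources, port=22):
    """Render rules admitting SSH only from the given addresses (assumed allowlist), then dropping."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {src} -j ACCEPT" for src in sources]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules
```

The weak file produces four findings and the hardened one none. The point of the second check is the one most often missed: setting `PasswordAuthentication no` alone is not enough when keyboard-interactive authentication is left on, because PAM will still prompt for and accept a password. The iptables renderer assumes the allowlisted addresses are the admins' static IPs or the HQ VPN egress, as the comment suggests.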

Re:If even strong passwords can get leaked... (1)

dbIII (701233) | more than 2 years ago | (#38519800)

Having no password and instead using keys makes the stolen laptop problem even worse. Of course a depressingly large number of laptops have sticky notes with VPN or similar passwords on them anyway.

Re:If even strong passwords can get leaked... (1)

Midnight_Falcon (2432802) | more than 2 years ago | (#38520024)

Huh? I was referring to webservers where you don't have physical access and can only be hacked remotely. Of course no one would suggest having no password on your laptop, rather, your laptop should have full disk encryption if possible with a password. Using keyfiles from a smartcard and a password for that is even better.

Re:If even strong passwords can get leaked... (1)

SmurfButcher Bob (313810) | more than 2 years ago | (#38518124)

You're mostly correct - you are mentioning the problem with having a "Global Secret". In that sense, a personal password is little different than a "Global Secret" that hasn't been distributed, yet.

The larger issue is almost always endpoint security, though. Endpoints are *both* ends - your local PC, and the server at the far side. In this case, the cost of engineering a competent solution was more than the cost of a compromise - the bulk of the cost of this hack will be paid by anyone BUT Stratfor execs. Even if the company goes belly up, the execs won't lose a penny - they'll still walk away with a metric truckload of cash - cash that they didn't spend on a competent solution.

Re:If even strong passwords can get leaked... (3, Interesting)

jschottm (317343) | more than 2 years ago | (#38518156)

Use unique passwords for everything important and use a secure but salted password for various sites. Let's say my generic secure password is $sJ55Pm#

I salt the secure password between the fives with the initials of the website alternating caps. So my /. password could be $sJ5Sd5Pm# and my World of Warcraft password could be $sJ5WoW5Pm#.

I only have to remember one good password and a formula. Someone clever enough could hand analyze the passwords and might spot the salting but realistically, very few people are worth that effort.

which makes me think there's no point in super complex "try and guess THIS one!" passwords.

One practices good password habits because they help when a site does things properly. Nothing is going to save you if a site is terribly set up but that doesn't mean you should abandon best practices.

Re:If even strong passwords can get leaked... (1)

expo53d (2511934) | more than 2 years ago | (#38518220)

The advantage of "try and guess THIS one!" type passwords is not only are they hard to guess, but if they are long enough and hashed properly (SHA1 or similar) they cannot be unencrypted. (Presuming that the decrypting party does not have access to a super computer). This is due to the fact that these passwords go through a one-way type hash, thus the only way to crack them is having a list of every single possible hash and its key (or generating such a list). So if one has a password that is 27 characters long, an attacker will need to generate a hash for every password from 1 character long to 27 characters long. Example: 1,2 ... 001, 002 .... goalcar, goalcat, goalcau ... and so on.
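
The comment above describes cracking as "a list of every single possible hash and its key", and an earlier one in this sub-thread builds site passwords from one remembered base. The block below is an added example, not code from either commenter, showing why those two things interact: against unsalted SHA-1 a single precomputed table cracks every user at once, and once a base like the one posted above is in the attacker's wordlist every derived password is one step away; against a per-user salt and a slow KDF there is no shared table and every guess is paid for per user. The users, passwords, wordlist and iteration count are constructed assumptions; the 27-character password reuses the comment's "goalcat" fragment.

```python
"""Unsalted SHA-1 versus salted PBKDF2 against the same wordlist.

Added example, constructed for this page.  Nothing here is a real account.
"""
import hashlib
import hmac
import os

USERS = {  # constructed; plaintexts appear here only to seed the demo tables
    "alice": "password",
    "bob": "password",
    "carol": "$sJ55Pm#",                     # the base posted earlier in this thread
    "dave": "goalcat-underpass-9-tulip-x",   # 27 characters, not in any wordlist
}
WORDLIST = ["password", "letmein", "stratfor", "123456", "$sJ55Pm#"]  # constructed
PBKDF2_ITERATIONS = 50_000  # assumed; raise until one verification takes ~100 ms on your hardware


def sha1_store(password):
    """Weak: unsalted SHA-1.  Equal passwords hash alike, and one table serves all users."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_store(password, salt=None):
    """Stronger: a random 16-byte salt per user plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Re-derive under the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_sha1(table):
    """The attacker's 'list of every hash and its key', built once and applied to every user."""
    rainbow = {sha1_store(w): w for w in WORDLIST}
    return {user: rainbow[h] for user, h in table.items() if h in rainbow}


def crack_pbkdf2(table):
    """No shared table: each guess must be re-derived under each user's own salt.

    Returns (cracked users, number of KDF derivations spent).
    """
    cracked, derivations = {}, 0
    for user, stored in table.items():
        for word in WORDLIST:
            derivations += 1
            if pbkdf2_verify(word, stored):
                cracked[user] = word
                break
    return cracked, derivations


def build_tables():
    """What a site would hold on disk under each scheme (constructed users)."""
    sha1_table = {u: sha1_store(p) for u, p in USERS.items()}
    pbkdf2_table = {u: pbkdf2_store(p) for u, p in USERS.items()}
    return sha1_table, pbkdf2_table
```

In the SHA-1 table alice and bob share a hash, and five table lookups crack three of the four users; in the PBKDF2 table their entries differ and the same three take twelve full derivations, each costing 50,000 HMAC rounds, with dave's 27-character password surviving both because it is not in the wordlist. That is the "site does things properly" case from the reply above: salting and a slow KDF protect even a modest password, while a reused base that leaks from one site joins the wordlist for every other site.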

Re:If even strong passwords can get leaked... (1)

gl4ss (559668) | more than 2 years ago | (#38518510)

if you're storing customer cc's on the same machine as you're doing your email hosting and web serving from.. what's the point in anything?

Most of you probably know this but ... (1)

dbIII (701233) | more than 2 years ago | (#38519736)

For anything that could cost you money, your job etc you want passwords that you can remember and that are hard to crack even if somebody has a copy of /etc/shadow or similar:
http://xkcd.com/936/
More importantly, don't reuse passwords that you put on anything important. Some idiot may store them in plain text on a blog site, dropbox authentication or whatever useless bunch and then a cracker could use them to get into your bank or wherever else you've used the password.
Now even Facebook passwords could be considered important because HR people love to use the excuse of looking up employees or potential employees so they can spend all day on Facebook.
So I've been led to believe that one unique password per important login is the way to go. For other things that can't be used to establish an online identity for the purposes of fraud (eg. here) it doesn't matter IMHO. I use unique passwords anyway because I've been paranoid about these things ever since my credit card number was used by thieves via carbon copy some years back.

Inhibit Histrionics (1, Offtopic)

Bob9113 (14996) | more than 2 years ago | (#38518270)

I wrote, and rewrote, and rewrote a long and subtle post on the value of contemplating the underlying forces acting in society that lead to events like this, rather than jumping to adulation or condemnation. I came to the conclusion that I could not make it clear that I was advocating contemplation, not support or opposition. That all I would get in response would be some twit turning my post into a straw man then hurling rhetorical vitriol at it.

Then it came to me -- I may be able to extract some value from this thread after all. So, I implore you, read through this thread with this question in mind: Do the histrionic posts add value to the discussion or take it away?

My guess; histrionics cheapen the discussion. An emotional and one-sided post about how Anonymous is a terrorist organization or the savior of true democracy is sound and fury signifying nothing, and a waste of our valuable time.

Inhibit histrionics, however you can. They are pablum for the masses and better left to the professional simpletons in popular media.

Re:Inhibit Histrionics (1)

pdxer (2520686) | more than 2 years ago | (#38518494)

Only terrorists want to inhibit histrionics!

Re:Inhibit Histrionics (0)

Anonymous Coward | more than 2 years ago | (#38518644)

If you really want freedom, histrionics are our savior!

Re:Inhibit Histrionics (1)

RGRistroph (86936) | more than 2 years ago | (#38518724)

I think the best inhibitors of histronics are the long and subtle posts on the value of contemplation of underlying forces acting in society. Post away, ignore the peanut gallery.

Re:Inhibit Histrionics (1)

Bob9113 (14996) | more than 2 years ago | (#38519072)

Post away, ignore the peanut gallery.

Yeah -- you're right, as is the Offtopic mod. Thanks.

Email size? (1)

SimplyGeek (1969734) | more than 2 years ago | (#38518318)

200GB of email? When I see figures like that, I always ask if they include attachments or not. If so, reduce the figure by at least 80%.

Re:Email size? (1)

frisket (149522) | more than 2 years ago | (#38518376)

In any case, if it's "corporate" email it's probably trivial or ephemeral, concerned with administrative minutiae or the perpetual re-editing of "reports" as if they were something of great value. Out of 200GB I would expect perhaps half a dozen emails containing something interesting, salacious, or actionable (perhaps all three :-) and that kind of hit rate is barely worth the trouble of pwning their server.

Re:Email size? (1)

gl4ss (559668) | more than 2 years ago | (#38518730)

it's probably customers asking for security strategy advice and tips. that's their business, answering such mails. if they turn out as a joke on quality, they're finished as a business.

Re:Email size? (1)

djdanlib (732853) | more than 2 years ago | (#38518708)

I blame HTML mail. Have you ever seen the source of your average Exchange email thread? The horrors!!

Then there are those people who send BMPs embedded in Word/Excel so they can send you a screenshot! Gaaaack

The future of Stratfor (1)

sgt_doom (655561) | more than 2 years ago | (#38518978)

Stratfor's site will be secure AND up about the same time in the far, far future when America finally catches up with China and builds a 500-mile-per-hour bullet train. OR NOT................