Monday, January 2, 2012

Was Stratfor Breached By An Insider?

While waiting for the other shoe to drop on the Stratfor breach (the release of a few million emails), I took a look at who works for the company in an attempt to understand how they could have made so many mistakes in handling their customer and client data as well as their network security. The adage that a company is only as good as its employees is certainly true about Stratfor.

The company was founded in Austin, TX in 1996 by George Friedman, an academic. LinkedIn has profiles for 63 of its employees, and according to those profiles none of them has a background in information security. The company has no Chief Information Officer, Chief Security Officer, or Chief Information Security Officer. None of the employees' profiles show that any of them has ever worked at the NSA, CIA, or any other three-letter agency. Two senior executives (Fred Burton and Scott Stewart) came from the State Department's Diplomatic Security Service. Many of Stratfor's employees joined the company straight out of college, including, most importantly, Michael Mooney, its IT director for almost 13 years. Mooney graduated from UT Austin in 1994, joined Stratfor in 1997, and left in September 2011. I've tried to contact Mr. Mooney by email to find out his side of the story, why he left the company, etc., but so far, no joy. Stratfor's Chief Technology Officer Frank Ginac apparently didn't think much of his work, judging by the "Mooney's Turds" comment posted by Anonymous:
"It blew my mind to discover that our email server backups are being stored on the same physical server. I'm affectionately referring to these little discoveries as 'Mooney turds'."
If Mooney was fired and held a grudge against Ginac and/or Stratfor, then he would certainly have had a motive for payback by helping Anonymous root the company's servers. The timing is certainly interesting. Mooney left the company and a replacement was found for him almost immediately (October 2011), which suggests that Ginac was unhappy with Mooney and was looking for a replacement before letting him go. Considering the shabby state of Stratfor's network security, the attacker(s) could have been inside the network for a few months prior to the December 24th event.

I'm not accusing Michael Mooney of being involved. I am, however, stating that attacks by insiders who hold a grudge against their employer are commonplace, and Mooney's position, along with the circumstances around his departure, will certainly be explored by law enforcement as part of the investigation. Apart from who was allegedly involved, there's no mystery about why Stratfor's network was in the state that it was in: security wasn't a priority, and there was no in-house expertise to make it one. Next come the consequences to Stratfor's customers, for which George Friedman (CEO), Frank Ginac (CTO), and Darryl O'Connor (COO) all need to be held responsible.

UPDATE (0337PST 03JAN12): According to Stratfor CTO Frank Ginac's Twitter stream, he had been looking to hire a System Administrator (Michael Mooney's job) since January 24, 2011. He repeated his need for a Sys Admin on 28 February and 22 July. It turns out that Michael Mooney wasn't the only Stratfor employee to leave the company in September 2011. So did a cloud engineer named Trent Geerdes. Neither person has responded to my request for comment.

Ironically, four days before tweeting his first announcement (Jan 24, 2011), Ginac had this to say about security:

UPDATE (1850 PDT 18MAY12): To date there has not been any evidence that an insider was involved in this attack. The FBI has made arrests in the case.
