Anonymous Reveals STRATFOR’s Deep-Seated Insecurities

Being booked solid on Friday from seven-thirty a.m. through well past six in the evening, I felt perfectly justified in setting aside an hour and fifteen minutes for lunch.  But I had to cancel my reservation and send out instead, because Mooney from STRATFOR had spent most of Thursday afternoon and Friday morning pestering Gretchen for an appointment.
“Want some?” I offered, gesturing at an ample assortment of sashimi pieces, nigiri and maki as Mooney flopped down, discouraged and disheveled, on the couch by the picture window looking out on the White House.
“Sushi?” Mooney asked skeptically.  “We have a word for that stuff down in Texas.”
“Oh,” I goaded with a wry smile, “you do?”
“Uh-huh,” he nodded.  “We call it ‘bait.’  No thanks.”
“Suit yourself,” I shrugged as I used chopsticks to dip a delicate stack of salmon roe on rice wrapped in nori seaweed topped with the yolk of a quail egg and a small slice of pink pickled ginger in a paste of soy sauce and wasabi horseradish.  “What’s so urgent you can’t wait for an appointment next week?”
“Anonymous!” Mooney exclaimed, becoming obviously upset. 
“Ah yes,” I confirmed, “Anonymous hacked STRATFOR on Christmas Eve – or at least somebody claiming to represent Anonymous took credit for it.  Then, of course, other sources claiming to represent Anonymous denied it…”
“And now,” he interrupted, “regardless of who’s to blame for stealing the information, the credit card numbers and personal data for thousands of STRATFOR customers have been published on the Internet!”
“Over ninety thousand credit cards,” I observed, “from the Justice Department, Interpol, the federal and international intelligence community, Fortune 500 corporations, journalists and the Department of Defense.  And you, I take it, are the designated fall guy…”
“I’m the chief information technology security officer!” Mooney protested.  “I report directly to Frank Ginac, STRATFOR IT Chief Manager, who reports to Fred Burton, the STRATFOR VP of Corporate Security!”
“And, apparently, what Anonymous – or somebody like them – gave you for Christmas,” I japed, “was a quick name change from ‘Mooney’ to ‘Mudd.’  And, I suppose, you want to do something about it.”
“That would be nice,” he quickly agreed, “very nice.”
“The irony here,” I commented, “is so thick, you’d need a chain saw to cut it.  STRATFOR – officially known as ‘Strategic Forecasting, Incorporated’ – specializes in what it calls ‘global intelligence.’  And aside from alpha geeks like you, it’s staffed primarily with former spies, spooks, undercover agents and international men of mystery.  At STRATFOR, you can’t swing a dead cat without hitting a retired double zero from MI6 or a former black ops CIA station chief.  You guys at STRATFOR have everything from decommissioned KGB colonels to NSA directors doing a turn around the revolving door working for you.  And here a bunch of punks with Guy Fawkes masks from a cheesy movie – based on a comic book, no less – most of whom can’t get a date and still live in their parents’ basements, make you all look like a bunch of Girl Scouts.  No, wait – I apologize to the Girl Scouts for saying that.  The Girl Scouts of America probably have enough sense to encrypt their members’ personal and credit card data, and from what I’ve heard, STRATFOR stored all of their subscribers’ personal and credit card data in the clear.  And that’s true – what I’ve heard – isn’t it?”
“I can neither confirm nor deny…” he began.
“That STRATFOR in general,” I interjected, “and its security managers in particular, allowed such egregious stupidity.  I know, I know – you could never bring yourselves to admit that.  I mean, really, think what that would do to your reputation.  On the other hand, however, given that the credit card data released has been demonstrated to be genuine…”
“Some of it’s out of date,” Mooney insisted, rather lamely.
“Yes,” I conceded, “the data are not entirely current in every case, but are demonstrably current in quite a few – and all genuine, you must admit.”
“Okay,” he heavily sighed, “yeah, it’s real STRATFOR customer credit card data, no doubt about that, anyway.”
“So,” I elaborated, “that being the case, either you guys stored it in the clear or Anonymous has such mad hacker skills that they can break whatever presumably heavy-duty encryption STRATFOR was using.  In either case, it sure does make what’s supposed to be a high-priced, world-class think tank staffed by top-notch intelligence experts appear to be nothing but a farcical circus of bumbling, incompetent nincompoops led by a preening troupe of pretentious, idiotic charlatans.”
“Which makes it different,” Mooney indignantly demanded, “from every other high-priced think tank in what way?”
“Well,” I observed, “you have your Brookings Institution and your Cato Institute and so on and so forth, and while yes, those are, admittedly, high-priced think tanks staffed by bumbling, incompetent nincompoops led by preening troupes of pretentious, idiotic charlatans, your typical example of such a business does not proclaim itself to be a citadel of wisdom with respect to security issues.  STRATFOR, on the other hand, does.  Tell me, is it true that your access protocols allowed for passwords such as the name of the user’s subscribing institution, the system administrator’s birthday, the senior accountant’s cat’s name or even the word ‘STRATFOR’ itself?”
“Uh, I cannot…” he weakly responded.
“Right,” I shot back.  “Of course you can’t.  Security considerations, after all.  Tell me though, the database access password string wasn’t actually ‘Swordfish,’ was it?”
“I…” he blurted, “Uh… I can’t confirm or deny…”
“At least now,” I observed, “you guys have out-sourced your identity protection follow-up.”
“Um… yeah,” he sheepishly affirmed, “to CSID.  Good company.”
“Anyway,” I told him, “it’s hard to see how they could do a worse job at it than you guys at STRATFOR did protecting your clients’ data in the first place.”
“Well,” he replied, somewhat defensively, “it’s not like Anonymous hacked any of the really important secret information STRATFOR uses to produce its analysis reports and situational forecasts.”
“Why should they bother?” I asked, somewhat rhetorically.  “Bradley Manning gave all of it to Wikileaks back in 2010.”
“He did not!” Mooney indignantly snapped.  “There were plenty of things Manning missed, plus, since then, there’s been lots of new secret stuff generated by all kinds of government agencies.”
“And STRATFOR rigorously maintains separate, unconnected networks for storage of classified material, like government secrets, and unclassified material, like your customers’ credit card numbers,” I dryly stated.  “Correct?”
“Uh… yeah,” he mumbled, “of course… I mean, if we didn’t, it would be a violation of federal law.”
“But weren’t all of your e-mail server backups stored on the same server as your clients’ credit card data?” I inquired.  “And in plain text, at that?”
“Um… yeah,” Mooney glumly confessed.  “But I’m not responsible for that, okay?”
“Then,” I pressed, “who is responsible for it?  Ginac?  Burton?  George Friedman, your founder and Chief Intelligence Officer?”
“Top management,” he glumly assured me, “is never responsible for this kind of situation.  The guys like me down in the trenches get e-mails with fancy memos attached to them, talking about stuff like ‘the tightening economic climate,’ ‘expanding budget constraints,’ ‘the continuing need for increased efficiency,’ ‘making maximum use of existing resources,’ and ‘leveraging information technology assets for optimum profitability.’  Nobody ever says, ‘Forget about that new secure, hardened, classified-data-rated server you requested to back up the e-mail database.  We have other things to spend that money on – such as fat bonuses for us – and if you don’t come up with an alternate solution that doesn’t cost STRATFOR any extra money, we’ll fire you.’  That’s what all the fancy executive-speak in those memos means, though, and everybody at my level in the organization knows it.”
“Therefore,” I surmised, “you just finagled a few extra hard disks and installed them on an unclassified server and backed up the STRATFOR e-mail database there.”
“Er… uh… ah…” Mooney stammered.
“And by ‘you,’” I clarified, “I mean you, personally, did that, in order to keep your job.”
“Yeah,” Mooney sobbed, “I did – and a bunch of other stuff like that, too – cutting corners, putting band-aids on problems, using spit and baling wire, you name it.  All instead of doing it the right way, because then, if we did, the big kahunas and top honchos in the corner offices might have to tell their spoiled-rotten debutante daughters and lazy, worthless playboy sons they can’t have riding lessons or a new Porsche or whatever.  And now,” he wailed, “those rotten little bastards at Anonymous have… penetrated us… and the guys in charge of STRATFOR are going to need a scapegoat to blame all of this on!”
“Because those e-mails discuss classified subjects,” I concluded, “and never should have been stored on unclassified media.”
“Yeah,” he sniffed, “and it’s going to be me, I just know it!”
“How so?” I asked, seeking to confirm my initial assessment.
“Because,” he slowly choked out, “of a bunch of comments Frank Ginac wrote.”  
“Really?  What comments did he write and where did he write them?” I wondered.
“On the STRATFOR Web site,” Mooney groaned.  “Right after the hack.  He got into a flame war with one of those Anonymous punks.  He taunted them and mocked their claims.  Then he wrote – I have it right here on my laptop – ‘It blew my mind to discover that our e-mail server backups are being stored on the same physical server,’ and, ‘I’m affectionately referring to these little discoveries as “Mooney turds.”’  That’s it, right there!  I’m ruined, Tom.  I’m toast!  I’m totally, completely and utterly screwed!”
“Perhaps,” I allowed, “but perhaps not.  Yesterday, Anonymous – or maybe Antisec, which is the successor to LulzSec, and, in fact, might be the hacker organization which is actually responsible – dumped eight hundred and sixty thousand STRATFOR e-mail user names, addresses and passwords onto the Internet.  So it’s plausible that their next step will be to dump the e-mail content.  And if they do that…”
“I can search those e-mails for evidence!” Mooney exclaimed.  “Tom, that’s brilliant!”
“Thanks,” I acknowledged.  “Now, get ready to start plowing through a mountainous digital haystack of e-mails in search of the needles that will exonerate you.”
“Okay, Tom,” he declared as he rose to shake my hand, “I will!  You don’t know how much this means to me!”
“Ordinarily,” I told him, “I would.  You’d owe me my standard consultation fee.  But in this case, I’m going to waive it.”
“Oh, Jesus,” Mooney huffed in obvious relief, “that’s fantastic!”
“No problem,” I informed him as I shook his hand, “because if Antisec and/or Anonymous don’t dump those e-mails; or, even if they do, and you don’t find those needles in that haystack…”
“Then what?” Mooney whispered as his face fell.
“Then,” I concluded, “you and your family are going to need the money one hell of a lot more than I will.”