Forensic report into LulzSec Stratfor hack leaked

Security and intelligence firm Stratfor was vulnerable to attack prior to a hack and subsequent data breach of customer email messages and credit card details in 2011, according to an IT security audit leaked today.

The forensic report, dated February 2012, was authored by three Verizon Business security consultants and marked proprietary and confidential. It is not known who uploaded the report to the public internet.

Verizon's consultants outline a long list of major security misses at Stratfor, most of which support claims by hacktivist group LulzSec that the security and intelligence firm's systems were almost completly open and unprotected.

These include a lack of file integrity monitoring that allowed the hackers to upload and execute malicious scripts without being detected, and further that the affected systems repeatedly allowed insecure remote access via the Secure Shell (SSH) protocol or Windows Remote Desktop.

Stratfor did not use a stateful packet inspection firewall at the perimeter of its e-commerce system, the report noted. This allowed the attackers to send and receive any data without restrictions to and from the affected systems.

Logging of systems events was also "insufficient" or did not exist, the report said, making it difficult to detect any abnormal activity. In fact, Stratfor did not have any security monitoring to detect anomalies, according to the report.

Stratfor's network design at the time of the Anonymous hack.

Verizon's audit further noted that the database driving Stratfor's customer facing website contained a large amount of sensitive information in plain text. This included, among other things, customer names, email addresses, primary account number of credit cards along with expiration dates and CVC2/CVV2 security digits.

In total, the hackers got away with over 79,000 credit card details, which were used to make donations to charities.

The hackers tried to remove evidence of their activities by executing the UNIX 'rm-rf' command at the top level root directory, and succeeded in deleting the data on it and disabling the Stratfor web server. Prior to that, the Stratfor webserver was defaced by Anonymous.

United States law enforcement have arrested most of the LulzSec Anonymous hacktivists involved in the Stratfor hack. 

One, Hector Xavier Monsegur ("Sabu"), turned informant for the Federal Bureau of Investigation, and ratted out his fellow Anonymous members.

Lulzsec member Jeremy Hammond received a ten-year prison sentence in November last year after pleading guilty to taking part in the hacking campaign.

Sabu on the other hand was rewarded by the authorities for his collaboration, and was freed in May this year. 

The full text of the Stratfor Investigation by Verizon is pasted below.