Tuesday, December 27, 2011

Anonymous: On a holiday roll with Stratfor and the hashtag subpoena


By Brenda Norrell
Censored News
http://www.bsnorrell.blogspot.com

Update Wed: AntiSec hacks SpecialForces.com and posts credit card info:
http://www.pcworld.com/article/247072/anonymous_hacks_specialforcescom_posts_passwords_and_credit_card_data.html
Now: Millions of Stratfor e-mails to be published, including those from military and intelligence organizations
Update Friday: ACLU: Judge seals documents in hashtag subpoena case:
http://www.aclum.org/news_12.29.11

The Antisec, Anonymous and Lulz crews have been busy this holiday. In one of the biggest exposures now underway, the hacktivists have a large amount of data from Stratfor, a global security think tank, whose clients include the military and intelligence.
SpecialForces.com was hacked, with credit card information exposed. At the same time on Tues., Dec. 27, a Twitter message said 3.3 million Stratfor e-mails from some of the world's most powerful people would soon be published. Those e-mails would include Stratfor clients ranging from the military to intelligence organizations. On Wednesday, the number of e-mails being prepared for release increased to 5 million.
Already, last summer, Lulzsec hacked the Arizona police department and exposed a detailed intelligence report by Stratfor on the drug cartels in Mexico, including the notorious Zetas, and named names in each cartel. The question now is what those millions of e-mails will expose.
As Stratfor was hacked, and SpecialForces.com targeted, AntiSec hacktivists said, "Oh, and by the way: Did Bradley Manning get his fancy holiday meal yet? Might want to hurry up before we hit even more targets."
The Stratfor website was still down today, Wed., Dec. 28.
When Stratfor was hacked, the hacktivists said that Stratfor was to blame, because it had posted client data unencrypted on the web on an insecure server, making it easy pickings.
On Christmas eve, the announcement on Twitter said: "Over 90,000 Credit cards from LEA, journalists, intelligence community and whitehats leaked and used for over a million dollars in donations."
Stratfor issued its own statement: "On December 24th an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed.
"Also publicly released was a list of our members which the unauthorized party claimed to be Stratfor's 'private clients.'" However, Stratfor continued that the hacked names were from a list of subscriber services.
"We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events."

Relentless, Anonymous and others followed with comments on Stratfor's Facebook, suggesting that Stratfor should hire Lulzsec to do their security.
On Stratfor’s Facebook, the comments kept coming, like this one: “Intelligence company? Hahaha...and if you think the people who did this are amateurs, what does that say about Stratfor if they got hacked by them? Shoot yourself in the foot some more. Keep flapping our gums. It's not over.”
On Facebook, some Stratfor clients said they were never informed of the hack until the bank called them about their credit card. "Not a word from Stratfor."
On Facebook, Stratfor commenters advised others to search Antisec posts to see if their credit card and password info was there.
The AntiSec message for Stratfor was posted on pastebin and circulated on Twitter:



How is everybody enjoying Lulzxmas so far? Did you enjoy the epic defacement and destruction of Stratfor's websites? Hey George Friedman, did you ever figure out how much of your subscriber data was compromised yet? If you haven't yet, then allow us to clue you in.
Attached are ~4000 credit cards, md5 passwords, and home addresses to just a few of Stratfor's "private client list". Not as many as you expected? Worry not, fellow pirates and robin hoods. These are just the "A"s.
While the rich and powerful are enjoying themselves with all their bourgeois gifts and lavish meals, our comrade Bradley Manning is not having that great of a time in federal custody. Instead of being heralded as a fighter for free information and government transparency, he is criminalized, marginalized, and incarcerated, threatened with life imprisonment.
We hereby ask that Bradley Manning be given a delicious meal this Lulzxmas, and no, not the "holiday special" in the prison chow hall. We want him out on the streets at a fancy restaurant of his choosing, and we want this to happen in less than five hours.
Continues at: http://pastebin.com/bQ2YHDdw
Although initially a disinfo press release confused some, Anonymous confirmed that the Antisec crew had hacked Stratfor.
Barrett Brown explained why Stratfor was targeted:
Stratfor was not breached in order to obtain customer credit card numbers, which the hackers in question could not have expected to be as easily obtainable as they were. Rather, the operation was pursued in order to obtain the 2.7 million e-mails that exist on the firm's servers. This wealth of data includes correspondence with untold thousands of contacts who have spoken to Stratfor's employees off the record over more than a decade. Many of those contacts work for major corporations within the intelligence and military contracting sectors, government agencies, and other institutions for which Anonymous and associated parties have developed an interest since February of 2011, when another hack against the intelligence contractor/security firm HBGary revealed, among many other things, a widespread conspiracy by the Justice Department, Bank of America, and other parties to attack and discredit Wikileaks and other activist groups. Since that time, many of us in the movement have dedicated our lives to investigating this state-corporate alliance against the free information movement. For this and other reasons, operations have been conducted against Booz Allen Hamilton, Unveillance, NATO, and other relevant institutions. The bulk of what we've uncovered thus far may be reviewed at a wiki maintained by my group Project PM, echelon2.org.
Read more from this statement: http://pastebin.com/WPE73rhy
The Hashtag Subpoena
In other breaking news, the Boston Police Department is running a three-legged race trying to outsmart Anonymous. The Suffolk Massachusetts District Attorney's office issued an ill-fated subpoena seeking hashtag # users on Twitter, which continues to be the source of jokes. ("Are you a hashtag?")
Boston police asked Twitter not to tell anyone, which would have violated Twitter's terms of service.
The hashtag subpoena comes after Anonymous published personal info about Boston police as part of OpPigRoast and DoxCak3 ("You can't have your cake and eat it too"). These actions follow police brutality against the Occupy Movement in Boston and elsewhere.
Here's how one member of Anonymous on Twitter responds today to the infamous hashtag subpoena:

Anonymous responds to hashtag subpoena
http://pastebin.com/gL0bcxEa
- It has recently come to my attention that you have deemed it necessary to issue an Administrative Subpoena for my Twitter account along with a few #hashtags. Not only do I find it funny that you issued subpoenas for hashtags, I find it even funnier that you failed to read Twitter's terms of service stating that they inform users of people requesting information on their accounts. Let me just quote that for you.
- "In accordance with our Privacy Policy and Terms of Service, non-public information about Twitter users is not released except as lawfully required by appropriate legal process such as a subpoena, court order, or other valid legal process document. Some information we store is automatically collected, while other information is provided at the user’s discretion. Though we do store this information, it may not be accurate if the user has created a fake or anonymous profile. Twitter doesn’t require email verification or identity authentication. Twitter's policy is to notify users of requests for their information prior to disclosure unless we are prohibited from doing so by statute or court order."
- And fortunately enough for me, your "administrative subpoena" does not fall under the category of a "Court order". Therefore Twitter notified me of your request and conveniently attached a PDF file of the subpoena. Now as I'm sure you know this document has been spread all over the web. So I ask you, how's the "Confidentiality and integrity" of your "Ongoing criminal investigation" working out? Not so confidential huh?
- Anyways this is just my official statement to you letting you know your subpoenas will not shake me. So do whatever you think you can to try and stop Anonymous, but you will learn fast. One of us is not nearly as harsh as all of us. You cannot arrest an idea. You cannot subpoena a hashtag.
We are Anonymous.
We are Legion.
We do not forgive.
We do not forget.
Don't expect us.
We're already here.
#Anonymous #Antisec #CabinCr3w #doxcak3 #OpPigRoast

UPDATE TUESDAY NIGHT:
http://pastebin.com/vuMypejL

#AntiSec

Greetings fellow global pirates,
The halls are decked with lulz, AnonSanta’s battle sleigh is re-filled, and lulz lizards worldwide are awaiting his arrival. Wait no longer, good denizens of the Internet, it’s time for another round of the LulzXmas festivities.
But first, tell us, have you enjoyed the complete obliteration of Stratfor live on IRC and Twitter? We have. We also laughed heartily whilst these so-called protectors of private property scrambled desperately to recover the sensitive information of all the customers who they wronged by failing to use proper security precautions. Stratfor’s Terms of Service stated, “Security: The personally identifiable information we collect about you is stored in limited access servers. We will maintain safeguards to protect the security of these servers and your personally identifiable information.” Yet Stratfor lazily stored credit card information and corresponding data unencrypted. Is the irony palpable yet?
Continuing the week long celebration of wreaking utter havoc on global financial systems, militaries, and governments, we are announcing our next target: the online piggie supply store SpecialForces.com. Their customer base is comprised primarily of military and law enforcement affiliated individuals, who have for too long enjoyed purchasing tactical combat equipment from their slick and “professional” looking website. What’s that, officer? You get a kick out of pepper-spraying peaceful protesters in public parks? You like to recreationally taser kids? You have a fetish for putting people in plastic zip ties?
We had to contain our laughter when we saw these two "hacker proof" logos plastered on the SpecialForces.com website: "Scanned by GoDaddy.com: secured website" and "McAfee SECURE sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses, and online scams." Despite the almighty powers of GoDaddy and McAfee's logos and some reassuring words, SpecialForces.com was just no match for our hella wicked black hat voodoo. We have just one question before we continue: You mad, officer?
To be fair, at least SpecialForces.com DID store their customers’ credit card information using blowfish encryption (unlike the global intelligence and security industry "professionals" at Stratfor, who apparently remain confused as to whether their customers’ information was even encrypted or not). Nevertheless, our voodoo prevailed and we were quickly able to break back into the military supplier’s server and steal their encryption keys. We then wrote a few simple functions to recover the cleartext passwords, credit card numbers, and expiration dates to all their customers’ cards. That’s how we roll.
In reality, for the past few months, we have been in possession of approximately 14,000 passwords and 8000 credit cards from SpecialForces.com. Unfortunately a former comrade leaked the password list early, and the full story on this owning will be told in our upcoming zine. Until then, feast upon one hell of a juicy text file.
We’ll continue to have ourselves a merry LulzXmas at the expense of capitalist pigs, corrupt public officials and all those third parties who cater to the continued oligarchic elite worldwide. We are your secretaries, your janitors, your babysitters, your IT guys, your bus drivers, your maids, your hard-working, driven and determined fellow humans. We could be sitting next to you in a coffee shop, scanning your goods at a department store or even fixing your busted-ass computer. We are here to stay, and by now, you had better damn well expect us, cause the time for simple “lulz” is long past.
Oh, and by the way: Did Bradley Manning get his fancy holiday meal yet? Might want to hurry up before we hit even more targets.



Also see: Twitter ignored request to keep subpoena under wraps:
https://www.readwriteweb.com/archives/twitter_ignored_request_to_keep_subpoena_under_wraps.php
UPDATE WEDNESDAY NIGHT: STRATFOR OFFERS FREE IDENTITY THEFT PROTECTION TO MEMBERS
Although Stratfor offered members free identity theft protection, one commenter on Facebook warned: "Be careful before you accept anything from Stratfor, make sure you read fine print as to not give up the right to enter into lawsuits. They were criminally negligent in how they stored their customer data."

And, of course, there was the expected Anonymous response: "U mad bro?"
