The Purpose of the Stratfor Hacking and Potential Consequences
Posted on Tue Dec 27, 2011 at 08:02:00 AM EST
Tags: Stratfor, Anonymous
You may remember Barrett Brown from the recent dust-up over the plan by some members of Anonymous to out those believed to be providing assistance to the Mexican drug cartels. The plan was off-again, on-again, with Barrett being the major spokesman.
He's back, now weighing in on the Stratfor hacking of its subscriber and e-mail databases. He says the purpose of the attack was not to obtain the credit card info, but the email database.
Stratfor was not breached in order to obtain customer credit card numbers, which the hackers in question could not have expected to be as easily obtainable as they were. Rather, the operation was pursued in order to obtain the 2.7 million e-mails that exist on the firm's servers. This wealth of data includes correspondence with untold thousands of contacts who have spoken to Stratfor's employees off the record over more than a decade. Many of those contacts work for major corporations within the intelligence and military contracting sectors, government agencies, and other institutions for which Anonymous and associated parties have developed an interest since February of 2011, when another hack against the intelligence contractor/security firm HBGary revealed, among many other things, a widespread conspiracy by the Justice Department, Bank of America, and other parties to attack and discredit Wikileaks and other activist groups.
Since that time, many of us in the movement have dedicated our lives to investigating this state-corporate alliance against the free information movement. For this and other reasons, operations have been conducted against Booz Allen Hamilton, Unveillance, NATO, and other relevant institutions. The bulk of what we've uncovered thus far may be reviewed at a wiki maintained by my group Project PM, echelon2.org. (My emphasis.)
Since supposedly no one speaks for Anonymous because it is decentralized and has no leaders or individuals who can speak for it, it's unclear whether those who conceived of and conducted the Stratfor attack -- who identify themselves as members of Anonymous -- agree with Barrett or even had a voice in the selection of Stratfor as a target. Then again, with OpCartel, Barrett said the group voted on the idea.
"After it was cancelled we got to talking about it, and the video got a whole lot of views. [Members of Anonymous] had a vote amongst themselves and decided to go ahead."
More interesting to me, as a defense lawyer, is that Barrett Brown is so willing to use his real name and associate himself with the Stratfor hack. It's one thing to approve of it; it's another to speak of it as a part of an ongoing joint effort. Even if he's just expressing his endorsement of the act, given his direct communication with those involved, you'd think he'd at least be wary of a subpoena. He's not. He said days ago, about a different subpoena effort:
Reminder: If you get a subpoena or anything of the sort, we have free, high-caliber legal aid for you.
Brown is also, reportedly with the approval of those who conducted the attack, trying to submit a proposal to Stratfor to minimize the collateral damage of exposure of credit card details of "innocents".
I've been authorized by @AnonymouSabu and others involved in #Stratfor hack to begin dialog with the firm. We'll see if they agree.
The feds are not going to take this attack lying down. There are several pending indictments of Anonymous and Lulzsec members in various federal districts. Lulzsec is frequently described as a splinter group or off-shoot of Anonymous. For example, Anonymous, in denying it was involved in the Sony PlayStation hacking effort, issued a release stating:
"If a legitimate and honest investigation into the credit card is conducted, Anonymous will not be found liable. While we are a distributed and decentralized group, our 'leadership' does not condone credit card theft. We are concerned with erosion of privacy and fair use, the spread of corporate feudalism, the abuse of power and the justifications of executives and leaders who believe themselves immune personally and financially for the actions they undertake in the name of corporations and public office."
LulzSec later took credit for [a different] Sony hack. Similarly, Barrett Brown wrote in the Guardian about the Sony [PlayStation] hack:
But those observers who are most familiar with who Anonymous is – such as the dozens of journalists who have been free to watch us at work in our operational venues – tend to agree with us that the circumstances of this incident are highly suspicious, and that any investigation into the crime in question must take into account the natural question of who might benefit from such an act – in other words, a party or parties who would have an interest in smearing Anonymous.
One of the indictments (San Jose) is here. One of the charges of intentional damage to a protected computer in that case carries a maximum penalty of 10 years in prison and a $250,000 fine. Conspiracy to intentionally damage a protected computer carries a maximum penalty of five years in prison and a $250,000 fine.
From the DOJ Press Release:
Also today, a related complaint unsealed in the District of New Jersey charges Lance Moore, 21, of Las Cruces, N.M., with allegedly stealing confidential business information stored on AT&T’s servers and posting it on a public file sharing site. ... Moore is charged with one count of accessing a protected computer without authorization.
According to the New Jersey complaint, Moore, a customer support contractor, exceeded his authorized access to AT&T’s servers and downloaded thousands of documents, applications and other files that, on the same day, he allegedly posted on a public file hosting site that promises user anonymity. According to the complaint, on June 25, 2011, the computer hacking group LulzSec publicized that they had obtained confidential AT&T documents and made them publicly available on the Internet.....
18 USC § 1030 prohibits Fraud and related activity in connection with computers. You can read the Moore Complaint here. The Arciszewski Complaint is here. According to the court docket on PACER, Arciszewski will be pleading guilty to a five year offense under 18 USC 1030 on Jan. 12, 2012.
Why do they do it? In a missive relating to the British charges against Lulzsec member Topiary (Jake Davis), they wrote:
Some still wonder why we are not worrying. It is bigger than us all. Individuals do not matter, #AntiSec will move on. We [really] are not scared anymore. Everybody involved knew exactly what [they were] getting into. And we will continue until all battleships are sunk.
"Yes, we steal data. From governments and their contractors. We know it's illegal but we honestly believe it is legitimate. We wish it was not so, but we HAVE to break the law to make a change. The laws need to change otherwise no dice. Should this account become silent, you, FBI, may book a victory. [Still], with every day that passes, we store more of your secrets."
LulzSec called it quits in June. There were more arrests in September. Here's the Cody Kretsinger indictment (aka Recursion), charged in the Sony Pictures attack. (Also arrested in another case were Christopher Doyon and Joshua Covelli of another hacking group, the People's Liberation Front.) And LulzSec member Kayla (who turns out to be a male) was also arrested in Britain in September.
Of the LulzSec members, only Sabu, who says on Twitter he is part of the Stratfor attack, and non-original member Avunit, reportedly from Britain, are still at liberty and uncharged.
Just last month, the Department of Justice told Congress it should make computer fraud/hacking a predicate offense under RICO (the organized crime act.) Here's the Prepared Statement of Deputy Section Chief Richard Downing Before the House Judiciary Subcommittee on Crime, Terrorism and Homeland Security:
We propose updating the Racketeering Influenced and Corrupt Organizations Act (“RICO”) to make CFAA offenses subject to RICO. As computer technology has evolved, it has become a key tool of organized crime. Indeed, criminal organizations are operating today around the world to: hack into public and private computer systems, including systems key to national security and defense; hijack computers for the purpose of stealing identity and financial information; extort lawful businesses with threats to disrupt computers; and commit a range of other cyber crimes. Many of these criminal organizations are similarly tied to traditional Asian and Eastern European organized crime organizations.
DOJ also wants to increase penalties for computer hacking.
some of the CFAA’s sentencing provisions no longer parallel the sentencing provisions for their equivalent traditional crimes. For example, the current maximum punishment for a violation of section 1030(a)(4) (computer hacking in furtherance of a crime of fraud) is five years, but the most analogous “traditional” statutes, 18 U.S.C. §§ 1341 and 1343 (mail and wire fraud), both impose maximum penalties of twenty years.
Indeed, for a serious computer crime offense, it is easy to imagine scenarios in which the appropriate sentence exceeds the current maximum. For example, were a criminal to steal a massive database of credit cards, the maximum penalty under section 1030(a)(2) for that crime is five years in prison, even though the United States Sentencing Guidelines might recommend a much higher sentence. In other words, in such situations, a federal judge would be prevented from sentencing a defendant to an appropriate prison term that will assure proper punishment and promote general deterrence.
Under the DOJ proposal, penalties would be increased to that currently provided for those found guilty of their second offense. More on the provisions of the current act here.
While the last thing we need in this country is increased prison penalties, the Stratfor hack might just be the impetus Congress needs to adopt DOJ's proposal. Here are the latest totals on the data hack, according to Wired:
860,000 usernames, emails, and md5-hashed passwords; data from 75,000 credit cards, including security codes used for no card present transactions; and over 2.5 million Stratfor emails, internal Stratfor documents from the company’s intranet, and support tickets from it.stratfor.com.
There undoubtedly will be indictments from the Stratfor attack. It won't be the amorphous groups Anonymous, Antisec or Lulzsec that are indicted; it will be individuals who can be linked to the hacking effort, regardless of their affiliation. While Barrett Brown just tweeted he's received info that Homeland Security has made him a target, he still doesn't sound worried. While I can only guess based upon what he writes, it doesn't sound to me like he was involved in the attack -- only that he is inserting himself into events after the fact. If so, he's more likely to face a subpoena than an indictment. While he can assert his 5th Amendment privilege to a subpoena, he'll lose that right if they decide to immunize him. If he's immunized and refuses to talk and name names, he'll face jail for the remainder of the grand jury's term. That's nothing to sneeze at, ask Susan McDougal.
As for AnonymousSabu, if, as reported, he's been in hiding until recently, the Government will probably seek to detain him without bond if indicted.
All this raises the question, are the hackers brave or naive when it comes to the legal consequences of their acts? I'll let you decide.
Update and Clarification: Barrett Brown responds via Twitter to my quoting of his Guardian article on Sony:
Someone please tell this guy that there was more than one Sony hack and that I was discussing one in particular. http://www.talkleft.com/story....
Yes, his article was about the Sony PlayStation hack and there were multiple Sony hacks. (For examples, see here, here, here and here. Here's a Wired article on the first two Sony hacks.)