February 28, 2012
Yesterday, WikiLeaks released emails taken in the highly publicized Stratfor data breach. While many of the emails are innocuous, such as accusations regarding a stolen lunch from the company refrigerator, others are potentially highly embarrassing to both Stratfor and their corporate clients. The emails reveal some messy corporate spycraft that is usually seen in the movies and rarely illuminated in real life. For example, one email suggests that Stratfor was working on behalf of Coca-Cola to uncover information and determine whether PETA was planning to disrupt the 2010 Vancouver Olympic Games.
While Stratfor’s response suggests that some of the emails may have been tampered with, this is not the point. As the soon-to-be infamous “Lunch Theft” email shows, that might be merely what the email calls Fred's rule #2: “Admit nothing, deny everything and make counter-accusations.”
The value of this breach for the larger InfoSec community is that it underscores the need for more ubiquitous data encryption. In my recent report “Killing Data” I postulate that the future default data state will be encrypted. WikiLeaks/Stratfor just puts one more nail in clear-text’s coffin. Had Stratfor encrypted its email stores, this breach would not have been a breach at all, as encrypted data (in the absence of keying material) is not data – it is merely gobbledygook. They would have saved themselves a ton of embarrassment – not to mention all of the costs associated with the breach – had they deployed encryption on their toxic data stores. Compared to all of the costs, hassles, embarrassment, and brand damage, the cost to do enterprise quality encryption would have been trivial.
Here’s hoping we all learn a lesson.