The latest attack in the infamous “#antisec” movement targeted Booz Allen Hamilton, a consulting firm that works with the US government. Anonymous claims to have infiltrated an unprotected server and stolen a significant amount of data.
They claim to have released email addresses belonging to more than 90,000 US military personnel. While many folks downplay the significance of the attack, saying “It’s only email addresses”, these particular email addresses may have more value than it would appear.
If we look back at the high-profile Gmail accounts that were hacked earlier this year, there is clearly demand for information about individuals connected to US defense that can be used to compromise their accounts and computers.
As Mila at the Contagio blog wrote about the Gmail attack, the purpose isn’t so much to gain access to the email account itself as to use email as the vehicle through which the attackers can infect the host computer with malware.
The bigger problem for Booz Allen Hamilton is that they stored passwords alongside these email addresses using only a SHA hash. The passwords are not salted, which will likely lead to the majority of them being exposed.
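To make concrete why an unsalted, fast hash is so much worse than a salted one, here is an added example (not code from the article or from Booz Allen Hamilton; the email addresses and passwords in it are constructed). It hashes a small credential store with plain SHA-1, shows that every account sharing a password shares a hash, counts how many accounts a small precomputed table of common passwords matches instantly, and then stores the same passwords the way a defender should: with a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256, iteration count chosen here as an illustrative assumption).

```python
import hashlib
import hmac
import os

# Constructed sample credential store (email -> password). Entirely invented.
SAMPLE_CREDS = {
    "alice@example.mil": "password1",
    "bob@example.mil": "password1",
    "carol@example.mil": "Tr0ub4dor&3",
}

# Constructed list standing in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["123456", "password1", "letmein"]


def unsalted_hash(password):
    """Plain SHA-1 of the password, the storage pattern the article criticises."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_store(creds):
    """Store every account as email -> unsalted hash."""
    return {email: unsalted_hash(pw) for email, pw in creds.items()}


def duplicate_hash_groups(store):
    """Group accounts that share a hash. Without a salt, identical passwords
    give identical hashes, so recovering one hash exposes the whole group."""
    groups = {}
    for email, digest in store.items():
        groups.setdefault(digest, []).append(email)
    return {d: sorted(e) for d, e in groups.items() if len(e) > 1}


def count_exposed_by_table(store, wordlist):
    """Count accounts matched by a table built once from a password list.
    Each word is hashed a single time and compared against every stored hash."""
    table = {unsalted_hash(w) for w in wordlist}
    return sum(1 for digest in store.values() if digest in table)


# Hardened storage: per-user random salt plus a slow KDF.
PBKDF2_ITERATIONS = 200_000  # assumed value for illustration; tune to your hardware


def make_salted_record(password, salt=None):
    """Return (salt, digest). A fresh 16-byte salt is drawn per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def salted_records_differ(password):
    """Same password for two users, two random salts: the digests differ,
    so a table built for one account gives no shortcut to the other."""
    _, d1 = make_salted_record(password)
    _, d2 = make_salted_record(password)
    return d1 != d2


if __name__ == "__main__":
    store = build_unsalted_store(SAMPLE_CREDS)
    print("accounts sharing a hash:", duplicate_hash_groups(store))
    print("accounts matched by table:", count_exposed_by_table(store, COMMON_PASSWORDS))
    print("salted digests differ for same password:", salted_records_differ("password1"))
    rec = make_salted_record("password1")
    print("verify correct:", verify_salted("password1", rec), "verify wrong:", verify_salted("nope", rec))
```

The point of the salt is not secrecy (it is stored next to the hash) but uniqueness: each account forces a separate computation, and the slow KDF makes each of those computations expensive. A plain SHA or MD5 over the password alone gives neither property, which is why the article expects most of the leaked passwords to be recovered.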
In addition to the emails, Anonymous claims to have erased 4 gigabytes worth of source code and to have discovered information that could help them attack US government and other contractors’ systems.
While this should certainly be embarrassing for Booz Allen Hamilton, the real impact is on the US military. These 90,000+ individuals will need to reset their passwords and change the password on any other system where they used the same one.
While this isn’t likely to do any good, could I please have the attention of those individuals responsible for collecting user names, passwords and personal information from people? Listening?
Could we please see these hacking attacks as a shot across the bow? Now is the time to secure your data. Encryption is NOT optional. For some helpful advice, you may wish to check out our Data Security Toolkit.
Good article! I love your work, Wisniewski. I've been following Sophos since 5th grade.
First, there are a lot of dupes. Only about 55k unique .mil addresses.
Second, these aren't passwords to those email accounts, unless they are re-used for said email accounts (which are typically logged onto via CAC).
Third, meh. It's not about the emails – it's about BAH being clueless (care to guess how much money gets funneled their way to be 'secure'?)
You can be sure the Chinese and Russians are going to thoroughly go through all this information. These Anti-Sec attacks by Anonymous are all aimed towards Western democracies, and likely will compromise them in unforeseeable ways.
A friend of mine who works at the a large US economic agency told me of how a colleague's email address book was tampered with during a government sponsored symposium in Beijing. In the end they suspected the Chinese government planted spyware and bugged their hotel room, a common complaint from many business groups. Getting the identification, not to mention passwords, of contacts is the aim for a lot of shady groups. In the end Anonymous will simply be seen as a helpful tool by groups like the Chinese government, criminal groups, etc.
I haven't checked the actual torrent myself, but the Anonymous "press release" states that the files were hashed with MD5: "Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!)", not a SHA hash as your article states.
For military personnel to check if your account was leaked: http://dazzlepod.com/boozallen/
FALSE FLAG – FALSE FLAG – FALSE FLAG ! The government is at it again – ATTACK ITSELF – make it look like hackers – easily pass legislation to restrict the internet to make it more 'SECURE'