Anonymous Releases 90,000 US Military Passwords
July 12, 2011 by Fahmida Y Rashid
Anonymous has disclosed log-ins for 90,000 military employees as part of ‘military meltdown Monday’
The hacking collective Anonymous released documents it claims were stolen from government contractor Booz Allen Hamilton as part of its anti-government AntiSec campaign.
The documents Anonymous released on 11 July on The Pirate Bay contained personal and official email addresses and passwords of an estimated 90,000 United States military employees. Anonymous announced the massive data dump on its Twitter feed as part of “Military Meltdown Monday”.
US military departments
The approximately 190MB data torrent included log-in information of personnel from US CENTCOM, SOCOM, the Marine Corps, Air Force facilities, Department of Homeland Security, Department of State and other private-sector contractors. The passwords were unsalted SHA1 hashes stored as a text string, making them vulnerable to being cracked using brute-force methods, Alex Rothacker, director of security research for Application Security’s TeamSHATTER, told eWEEK.
“It’s slightly better than MD5, but still considered easily crackable with the tools available today,” Rothacker said.
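The weakness Rothacker describes can be seen from the defender's side in the following added Python example, which is not part of the original article: it stores the same constructed accounts once as unsalted SHA1 text and once as per-user salted scrypt records, then audits each table for stored values shared between accounts. The sample users, the `scrypt$...` record layout and the function names are assumptions made for illustration, and scrypt is one common hardened choice rather than anything the article prescribes.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed sample records (user, password); not taken from the leaked data.
SAMPLE_USERS = [
    ("alice@example.mil", "Summer2011!"),
    ("bob@example.mil", "Summer2011!"),
    ("carol@example.mil", "c0rrect-horse-battery"),
]
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")  # shape of an unsalted SHA1 hex string


def legacy_sha1(password):
    """Weak format the article describes: unsalted SHA1 stored as hex text."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def scrypt_record(password):
    """Hardened format (hypothetical layout): random per-user salt + memory-hard KDF."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return f"scrypt$16384$8$1${salt.hex()}${dk.hex()}"


def verify_scrypt(password, record):
    """Recompute the KDF with the stored salt and compare in constant time."""
    _, n, r, p, salt_hex, dk_hex = record.split("$")
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def audit(table):
    """Among legacy SHA1 rows, return stored values shared by more than one account."""
    groups = defaultdict(list)
    for user, stored in table.items():
        if SHA1_HEX.match(stored):
            groups[stored].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


legacy_table = {u: legacy_sha1(p) for u, p in SAMPLE_USERS}
hardened_table = {u: scrypt_record(p) for u, p in SAMPLE_USERS}
```

In the legacy table the two accounts with the same password carry the same stored value, so a single recovered hash exposes both; in the salted table every record is distinct and each guess must be recomputed per user through a deliberately slow function.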
The group also claimed to have uncovered “maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies”. Anonymous also stole 4GB of source code from Booz Allen Hamilton’s Subversion code repository and erased it from the servers.
Despite working with the federal government on “defence and homeland security matters”, Booz Allen Hamilton was more like a “puny wooden barge” and not a “state-of-the-art battleship” when it came to network security, Anonymous said in its statement posted on Pirate Bay.
The server it compromised “had no security measures in place”, allowing the attackers to run their own application on the box and dump the SQL database. During the four-hour-long intrusion, Anonymous gained access to other unspecified servers, uncovering credentials.
“As part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems,” the consulting giant posted on Twitter.
The group claimed to have targeted Booz Allen Hamilton partially for its participation in government surveillance and intelligence-gathering programmes as well as for potential illegal activities.
Social media manipulation
Anonymous linked Booz Allen Hamilton with HB Gary Federal, and claimed both companies were working on a project to “manipulate social media”. The hacker collective uncovered HB Gary Federal’s activities after breaching the company’s systems and stealing all its emails in February, when the company’s chief executive claimed to have unmasked the group’s top members.
The Booz Allen data release followed the data dump on 8 July from IRC Federal, a contractor that works with the Army, Navy, NASA, the Department of Justice and other government agencies. Anonymous found emails with information about various contracts, development schematics, internal proposals and various log-in credentials.
Snippets were posted on text-sharing site Pastebin, and a complete 107MB torrent file was posted onto Pirate Bay. Anonymous said it obtained an administrator’s log-in credentials via a SQL injection attack on the website to first gain a foothold in the network. It used other techniques to grab database information and emails. The attack was helped along by the fact that some administrators reused their passwords across various systems.
‘Nuclear waste’
“So we laid nuclear waste to their systems, owning their pathetic Windows box, dropping their databases and private emails, and defaced their professional-looking website,” Anonymous wrote on Pastebin.
Anonymous is doing exactly what many security experts have warned about: by compromising one server, the attackers transform themselves from intruders to trusted insiders. Attackers often go after “softer, easier targets” to gain a foothold in the network, Josh Shaul, CTO of Application Security, told eWEEK. Once the attackers are inside the network, they can look for other user accounts to gain access to more critical and valuable systems, Shaul said.
The group LulzSec launched the AntiSec campaign with Anonymous against private-sector firms and government agencies, with the stated purpose of exposing their alleged corruption. LulzSec disbanded in late June after 50 days of data-breach mayhem. But Anonymous has continued the attacks. It appears that some of the LulzSec members have just switched names and are continuing their activities under the Anonymous banner.