

AntiSec has successfully attacked security contractor Booz Allen Hamilton, who it accuses of social engineering.  (Source: Booz Allen Hamilton)

As part of the attack AntiSec exposed the usernames and passwords of U.S. soldiers.  (Source: AP Photo)

Members of parent group Anonymous are also attacking agriculture giant Monsanto.  (Source: Food Freedom)
Ex-LulzSec members and their new help from Anonymous continue to wreak havoc on the web

AntiSec, first a project launched by infamous hacker group LulzSec [1][2][3][4][5][6][7][8][9][10][11][12][13][14], and later the name of a new hacker collective formed by members of the now-defunct LulzSec, continues to strike.  Its mission is to attack international governments and corporate interests.

I. Who is Booz Hamilton and Why Were They Hacked?

Much like the February attack on HBGary by Anonymous, or the late May attack on Infragard -- a private sector affiliate of the U.S. Federal Bureau of Investigation -- the latest attack focused not on official government servers, but on a contractor with weaker security.

This time around AntiSec's victim was Booz Allen Hamilton, a prestigious contractor with hundreds of millions of dollars of contracts in its name.  Booz Hamilton employs former U.S. Central Intelligence Agency director Robert James Woolsey Jr. and former U.S. National Security Agency director John Michael "Mike" McConnell.

AntiSec says it targeted the group for a couple of reasons.  First, it points to the company's alleged complicity in monitoring private sector financial transactions during the SWIFT investigation.  Second, it writes about a secret social engineering project which HBGary and Booz Hamilton cooperated on, stating:

One of the more interesting, and sadly overlooked, stories to emerge from HBGary's email server (a fine example to its customers of how NOT to secure their own email systems) was a military project - dubbed Operation Metal Gear by Anonymous for lack of an official title - designed to manipulate social media. The main aims of the project were twofold: Firstly, to allow a lone operator to control multiple false virtual identities, or "sockpuppets". This would allow them to infiltrate discussion groups, online polls, activist forums, etc and attempt to influence discussions or paint a false representation of public opinion using the highly sophisticated sockpuppet software. The second aspect of the project was to destroy the concept of online anonymity, essentially attempting to match various personas and accounts to a single person through recognition of shared writing styles, timing of online posts, and other factors. This, again, would be used presumably against any perceived online opponent or activist.

HBGary Federal was just one of several companies involved in proposing software solutions for this project. Another company involved was Booz Allen Hamilton. Anonymous has been investigating them for some time, and has uncovered all sorts of other shady practices by the company, including potentially illegal surveillance systems, corruption between company and government officials, warrantless wiretapping, and several other questionable surveillance projects. All of this, of course, taking place behind closed doors, free from any public knowledge or scrutiny.

II. What Was Stolen?

So what did AntiSec take from Booz Hamilton?  The contents of the heist are available here, courtesy of a torrent hosted by The Pirate Bay.

First, AntiSec made off with 90,000 logins of both private and public sector employees, which include members of the U.S. Military.  Members of US CENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors were all exposed.

The passwords are hashed, but only with unsalted MD5 (a 128-bit digest with no per-user salt), so every account sharing a password has the identical hash and common passwords can be looked up in precomputed rainbow tables, which these days are even available online.
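To make the weakness concrete, here is an added example (not code from the article or from Booz Allen Hamilton) contrasting the unsalted MD5 scheme described above with per-user salted PBKDF2, plus an audit helper that flags the telltale sign of unsalted storage: identical hashes across accounts. All usernames and passwords below are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two of them reuse the same password.
# These are invented values, not anything from the leaked data.
SAMPLE_ACCOUNTS = [
    ("alice", "Summer2011"),
    ("bob", "Summer2011"),
    ("carol", "correct horse battery"),
]

def unsalted_md5(password: str) -> str:
    """The weak scheme the article describes: one MD5 over the bare password."""
    return hashlib.md5(password.encode()).hexdigest()

def make_salt() -> bytes:
    """16 random bytes per user; stored in the clear next to the hash."""
    return os.urandom(16)

def salted_pbkdf2(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user salt plus an iterated KDF, so equal passwords give unequal hashes
    and each guess must be recomputed per account rather than looked up."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def verify_pbkdf2(password: str, salt: bytes, stored_hex: str,
                  iterations: int = 100_000) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    return hmac.compare_digest(salted_pbkdf2(password, salt, iterations), stored_hex)

def duplicate_hash_groups(records):
    """Audit helper: group usernames by identical stored hash.
    With unsalted hashing every user sharing a password lands in one group,
    which is exactly why precomputed tables crack such dumps in bulk."""
    groups = {}
    for user, digest in records:
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}

def compare_schemes():
    """Return the duplicate groups for both schemes over SAMPLE_ACCOUNTS."""
    weak = [(u, unsalted_md5(p)) for u, p in SAMPLE_ACCOUNTS]
    strong = [(u, salted_pbkdf2(p, make_salt())) for u, p in SAMPLE_ACCOUNTS]
    return duplicate_hash_groups(weak), duplicate_hash_groups(strong)
```

Running `compare_schemes()` shows one duplicate group (alice and bob) under MD5 and none under salted PBKDF2, which is the check an auditor can run over any credential table without knowing a single password.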

This breach is very serious, given how people recycle their passwords in numerous locations.  Given the number of exposed logins, it's likely that it will expose at least some soldiers to possible malicious attacks.

Additionally AntiSec claims to have run a shell and used it to delete source code on the company's SVN server.  Honestly, this isn't exactly something they should be lauding, as virtually all defense contractors use extensive tape backups and likely can restore the code without much difficulty.  Ultimately this amounts to a mere annoyance, and perhaps a few lost hours of productivity.

In the more significant department, AntiSec claims to have obtained "maps and keys" to other security contractors.  This could lead to additional attacks, so contractors who could be a target should definitely take a look at the distributed file.

III. Hacktivism?

Again it's hard to condone the kind of social engineering that Booz Hamilton is accused of conducting, but the way that AntiSec went about its intrusion seems rather unfortunate and childish.  Rather than gain access to email, which could actually prove such allegations and put them in context, it instead attacked U.S. soldiers, who already have their hands full.

Even if Booz Hamilton indeed engaged in social engineering, it's unclear who exactly it directed those efforts against.  Obviously, if it was trolling jihadist forums in an attempt to subvert them, that would be significantly different than, say, trolling U.S. political forums.

So was the attack on Booz Hamilton justified?  That depends on your perspective.

That said, Booz Hamilton committed some very poor practices here, which should bring its contracts into question.  First, it clearly did not properly protect its gateway machine.  Second, much like Bitcoin mega-exchange Mt. Gox, it used unacceptably weak password hashing, exposing its users to harm.  Third, it failed to code its databases to avoid SQL injection attacks, which should be mandatory for any contractor working with classified materials.
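The third failing above, a login database reachable by SQL injection, comes down to building queries out of user input instead of binding parameters. The following added example (not code from the article or from any named company) shows the defect beside its fix on a constructed in-memory SQLite table; the username, hash value and table layout are invented for the demonstration.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed login table with one invented account; not data from the page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "PLACEHOLDER-HASH"))
    conn.commit()
    return conn

def lookup_unsafe(conn: sqlite3.Connection, username: str):
    """The defect: the input is spliced into the SQL text, so the database parses
    whatever the user typed as part of the statement."""
    sql = "SELECT pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn: sqlite3.Connection, username: str):
    """The fix: a bound parameter travels as a value, never as SQL syntax."""
    return conn.execute(
        "SELECT pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()

def demo(username: str = "o'brien"):
    """Run both lookups on the same input and report what each one does.
    A plain apostrophe in a legitimate name is enough to break the unsafe query,
    which is the same property an attacker relies on with crafted input."""
    conn = build_db()
    try:
        unsafe = lookup_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        unsafe = "error: " + str(exc)
    safe = lookup_safe(conn, username)
    return unsafe, safe
```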

IV. Monsanto Attacked

In related news, Anonymous vowed Monday to step up attacks on agriculture giant Monsanto Co. (MON).

Monsanto is a firm with a long and controversial history.  It is accused of abusing intellectual property rights to sue small farms (allowing its patented crops to blow seeds onto their properties, then suing them); trying to bribe officials in Canada and Indonesia [1][2]; and suing dairy farmers who advertise that their milk doesn't contain growth hormones.  And they also were the company responsible for spraying Agent Orange all over soldiers in Vietnam, which is thought to have led to cancer and other ailments.

Anonymous broke the news of new possible attacks, writing:

@MonsatoCo is now suing small dairy farmers for advertising that they use no growth hormones.  For NOT using their product.

The operation's Twitter account "OpMonsanto", posted on June 26:

We're going to hit @MonsantoCo with something a little bit more serious than a DDoS this time around. Fuck 'em. #ExpectUs

It posted a brief press release, writing:

Over the last 2 months we have pushed the exposure of hundreds of pages of articles detailing Monsanto's corrupt, unethical, and downright evil business practices. We've created a nice go-to reference guide on piratepad/anonpad(anonpad.org/opmonsanto, backed up elsewhere), where anyone can read up on and add their own info about MonsantoCo.

We blasted their web infrastructure to shit for 2 days straight, crippling all 3 of their mail servers as well as taking down their main websites world-wide. We dropped dox on 2500+ employees and associates, including full names, addresses, phone numbers, and exactly where they work. We are also in the process of setting up a wiki, to try and get all collected information in a more centralized and stable environment. Not bad for 2 months, I'd say.

What's next? Not sure... it might have something to do with that open 6666 IRC port on their nexus server though ;)

Expect Us

It indeed "doxed" Monsanto's employees -- in fact it appears to have exposed the names and addresses of 2,500+ of them.  How this information might be used/abused is unknown, but it could lead to at least some minor harassment.

V. Who is Anonymous/AntiSec/Etc. Again?

Anonymous is a group without a leader.  The group has tens of thousands of members worldwide.  However, not all members are skilled hackers.

Hackers with Anonymous have a tendency to break off into smaller subgroups.  For example LulzSec, who conducted much griefing of gamers in recent months, was one such group.  AntiSec, who targets governments and corporations, is another such group.

Nobody "leads" Anonymous or its subgroups.  Someone simply suggests a target and willing members participate in the attack.

The mass media has had much difficulty wrapping its head around the concept of Anonymous, though it appears most are finally starting to get it.

Anonymous arose from people who met on the image-board site 4chan, but today the group has grown well outside the confines of that site.  The tricky thing when dealing with Anonymous or its subgroups is that the opinions or actions of one member are not necessarily those shared by another member.

This year Anonymous has been extremely active.  Among other efforts, it helped to influence the revolutions in the Middle East and drive them along.

Ultimately much of what Anonymous and its subgroups do can be viewed as hacktivism of sorts.  However, whether the ends justify the means is a topic of much debate.



Who are the bigger douchbags?
By Desslok on 7/12/2011 12:32:34 PM , Rating: 2
Say what you will about Monsanto, but come on leave the troops alone! They have enough to worry about like getting blown up or shot. They shouldn't have to worry about some group screwing with their credit etc.




RE: Who are the bigger douchbags?
By BailoutBenny on 7/12/11, Rating: 0
RE: Who are the bigger douchbags?
By Reclaimer77 on 7/12/11, Rating: -1
RE: Who are the bigger douchbags?
By BailoutBenny on 7/13/2011 9:08:53 AM , Rating: 1
Treasonous words? You mean like Sedition? As in the Alien and Sedition acts? Fuck you.

I don't respect a military made up of people who won't question immoral orders. The Nazis used the excuse that they were just following orders too. The military is not protecting anything but the wealth of a few powerful people. Get off your fucking high horse of treating the military as some sacred entity. It isn't sacred and there is always room for criticism. Every individual should be using their head instead of just following orders.

There is a guy you should look up, Smedley Butler. Most decorated Marine in the U.S. He wrote a book, "War is a racket," I'd suggest you read it and learn why we really fucking have our endless wars.

I don't have a problem fighting a real immediate danger. I have a problem with our interventionist foreign policy and so should anyone else who actually believes in freedom. Since people volunteer for the military, no one is forcing them in. They are willingly joining a military in a time of no occupation or threat thereof and have witnessed our most recent interventions. The onus is on the volunteers for still joining such an organization.

There was a real fear of standing armies when the constitution was written which is why Article I, Section 8 has this (fairly toothless, but important to the point) clause:

To raise and support armies, but no appropriation of money to that use shall be for a longer term than two years;

A professional standing army is the bane of liberty everywhere and this clause doesn't cap the threat but it was intended to force people to think about that army in their backyard (or around the world, in our current case) every 2 years and whether it really is necessary.


RE: Who are the bigger douchbags?
By tng on 7/13/2011 10:26:19 AM , Rating: 2
quote:
....a military made up of people who won't question immoral orders.
quote:
I don't have a problem fighting a real immediate danger.
Here is where you have a misunderstanding. The military is a team; for even a small squad of soldiers to work together in combat successfully, they can't debate orders or the larger question of the war they are fighting each time they go into combat. Just doesn't work. Sounds nice to think that you can analyze each order to see if it is moral or not, but it really doesn't work well in the real world.

quote:
To raise and support armies, but no appropriation of money to that use shall be for a longer term than two years;
Can you imagine if we had to defend against an invasion from, say, Mexico, and we had to raise, equip and train people to defend the country? Think that is done overnight? The world moves much faster today than it did back in the day when sails powered ships.

Also, let's face facts: the military is there for primarily two purposes, to kill people/break things and intimidation. There is plenty of room for abuse in the military and yes it happens, but it is not some feel-good jobs program and abuse is limited because of the morality of the individuals in it.

I don't think that you would be happy with even a part time military.


RE: Who are the bigger douchbags?
By inperfectdarkness on 7/12/11, Rating: 0
By inperfectdarkness on 7/14/2011 3:28:31 PM , Rating: 2
wow. sarcasm meters must be broken on DT today...


RE: Who are the bigger douchbags?
By Bad-Karma on 7/13/2011 12:50:18 AM , Rating: 1
I can't think of a single instance where myself or any other service member decided on their own to go kill people.

We've always been deployed by the orders of the President and Congress. Our elected civilian leaders.


RE: Who are the bigger douchbags?
By Bad-Karma on 7/13/2011 12:46:06 AM , Rating: 2
I realize it was just a training database, but you think AntiSec would be a bit smarter than to fool with the personal information of military personnel.

It wouldn't take a whole lot of prodding to get an operations type to pay the members of AntiSec a very personal visit.


Copyright 2014 DailyTech LLC.