backtop


Print 59 comment(s) - last by Keeir.. on Jul 18 at 7:23 PM


AntiSec has successfully attacked security contractor Booz Allen Hamilton, who it accuses of social engineering.  (Source: Booz Allen Hamilton)

As part of the attack AntiSec exposed the usernames and passwords of U.S. soldiers.  (Source: AP Photo)

Members of parent group Anonymous are also attacking agriculture giant Monsanto.  (Source: Food Freedom)
Ex-LulzSec members and their new help from Anonymous continue to wreak havoc on the web

AntiSec, first a project launched by infamous hacker group LulzSec [1][2][3][4][5][6][7][8][9][10][11][12][13][14], and later the name of a new hacker collective formed by members of the now-defunct LulzSec, continues to strike.  Its mission is to attack international governments and corporate interests.

I. Who is Booz Hamilton and Why Were They Hacked?

Much like the February attack on HBGary by Anonymous, or the late May attack on Infragard -- a private sector affiliate of the U.S. Federal Bureau of Investigation -- the latest attack focused not on official government servers, but on a contractor with weaker security.

This time around AntiSec's victim was Booz Allen Hamilton, a prestigious contractor with hundreds of millions of dollars of contracts in its name.  Booz Hamilton employs former U.S. Central Intelligence Agency director Robert James Woolsey Jr. and former U.S. National Security Agency director John Michael "Mike" McConnell.

AntiSec says it targeted the group for a couple of reasons.  First, it points to the company's alleged complicity in monitoring private sector financial transactions during the SWIFT investigation.  Second, it writes about a secret social engineering project which HBGary and Booz Hamilton cooperated on, stating:

One of the more interesting, and sadly overlooked, stories to emerge from HBGary's email server (a fine example to its customers of how NOT to secure their own email systems) was a military project - dubbed Operation Metal Gear by Anonymous for lack of an official title - designed to manipulate social media. The main aims of the project were two fold: Firstly, to allow a lone operator to control multiple false virtual identities, or "sockpuppets". This would allow them to infiltrate discussions groups, online polls, activist forums, etc and attempt to influence discussions or paint a false representation of public opinion using the highly sophisticated sockpuppet software. The second aspect of the project was to destroy the concept of online anonymity, essentially attempting to match various personas and accounts to a single person through recognition shared of writing styles, timing of online
posts, and other factors. This, again, would be used presumably against any perceived online opponent or activist.

HBGary Federal was just one of several companies involved in proposing software solutions for this project. Another company involved was Booz Allen Hamilton. Anonymous has been investigating them for some time, and has uncovered all sorts of other shady practices by the company, including potentially illegal surveillance systems, corruption between company and government officials, warrantless wiretapping, and several other questionable surveillance projects. All of this, of course, taking place behind closed doors, free from any public knowledge or scrutiny.

II. What Was Stolen?

So what did AntiSec take from Booz Hamilton?  The contents of the heist are available here, courtesy of a torrent hosted by The Pirate Bay.

First, AntiSec made off with 90,000 logins of both private and public sector employees, which include members of the U.S. Military.  Members of US CENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors were all exposed.

The passwords are hashed, but they use a very weak unsalted MD5 hash (128-bit), meaning that they should be available in rainbow tables, which these days are even available online.

This breach is very serious, given how people recycle their passwords in numerous locations.  Given the number of exposed logins, it's likely that it will expose at least some soldiers to possible malicious attacks.

Additionally AntiSec claims to have run a shell and used it to delete source code on the company's SVN server.  Honestly, this isn't exactly something they should be lauding, as virtually all defense contractors use extensive tape backups and likely can restore the code without much difficulty.  Ultimately this amounts to a mere annoyance, and perhaps a few lost hours of productivity.

In the more significant department, AntiSec claims to have obtained "maps and keys" to other security contractors.  This could lead to additional attacks, so contractors who could be a target should definitely take a look at the distributed file.

III. Hacktivism?

Again it's hard to condone the kind of social engineering that Booz Hamilton is accused of conducting, but the way that AntiSec went about its intrusion seems rather unfortunate and childish.  Rather than gain access to email, which could actually prove such allegations and put them in context, it instead attacked U.S. soldiers, who already have their hands full.

Even if Booz Hamilton indeed engaged in social engineering, it's unclear who exactly it directed those efforts against.  Obviously, if it was trolling jihadist forums in an attempt to subvert them, that would be significantly different than, say, trolling U.S. political forums.

So was the attack on Booz Hamilton justified?  That depends on your perspective.

That said, Booz Hamilton committed some very poor practices here, which should bring its contracts into question.  First, it clearly did not properly protect its gateway machine.  Second, much like Bitcoin-mega exchange Mt. Gox, it used an unacceptably weak level of encryption, exposing its users to harm.  Third, it failed to code its databases to avoid SQL injection attacks, which should be mandatory for any contractor working with classified materials.

IV. Monsanto Attacked

In related news, Anonymous vowed Monday to step up attacks on contractor Monsanto Comp. (MON).  

Monsanto is a firm with a long and controversial history.  It is accused of abusing intellectual property rights to sue small farms (allowing its patented crops to blow seeds onto their properties, then suing them); trying to bribe officials in Canada and Indonesia [1][2]; and suing dairy farmers who advertise that their milk doesn't contain growth hormones.  And they also were the company responsible for spraying Agent Orange all over soldiers in Vietnam, which is thought to have led to cancer and other ailments.

Anonymous broke the news of new possible attacks, writing:

@MonsatoCo is now suing small dairy farmers for advertising that they use no growth hormones.  For NOT using their product.

The operation's Twitter account "OpMonsanto", posted on June 26:

We're going to hit @MonsantoCo with something a little bit more serious than a DDoS this time around. Fuck 'em. #ExpectUs

It posted a brief press release, writing:

Over the last 2 months we have pushed the exposure of hundreds of pages of articles detailing Monsanto's corrupt, unethical, and downright evil business practices. We've created a nice go-to reference guide on piratepad/anonpad(anonpad.org/opmonsanto, backed up elsewhere), where anyone can read up on and add their own info about MonsantoCo.

We blasted their web infrastructure to shit for 2 days straight, crippling all 3 of their mail servers as well as taking down their main websites world-wide. We dropped dox on 2500+ employees and associates, including full names, addresses, phone numbers, and exactly where they work. We are also in the process of setting up a wiki, to try and get all collected information in a more centralized and stable environment. Not bad for 2 months, I'd say.

What's next? Not sure... it might have something to do with that open 6666 IRC port on their nexus server though ;)

Expect Us

It indeed "doxed" Monsanto's employees -- in fact it appears to have exposed the names and addresses of 2,500+ of them.  How this information might be used/abused is unknown, but it could lead to at least some minor harassment.

V. Who is Anonymous/AntiSec/Etc. Again?

Anonymous is a group without a leader.  The group has tens of thousands of members worldwide.  However, not all members are skilled hackers.

Hackers with Anonymous have a tendency to break off into smaller subgroups.  For example LulzSec, who conducted much griefing of gamers in recent months, was one such group.  AntiSec, who targets governments and corporations, is another such group.

Nobody "leads" Anonymous or its subgroups.  Someone simply suggests a target and willing members participate in the attack.

The mass media has had much difficulty wrapping its head around the concept of Anonymous, though it appears most are finally starting to get it.

Anonymous arose via people who met via the image-board site 4Chan, but today the group has grown well outside the confines of that site.  The tricky thing when dealing with Anonymous or its subgroups is that the opinions or actions of one member are not necessarily those shared by another member.

This year Anonymous has been extremely active.  Among other efforts, it helped to influence the revolutions in the Middle East and drive them along.

Ultimately much of what Anonymous and its subgroups do can be viewed as hacktivism of sorts.  However, whether the ends justify the means is a topic of much debate.


Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Good for them
By shin0bi272 on 7/12/2011 7:02:33 PM , Rating: 5
one note about DDT though. There was a study done on DDT back in the late 70's or early 80's that fed people 100X the YEARLY recommended dose of DDT on a DAILY basis for 3 or 6 months. No one got sick. And just in case you were going to try saying it was done by monsanto... it was done at that conservative bastion the university of california at Berkley.

But DDT got banned anyway because of environmentalists shouting lies in the streets and now millions have died from mosquitos because of their lies. good job eco freaks.


RE: Good for them
By borismkv on 7/13/2011 1:12:29 AM , Rating: 3
Same thing with Aspartame. Scientists fed the rough equivalent of 1000 pounds of the stuff to lab rats and a couple of them got cancer. You can do anything with (bad) science.


RE: Good for them
By cserwin on 7/13/2011 3:26:31 AM , Rating: 3
I'm no environmentalist, but in the conservative western state where I live, DDT wreaked havoc on our birds of prey population.

I wrote a paper on this in college, a friend of mine was (is) a scientist working on Peregrine restoration at the World Center for Birds of Prey in Boise, Idaho. It seemed interesting.

In the 80's, the Bald Eagle and Peregrine Falcon were both on the brink of extinction, and the Kestrel population was decimated, too. It's not fiction, it really did happen.

The issue is not necessarily toxicity of DDT itself, but toxicity of a by product of DDT called DDE. While the relationship between DDT and raptor reproductive failure is tenuous, the causal relationship between DDE and reproduction failure of some birds is settled science. This study was seminal and replicated: http://www.jstor.org/pss/2402090

It was proper to ban DDT in the US where malaria is not an issue. The Bald Eagle and Peregrine have both recovered.

The anti-regulation types and chemical lobby like to whip people up by stating the case for DDT while conveniently ignoring that it breaks down into DDE.

Also, DDE is pretty nasty for people, too. Enjoy the reading:

http://scholar.google.com/scholar?q=DDT+and+DDE&hl...

Should DDT be used to control Malaria in some part of the world? Probably. But is it appropriate for wide spread use as an agricultural pesticide? No.

I live in Idaho. We're as red as red gets. We don't want DDT in our state.


RE: Good for them
By Reclaimer77 on 7/13/2011 9:13:51 AM , Rating: 1
No study has actually proved DDE causes cancer or other illness in humans. Coffee is 50 times more carcinogenic, that's how low of a risk DDT/DDE is.

http://envirocancer.cornell.edu/FactSheet/Pesticid...

quote:
while conveniently ignoring that it breaks down into DDE.


Ignoring what? That a completely harmless chemical has been found to gather in human and animal tissue? I'm pounding away at Google, and I cannot for the life of me find ONE study that proved DDE is harmful. Or really even "potentially" harmful. You're speaking as if it's an absolute fact, which it's clearly not.

quote:
I'm no environmentalist, but in the conservative western state where I live, DDT wreaked havoc on our birds of prey population.


Hold on, I'm getting all choked up. Let me shed a tear for the birds. Oh in the time it took me to write this, 10 more people just died of Malaria.


"It seems as though my state-funded math degree has failed me. Let the lashings commence." -- DailyTech Editor-in-Chief Kristopher Kubicki














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki