The Antisec hacker movement, which targets the websites of governments and their agencies worldwide, on Monday hacked into the website of defense contractor Booz Allen Hamilton.
The group posted a 130 MB file of data stolen from Booz Allen’s servers on the Pirate Bay BitTorrent website.
In an accompanying press release, Antisec sneered at Booz Allen’s security and said it had stolen about 90,000 military emails as well as a large number of passwords. The passwords are protected by the MD5 cryptographic hash function, though that protection can be cracked.
Antisec also said it grabbed 4GB of source code from Booz Allen’s servers and wiped it from the systems.
The hacker community also alluded to other data on various government agencies, federal contractors and white hat security companies that it hinted it would look at.
Booz Allen Hamilton did not respond to requests for comment by press time.
Booz Allen and the Hack
Booz Allen is a defense contractor that boasts of providing robust cybersecurity solutions with a multidisciplinary approach to a broad range of clients and industries.
Its top executives, according to the hacker group Anonymous, include John Michael McConnell, former director of the United States National Security Agency and former director of National Intelligence. [*Correction – July 13, 2011]
Antisec claims it infiltrated a server on Booz Allen’s network that basically had no security measures in place. It ran its own application on the server to steal information.
Fallout From the Booz Allen Hack
It could be argued that the data stolen from Booz Allen was not particularly important. After all, the emails were public emails and the passwords are protected.
Further, it’s relatively easy to notify email users to change their login information or accounts, and to change passwords.
However, the situation may be a little more complicated than it appears.
For one thing, MD5 is not considered suitable for SSL certificates or digital signatures because it’s not collision-resistant, meaning that it’s not hard to find two inputs that give the same output when hashed.
MD5 is a widely used cryptographic hash function that appears in various security applications and is also used to check data integrity.
Over the years, several flaws have been found in the design of MD5, and the United States Computer Emergency Readiness Team has recommended that MD5 should be considered cryptographically broken and unsuitable for further use.
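The point about MD5-protected passwords, as an added example that is not part of the original article: a fast, unsalted digest gives identical passwords identical stored values, while a salted, iterated hash does not, and a legacy store can be upgraded as users log in. The unsalted storage format, the function names, the iteration count and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def legacy_md5(password):
    """Legacy scheme (assumed): bare, unsalted MD5 hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_pbkdf2(password, salt=None):
    """Salted, iterated hash stored as scheme$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def shared_digests(store):
    """Audit helper: group accounts whose stored value is identical."""
    groups = {}
    for user, value in store.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def verify_and_upgrade(password, stored):
    """Check a login; return (ok, value_to_store), rehashing legacy MD5 on success."""
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    ok = hmac.compare_digest(legacy_md5(password), stored)
    return ok, (hash_pbkdf2(password) if ok else stored)


if __name__ == "__main__":
    # Constructed sample accounts, not data from the incident.
    store = {"alice": legacy_md5("Summer2011!"), "bob": legacy_md5("Summer2011!"),
             "carol": legacy_md5("another-Pass9")}
    print("accounts sharing a digest:", shared_digests(store))
    for user in ("alice", "bob"):
        _, store[user] = verify_and_upgrade("Summer2011!", store[user])
    print("after upgrade:", shared_digests(store))
```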
Further, the information that was stolen in the Booz Allen hack “may be trivial, but it’s impossible to know which pieces of a larger puzzle the data helps to fill in,” Randy Abrams, director of technical education at ESET, told TechNewsWorld.
It’s possible that important relational data could be extrapolated from the dump, Abrams suggested.
No Defense Contractor Is an Island
That relational data could lead to extremely important information with a bearing on national security, a possibility that haunts security consultant Charles Dodd.
“If hackers are breaching systems at the defense contractor level, they could get information about our next-generation weapons,” Dodd said. “That’s the fulcrum of our military power.”
Further, the penetration of Booz Allen might open the doors to attacks on other defense contractors because they all work together in a web of alliances.
“There are so many elements of connectivity to business partners that work with Booz Allen, some of them small businesses,” Dodd told TechNewsWorld. “If hackers can see the website of a company that partners with a defense contractor is poorly protected, they’ll go after that easy target and then use the trusted connection to go after the bigger fish.”
Is Antisec a Cyberthreat Godzilla or a Gnat?
The hack on Booz Allen’s systems followed one on IRC Federal on Friday.
Like Booz Allen, IRC Federal is a government contractor, albeit a much smaller firm. It reportedly works with the Army, Navy, NASA and Department of Justice.
IRC Federal’s website appears to have been taken down.
These attacks are in line with Antisec’s stated purpose of attacking the websites of governments and agencies worldwide.
“Those hackers know defense contracting work is the heart and soul of the U.S. military,” Dodd stated. “What they’re doing is dangerous.”
The Somnolence of Security Gurus
Given that hackers appear to be targeting defense contractors, why didn’t the latest victims, which are supposed to be security experts, take measures to harden their IT infrastructures?
“That’s something I’m still scratching my head over,” Dodd said.
“Booz Allen does know about cybersecurity,” Dodd stated. “It’s got Mike McConnell and all those people. I get that no network is secure, but there are certain things you just don’t do, like putting things out there for folks to get.”
*ECT News Network editor’s note – July 13, 2011: The original published version of this article identified James R. Clapper Jr., Robert James Woolsey Jr. and Melissa Hathaway as top executives at Booz Allen Hamilton without attribution. On July 12, we corrected the article, attributing that information to Anonymous and noting that we were unable to independently verify it. In actuality, Clapper, Woolsey and Hathaway were once associated with the company, but all three have left, according to Booz Allen.