
Anonymous hacks Booz Allen Hamilton, US military contractor, 90k logins dumped - JonnieCache
http://thepiratebay.org/torrent/6533009
======
rdtsc
Ah Booz|Allen|Hamilton ... or also known in the govt. contracting world as "we
put warm bodies in seats and charge you tens of millions for it".

Anonymous's rant about them is essentially correct; it is just an unofficial
wing of the government that shelters yesterday's generals and other big
figures from government institutions. If it weren't for the ol' govt boys
network and for all the nepotism and favoritism, there would be a large
opportunity for small startups to undercut these large, wasteful, stupid and
taxpayer moneysucking behemoths.

~~~
callahad
_If it weren't for the ol'govt'boys network and for all the nepotism and
favoritism, there would be a large opportunity for small startups to undercut
these large, wasteful, stupid and taxpayer moneysucking behemoths._

That concern is exactly why the U.S. Small Business Administration exists. The
federal government actively works to award ~23% of prime federal contracts to
small businesses each year. Moreover, that quota contains specific goals for
awarding contracts to Women-Owned Small Businesses (WOSB), Service-Disabled
Veteran-Owned (SDVO) small businesses, other "small disadvantaged businesses,"
and businesses in "Historically Underutilized Business Zones" (HUBZones).

If you actually try to "undercut these large, wasteful, stupid and taxpayer
moneysucking behemoths," you'll have federal policy at your back.

Furthermore, "[f]or all procurement actions expected to exceed the $150,000
simplified acquisition threshold, prime contractors are required to make a
'best effort' attempt to make use of small disadvantaged businesses, SDVOs,
and WOSBs as subcontractors if the opportunity exists under the contract. For
procurement actions expected to exceed $650,000 ($1.5 million for
construction), the winning contractor is required to provide the agency
contracting officer with a written plan that establishes a small business
subcontracting goal. The plan details how the winning contractor will make use
of small business in each subcontract category and provide for timely
payments." [0]

[0]: <http://www.sba.gov/content/about-government-contracting>

~~~
MarkPNeyer
"[f]or all procurement actions expected to exceed the $150,000 simplified
acquisition threshold, prime contractors are required to make a 'best effort'
attempt to make use of small disadvantaged businesses, SDVOs, and WOSBs as
subcontractors if the opportunity exists under the contract"

My dad has a small software company that sells statistical analysis software.
He told me that he often gets buyers from minority owned businesses that exist
solely to exploit that regulation. Say BigCorp wants to score a sweet
government contract, and they need to use my dad's software. The CEO of
BigCorp talks to his buddy at IAmAMinorityCorp and says "We want the Neyer-D
Optimal Test Suite from Neyer Software." IAmAMinorityCorp buys the software,
then resells it to BigCorp for 2x what they paid, pocketing the difference.

The system is heavily broken. Anyone who thinks otherwise needs to get their
head out of the sand or their hands out of my wallet, preferably both.

~~~
el_chapitan
The system is flawed.

However, the system also does some very good work by forcing more work into
smaller companies. I have had the pleasure of working for two companies doing
business with the government. One doing research through the SBIR program, and
another just winning contracts as a small business.

On the good side, both of these companies did very good work and didn't do the
"IP shuffle" as you described above. In fact, I'd say the biggest impediment
to us getting stuff done was either the government moving slow, or some other
company we were forced to work with slowing us down. In fact, the kiss of
productivity death for any project was getting involved in a project with one
of the bigger consulting companies (BAH, Accenture, etc).

On the other side, the title of "woman owned" and "minority owned" are
completely taken advantage of at all times. Both companies I worked for were
"woman owned", which in practice meant that the wives of the bosses owned the
company (or at least some of it), but really didn't take part in anything
other than showing up for Christmas parties. I am not aware, however, of any
real advantage the "woman owned" and "minority owned" titles got us, though.

~~~
bostonOU
In all my experience, the SBIR program was one of the biggest scams around. At
the end of project, you only have to produce "proof that you researched" the
problem. It's completely ok for you to spend all the money to simply determine
that the project is not feasible (i.e. we watched movies all day and did a few
google searches during the previews).

In theory, the government would stop giving projects to companies that never
produced anything. I personally never saw that happen.

If a company is really on the up and up, the SBIR program could be a great
opportunity. However, it's way too easy to game the system.

~~~
Nate75Sanders
Mostly true.

 _Phase I_ requirements are typically (but not always) that you have to
produce a report that you did feasibility research on the problem. Sometimes a
working prototype is the Phase I deliverable. Usually Phase II is where the
working prototype is and Phase III is a delivered working system (though for
larger projects, Phase III is just the prototype or improvements to Phase II's
prototype).

Typical payouts for the phases:

Phase I - 75-100K

Phase II - 750K

Phase III - 2 mil

Most of these projects are challenging enough that for 75K, you're not going
to be able to deliver much more than a report. Once you factor in overhead,
that's about 4-6 man-months.

I agree with you wholeheartedly, though, that it is greatly taken advantage of
-- on a very large scale, and the relationship between companies and granting
Program Managers is a big, big deal.

There are definitely companies that play the "we'll do nearly anything" open-
ended engineering game and pay themselves using Phase I's.

I have seen some legitimately great work come out of NSF SBIRs, which are
similar, but quite a different game in many ways from military SBIRs.

I worked for a company writing military SBIRs for 10 months. Worst job of my
life, probably. It was also mind-blowing how OK with all of this that most
people of all levels of that chain were.

EDIT: formatting, minor content

~~~
bostonOU
What you're saying is true.

In a Phase II, the deliverable is normally a prototype. But since it is by
definition _research_ , it's expected that some of these projects come against
problems that are not reasonably solvable. Therefore, you can fail on your
deliverable and have that be completely ok.

------
SoftwareMaven
I wonder if we are seeing the beginnings of a new revolutionary movement that
transcends borders, yet has the ability to cause drastic change within
borders. This has the potential to get very interesting for people like me who
think the government has overstepped its bounds in the electronic age.

Anonymous may become catalyst, if nothing else.

~~~
trotsky
Seems like a real stretch to me. HBGary-like _targeted intrusions_ with
corresponding broad private information disclosures might have a bit of a claim
to that theory.

But as far as I can tell you just saw a couple of script kiddies run automated
scans against whoever and whatever, happen to see a flaw at BAH, get in, dump a
SQL database and then brag about how awesome they are. Big fucking deal?

Disclosing password hashes isn't going to bring down shit. It's like the
hacker equivalent of the special olympics.

~~~
travem
With the password hashes being unsalted MD5 and estimates of password reuse
averaging from 12% [1], this is valuable information that could be used to gain
access to more sensitive systems. Sure, it may be as simple as running an
automated scan, but if a script kiddie could do that and get this information,
it's likely this information may well have been compromised before now; we
just haven't heard of it.

[1] "A large-scale study of web password habits"
<http://portal.acm.org/citation.cfm?id=1242572.1242661> via
<http://www.lightbluetouchpaper.org/2011/02/09/measuring-password-re-use-empirically/>

~~~
trotsky
_but if a script kiddie could do that and get this information it's likely
this information may well have been compromised before now, we just haven't
heard of it._

Hi. This happens all the time. There is evidence of far more significant data
breaches nearly every day in the press: Byzantine Hades, RSA, Aurora, Night
Dragon, the list goes on and on. Probably the best argument for why this
specific SQL database with web app passwords hasn't been compromised in the
past is that it's of very questionable value.

The people holding up convenience stores aren't revolutionaries. And that's
true even if you try to spin a yarn where removing the funds from a tax paying
business might lead to an eventual budget shortfall.

------
KevBurnsJr
The best part is the invoice.

    Enclosed is the invoice for our audit of your security systems [...]

    4 hours of man power: $40.00
    Network auditing: $35.00
    Web-app auditing: $35.00
    Network infiltration*: $0.00
    Password and SQL dumping**: $200.00
    Decryption of data***: $0.00
    Media and press****: $0.00

    Total bill: $310.00

~~~
dotBen
$10/hr - clearly they don't know the going rate for security researchers and
pen-testers. Or perhaps I should circulate this to the guys I use, to get them
down a bit :)

~~~
sliverstorm
They were just quoting extremely discounted rates. You know, for their
favorite government.

------
amalag
Looks like they grabbed some sort of online course system's DB. I am guessing
it isn't as secure as some of their other servers and it has independent
authentication. So it isn't their main user/password database, but looks like
people using their email address to login.

~~~
guelo
Yea, the data is not very interesting at all. Looks like it might be the DB
for this site <http://jko.jfcom.mil/>

The app is definitely over-engineered with 613 tables and few users. I bet
Booze Allen charged millions of dollars for building that garbage.

------
gojomo
I'd prefer if HN only got followup articles about such breaches, which have
some analysis.

Voting the actual raw data-dumps up emphasizes the other meaning of 'hacker'
and almost looks like cheerleading.

~~~
redthrowaway
If we're waiting for Ars Technica to do an in-depth article, we'll be as late
to the table as everyone else. I _like_ learning about these things as they
happen.

~~~
w1ntermute
And no doubt the Ars article will be posted on HN once it's been written.

~~~
redthrowaway
Right. Ars has a pretty solid reputation for taking its time to do an in-depth
story. I'm happy to have both the quick version now and the Ars version later,
and I don't mind both hitting the frontpage if the story is big enough.

------
wccrawford
4 hours? Cripes! I hope they're kidding about how long that took them. I knew
security was bad out there, but that's ridiculous.

~~~
JonnieCache
Unsalted MD5 as well. And looking at the list of people apparently in their
employ, this could lead to some serious drama.

Seriously though, unsalted MD5? Again? Like they say in the release, anonymous
can't be any more explicit. Their slogan is "expect us." That should be a
clue.

~~~
diogenescynic
At this point, I think these guys should be given a job. If they can exploit
these vulnerabilities then it's almost certain that our enemies already are
exploiting them.

~~~
someone13
Sadly, exploitation is often much easier than protection. They only need to
find one hole - the defender must secure everything.

Oh, and it's probably not good to encourage this kind of thing either.

~~~
lawnchair_larry
But it's worse to hide and ignore the problem. The other poster hit the nail
on the head. This stuff is happening on a much larger scale - it's only
because of lulzsec/anonymous that anyone even has a clue how bad the situation
really is.

~~~
someone13
Actually, I don't disagree with you - it's a good thing (for a certain value
of "good" - in a perfect world, things would all be secure, and we'd ride
unicorns everywhere) that this kind of stuff is exposed.

What I disagree with is the "giving them a job" bit. I don't think that
rewarding these kinds of people with employment is right - part of working in
computer security is having a certain code of ethics. Whereas I'd much prefer
that this kind of stuff be made public, giving them a job is similar to
rewarding a thief with a job as a cop.

People are free to disagree, of course :P

------
jpulgarin
I'm adding the compromised emails to www.hacknotifier.com - you can check if
you're part of the release there.

------
lhnz
I hope that none of those military contractors re-use their passwords. But
let's be honest with ourselves...

------
burgerbrain
From the page:

    CORRECTION:

    Password hashes are not MD5 but mostly BASE64(sha1(password)); some other hashes may be mixed in. Happy cracking.

~~~
daeken
While storing a straight SHA1 of a password is obviously a Bad Thing (TM),
what does it say about the attackers that they couldn't tell an MD5 from a
Base64'd SHA1? It's not exactly rocket surgery.

~~~
benregenspan
SXQncyBub3Qgc3RyYWlnaHQgU0hBLTEsIGl0J3MgYmFzZTY0LWVuY29kZWQgYWxzbyAtLSB1bmNyYWNrYWJsZSE=

~~~
sitkack
ViBoZnIgZWJnMTMgY3loZiBvbmZyNjQgc2JlIG55eSB6bCByYXBlbGNndmJhIGFycnFmIQ==

------
aubergene
The hashes look like SHA1 to me

~~~
aubergene
Yep, it's unsalted SHA1

    echo -n PASSWORD123 | openssl dgst -sha1 -binary | base64
    IyZKpiaEiMKQnvgerUngniSNXZE=

12 found
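
The correction from the release and aubergene's openssl check both come down to the same audit step: recognise the storage scheme from the shape of the stored value, then confirm it with a known test password. As an added example (not code from the thread or from any of the parties involved), this Python script classifies stored values as hex MD5, hex SHA1, base64 SHA1, base64 MD5 or PBKDF2, reproduces aubergene's check with hashlib, and flags every account not on a salted scheme for a forced reset; the sample rows, e-mail addresses and the `pbkdf2_sha256$...` record layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import re

def legacy_b64_sha1(password):
    # BASE64(sha1(password)), no salt: the scheme the correction names, and
    # exactly what "echo -n PASSWORD | openssl dgst -sha1 -binary | base64" prints.
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def classify(stored):
    # Guess a stored credential's scheme from its shape alone (hex checks first,
    # because a hex string is also valid base64).
    if stored.startswith("pbkdf2_sha256$"):
        return "pbkdf2-sha256"
    if re.fullmatch(r"[0-9a-f]{32}", stored, re.I):
        return "md5-hex"
    if re.fullmatch(r"[0-9a-f]{40}", stored, re.I):
        return "sha1-hex"
    try:
        raw = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    return {16: "md5-base64", 20: "sha1-base64"}.get(len(raw), "unknown")

def confirms_legacy_scheme(stored, known_password):
    # aubergene's check: a known password reproducing the stored value proves no salt.
    return hmac.compare_digest(stored, legacy_b64_sha1(known_password))

def pbkdf2_store(password, salt=None, rounds=600_000):
    # Salted, slow replacement; the "pbkdf2_sha256$rounds$salt$dk" layout is constructed.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"

def audit(rows):
    # Count schemes over (user, stored) rows; anything not PBKDF2 gets a forced reset.
    counts, reset = {}, []
    for user, stored in rows:
        scheme = classify(stored)
        counts[scheme] = counts.get(scheme, 0) + 1
        if scheme != "pbkdf2-sha256":
            reset.append(user)
    return {"counts": counts, "force_reset": reset}

# Constructed sample rows, not from the dump: two legacy rows share a hash because
# there is no salt, one is hex MD5, one has already been migrated to PBKDF2.
SAMPLE_ROWS = [("alice@example.mil", legacy_b64_sha1("PASSWORD123")),
               ("bob@example.mil", legacy_b64_sha1("PASSWORD123")),
               ("carol@example.mil", hashlib.md5(b"PASSWORD123").hexdigest()),
               ("dave@example.mil", pbkdf2_store("PASSWORD123", rounds=1000))]
```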

------
8dot5by11
Sucks to be BAH. Yet another consultancy that doesn't practice what it
preaches about security

------
ErikRogneby
Somehow this doesn't show up on "Booz Allen in the News":
<http://www.boozallen.com/media-center/press-highlights>. I'd call it news.

------
mrspeaker
Seeders: 2, Leechers: 2. People seem to be staying well away from this one ;)

~~~
burgerbrain
Seeders: 36 Leechers: 30. Not counting of course the people who chose not to
seed after completing it.

------
Udo
The media is reporting this as "90k emails leaked", which is thoroughly
misleading.

------
kirbman89
Add

