Hacker News new | past | comments | ask | show | jobs | submit login
Anonymous hacks Booz Allen Hamilton, US military contractor, 90k logins dumped (thepiratebay.org)
168 points by JonnieCache on July 11, 2011 | hide | past | web | favorite | 82 comments



Ah Booz|Allen|Hamilton ... or also known in the govt. contracting world as "we put warm bodies in seats and charge you tens of millions for it".

Anonymous rant about them is essentially correct, it is just a un-official wing of the government that shelters yesterdays' generals and other big figures from government institutions. If it weren't for the ol'govt'boys network and for all the nepotism and favoritism, there would be a large opportunity for small startups to undercut these large, wasteful, stupid and taxpayer moneysucking behemoths.


If it weren't for the ol'govt'boys network and for all the nepotism and favoritism, there would be a large opportunity for small startups to undercut these large, wasteful, stupid and taxpayer moneysucking behemoths.

That concern is exactly why the U.S. Small Business Administration exists. The federal government actively works to award ~23% of prime federal contracts to small businesses each year. Moreover, that quota contains specific goals for awarding contracts to Women-Owned Small Businesses (WOSB), Service-Disabled Veteran-Owned (SDVO) small businesses, other "small disadvantaged businesses," and businesses in "Historically Underutilized Business Zones" (HUBZones).

If you actually try to "undercut these large, wasteful, stupid and taxpayer moneysucking behemoths," you'll have federal policy at your back.

Furthermore, "[f]or all procurement actions expected to exceed the $150,000 simplified acquisition threshold, prime contractors are required to make a "best effort' attempt to make use of small disadvantaged businesses, SDVOs, and WOSBs as subcontractors if the opportunity exists under the contract. For procurement actions expected to exceed $650,000 ($1.5 million for construction), the winning contractor is required to provide the agency contracting officer with a written plan that establishes a small business subcontracting goal. The plan details how the winning contractor will make use of small business in each subcontract category and provide for timely payments." [0]

[0]: http://www.sba.gov/content/about-government-contracting


"[f]or all procurement actions expected to exceed the $150,000 simplified acquisition threshold, prime contractors are required to make a "best effort' attempt to make use of small disadvantaged businesses, SDVOs, and WOSBs as subcontractors if the opportunity exists under the contract"

My dad has a small software company that sells statistical analysis software. He told me that he often gets buyers from minority owned businesses that exist solely to exploit that regulation. Say BigCorp wants to score a sweet government contract, and they need to use my dad's software. The CEO of BigCorp talks to his buddy at IAmAMinorityCorp and says "We want the Neyer-D Optimal Test Suite from Neyer Software." IAmAMinorityCorp buys the software, then resells it to BigCorp for 2x what they paid, pocketing the difference.

The system is heavily broken. Anyone who thinks otherwise needs to get their head out of the sand or their hands out of my wallet, preferrably both.


The system is flawed.

However, the system also does some very good work by forcing more work into smaller companies. I have had the pleasure of working for two companies doing business with the government. One doing research through the SBIR program, and another just winning contracts as a small business.

On the good side, both of these companies did very good work and didn't do the "IP shuffle" as you described above. In fact, I'd say the biggest impediment to us getting stuff done was either the government moving slow, or some other company we were forced to work with slowing us down. In fact, the kiss of productivity death for any project was getting involved in a project with one of the bigger consulting companies (BAH, Accenture, etc).

On the other side, the title of "woman owned" and "minority owned" are completely taken advantage of at all times. Both companies I worked for were "woman owned", which in practice meant that the wives of the bosses owned the company (or at least some of it), but really didn't take part in anything other than showing up for Christmas parties. I am not aware, however, of any real advantage the "woman owned" and "minority owned" titles got us, though.


In all my experience, the SBIR program was one of the biggest scams around. At the end of project, you only have to produce "proof that you researched" the problem. It's completely ok for you to spend all the money to simply determine that the project is not feasible (i.e. we watched movies all day and did a few google searches during the previews).

In theory, the government would stop giving projects to companies that never produced anything. I personally never saw that happen.

If a company is really on the up and up, the SBIR program could be a great opportunity. However, it's way too easy to game the system.


Mostly true.

Phase I requirements are typically (but not always) that you have to produce a report that you did feasibility research on the problem. Sometimes a working prototype is the Phase I deliverable. Usually Phase II is where the working prototype is and Phase III is a delivered working system (though for larger projects, Phase III is just the prototype or improvements to Phase II's prototype).

Typical payouts for the phases:

Phase I - 75-100K

Phase II - 750K

Phase III - 2 mil

Most of these projects are challenging enough that for 75K, you're not going to be able to deliver much more than a report. Once you factor in overhead, that's about 4-6 man-months.

I agree with you wholeheartedly, though, that it is greatly taken advantage of -- on a very large scale, and the relationship between companies and granting Program Managers is a big, big deal.

There are definitely companies that play the "we'll do nearly anything" open-ended engineering game and pay themselves using Phase I's.

I have seem some legitimately great work come out of NSF SBIRs, which are similar, but quite a different game in many ways from military SBIRs.

I worked for a company writing military SBIRs for 10 months. Worst job of my life, probably. It was also mind-blowing how OK with all of this that most people of all levels of that chain were.

EDIT: formatting, minor content


What you're saying is true.

In a Phase II, the deliverable is normally a prototype. But since it is by definition research, it's expected that some of these projects come against problems that are not reasonably solvable. Therefore, you can fail on your deliverable and have that be completely ok.


I worked for a Woman/Minority Owned Small Business. Believe me, it was the ol'govt'boys network, just at a smaller scale. We had a lady who's job description basically boiled down to being something pretty for our money/government guy to look at.

After $17 million-ish in projects, we produced nothing but a bunch of 'research'. And trust me, there were a few of us developers that really tried to do something useful. Management had no interest in what was produced other than more proposals to get more money. Your bonus/promotion was totally tied to how many proposals you wrote (and this was a software company). Your bonus/promotion had zero to do with how much or how well you wrote code.


Every single time I've come across a WOSB, SDVO, or HUBZone business, it's essentially been a scam, using some technicality to just barely qualify for the program while the contractor is actually run as the standard good ol' boys club that they usually are.


I own a Service-Disabled Veteran Owned Small Business (SDVOSB) and am also a "minority" Hispanic/East Asian female.

From years of experience in Iraq in particular, I believe I am in the minority of small businesses that do not abuse certifying programs like 8(a) for profit in the world of defense contracting.


Yeah, I worked for a small tech company in Illinois whose owner's Asian wife became the owner for the right contracts and who put the minority receptionist in a suit and introduced him as a... president (I think it was) for different state contracts.

Very impressive program.


If you actually try to "undercut these large, wasteful, stupid and taxpayer moneysucking behemoths," you'll have federal policy at your back.

What about the billions of no-bid contracts awarded to the likes of Halliburton? The kind of companies you would be competing with have a revolving door to the freaking whitehouse!


> That concern is exactly why the U.S. Small Business Administration exists.

Good point, it exists and it is a good thing. I see a lot of bids from companies specifically tagged as being those entities. Sometimes they get the contract sometimes they don't.

> winning contractor is required to provide the agency contracting officer with a written plan that establishes a small business subcontracting goal.

So they have to find a way to recruit all their college buddies, cousins and friends. Yes on paper it all looks legit, no doubt, it is the loopholes and what goes around the paper trail that makes the difference.

For example for contract jobs there are written requirements, then there are the real requirements. If you don't know the real requirements (which you find out by knowing so-and-so from back-in-the-day ...) you won't get the contract. When it comes to pick the bid surprise! they made a "best effort" but alas, this other bidder "just happened to guess exactly what we need". Well that other bidder might turn out to be a neighbor who needed a favor returned and so on.


> "we put warm bodies in seats and charge you tens of millions for it".

Are there any defense contractors this doesn't apply to?

> If it weren't for the ol'govt'boys network and for all the nepotism and favoritism, there would be a large opportunity for small startups to undercut these large, wasteful, stupid and taxpayer moneysucking behemoths.

I think the reason is more that the big companies understand the byzantine government processes and have things like CMMI/ISO certifications and certified-secure locations than pure corruption


No. I have worked with and seen small, lean defense contractors and those who are smart enough in the govt. (and there are some of those as hard as it maybe to believe) know where to find those companies.

> I think the reason is more that the big companies understand the byzantine government processes and have things like CMMI/ISO certifications and certified-secure locations than pure corruption

True. You need someone full-time basically to navigate all those ATOs,ISO, certification, security requirements, etc. So someone who worked on the 'other' side or with the 'other' side is needed. But then you just 30% in only. You need to know people to get the other 70%. Don't you think it is funny that most of these CEOs are ex-generals and ex-heads of CIA, NSA other large departments and then they turn around and sell their service to their old buddies, when their old buddies retire they find similar position to sell stuff to their buddies. Interesting correlation isn't it. Well what it is, is a huge conflict of interesest and an environment ready for rampant corruption and nepotism.


I wonder if we are seeing the beginnings of a new revolutionary movement that transcends borders, yet has the ability to cause drastic change within borders. This has the potential to get very interesting for people like me who think the government has overstepped its bounds in the electronic age.

Anonymous may become catalyst, if nothing else.


It could be. This is the consequences of ignoring 20 years of warnings by security experts. #antisec is actually the best thing that could happen to the US govt. They are malevolent just enough to get media coverage but not enough to make serious damages. They will force reorganization and maybe the firing of some incompetent people.


Seems like a real stretch to me. HBGary like _targeted_intrusions_ with corresponding broad private information disclosures might have a bit of claim to that theory.

But as far as I can tell you just saw a couple of script kiddies run automated scans against whoever & whatever, happen to see a flaw at BAH, get in a dump a SQL database and then brag about how awesome they are. Big fucking deal?

Disclosing password hashes isn't going to bring down shit. It's like the hacker equivalent of the special olympics.


I'm not sure why so many people jump to calling members of these groups "script kiddies" -- perhaps because it's in the vogue and makes one feel more important than others? It's been shown that a few of the 0days these guys are using are from their own findings. A handful of members of different groups (of Antisec fame and some not) seem to take great interest in cryptography, reverse engineering, etc. As immature as their ways may be, as misguided as their goals may seem to you, they're not certainly not script kiddies and they're certainly pretty clever if they've managed to not get caught yet.


Lol, wait what? Which 0-days has it been shown they're using, let alone ones they developed themselves? I think the phrase here is citation needed. If you're using private zero days to break into systems you're almost assuredly not telling anyone about them - and the flip side is probably true as well.


So unless you are using zero-days you are a script kiddy?


Nope definitely not, there is a wide gulf between the two. It's just if they were using their own zero days then it'd be pretty obvious that I was wrong.


With the password hashes being unsalted MD5 and estimates of password reuse averaging from 12% this is valuable information that could be used to gain access to more sensitive systems. Sure it may be as simple as running an automated scan, but if a script kiddie could do that and get this information it's likely this information may well have been compromised before now, we just haven't heard of it.

[1] "A large-scale study of web password habits" http://portal.acm.org/citation.cfm?id=1242572.1242661 via http://www.lightbluetouchpaper.org/2011/02/09/measuring-pass...


but if a script kiddie could do that and get this information it's likely this information may well have been compromised before now, we just haven't heard of it.

Hi. This happens all the time. There is evidence of far more significant data breeches nearly every day in the press - Byzantine Hades, RSA, Aurora, Night dragon, the list goes on and on. Probably the best argument for why this specific sql database with web app passwords hasn't been compromised in the past is that it's of very questionable value.

The people holding up convenience stores aren't revolutionaries. And that's true even if you try to spin a yarn where removing the funds from a tax paying business might lead to an eventual budget shortfall.


For what it's worth, I just started a service based on the high password reuse you mentioned: http://www.emailambush.com

I figure finding out the moment your email account is compromised is worth investing in, especially in these most recent days of hackers running wild.


The best part is the invoice.

  Enclosed is the invoice for our audit of your security systems [...]

  4 hours of man power: $40.00
  Network auditing: $35.00
  Web-app auditing: $35.00
  Network infiltration*: $0.00
  Password and SQL dumping**: $200.00
  Decryption of data***: $0.00
  Media and press****: $0.00

  Total bill: $310.00


$10/hr - clearly they don't know the going rate for security researchers and pen-testers. Or perhaps I should circulate this to the guys I use, to get them down a bit :)


They were just quoting extremely discounted rates. You know, for their favorite government.


Looks like they grabbed some sort of online course system's DB. I am guessing it isn't as secure as some of their other servers and it has independent authentication. So it isn't their main user/password database, but looks like people using their email address to login.


Yea, the data is not very interesting at all. Looks like it might be the DB for this site http://jko.jfcom.mil/

The app is definitely over-engineered with 613 tables and few users. I bet Booze Allen charged millions of dollars for building that garbage.


I'd prefer if HN only got followup articles about such breaches, which have some analysis.

Voting the actual raw data-dumps up emphasizes the other meaning of 'hacker' and almost looks like cheerleading.


I'm not sure if I agree. One thing that's nice about HN is that I so often get the story early, otherwise I would use one of the weekly/daily best-of aggregators anyway.

The front-page is big enough that I can handle there being one post for the original raw-data, and a subsequent post for the Ars analysis.

Your other point about "cheerleading" is well taken, It is easy to get caught up in the David vs. Goliath sentiment.


If we're waiting for Ars Technica to do an in-depth article, we'll be as late to the table as everyone else. I like learning about these things as they happen.


And no doubt the Ars article will be posted on HN once it's been written.


Right. Ars has a pretty solid reputation for taking its time to do an in-depth story. I'm happy to have both the quick version now and the Ars version later, and I don't mind both hitting the frontpage if the story is big enough.


I haven't seen this (yet) in any local media, and it's at least given me the opportunity to email all the Booz employees I know and urge them to at least change their passwords.

Having the information quickly is advantageous to both sides.


We had this discussion about ~12 years ago with the attrition.org defacements gallery.


I'd say it's newsworthy and interesting, so I don't see a problem with it.


The thing is that it is also the main source of the "official" antisec statement. I prefer to read their direct humorous prose, it is less likely to leave important informations out.


If you can live with all that business bullshit on "hacker" news you certainly can live with some security related data dumps.


4 hours? Cripes! I hope they're kidding about how long that took them. I knew security was bad out there, but that's ridiculous.


Unsalted MD5 as well. And looking at the list of people apparently in their employ, this could lead to some serious drama.

Seriously though, unsalted MD5? Again? Like they say in the release, anonymous can't be any more explicit. Their slogan is "expect us." That should be a clue.


At this point, I think these guys should be given a job. If they can exploit these vulnerabilities then it's almost certain that our enemies already are exploiting them.


Sadly, exploitation is often much easier than protection. They only need to find one hole - the defender must secure everything.

Oh, and it's probably not good to encourage this kind of thing either.


But it's worse to hide and ignore the problem. The other poster hit the nail on the head. This stuff is happening on a much larger scale - it's only because of lulzsec/anonymous that anyone even has a clue how bad the situation really is.


Actually, I don't disagree with you - it's a good thing (for a certain value of "good" - in a perfect world, things would all be secure, and we'd ride unicorns everywhere) that this kind of stuff is exposed.

What I disagree with is the "giving them a job" bit. I don't think that rewarding these kinds of people with employment is right - part of working in computer security is having a certain code of ethics. Whereas I'd much prefer that this kind of stuff be made public, giving them a job is similar to rewarding a thief with a job as a cop.

People are free to disagree, of course :P


Due to the anonymous nature of these things, some of these recent attacks could easily be from within the USA's govt, just like the anthrax letters were.

It does seem clear, though, that we all have a lot to learn about protecting information...


Yeah, "defender's advantage" does not apply in the wacky world of computer security.


I'm not encouraging the act, I'm just saying the companies should respond pro-actively not just pretend the problem(s) don't exist. Doing nothing is the absolute worst option.


Their habits show that they would not be interested in a job at the targets of their hacks, and a good portion of them are likely employed in the infosec industry already.

These aren't kids.


> At this point, I think these guys should be given a job.

Who says they haven't been offered some?


Or, even more frightening, what if this is their job?


Or already have one and these are their Weekend Projects.


Funny, but I imagine that this would be a really really good way to be fired and blacklisted in the security penetration community.

Somewhat akin to having a day job installing security systems, and by night, breaking into houses secured by your competitors.


No, they're probably infosec and just don't go around blabbing about their night activities.


It's not always about exploits and vulnerabilities, social engineering can also be extremely dangerous.


Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed: http://thenextweb.com/industry/2011/06/28/us-govt-plant-usb-...


Remember when Anonymous broke into HBGary and consequently, rootkit.org?

Releasing the emails was just one outcome. The other was that any dangerous knowledge (or digital weaponry) lying around there were ready for the taking.


Every time I see the term "digital weaponry" or a synonym, I think of a bleak future where citizens are jailed for possession of "military grade encryption systems".

I don't know if it's because I'm inside the industry, if software is inherently easier to create and duplicate, or if the damage is somewhat smaller, but I really can't see any software as a weapon.

A tool used in war? Sure. But a weapon? Hardly.


Given Stuxnet's alleged potential, I think classifying certain software as a weapon is a lot more credible now than even a couple years ago.


Have you heard of Stuxnet?

Malware that specifically targeted (inadequately protected) control systems for critical infrastructure (think power/water/transport) would not be unlike an EMP bomb in my opinion.

A weapon is just a type of tool used with intent to harm.


Yes, I have, but thank you for the information.

And yes, software can fit into the dictionary description of "weapon", but the scales are completely different.

Throwing it into the same regulatory basket as firearms just seems misleading and asking for trouble.

But maybe you are right, software can be a weapon, and I'm just afraid of the implications of classifying it as such.


> software can be a weapon, and I'm just afraid of the implications of classifying it as such

http://xkcd.com/504/ ?


>A weapon is just a type of tool used with intent to harm.

While that is correct, it can be extended to pretty much everything. In the end, weapons don't kill people, people kill people.

And while this will probably will get me labeled as conspiracy theorist, I still think that a lot about stuxnet was way too fishy, and it was way too conveniently timed for all the security facists that are raving about "Cyber War".


I think a more accurate description would be "a type of tool created with the intent to harm". You can use your kitchen knife to stab someone, but it's not its main purpose.

Rifles and bombs don't kill people by themselves either, but are a damn good indication of intent and their simple presence facilitates dangerous situations.


I'd say a weapon is a tool whose only use is harm to other men.

The line gets a little blurry around things like guns and knives, but I think it still holds. For example, an AK-47 is a weapon, while a bird shotgun can be used as a weapon.


Then what is LOIC? It has no uses besides DDoS'ing.


LOIC would be a weapon, I guess. Though the utilities that make it up would not be.


I'm adding the compromised emails to www.hacknotifier.com - you can check if you're part of the release there.


I hope that none of those military contractors re-use their passwords. But let's be honest with ourselves...


From the page:

  CORRECTION:

  Password hashes are not MD5 but mostly BASE64(sha1(password)); some other hashes may be mixed in. Happy cracking.


While storing a straight SHA1 of a password is obviously a Bad Thing (TM), what does it say about the attackers that they couldn't tell an MD5 from a Base64'd SHA1? It's not exactly rocket surgery.


SXQncyBub3Qgc3RyYWlnaHQgU0hBLTEsIGl0J3MgYmFzZTY0LWVuY29kZWQgYWxzbyAtLSB1bmNyYWNrYWJsZSE=


ViBoZnIgZWJnMTMgY3loZiBvbmZyNjQgc2JlIG55eSB6bCByYXBlbGNndmJhIGFycnFmIQ==


The hashes look like SHA1 to me


Yep, it's unsalted SHA1

echo -n PASSWORD123 | openssl dgst -sha1 -binary | base64 IyZKpiaEiMKQnvgerUngniSNXZE= 12 found


Sucks to be BAH. Yet another consultancy that doesn't practice what it preaches about security


some how this doesn't show up on "Booz Allen in the News": http://www.boozallen.com/media-center/press-highlights. I'd call it news.


Seeders: 2, Leachers: 2. People seem to be staying well away from this one ;)


Seeders: 36 Leechers: 30. Not counting of course the people who chose not to seed after completing it.


The media is reporting this as "90k emails leaked", which is thoroughly misleading.


Add




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: