Defense contractor Booz Allen Hamilton, a shadowy but key player in the schemes revealed by the HBGary break-in last February, today got the same treatment from #AntiSec, a successor to Lulz Security.
I have not had a chance to study the 130 meg torrent they have released, but I’m sure this is going to be another treasure trove for U.S. citizens interested in security and privacy.
And here’s the official statement from the #AntiSec crew.
Today we want to turn our attention to Booz Allen Hamilton, whose core business is contractual work completed on behalf of the US federal government, foremost on defense and homeland security matters, and limited engagements of foreign governments specific to U.S. military assistance programs.
So in this line of work you'd expect them to sail the seven proxseas with a state-of-the-art battleship, right? Well you may be as surprised as we were when we found their vessel being a puny wooden barge.
We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!). We also added the complete sqldump, compressed ~50mb, for good measure.
We also were able to access their svn, grabbing 4gb of source code. But this was deemed insignificant and a waste of valuable space, so we merely grabbed it, and wiped it from their system.
Additionally we found some related data on different servers we got access to after finding credentials in the Booz Allen system. We added anything which could be interesting.
And last but not least we found maps and keys for various other treasure chests buried on the islands of government agencies, federal contractors and shady whitehat companies. This material surely will keep our blackhat friends busy for a while.
A shoutout to all friendly vessels: Always remember, let it flow!
The torrent is faster than a new game release – I got all 130 meg in a matter of about three minutes. I haven’t had a chance to even think about examining it yet, but a brief scan shows this is going to take more skill to interpret than the voluminous material from HBGary. I see a SQL server data dump, one file looks to be a bunch of users on a server, apparently shot after all the data was lifted and everything scrubbed but the usernames themselves. They appear to be proving to Booz Allen Hamilton that they’re not kidding and this may be a teaser for a larger dump later once they know what they’ve got.
I haven’t seen where they’re showing 90,000 userids and passwords yet, but I don’t imagine they’re kidding, and content like that is worrying – this goes into the wild like it has, and then it’s a free-for-all as every black hat and nation state actor out there tries to use the opportunity this disclosure provides.