Military Meltdown Monday: 90,000 military email profiles released by AntiSec

Military Meltdown Monday: 90,000 military email profiles released by AntiSec

Summary: Perhaps the shockingly ongoing ease of their penetrations will finally wake up those who think that IT security is just one more annoying "to-do" item.

SHARE:
24

Because of the nature of this particular breach, I'm limited in what details I can provide to you. However, here's a story in Stars & Stripes that provides some added information.

The hacker group AntiSec infiltrated the systems of military contractor Booz Allen Hamiliton and retrieved a tremendous amount of data that should have been secured. According to the group:

We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!).

Snap analysis

I continue to be dismayed and shocked at the absolutely poorest practices we're seeing in data security management throughout large corporations and government organizations. As many of you know, I got started in government security through my work with Presidential email security and some worst-practices I found in the Bush White House Executive Office of the President.

MD5, for example, is a nice little encryption mechanism, but it's easy to break. Nothing secure should be based on simple MD5 strings, and the IT guys at Booz Allen Hamiliton should have known better.

While many government IT operations are run by some of the smartest people on the planet, many other are quite sloppy. Contractors are also guilty of exceptional sloppiness.

While I certainly don't condone the actions of these hacker groups, perhaps the shockingly ongoing ease of their penetrations will finally wake up those who think that IT security is just one more annoying "to-do" item and make it the priority it must be to protect our security into the future.

Topics: Collaboration, Security

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

24 comments
Log in or register to join the discussion
  • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

    "military email" is **NOT** operational or mission critical emails.

    It is simply the email service that is provided by the military to allow freinds and family to be able to communicate with people who are serving.

    They are forbidden to use that service for operational, or mission or even logistics or management purposes.

    It is also a totally seperate system to the formal and fully encrypted military internal communications networks.

    This is much like 'hacking' the whitehouse !,

    sure you might hack the web server that the White house uses but you will go no where near anything operational, or secure.. its just how it works..
    Aussie_Troll
    • Maybe so but...

      @Aussie_Troll You can say that but the reality is that many military members share info over unsecured email that they shouldn't.
      jrcbali
      • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

        @jrcbali And they can face court-martial or jail for doing so.
        blueskip
      • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

        @jrcbali
        No they don't! Military people are not as weak as some try and make them out to be. That being said, every organization have their "sluggs."
        eargasm
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @Aussie_Troll
      military email doesn't need to hold operational information to garner good information. Spear phishing of the right individual can do that. Besides, how do you think character profiles are developed? Answer: By understanding to whom a person(s) communicates. Any good hacker knows how to put seemingly innocuous information together to make good, exploitable "intelligence". This hack is very, very bad!!!!! Think about it....
      richardanelson000
  • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

    @Aussie_Troll

    >sure you might hack the web server that the White >house uses but you will go no where near anything >operational, or secure.. its just how it works..

    Yeah right! ... until someone actually does hack the secure part to.

    Heard of id_theft?
    wait until you can no longer prove you are who you are just because someone is pretending to be you.
    ethermind
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @ethermind says "until someone actually does hack the secure part to."

      Pretty sure government/military operational email systems are not accessible via the Internet, only via secure, closed networks.
      dh1760
      • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

        @dh1760 Pretty sure you're wrong about that unfortunately.
        blueskip
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @ethermind
      Id theft at some five and dime department store is not on the same planet as military secure information!
      eargasm
  • Pathetic Nerd Terds

    These misguided hackers, who imagine themselves as brilliant, are not. They think of their hacking as serving a higher purpose, it does not. They are sad, immature dorks who sit in isolation furiously typing away, breaking into private and secure information sources hoping their illegal activities will get someone, anyone - to acknowledge the pathetic existence of their empty, nerdy lives. Sad
    jpr75_z
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @jpr75_z AMEN. I'm sure it gives them purpose, but rational people realize nothing more than sad pathetic common thieves. They get out of their mother basements and go have a life they would see there is more than that.
      ItsTheBottomLine
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @jpr75_z They're not even breaking into secure information sources - just poorly secured information services.
      jgm@...
  • The profit motive gone amok

    My guess is that management ordered the the admins to use the cheapest encryption possible and that the DOD people supervising them didn't understand or care about the issue.

    Usually, the professionals on the ground want to do the best job possible, but are under pressure from management to save money.
    John L. Ries
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @John L. Ries
      This seems like the best possible explanation
      Aztec
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @John L. Ries It's an algorithm... there's no cost involved in using a more secure encryption methodology.
      jgm@...
      • Good point...

        @jgm@...
        ...but there are time considerations as well.
        John L. Ries
  • MD5 is not...

    MD5 is not an encryption algorithm! Statements like this are what lead people to believe it is! MD5 is a cryptographic hash function. Its commonly used to generate the pseudorandom key/password which is used by an encryption algorithm. i.e. a md5 hash IS the password!
    cabdriverjim
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @cabdriverjim so simple? http://tools.ietf.org/html/rfc1321
      Eeem
    • RE: Military Meltdown Monday: 90,000 military email profiles released by AntiSec

      @cabdriverjim well... it just tells you that the person who reports this has no idea what the f..k he is talking about. This is not the first time it is pretty clear that Mr. David Gewirtz's area of expertise is not computer science.
      pupkin_z
  • 90k accounts in searchable list

    For military personnel to check if your account was leaked,?http://dazzlepod.com/boozallen/
    ayeowch@...