Military Meltdown Monday: 90,000 military email profiles released by AntiSec

Because of the nature of this particular breach, I’m limited in what details I can provide to you. However, here’s a story in Stars & Stripes that provides some added information.

The hacker group AntiSec infiltrated the systems of military contractor Booz Allen Hamiliton and retrieved a tremendous amount of data that should have been secured. According to the group:

We infiltrated a server on their network that basically had no security measures in place. We were able to run our own application, which turned out to be a shell and began plundering some booty. Most shiny is probably a list of roughly 90,000 military emails and password hashes (md5, non-salted of course!).

Snap analysis

I continue to be dismayed and shocked at the absolutely poorest practices we’re seeing in data security management throughout large corporations and government organizations. As many of you know, I got started in government security through my work with Presidential email security and some worst-practices I found in the Bush White House Executive Office of the President.

MD5, for example, is a nice little encryption mechanism, but it’s easy to break. Nothing secure should be based on simple MD5 strings, and the IT guys at Booz Allen Hamiliton should have known better.

While many government IT operations are run by some of the smartest people on the planet, many other are quite sloppy. Contractors are also guilty of exceptional sloppiness.

While I certainly don’t condone the actions of these hacker groups, perhaps the shockingly ongoing ease of their penetrations will finally wake up those who think that IT security is just one more annoying “to-do” item and make it the priority it must be to protect our security into the future.