
Military Meltdown Monday: Mangling Booz Allen Hamilton

By: a guest on Jul 11th, 2011
TPB Link: http://thepiratebay.org/torrent/6533009

      _  _                   __   __      
   __| || |__ _____    _____/  |_|__| ______ ____   ____        #antisec  
   \   __   / \__  \  /    \   __\  |/  ___// __ \_/ ___\       #anonops    
    |  ||  |   / __ \|   |  \  | |  |\___ \\  ___/\  \___       #laughing        
   /_  ~~  _\ (____  /___|  /__| |__/____ \ \___ \ \___  |      #at_your      
     |_||_|        \/     \/             \/     \/     \/       #security

/*******************************************************************************
*******************************************************************************/
Hello Thar!

Today we want to turn our attention to Booz Allen Hamilton, whose core business
is contractual work completed on behalf of the US federal government, foremost
on defense and homeland security matters, and limited engagements of foreign
governments specific to U.S. military assistance programs.

So in this line of work you'd expect them to sail the seven proxseas with a
state-of-the-art battleship, right? Well you may be as surprised as we were
when we found their vessel being a puny wooden barge.

We infiltrated a server on their network that basically had no security
measures in place. We were able to run our own application, which turned out to
be a shell, and began plundering some booty. Most shiny is probably a list of
roughly 90,000 military emails and password hashes (md5, non-salted of course!).
We also added the complete sqldump, compressed ~50mb, for good measure.

We also were able to access their svn, grabbing 4gb of source code. But this
was deemed insignificant and a waste of valuable space, so we merely grabbed
it, and wiped it from their system.

Additionally we found some related data on different servers we got access to
after finding credentials in the Booz Allen System. We added anything which
could be interesting.

And last but not least we found maps and keys for various other treasure chests
buried on the islands of government agencies, federal contractors and shady
whitehat companies. This material surely will keep our blackhat friends busy
for a while.

A shoutout to all friendly vessels: Always remember, let it flow!
#AntiSec
/*******************************************************************************
***                BONUS ROUND: BOOZ ALLEN HAMILTON KEY FACTS                ***
*******************************************************************************/

For the lazy we have assembled some facts about Booz Allen. First let's take a
quick look at who these guys are. Some key personnel:

* John Michael "Mike" McConnell, Executive Vice President of Booz Allen and
former Director of the National Security Agency (NSA) and former Director of
National Intelligence.

* James R. Clapper, Jr., current Director of National Intelligence, former
Director of Defense Intelligence.

* Robert James Woolsey Jr, former Director of National Intelligence and head
of the Central Intelligence Agency (CIA).

* Melissa Hathaway, Current Acting Senior Director for Cyberspace for the
National Security and Homeland Security Councils

Now let's check out what these guys have been doing:

* Questionable involvement in the U.S. government's SWIFT surveillance program;
acting as auditors of a government program, when that contractor is heavily
involved with those same agencies on other contracts. Beyond that, the
implication was also made that Booz Allen may be complicit in a program
(electronic surveillance of SWIFT) that may be deemed illegal by the EC.

http://www.aclu.org/national-security/booz-allens-extensive-ties-government-raise-more-questions-about-swift-surveillanc

https://www.privacyinternational.org/article/pi-and-aclu-show-swift-auditor-has-extensive-ties-us-government

* Through investigation of Booz Allen employees, Tim Shorrock of Democracy Now!
asserts that there is a sort of revolving-door conflict of interest between
Booz Allen and the U.S. government, and between multiple other contractors and
the U.S. government in general. Regarding Booz Allen, Shorrock referred to such
people as John M. McConnell, R. James Woolsey, Jr., and James R. Clapper, all
of whom have gone back and forth between government and industry (Booz Allen in
particular), and who may present the appearance that certain government
contractors receive undue or unlawful business from the government, and that
certain government contractors may exert undue or unlawful influence on
government. Shorrock further relates that Booz Allen was a sub-contractor with
two programs at the U.S. National Security Agency (NSA), called Trailblazer and
Pioneer Groundbreaker.

http://www.democracynow.org/article.pl?sid=07/01/12/151224

If you haven't heard about Pioneer Groundbreaker, we recommend the following
Wikipedia article:

"The NSA warrantless surveillance controversy (AKA "Warrantless Wiretapping")
concerns surveillance of persons within the United States during the collection
of foreign intelligence by the U.S. National Security Agency (NSA) as part of
the war on terror."

http://en.wikipedia.org/wiki/Pioneer_Groundbreaker

* A June 28, 2007 Washington Post article related how a U.S. Department of
Homeland Security contract with Booz Allen increased from $2 million to more
than $70 million through two no-bid contracts, one occurring after the DHS's
legal office had advised DHS not to continue the contract until after a review.
A Government Accountability Office (GAO) report on the contract characterized
it as not well-planned and lacking any measure for assuring valuable work to be
completed.

http://www.washingtonpost.com/wp-dyn/content/article/2007/06/27/AR2007062702988.html

* Known as PISCES (Personal Identification Secure Comparison and Evaluation
System), the "terrorist interdiction system" matches passengers inbound for the
United States against facial images, fingerprints and biographical information
at airports in high-risk countries. A high-speed data network permits U.S.
authorities to be informed of problems with inbound passengers. Although PISCES
was operational in the months prior to September 11, it apparently failed to
detect any of the terrorists involved in the attack.

Privacy advocates have alleged that the PISCES system is deployed in various
countries that are known for human rights abuses (i.e. Pakistan and Iraq) and
that facilitating them with an advanced database system capable of storing
biometric details of travelers (often without consent of their own nationals)
poses a danger to human rights activists and government opponents.

http://multinationalmonitor.org/mm2002/02march/march02corp3.html
/*******************************************************************************
***                   BONUS ROUND TWO: ANONYMOUS INTERESTS                   ***
*******************************************************************************/

Back in February, as many may recall, Anonymous was challenged by security
company HBGary. One month later - after many grandiose claims and several pages
of dox on "members" of Anonymous which were factually accurate in no way
whatsoever - HBGary and its leadership were busy ruing the day they ever
tangled with Anonymous, and Anonymous was busy toasting another epic trolling.
And there was much rejoicing. However, celebration soon gave way to
fascination, followed by horror, as scandal after scandal radiated from the
company's internal files, scandals spanning the government, corporate and
financial spheres. This was no mere trolling. Anonymous had uncovered a
monster.

One of the more interesting, and sadly overlooked, stories to emerge from
HBGary's email server (a fine example to its customers of how NOT to secure
their own email systems) was a military project - dubbed Operation Metal Gear
by Anonymous for lack of an official title - designed to manipulate social
media. The main aims of the project were twofold: Firstly, to allow a lone
operator to control multiple false virtual identities, or "sockpuppets". This
would allow them to infiltrate discussion groups, online polls, activist
forums, etc. and attempt to influence discussions or paint a false
representation of public opinion using the highly sophisticated sockpuppet
software. The second aspect of the project was to destroy the concept of online
anonymity, essentially attempting to match various personas and accounts to a
single person through recognition of shared writing styles, timing of online
posts, and other factors. This, again, would be used presumably against any
perceived online opponent or activist.

HBGary Federal was just one of several companies involved in proposing software
solutions for this project. Another company involved was Booz Allen Hamilton.
Anonymous has been investigating them for some time, and has uncovered all
sorts of other shady practices by the company, including potentially illegal
surveillance systems, corruption between company and government officials,
warrantless wiretapping, and several other questionable surveillance projects.
All of this, of course, taking place behind closed doors, free from any public
knowledge or scrutiny.

You would think the words "Expect Us" would have been enough to prevent another
epic security fail, wouldn't you?

Well, you'd be wrong. And thanks to the gross incompetence at Booz Allen
Hamilton probably all military personnel of the U.S. will now have to change
their passwords.

Let it flow!
/*******************************************************************************
***                                 INVOICE                                  ***
*******************************************************************************/

Enclosed is the invoice for our audit of your security systems, as well as the
auditor's conclusion.

4 hours of man power: $40.00
Network auditing: $35.00
Web-app auditing: $35.00
Network infiltration*: $0.00
Password and SQL dumping**: $200.00
Decryption of data***: $0.00
Media and press****: $0.00

Total bill: $310.00

*Price is based on the amount of effort required.
**Price is based on the amount of badly secured data to be dumped, which in
this case was a substantial figure.
***No security in place, no effort for intrusion needed.
****Trolling is our specialty, we provide this service free of charge.

Auditor's closing remarks: Pwned. U mad, bro?

We are Anonymous.
We are Legion.
We are Antisec.
We do not forgive.
We do not forget.
Expect us.