API tools faq
paste
Guest User

military meltdown #antisec

a guest
Jul 11th, 2011
2,109
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.70 KB
raw download clone embed print report
  1. _ _ __ __
  2. __| || |__ _____ _____/ |_|__| ______ ____ ____ #antisec
  3. \ __ / \__ \ / \ __\ |/ ___// __ \_/ ___\ #anonops
  4. | || | / __ \| | \ | | |\___ \\ ___/\ \___ #laughing
  5. /_ ~~ _\ (____ /___| /__| |__/____ \ \___ \ \___ | #at_your
  6. |_||_| \/ \/ \/ \/ \/ #security
  7.  
  8. /*******************************************************************************
  9. *** MILITARY MELTDOWN MONDAY: MANGLING BOOZ ALLEN HAMILTON ***
  10. *******************************************************************************/
  11.  
  12.  
  13. Hello Thar!
  14.  
  15. Today we want to turn our attention to Booz Allen Hamilton, whose core business
  16. is contractual work completed on behalf of the US federal government, foremost
  17. on defense and homeland security matters, and limited engagements of foreign
  18. governments specific to U.S. military assistance programs.
  19.  
  20. So in this line of work you'd expect them to sail the seven proxseas with a
  21. state- of-the-art battleship, right? Well you may be as surprised as we were
  22. when we found their vessel being a puny wooden barge.
  23.  
  24. We infiltrated a server on their network that basically had no security
  25. measures in place. We were able to run our own application, which turned out to
  26. be a shell and began plundering some booty. Most shiny is probably a list of
  27. roughly 90,000 military emails and password hashes (md5, non-salted of course!).
  28. We also added the complete sqldump, compressed ~50mb, for a good measure.
  29.  
  30. We also were able to access their svn, grabbing 4gb of source code. But this
  31. was deemed insignificant and a waste of valuable space, so we merely grabbed
  32. it, and wiped it from their system.
  33.  
  34. Additionally we found some related datas on different servers we got access to
  35. after finding credentials in the Booz Allen System. We added anything which
  36. could be interesting.
  37.  
  38. And last but not least we found maps and keys for various other treasure chests
  39. buried on the islands of government agencies, federal contractors and shady
  40. whitehat companies. This material surely will keep our blackhat friends busy
  41. for a while.
  42.  
  43. A shoutout to all friendly vessels: Always remember, let it flow!
  44. #AntiSec
  45.  
  46. /*******************************************************************************
  47. *** BONUS ROUND: BOOZ ALLEN HAMILTON KEY FACTS ***
  48. *******************************************************************************/
  49.  
  50. For the Lazy we have assembled some facts about Booz Allen. First let's take a
  51. quick look of who these guys are. Some key personnel:
  52.  
  53. * John Michael "Mike" McConnell, Executive Vice President of Booz Allen and
  54. former Director of the National Security Agency (NSA) and former Director of
  55. National Intelligence.
  56.  
  57. * James R. Clapper, Jr., current Director of National Intelligence, former
  58. Director of Defense Intelligence.
  59.  
  60. * Robert James Woolsey Jr, former Director of National Intelligence and head
  61. of the Central Intelligence Agency (CIA).
  62.  
  63. * Melissa Hathaway, Current Acting Senior Director for Cyberspace for the
  64. National Security and Homeland Security Councils
  65.  
  66. Now let's check out what these guys have been doing:
  67.  
  68. * Questionable involvement in the U.S. government's SWIFT surveillance program;
  69. acting as auditors of a government program, when that contractor is heavily
  70. involved with those same agencies on other contracts. Beyond that, the
  71. implication was also made that Booz Allen may be complicit in a program
  72. (electronic surveillance of SWIFT) that may be deemed illegal by the EC.
  73.  
  74. http://www.aclu.org/national-security/booz-allens-extensive-ties-government
  75. -raise-more-questions-about-swift-surveillanc
  76.  
  77. https://www.privacyinternational.org/article/pi-and-aclu-show-swift-auditor-
  78. has-extensive-ties-us-government
  79.  
  80. * Through investigation of Booz Allen employees, Tim Shorrock of Democracy Now!
  81. asserts that there is a sort of revolving-door conflict of interest between
  82. Booz Allen and the U.S. government, and between multiple other contractors and
  83. the U.S. government in general. Regarding Booz Allen, Shorrock referred to such
  84. people as John M. McConnell, R. James Woolsey, Jr., and James R. Clapper, all
  85. of whom have gone back and forth between government and industry (Booz Allen in
  86. particular), and who may present the appearance that certain government
  87. contractors receive undue or unlawful business from the government, and that
  88. certain government contractors may exert undue or unlawful influence on
  89. government. Shorrock further relates that Booz Allen was a sub-contractor with
  90. two programs at the U.S. National Security Agency (NSA), called Trailblazer and
  91. Pioneer Groundbreaker.
  92.  
  93. http://www.democracynow.org/article.pl?sid=07/01/12/151224
  94.  
  95. If you haven't heard about Pioneer Groundbreaker, we recommend the following
  96. Wikipedia article:
  97.  
  98. "The NSA warrantless surveillance controversy (AKA "Warrantless Wiretapping")
  99. concerns surveillance of persons within the United States during the collection
  100. of foreign intelligence by the U.S. National Security Agency (NSA) as part of
  101. the war on terror."
  102.  
  103. http://en.wikipedia.org/wiki/Pioneer_Groundbreaker
  104.  
  105. * A June 28, 2007 Washington Post article related how a U.S. Department of
  106. Homeland Security contract with Booz Allen increased from $2 million to more
  107. than $70 million through two no-bid contracts, one occurring after the DHS's
  108. legal office had advised DHS not to continue the contract until after a review.
  109. A Government Accountability Office (GAO) report on the contract characterized
  110. it as not well-planned and lacking any measure for assuring valuable work to be
  111. completed.
  112.  
  113. http://www.washingtonpost.com/wp-dyn/content/article/2007/06/27/
  114. AR2007062702988.html
  115.  
  116. * Known as PISCES (Personal Identification Secure Comparison and Evaluation
  117. System), the ΓΓé¼┼ôterrorist interdiction systemΓΓé¼┬¥ matches passengers inbound for the
  118. United States against facial images, fingerprints and biographical information
  119. at airports in high-risk countries. A high-speed data network permits U.S.
  120. authorities to be informed of problems with inbound passengers. Although PISCES
  121. was operational in the months prior to September 11, it apparently failed to
  122. detect any of the terrorists involved in the attack.
  123.  
  124. Privacy advocates have alleged that the PISCES system is deployed in various
  125. countries that are known for human rights abuses (ie Pakistan and Iraq) and
  126. that facilitating them with an advanced database system capable of storing
  127. biometric details of travelers (often without consent of their own nationals)
  128. poses a danger to human rights activists and government opponents.
  129.  
  130. http://multinationalmonitor.org/mm2002/02march/march02corp3.html
  131.  
  132. /*******************************************************************************
  133. *** BONUS ROUND TWO: ANONYMOUS INTERESTS ***
  134. *******************************************************************************/
  135.  
  136. Back in February, as many may recall, Anonymous was challenged by security
  137. company HBGary. One month later - after many grandiose claims and several pages
  138. of dox on "members" of Anonymous which were factually accurate in no way
  139. whatsoever - HBGary and its leadership were busy ruing the day they ever
  140. tangled with Anonymous, and Anonymous was busy toasting another epic trolling.
  141. And there was much rejoicing. However, celebration soon gave way to
  142. fascination, followed by horror, as scandal after scandal radiated from the
  143. company's internal files, scandals spanning the government, corporate and
  144. financial spheres. This was no mere trolling. Anonymous had uncovered a
  145. monster.
  146.  
  147. One of the more interesting, and sadly overlooked, stories to emerge from
  148. HBGary's email server (a fine example to its customers of how NOT to secure
  149. their own email systems) was a military project - dubbed Operation Metal Gear
  150. by Anonymous for lack of an official title - designed to manipulate social
  151. media. The main aims of the project were two fold: Firstly, to allow a lone
  152. operator to control multiple false virtual identities, or "sockpuppets". This
  153. would allow them to infiltrate discussions groups, online polls, activist
  154. forums, etc and attempt to influence discussions or paint a false
  155. representation of public opinion using the highly sophisticated sockpuppet
  156. software. The second aspect of the project was to destroy the concept of online
  157. anonymity, essentially attempting to match various personas and accounts to a
  158. single person through recognition shared of writing styles, timing of online
  159. posts, and other factors. This, again, would be used presumably against any
  160. perceived online opponent or activist.
  161.  
  162. HBGary Federal was just one of several companies involved in proposing software
  163. solutions for this project. Another company involved was Booz Allen Hamilton.
  164. Anonymous has been investigating them for some time, and has uncovered all
  165. sorts of other shady practices by the company, including potentially illegal
  166. surveillance systems, corruption between company and government officials,
  167. warrantless wiretapping, and several other questionable surveillance projects.
  168. All of this, of course, taking place behind closed doors, free from any public
  169. knowledge or scrutiny.
  170.  
  171. You would think the words "Expect Us" would have been enough to prevent another
  172. epic security fail, wouldn't you?
  173.  
  174. Well, you'd be wrong. And thanks to the gross incompetence at Booz Allen
  175. Hamilton probably all military mersonnel of the U.S. will now have to change
  176. their passwords.
  177.  
  178. Let it flow!
  179.  
  180.  
  181. /*******************************************************************************
  182. *** INVOICE ***
  183. *******************************************************************************/
  184.  
  185. Enclosed is the invoice for our audit of your security systems, as well as the
  186. auditor's conclusion.
  187.  
  188. 4 hours of man power: $40.00
  189. Network auditing: $35.00
  190. Web-app auditing: $35.00
  191. Network infiltration*: $0.00
  192. Password and SQL dumping**: $200.00
  193. Decryption of data***: $0.00
  194. Media and press****: $0.00
  195.  
  196. Total bill: $310.00
  197.  
  198. *Price is based on the amount of effort required.
  199. **Price is based on the amount of badly secured data to be dumped, which in
  200. this case was a substantial figure.
  201. ***No security in place, no effort for intrusion needed.
  202. ****Trolling is our specialty, we provide this service free of charge.
  203.  
  204. Auditor's closing remarks: Pwned. U mad, bro?
  205.  
  206. We are Anonymous.
  207. We are Legion.
  208. We are Antisec.
  209. We do not forgive.
  210. We do not forget.
  211. Expect us.
RAW Paste Data
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!