The summer of anti-security rolls on.
As part of the spree of data breaches that the loose hacker movement Anonymous is calling AntiSec, the group announced Monday that it had penetrated a server belonging to the defense contractor Booz Allen Hamilton and released what it claims are 90,000 military email addresses, encrypted passwords and an assortment of data related to other companies and government networks. It also claims to have accessed and deleted four gigabytes of the firm's source code.
"In [Booz Allen Hamilton's] line of work you'd expect them to sail the seven proxseas with a state-of-the-art battleship, right? Well you may be as surprised as we were when we found their vessel being a puny wooden barge," reads the group's statement posted to the Pirate Bay. "We infiltrated a server on their network that basically had no security measures in place."
Though the passwords included in the leak are scrambled, Anonymous' statement claims that the passwords are encrypted with an MD5 function that is widely considered to be insecure.
I've contacted Booz Allen Hamilton for comment but haven't yet heard back from the firm. Update: the company writes on its Twitter feed that "as part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems."
Anonymous and Anonymous splinter group LulzSec have said that the campaign of attacks they're calling "AntiSec" is designed to humiliate companies and agencies that fail to adequately protect consumer and employee data. It's already hit targets ranging from the Arizona State Police to Viacom and Universal Music.
Booz Allen has already been involved in one Anonymous hack earlier this year. When the hacker collective dumped 71,000 emails from the cybersecurity firm HBGary Federal in retaliation for what it interpreted as an attempt to unmask key figures within Anonymous, the emails revealed that HBGary had worked with Booz Allen Hamilton to develop a response plan for Bank of America based on what the bank feared might be an upcoming leak of its internal documents by WikiLeaks. The Anonymous statement also paints the contractor as a revolving door of military-related conflicts of interest, and argues that the firm has been involved in mass surveillance projects.[gallery]
"You would think the words 'Expect Us' would have been enough to prevent another epic security fail, wouldn't you?," Anonymous wrote in its statement. "Well, you'd be wrong. And thanks to the gross incompetence at Booz Allen Hamilton probably all military mersonnel of the U.S. will now have to change
The group ended the statement by invoicing Booz Allen Hamilton $310 for its security audit. "Trolling is our specialty," it added. "We provide this free of charge."