It is becoming a cliché, but security professionals will tell you until they are blue in the face if an attacker wants to break into your system, he will. Apparently, the hacker group AntiSec is living proof.
This time the targets were government contractors Booz Allen Hamilton and IRC Federal.
In the Booz Allen case, AntiSec posted what it said are 90,000 military email addresses and passwords from the contractor online.
While this time it was government contractors feeling the brunt end of the attack, this case is an example of how a targeted hack can occur at any time against any company in any industry.
AntiSec, a spinoff from the Anonymous and now-defunct LulzSec hacker teams, made a posting on the Pirate Bay calling the hack “Military Meltdown Monday: Mangling Booz Allen Hamilton.” It was the second attack on a government defense contractor in nearly as many days.
Regarding the Booz Allen attack, AntiSec criticized the lack of security it encountered when trying to infiltrate a server on the Booz Allen network, claiming it “basically had no security measures in place.” In its work with the Department of Defense (DOD) and the Department of Homeland Security (DHS), Booz Allen contractors maintain high government security clearances.
“In this line of work you’d expect them to sail the seven ‘proxseas’ with a state-of-the-art battleship, right?” the group wrote. “Well you may be as surprised as we were when we found their vessel being a puny wooden barge.”
The group said it ran its own application on the network to collect data at will. AntiSec said it also was able to steal 4 GB of source code; however, “this was deemed insignificant and a waste of valuable space, so we merely grabbed it, and wiped it from their system.”
Additionally, the group used the credentials it lifted from the system to take various data from other servers, as well as found what it claimed are clues to infiltrating other government agencies and federal contractors that it may pass on to other hackers, it said.
AntiSec has embarked on an international hacking spree in the last month as part of an “Operation Anti Security” campaign which it said is targeting government corruption around the world.
IRC confirmed the breach of its network, Booz Allen declined to confirm or deny AntiSec’s claims, saying as part of the company’s security policy, “we generally do not comment on specific threats or actions taken against our systems.”
In the IRC attack, “We laid nuclear waste to their systems, owning their pathetic Windows box, dropping their databases and private emails, and defaced their professional looking website,” according to AntiSec’s Pastebin post. The group said it targeted IRC for “selling out their ‘skills’ to the U.S. empire.”
IRC works with the Army, Navy, NASA, and Department of Justice, among other organizations.
Extracts of the material stolen from IRC went up on the text-snippet-sharing website Pastebin. Meanwhile, a more complete, 107-MB torrent file went out via the Pirate Bay.
AntiSec said it compromised the site via a SQL injection attack, which enabled it to retrieve an administrator’s login credentials. AntiSec then used other techniques to grab database information and emails, in part thanks to some administrators having reused their passwords across various systems.
The AntiSec attack against IRC Federal follows recent warnings from auditors over the poor state of government agencies’ database security. Notably, government auditors found that numerous Department of Homeland Security databases, storing sensitive citizen data and defense information, were improperly configured or running with known bugs. Likewise, auditors found that despite the $1.1 million it’s recently spent on database security tools, nearly all of the IRS’s 2,200 databases sport serious security problems.
As illustrated by the attack against IRC, incorrectly configured databases, or databases with known vulnerabilities, give malicious insiders or outsiders an opportunity to steal, alter, or delete the information stored in the database.