Posts Tagged ‘encryption’

Anonymous leaks 90,000+ military email addresses stolen from Booz Allen Hamilton

Naked Security

by Chester Wisniewski on July 11, 2011

The latest attack in the infamous “#antisec” movement targeted Booz Allen Hamilton, a consulting firm who works with the US government. Anonymous claims to have infiltrated an unprotected server and were able to steal a significant amount of data.

#antisec banner

They claim to have released email addresses belonging to more than 90,000 US military personnel. While many folks downplay the significance of the attack and say “It’s only email addresses”, these particular email addresses may have more value than it would appear.

If we look back at the high-profile Gmail accounts that were hacked earlier this year, there clearly is demand for information about individuals related to the US defense that can be used to compromise their accounts and computers.

As Mila at Contagio blog wrote about the Gmail attack, the purpose isn’t so much to gain access to the email account itself, but rather to use email as the vehicle through which they can infect the host computer with malware.

The bigger problem for Booz Allen Hamilton is that they stored passwords with these email addresses using only a SHA hash. The passwords are not salted, which will likely lead to the majority of the passwords being exposed.


In addition to the emails, Anonymous claims to have erased 4 gigabytes worth of source code and to have discovered information which could help them attack US government and other contractors systems.

While this should certainly be embarrassing to Booz Allen Hamilton, the real impact is on the US military. These 90,000+ individuals will need to reset their passwords, and ensure any systems that they shared these passwords with are changed.

While this isn’t likely to do any good, could I please have the attention of those individuals responsible for collecting user names, passwords and personal information from people? Listening?

Could we please see these hacking attacks as a shot across the bow? Now is the time to secure your data… Encryption is NOT optional. For some helpful advice you may wish to check out our Data Security Toolkit.


NSA testing smartphones, tablets on safe mobile architecture

The National Security Agency is testing a new mobile infrastructure, largely composed of commercial tools, to secure Top Secret information on portable devices, such as smartphones and tablet computers, a high-level NSA official said.

The intelligence community, like the rest of the federal workforce, increasingly wants to access information on the go, which is creating a challenge for Debora Plunkett, director of the NSA Information Assurance Directorate. Mobility is just one of about 10 challenges– or “opportunities” as Plunkett likes to call them — that she has set out to tackle this year.

Moving ahead, her priority will remain bolstering national security networks at the agency responsible for safekeeping the nation’s secrets and spying on others’ covert activities, she said. But the evolving threat landscape has prompted her to change tactics.

After the disclosure of thousands of pages of classified material on the WikiLeaks website, there is increased interest in the data that NSA houses. In addition, technology is rapidly advancing, and cyber adversaries are becoming more sophisticated.

To shore up mobile devices, NSA is experimenting through the summer with an architecture comprised of commercial handsets and a data delivery concept similar to one used by Amazon’s Kindle e-reader and OnStar Corp.’s navigation systems, Plunkett said. So-called mobile virtual network operators, or MVNOs, lease wireless capacity owned by other network providers, including Verizon Communications and Sprint, and then repackage the mobile services with their own specialized features under a new brand name, such as “OnStar.”

But “the IT architecture of the future,” said Plunkett, will be cloud computing –accessing over the Internet information technology systems that are grounded elsewhere– and virtualization, a means of segmenting one physical server into smaller servers that can be accessed remotely.

Last month, U.S. Cyber Command chief Gen. Keith Alexander endorsed this sentiment when he testified before a House subcommittee that cloud computing will help fortify military networks during the coming year.

“This architecture would seem at first glance to be vulnerable to insider threats — indeed, no system that human beings use can be made immune to abuse,” he said, “but we are convinced the controls and tools that will be built into the cloud will ensure that people cannot see any data beyond what they need for their jobs and will be swiftly identified if they make unauthorized attempts to access data.”

Both Plunkett and Alexander said they believe cloud computing will reduce security risks by moving information away from desktops to a centralized arrangement that allows for tighter control over access and more rapid responses to cyber incidents.

“We’re tracking, absolutely,” Plunkett said of their mutual goal. “I firmly believe that cloud computing is the way to go.”

Like civilian agencies, NSA aims to continuously monitor its security posture by automating the process of collecting network status indicators, such as data on anti-virus scans or software patches, she added.

Other challenges this year include software assurance –the practice of making sure “the millions and millions and trillions of lines of code” that personnel exchange “is both developed securely and that it stays secure throughout its life cycle,” Plunkett said.