Anonymous have apparently released 90,000 military email addresses, according to news sources everywhere. I am afraid I need help to understand this. Where are these addresses, and is each listed with its password so we can read actual emails? If not, what use is this? I am not technology savvy, so I may be missing something here.
Allowed HTML - you can use:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
This article helps a bit:
http://www.theregister.co.uk/2011/07/12/anonymous_leaks_military_email_addresses/
People are keeping quiet about where the addresses have been uploaded to. If I knew, I think I’d keep quiet, too. With 90,000 e-mail addresses, some of them are bound to have weak passwords, and will therefore be vulnerable to “dictionary attack”, ie just running through words until the password is found.
.
The danger is two-fold. People could impersonate the owners of the e-mail addresses, ie identity theft; if the recipient is unaware of the security breach, they could act upon false orders. On the other hand, it gives every military person whose address has been revealed plausible deniability.
The booty is available as a torrent at tpb
I haven’t looked, but it’s apparently email addys and md5 hashes of the passwords. You’ll have to run an md5 crack to get the plaintext and then you’d theoretically have access to the email accounts. Btw, anon leaked more than just email stuff.
Additional dangers are that any passwords discovered could be changed thus locking those personnel out of their own accounts, and that the e-mail accounts may contain sensitive information, thus revealing further weaknesses.
.
http://nakedsecurity.sophos.com/2011/07/11/anonymous-leaks-90000-military-email-addresses-stolen-from-booz-allen-hamilton/
.
I love this comment from the blog post above:
.
“While this isn’t likely to do any good, could I please have the attention of those individuals responsible for collecting user names, passwords and personal information from people? Listening?
.
Could we please see these hacking attacks as a shot across the bow? Now is the time to secure your data… Encryption is NOT optional.”
My only interest in this is whether it is a source of evidence of yet more human rights abuse or illegal activity. The activity of hacking as an art form leaves me cold. With thanks for those who tried, we aren’t posting the info on where to find the stuff, until I’ve got my head round what it means.
I like the idea of false orders though, of a harmless kind, like sending troops on cake-baking courses. Much more useful than killing people.
Hacking is done for many reasons. Where the evidence of a hacking success is published like this it is because they want to either:
A. Highlight weak security – these are the people who want to rule our world with technology and they can’t even secure their own basic systems. It is amazing how bad some huge organisations security is. Truly staggering sometimes…
B. An ‘up yours’ revenge attack.
C. A ‘look how smart we are’ attack – usually teenage kids just for kicks.
D. To achieve some kind of action – read anon’s own notes on the pb uploads etc.
Its important to note that absolutely nothing is secure if enough time and resource is thrown at it. I do info security for a living.
Errrm…
.
So, after the past week frothing indignantly at the disgusting behaviour of NotW and the dreaded Murdoch Empire for hacking personal phones and listening into their voicemail we are now cheering on anonymous spotty oiks for doing pretty much the same thing?
.
Are these email addresses for the private emails of personnel? How is that any different from hacking the voicemail of the same personnel’s voicemail?
.
I’m sure there are some subtle distinctions here too:
1. The first case involves an ugly rich man who looks like Davros and lives in another country and he has politics I don’t agree with.
2. The second case involves cheeky lovable rogues fighting against war and injustice albeit in a clumsy and haphazard manner.
Angry, you’re losing whatever touch you once had. Murdoch deserves a lot of indignation for his disgusting behaviour, or are you trying to defend him now? He has a media empire, and it is dreadful, yet you use these terms to mock supposed hyperbole. At the same time, you equate the Anonymous hackers with the Murdoch empire, and accuse us here of hypocrisy, even though this particular action by Anonymous is not being praised. Fascinating. More muddled thinking on your part, or just the same old tiresome disingenuousness?
“Murdoch deserves a lot of indignation for his disgusting behaviour, or are you trying to defend him now?”
.
No, Glenn. I’m not defending Murdoch, I’m asking what is different in the case of these anonymous hackers. In other words, what makes their behaviour any more justifiable?
.
Do you have an answer to that question?
Anyway, could be interesting if Murdoch gets investigated in the US too:
.
“A key US senator has called for an investigation into whether reported hacking by News Corporation targeted any US citizens.”
.
http://www.bbc.co.uk/news/world-us-canada-14132168
Angry: Well yes, and that answer should be pretty obvious. One is a filthy multi-billionaire pushing a fascist agenda in which racism, bigotry, lies and fear-mongering are deliberate, divisive smokescreens, which dominates virtually all forms of media. This is done in the service of the monied and investor class to the detriment of the bottom 99.8% of humanity. The other is a populist, albeit occasionally misguided, group of individuals working for no personal gain against establishment forces. ‘Anonymous’ usually target corporate or state enterprises who they perceive have acted unjustly, while Murdoch’s empire is at its most enthusiastic while targeting a powerless individual who is already on the ropes.
.
Are you really unable to see any difference in their motivations, and think they are equally unjustified in what they do? Of course not, you’re not that stupid, and you’re just playing to the audience. But you’ll claim so anyway.
“Are you really unable to see any difference in their motivations, and think they are equally unjustified in what they do? Of course not, you’re not that stupid, and you’re just playing to the audience. But you’ll claim so anyway.”
.
I’m not talking about their motivations and I think their relative wealth is irrelevant. I am saying that targetting someone’s personal emails and hacking into them is bad regardless of who does it. I think it is a spurious distinction to point out that one person doing it is a horrible old multi-millionaire ogre while the other is a plucky misguided youngster.
I reckon Angry could have an argument with himself in an empty room. Craig called it contrarianism.
.
The ‘horrible old multi-millionaire ogre’ is the recipient of these tax dollars which should rightfully be spent on relieving the hardship of the one time workers, many now homeless and penniless. the real victims of the financial crash which was not of their making.
.
http://www.informationclearinghouse.info/article28552.htm
.
Murdoch’s News Corp Generated $10.4 Billion Profits And Received $4.8 Billion In “Taxes” From The IRS
.
By Tyler Durden
.
July 12, 2011 “Zero Hedge” – – Call it the gift that keeps on giving (if one is a corporation that is): the US Tax system, so effective at extracting income tax from America’s working class, is just as “effective” at redistributing said income tax at the corporate level. Case in point: News Corp, which after generating $10.4 billion in profits over the past 4 years, and which would have been expected to pay the IRS $3.6 billion at the statutory corporate tax rate, instead received $4.6 billion back from Uncle Sam. Bottom line: Murdoch’s corporation had a cash paid tax rate of -46% between 2007 and 2010. The culrpit: two little somethings called Deferred Tax Assets and Net Operating Loss Carry-forwards.
/….
@Angrysoba…Murdoch and the NOW spent much time and money terrorizing all sorts of people by holding up pedestrian personal flaws for public entertainment, ridicule and profit.
Had they used their resources to uncover for public viewing the stinking and corrupt practices of the bankers, politicians and general business types…then there would be no market for the likes of Anonymous and Wikileaks.
We’re on our way to hell in a hand basket…and it’s certainly not because of those last two groups.
@Glenn
“The other is a populist, albeit occasionally misguided, group of individuals working for no personal gain against establishment forces. ”
I thought that, in the moronosphere, populism was a bad thing ?
Or is it only bad when it is populism you disagree with ?
Well spoken Oliver, the best thing that could happen now is that the Murdoch scandal turns into a rolling programme reducing the excesses of a free wielding fundamental global
capitalism that has failed to deal with our limits to growth, bringing us back towards a sustainable path will be the hardest thing mankind has ever done, day by day it is becoming a more utopian goal to make ends meet for our children.
When will the wrath of fathers boil over into indignation, frustration and opposition to what is going on? Abolition of the WTO would be a start, letting Mandelnoson and Bliar get hold of global strings is regressive, these two have to be pensioned of, asap, but then they are Murdochs creations.
I shall spend a rather grey day in Suffolk today. Hope Craig had a great party. Can’t make Ramsgate Frazer, would have loved to crack a bottle open with ya, take care and enjoy the seaside.
Craig,
I think something that hasn’t been mentioned is that once you have a good list of names and e-mail addresses then you can start sending targeted e-mails to individuals which social engineer or otherwise trick them into clicking on links contained in the e-mail. These links then launch web sites that contain malware, which exploit security holes in Windows (or other operating systems) and effectively allow the hackers to take over your computer.
If you have a name and an e-mail address and do some research on e.g. LinkedIn it can be quite easy to create a relatively authentic looking e-mail from a colleague, that manages to slip through somebodies guard.
Thanks. What I was really trying to get a handle on is what are ananymous’s motives and what use it is. If they are hacking government emails to gather intelligence on human rights abuse, corruption or other email material, that’s good. Angrysoba, I think there is a fairly simple answer to the NOTW comparison which is the lack there of any plausible public interest defence.
The interesting thing on Newscorp’s position is the USA’s very rigorous but almosy completely unenforced foreign corrupt practices legislation.
I believe they described it themselves as “Booz Allen Hamilton pwned”. It’s a US government contractor. Anon go after what they see as the mis-use of power. I doubt if they have any plans for the email addies, their objective would be to damage the image and credibility of Booz Allen Hamilton.
.
“The hack was the second in the past week to target major companies doing business with the federal government. Late last week, Anonymous shared databases and emails it said it obtained by hacking the website of IRC Federal, a company that contracts with federal government agencies, including the FBI and the U.S. Department of Defense, for information management services.”
http://technolog.msnbc.msn.com/_news/2011/07/11/7061036-anonymous-shares-90000-military-email-addresses
.
This is one of their twitter accounts:
{http://twitter.com/#!/OperationLeaks}
.
It would be interesting if they decided to hack NI!
I’m sure you know they carried out DDOS attacks on Visa and Mastercard because they halted online donations for WikiLeaks and Bradley Manning. That was retribution.
Craig, welcome to the world of infosec 😉 It’s a huge industry with its own politics and pretty much a world in itself little understood by outsiders. A lot of battles are raging inside to do with privacy and so forth that I think you would approve of, and there are some big ego’s as well.
I would suggest signing up to Bruce Schneier’s monthly newsletter where he discusses infosec issues in easy to understand plain english. His books are also very easy to read for the non geek.
http://www.schneier.com/crypto-gram.html
I suspect all of those email accounts had their passwords changed quite quickly, else that is the second part of the story to come (poor or no plan to cover this type of event). So I doubt that is the motive – anon would have cracked the passwords themselves and sucked all the emails down before posting the email addresses if that is what they were planning to do. They may have done this already?? Who knows, maybe more to come?
Clearly they are not doing it for financial gain. They are essentially political. So that is an indicator that they are trying to make a point.
Some within the infosec world would say they made a great point, but should have partially obscured the emails and passwords. It is what journalists tend to say.
What is their point? Well, I think they made it themselves quite well in the notes they released with the dump. Essentially: Look at what these bad people are doing. We want to expose them, shine the media spotlight on them, embarrass them and hopefully make them lose contract work because clearly they are piss poor. Also perhaps a little of the emperor has no clothes and we have a powerful spotlight so the emperor should tread carefully.
Obviously now the feds are after ‘Anonymous’ which is probably the same as being after ‘Al Qaida’. Its important to note that the USA/UK has/is making any kind of hacking activity an act of terrorism (current) and war (coming soon).
What do you think of this kind of hack Craig?
http://www.theregister.co.uk/2011/07/08/patriotic_portuguese_hackers_hit_moody/
http://regmedia.co.uk/2011/07/08/moodys.png
Anon’s notes posted below as they are worth reading:
Dreolin sums it up quite well. Email passwords will be changed very quickly, main effect is embarrassment and media spotlight on things that otherwise the general public would never hear of. As Anonymous say:
“Hello Thar!
Today we want to turn our attention to Booz Allen Hamilton, whose core business
is contractual work completed on behalf of the US federal government, foremost
on defense and homeland security matters, and limited engagements of foreign
governments specific to U.S. military assistance programs.
So in this line of work you’d expect them to sail the seven proxseas with a
state- of-the-art battleship, right? Well you may be as surprised as we were
when we found their vessel being a puny wooden barge.
We infiltrated a server on their network that basically had no security
measures in place. We were able to run our own application, which turned out to
be a shell and began plundering some booty. Most shiny is probably a list of
roughly 90,000 military emails and password hashes (md5, non-salted of course!).
We also added the complete sqldump, compressed ~50mb, for a good measure.
We also were able to access their svn, grabbing 4gb of source code. But this
was deemed insignificant and a waste of valuable space, so we merely grabbed
it, and wiped it from their system.
Additionally we found some related datas on different servers we got access to
after finding credentials in the Booz Allen System. We added anything which
could be interesting.
And last but not least we found maps and keys for various other treasure chests
buried on the islands of government agencies, federal contractors and shady
whitehat companies. This material surely will keep our blackhat friends busy
for a while.
A shoutout to all friendly vessels: Always remember, let it flow!
#AntiSec
/*******************************************************************************
*** BONUS ROUND: BOOZ ALLEN HAMILTON KEY FACTS ***
*******************************************************************************/
For the Lazy we have assembled some facts about Booz Allen. First let’s take a
quick look of who these guys are. Some key personnel:
* John Michael “Mike” McConnell, Executive Vice President of Booz Allen and
former Director of the National Security Agency (NSA) and former Director of
National Intelligence.
* James R. Clapper, Jr., current Director of National Intelligence, former
Director of Defense Intelligence.
* Robert James Woolsey Jr, former Director of National Intelligence and head
of the Central Intelligence Agency (CIA).
* Melissa Hathaway, Current Acting Senior Director for Cyberspace for the
National Security and Homeland Security Councils
Now let’s check out what these guys have been doing:
* Questionable involvement in the U.S. government’s SWIFT surveillance program;
acting as auditors of a government program, when that contractor is heavily
involved with those same agencies on other contracts. Beyond that, the
implication was also made that Booz Allen may be complicit in a program
(electronic surveillance of SWIFT) that may be deemed illegal by the EC.
http://www.aclu.org/national-security/booz-allens-extensive-ties-government
-raise-more-questions-about-swift-surveillanc
https://www.privacyinternational.org/article/pi-and-aclu-show-swift-auditor-
has-extensive-ties-us-government
* Through investigation of Booz Allen employees, Tim Shorrock of Democracy Now!
asserts that there is a sort of revolving-door conflict of interest between
Booz Allen and the U.S. government, and between multiple other contractors and
the U.S. government in general. Regarding Booz Allen, Shorrock referred to such
people as John M. McConnell, R. James Woolsey, Jr., and James R. Clapper, all
of whom have gone back and forth between government and industry (Booz Allen in
particular), and who may present the appearance that certain government
contractors receive undue or unlawful business from the government, and that
certain government contractors may exert undue or unlawful influence on
government. Shorrock further relates that Booz Allen was a sub-contractor with
two programs at the U.S. National Security Agency (NSA), called Trailblazer and
Pioneer Groundbreaker.
http://www.democracynow.org/article.pl?sid=07/01/12/151224
If you haven’t heard about Pioneer Groundbreaker, we recommend the following
Wikipedia article:
“The NSA warrantless surveillance controversy (AKA “Warrantless Wiretapping”)
concerns surveillance of persons within the United States during the collection
of foreign intelligence by the U.S. National Security Agency (NSA) as part of
the war on terror.”
http://en.wikipedia.org/wiki/Pioneer_Groundbreaker
* A June 28, 2007 Washington Post article related how a U.S. Department of
Homeland Security contract with Booz Allen increased from $2 million to more
than $70 million through two no-bid contracts, one occurring after the DHS’s
legal office had advised DHS not to continue the contract until after a review.
A Government Accountability Office (GAO) report on the contract characterized
it as not well-planned and lacking any measure for assuring valuable work to be
completed.
http://www.washingtonpost.com/wp-dyn/content/article/2007/06/27/
AR2007062702988.html
* Known as PISCES (Personal Identification Secure Comparison and Evaluation
System), the ΓΓé¼┼ôterrorist interdiction systemΓΓé¼┬¥ matches passengers inbound for the
United States against facial images, fingerprints and biographical information
at airports in high-risk countries. A high-speed data network permits U.S.
authorities to be informed of problems with inbound passengers. Although PISCES
was operational in the months prior to September 11, it apparently failed to
detect any of the terrorists involved in the attack.
Privacy advocates have alleged that the PISCES system is deployed in various
countries that are known for human rights abuses (ie Pakistan and Iraq) and
that facilitating them with an advanced database system capable of storing
biometric details of travelers (often without consent of their own nationals)
poses a danger to human rights activists and government opponents.
http://multinationalmonitor.org/mm2002/02march/march02corp3.html“
Angrysoba, I have just returned to this blog after my night’s sleep. Prior to your comment, I see Craig’s original post, which does not praise Anonymous, and two comments, one of which stresses Craig’s interest in human rights, and the other of which is humorous (though somewhat misguided, I would argue).
.
There are three comments by myself; I pointed out some dangers, specifically stated that I would not help such information proliferate, and praised the blog that called for greater care over security. There is one by Nik, who originally posted a link to the data, which was apparently deleted by Craig or another site moderator. There is one by Darrin, who gives a general explanation of the motivations behind this sort of penetration.
.
In all, I do not see any evidence of Craig or regular contributors “cheering on Anonymous spotty oiks for doing pretty much the same thing (as News International)” as you put it. In fact, I see the opposite. Please explain your remark, which I find insulting to this blog.
.
Incidentally, Anonymous’s actions are clearly quite different from News International’s, as pointed out by various contributors above.
Part 2 of what Anon said in their release. Clearly previously they do read what they find. Interesting stuff they expose here…
Clark, many infosec people I know admire their technical abilities at the least, even though sometimes it is nothing to brag about as it is easy low hanging fruit. Generally I find myself supporting what Anon release – they are trying to make informative and provocative points.
If they can get these email addresses and passwords (easily cracked) then imagine how people with bad intentions could have also gotten them and all the email data involved already etc etc. Now hopefully the security is tightened up.
/*******************************************************************************
*** BONUS ROUND TWO: ANONYMOUS INTERESTS ***
*******************************************************************************/
Back in February, as many may recall, Anonymous was challenged by security
company HBGary. One month later – after many grandiose claims and several pages
of dox on “members” of Anonymous which were factually accurate in no way
whatsoever – HBGary and its leadership were busy ruing the day they ever
tangled with Anonymous, and Anonymous was busy toasting another epic trolling.
And there was much rejoicing. However, celebration soon gave way to
fascination, followed by horror, as scandal after scandal radiated from the
company’s internal files, scandals spanning the government, corporate and
financial spheres. This was no mere trolling. Anonymous had uncovered a
monster.
One of the more interesting, and sadly overlooked, stories to emerge from
HBGary’s email server (a fine example to its customers of how NOT to secure
their own email systems) was a military project – dubbed Operation Metal Gear
by Anonymous for lack of an official title – designed to manipulate social
media. The main aims of the project were two fold: Firstly, to allow a lone
operator to control multiple false virtual identities, or “sockpuppets”. This
would allow them to infiltrate discussions groups, online polls, activist
forums, etc and attempt to influence discussions or paint a false
representation of public opinion using the highly sophisticated sockpuppet
software. The second aspect of the project was to destroy the concept of online
anonymity, essentially attempting to match various personas and accounts to a
single person through recognition shared of writing styles, timing of online
posts, and other factors. This, again, would be used presumably against any
perceived online opponent or activist.
HBGary Federal was just one of several companies involved in proposing software
solutions for this project. Another company involved was Booz Allen Hamilton.
Anonymous has been investigating them for some time, and has uncovered all
sorts of other shady practices by the company, including potentially illegal
surveillance systems, corruption between company and government officials,
warrantless wiretapping, and several other questionable surveillance projects.
All of this, of course, taking place behind closed doors, free from any public
knowledge or scrutiny.
You would think the words “Expect Us” would have been enough to prevent another
epic security fail, wouldn’t you?
Well, you’d be wrong. And thanks to the gross incompetence at Booz Allen
Hamilton probably all military mersonnel of the U.S. will now have to change
their passwords.
Let it flow!
/*******************************************************************************
*** INVOICE ***
*******************************************************************************/
Enclosed is the invoice for our audit of your security systems, as well as the
auditor’s conclusion.
4 hours of man power: $40.00
Network auditing: $35.00
Web-app auditing: $35.00
Network infiltration*: $0.00
Password and SQL dumping**: $200.00
Decryption of data***: $0.00
Media and press****: $0.00
Total bill: $310.00
*Price is based on the amount of effort required.
**Price is based on the amount of badly secured data to be dumped, which in
this case was a substantial figure.
***No security in place, no effort for intrusion needed.
****Trolling is our specialty, we provide this service free of charge.
Auditor’s closing remarks: Pwned. U mad, bro?
We are Anonymous.
We are Legion.
We are Antisec.
We do not forgive.
We do not forget.
Expect us.
Pingback: Craig Murray » Blog Archive » Bent Cops on Parade | cops
Darrin,
Wasn’t it a guy in HBGary who was proposing how to smear Glenn Greenwald and others who supported Wikileaks? And didn’t the guy have to leave the company (when the whole scandal broke) after bragging about how he’d cracked Anon’s identities? And Anon hacked him instead?
.
Or have I got that all backwards?
Okay, fair enough Clark. I see you were doing the opposite of what I had mistakenly assumed you were doing and I apologize. And of course I think you are right that a free-for-all hacking of private email addresses is not something to encourage.
“I’m not defending Murdoch, I’m asking what is different in the case of these anonymous hackers. In other words, what makes their behaviour any more justifiable?” – Angrysoba
.
Good question. I sympathise with Anonymous, so I have to ask myself the same. In both instances the law was broken.
.
Here is how I come to terms with my ‘hypocrisy’. Other posters have pointed out that although the technical crime is the same, the intended consequences are very different. I agree with this. Consider these three cases: speeding with the intent of running someone over, speeding for fun, and speeding to get a sick person to hospital in an attempt to save their life.
.
I also think there is a more important distinction. The role of the media is critical to the functioning of our society, in the way that anonymous hackers are not. Democracy is meaningless without properly functioning news media. For example the following words are attributed to Thomas Jefferson: “I would rather live in a country without elections than in a country without newspapers”. To illustrate with a simple thought experiment – what use is a ballot paper if one has no way of getting accurate information about the choices that are printed on it?
.
I think we all agree that the consequences of Murdoch’s illegal activities are likely to be negative overall for us. As for those of Anonymous, it is less clear but I suspect the consequences to us are mostly positive.
Glenn Greenwald, Feb, 2011:
.
“Last week, Aaron Barr, a top executive at computer security firm HB Gary, boasted to the Financial Times that his firm had infiltrated and begun to expose Anonymous, the group of pro-WikiLeaks hackers that had launched cyber attacks on companies terminating services to the whistleblowing site (such as Paypal, MasterCard, Visa, Amazon and others). In retaliation, Anonymous hacked into the email accounts of HB Gary, published 50,000 of their emails online, and also hacked Barr’s Twitter and other online accounts.
.
“Among the emails that were published was a report prepared by HB Gary — in conjunction with several other top online security firms, including Palantir Technologies — on how to destroy WikiLeaks. The emails indicated the report was part of a proposal to be submitted to Bank of America through its outside law firm, Hunton & Williams. News reports have indicated that WikiLeaks is planning to publish highly incriminating documents showing possible corruption and fraud at that bank, and The New York Times detailed last month how seriously top bank officials are taking that threat. The NYT article described that the bank’s “counterespionage work” against WikiLeaks entailed constant briefings for top executives on the whistle-blower site, along with the hiring of “several top law firms” and Booz Allen (the long-time firm of former Bush DNI Adm. Michael McConnell and numerous other top intelligence and defense officials). The report prepared by these firms was designed to be part of the Bank of America’s highly funded anti-WikiLeaks campaign …”
.
Continues:
http://www.salon.com/news/opinion/glenn_greenwald/2011/02/11/campaigns/index.html