2011-07-13

Hackers strike at a foe
http://www.economist.com/blogs/schumpeter/2011/07/security-breach-booz-allen-hamilton

ANONYMOUS, a group of “hacktivist” computer-savvy attackers, has already speared a number of big fish: credit-card companies, the church of Scientology, and Monsanto, a biotechnology firm. And the hackers have flaunted their skills by successfully attacking computer-security expert firms, like HBGary.

Its latest victim is Booz Allen Hamilton, a big consulting firm to America’s government, including on cybersecurity, with bigwigs like a former CIA head and a former director of national intelligence on its payroll. Anonymous opposes Booz Allen’s work for the government in the fight against terrorism. This included an alleged plan to fill social-networking sites with “sock puppets”—fake commenters who would spread disinformation. The hackers’ response has been to steal from Booz Allen what it says are 90,000 military e-mail addresses and passwords.

Booz Allen went public in November 2010, and just two weeks ago issued a confident first annual report as a public company. In it, the firm’s boss, Ralph Shrader, wrote “who would have imagined that in a single year Congress would pass landmark healthcare legislation and financial regulatory reform, a major cybersecurity breach would reveal sensitive government secrets, and an exploding oil rig would lead to the worst environmental disaster in US history? Years like this challenge us at Booz Allen Hamilton to do the best work for our clients.” Now the company is on the wrong end of its own "major cybersecurity breach".

This comes after a good year, with $5.6 billion in revenue, 9.1% up on the previous year, and net income growth from $25.4m to $84.7m. In August, the firm's non-compete agreement with Booz & Co expires. Booz & Co and Booz Allen were split apart in 2008 so that Booz & Co could focus on the private sector, Booz Allen on the public sector. Booz Allen is expecting to expand its private-sector work when the agreement expires. So Anonymous’s attack comes at an especially awkward time.

Sitting duck
Booz Allen does not seem to have done its homework—which is somewhat embarrassing for a security contractor working with classified materials. Critics say that it did not protect its servers sufficiently and that it protected stored data with encryption algorithms that can be easily cracked. The firm is also said to have left its databases open to “SQL injection”, a technique in which attacker-supplied database commands are smuggled in through unvalidated user input. Anonymous says that the server it targeted “basically had no security measures in place”.

The stockmarket quickly shook off a small drop in Booz Allen’s share price. The long-term damage to the company—which was still boasting on its website on Tuesday evening that it was “leading the way in helping organisations develop skills for the Cyber Age”—may not be clear until fuller details of the hacking emerge. In any case, there is little doubt that the anxiety will be felt more widely. One executive vice-president at Booz Allen, Mike McConnell, used to run the National Security Agency, America’s electronic eavesdroppers. Hacking the company isn’t quite like hacking the Pentagon or the NSA, but it is not a million miles away, either. Mocking the government’s use of contractors, Anonymous sent Booz Allen an invoice for a “security audit” in the amount of $310. For “media and press” services, the charge was an even $0.00.