FBI Password Database Compromised by Consultant
LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.)
"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."
Nothing for you to see here. Please move along.
Indeed... in-deed...
The space unintentionally left unblank.
These are the people protecting me from terrorists? Scary, very scary.
s/comprised/compromised
I aim to misbehave.
Are you sure it's not "Trinity", instead????
So we charge the consultant, send him through the legal system, etc. Are we also going to do something to prevent this from happening again, like educating agents not to give out their username/password or allowing the kind of access this guy was able to get?
Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. Then he used another program to crack the passwords by using dictionary word comparisons, lists of common passwords and character substitutions to figure out the plain text passwords.
... which program are they speaking of that would extract "hashes"?
Didn't you get the memo? Don't use god, love, sex, or secret. Also
Keeping us safe from harm. We should not look at this as a breach that affects Americans, it did not say anything about him accessing things like the NSA database on Americans etc... It just affected the Witness Protection program right? That doesn't matter, because he was a good guy and only doing it to do good work on the system easier.
And he was caught too, so crisis averted, everyone told us they caught him and there have never been similar attacks before!
I feel completely safe with my information knowing that they are out there keeping an eye even on those doing such things altruistically.
If you don't vote, you don't matter, so don't waste your time telling me your opinion
Slashdot Burying Stories About Slashdot Media Owned
re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents.
Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.
The FBI's Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office. While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase -- a software system called the Virtual Case File -- was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel."
I need to check the Government Accountability Office more often. It's good to know we're spending 1 billion dollars to fund a, most likely, failed attempt at secure computing for the FBI. Doh.
Now all we have to hear is that his laptop got stolen before he was caught.
Geeze, my sister could even run l0phtcrack. Can't give him much credit here.
Really, seriously, you do not crack passwords to get your work done. You crack passwords to ensure site security if it is part of your job description, but you do not use those accounts to get work done. Cripes.
-- dieman - Scott Dier
Employers need to be more careful about whom they hire and what their employees are doing. Even the members of
Information wants a fueled airplane waiting at the hangar and no one gets hurt.
Coming soon.. laws outlawing common dictionary password cracking tools and similar security tools.
I can't believe that they don't even have some sort of verification that the passwords aren't common things. Heck even here, when you try to change your passwords everywhere there are so many restrictions that it can't be a dictionary word or easy to guess. Simple rules:
- at least 1 CAP letter (means at least 1 letter)
- at least one symbol (@#.,& etc.)
- at least 1 number
- at least 8 chars long
How hard is it to enforce this?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
comprise, to be made up of. If the database is comprised of a consultant, that would be a person in a box who must respond to password queries very quickly.
Compromise, to reach a middle state between two conflicting positions. Like secure, and wide f'n open. If your database was secure and someone compromised it, then it's not so secure any more.
The title was more interesting when I thought we were boxing up consultants and replacing computers with them.
-theed
See what happens when you don't give a consultant the access he needs? He goes out and gets it himself!
Note to FBI: maybe outsourcing some things is not such a good idea.
GetOuttaMySpace - The Anti-Social Network
We've probably all been there where company politics were causing more harm than good. "Welcome to work, you have 3 days to do X but it will take you 2 days to get clearance to logon." I can sympathize with the guy and I myself have used similar tactics to get access to do my job. Nothing like password cracking but I've still gained access when I wasn't supposed to. In some cases "Don't ask, don't tell" works, you just have to be smart about it and know how far you can go. But especially not when you're working for the government! You don't mess around with government security (and I use that term lightly) to get your job done. You're going to get caught and they will prosecute you. At least this guy was smart enough to work out a plea.
What position was the agent in that had access to this database? I mean sure he had high clearance, but not everyone with high clearance should have access to the password database... what kind of security are they running here?
If he really was in a valid position to need access to it, then they definitely need to screen the mental abilities of people they give sensitive positions more carefully - any halfway decent sysadmin knows not to give their password out.
Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?
Would it have been so easily cracked if everyone had a 10+ character password that was truly strong, even if it was only changed once a year or never?
Is there an argument for password systems including a dictionary attack test phase for new passwords that if the new password fails, the user has to change it again?
And maybe when data is really important, they might wish to utilise some other form of identification besides passwords. Certainly witness protection details should be far more protected. A biometric system, fingerprints are the easiest to implement these days without much cost, in addition to the password...
Of course the consultant had an 'in', as he was consulting for them. Some minor social engineering and they're all letting him access the systems, bypassing proper procedure.
In the end, there's no excuse for data this important being accessed illegitimately like this. Security measures should be in place, access procedures should be in force, restrictions on data movement from secure to insecure should be enforced. Yet we see it every week - laptop stolen with confidential data on, unencrypted, open, in a file on the desktop probably called "Social Security Database.xls" or "List Of Witnesses On Protection Program, Do Not Show To Criminals Who Will Pay Good Money For This.doc".
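A password-set-time check of the kind the two posts above ask for (the four composition rules listed earlier in the thread, plus a dictionary test phase that rejects the new password before it is accepted), as an added example; this is not code from the thread or from any FBI system. It assumes the cracker's mangling rules are the usual ones (leet substitutions, digits and symbols bolted onto either end, case changes) and undoes them before comparing, so "P4ssw0rd1!" is rejected even though it satisfies all four composition rules. WORDLIST is a small constructed stand-in for a real dictionary; the username argument is there because "username plus 1" is a favourite the thread also mentions.

```python
"""Password-set-time check: composition rules plus a dictionary test.

Added example, not the thread's or any FBI code. The composition rules are
the four a poster listed; the dictionary test normalises the candidate the
way a cracker would mangle it before looking it up.
"""
import string

# Reverse of the usual leet map, so "p4ssw0rd" normalises back to "password".
UNLEET = str.maketrans("4310$@", "aeiosa")

# Constructed stand-in for a real dictionary / common-password list.
WORDLIST = {"password", "secret", "kitten", "sentinel", "trilogy",
            "welcome", "summer", "letmein"}
MIN_LENGTH = 8


def composition_problems(password: str) -> list:
    """The mechanical rules: length, upper, lower, digit, symbol."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


def normalise(password: str) -> str:
    """Strip the decorations users add to satisfy composition rules.

    Runs of digits/symbols at either end are removed first (so "Sentinel06"
    keeps its 'o' intact), then leet characters are mapped back and case is
    dropped, leaving the core a cracker's mangling rules would start from.
    """
    core = password.strip(string.digits + string.punctuation)
    return core.translate(UNLEET).lower()


def dictionary_problems(password: str, username: str, wordlist=WORDLIST) -> list:
    problems = []
    if username and username.lower() in password.lower():
        problems.append(f"contains the username {username!r}")
    core = normalise(password)
    if not core:
        problems.append("nothing but digits and symbols")
    elif core in wordlist:
        problems.append(f"is the dictionary word {core!r} once mangling is undone")
    elif core[::-1] in wordlist:
        problems.append(f"is the dictionary word {core[::-1]!r} spelled backwards")
    else:
        # Longest embedded word first; very short words would match almost anything.
        for word in sorted(wordlist, key=len, reverse=True):
            if len(word) >= 4 and word in core:
                problems.append(f"contains the dictionary word {word!r}")
                break
    return problems


def check_password(password: str, username: str, wordlist=WORDLIST) -> list:
    """Return the reasons to reject; an empty list means accept."""
    return composition_problems(password) + dictionary_problems(password, username, wordlist)


if __name__ == "__main__":
    for user, pw in [("asmith", "kitten"), ("bjones", "P4ssw0rd1!"),
                     ("cdavis", "Sentinel06"), ("ddavis", "Ru8!kq2$Lmz")]:
        verdict = check_password(pw, user)
        print(f"{user}: {pw!r} -> {'OK' if not verdict else '; '.join(verdict)}")
```

The order matters: stripping the bolted-on digits before un-leeting keeps a trailing "0" from being read as an "o", which is exactly the sort of off-by-one that lets "Sentinel06" slip past a naive check.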
Hmmm, apparently the FBI password database was made up from a consultant. I wonder if someone possibly meant compromised? Keep up the good work, Timmy. You deserve a raise!
This guy's the limit!
And the FBI chief's password was: 'JEdgarTransvestite'.
Bad, bad choice.
Serving your airship needs since 1995.
even have access to much of that data. Just cause he is top dog does not in any way mean he should have access to the witness protection records. He doesn't need to know that information, and if he does he should have to go through the proper channels. This is exactly why.
In many cases, the higher up the person, the LESS data they need from the computer systems.
The phrase "more better" is acceptable English. suck it grammar Nazis
Good thing this guy pleaded guilty. Otherwise, someone might ask uncomfortable questions, like why FBI agents were active participants in this criminal act. The whole problem would have been averted if someone didn't give their username and password to this guy.
Of course, the whole thing could have also been averted if normal users didn't have access to the password file. The Unix world figured out that shadow password files are a good idea a long time ago. Too bad the wisdom there hasn't caught on.
One thing everyone should know when working for a large organization is that they have policies for everything because they assume everyone is dumber than paste. The up side of this as a consultant is that you can bill a week for 30 minutes of work because there's a week of paperwork needed before you can perform any task. This guy tried to get things done more efficiently by sidestepping the boundaries. Small companies can respect that kind of attitude, but not the government. That kind of behavior results in lower billings to the government, and that is unamerican.
Jumping through hoops, as silly as they may be, is an important part of any technical job within a large organization.
Colon claimed that he did this because he was tired of having to seek bureaucratic authorization for every last task, including adding printers. Having worked with government agencies before, I can say I understand his frustration. But his later justification was priceless:
Okay, so: getting authorization was onerous, so he asked for permission from agents in the Springfield office to forge their superiors' credentials in order to speed up the process. And they gave it to him.
Did you get that? I was originally gonna boldface the best parts, but I couldn't decide where to start.
1. The contractor, fed up with an onerous and ridiculous authorization process,
2. asked for permission from FBI officials to crack their superiors' passwords,
3. and the FBI officials in question said yes.
Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?
Been charged with illegal access? He apparently used a brute force cracking script to compromise the database he had tentative access to. If he needed greater access, he would have had it. The article is, at best, lacking in solid information. At least to me it is.
Regular access audits would have picked this up much sooner. End of story. By hanging this poor bastard out to dry, they've basically exposed even more lack of security.
I call for this every time something like this gets published , and I'll call for it again :
We need (real) IT professionals in Congress, they need to form an oversight committee, and they need to have pretty much unrestricted access to most systems so they can be effective.
These holes have *got* to get plugged. It's not only embarrassing, it's media porn and it's going to encourage hacks that *do* result in something bad happening.
Nimrods.
not... allowing the kind of access this guy was able to get?
Granted, user education is always a great idea and by far the most important aspect of social engineering attacks, how do you propose access be disallowed?
Where is the line drawn between making data available to those who need it and making it so hard to get that it is never accessed?
I bet it was Administrator Password
What, like due-process, warrants, and legal considerations?
So FBI agents just stand around while he illegally accesses everything he's not supposed to so it can make their jobs easier? If there were actual agents standing around thinking this was good, we're in deep doo-doo, because they have now taken the stance that if they subcontract the illegal stuff, they're all good.
Yikes!
Lost at C:>. Found at C.
Cuba, here you come! viva la revolucion!
I'd think that the FBI could afford to implement two-factor authentication for its employees.
My hovercraft is full of eels
That at least he didn't compromise any email accounts.
Friends don't let friends line-dance.
Username: fmulder
Password: uf0s4ever
Yes Francis, the world has gone crazy.
Hasn't this type of attack been taken care of by the introduction of salts and spices :-D. FBI needs to update their software!
So one hash file gives him access to all FBI records, including the most sensitive? No offense, but why aren't the most sensitive of services protected by isolating them in a separate system? Compromising the witness protection program could endanger the lives of everyone protected by it, and just the ideas that it might be compromised could reduce the chances of people helping the FBI and testifying.
Isn't witness protection data Need To Know? Why would the FBI director Need To Know anything at all at a moment's notice from his desktop PC? It would make much more sense to have a separate system, and have him walk down the hall, ask someone to retrieve what he needs, and maybe get ONE record made available for a limited time.
I'm not trolling or anything. Seriously, can someone suggest scenarios whereby immediate, free access to that data is valuable, especially by people who don't already know whether you or I are in the program?
It doesn't hurt to be nice.
To be honest this type of thing does not really surprise me with the government's current track record
I love to deploy my packages
Forcing one's boss to do something is terribly difficult. You generally need support from your boss' boss. When they're both high-level political appointees, it's that much harder. Not saying you're wrong, just saying that it's not always possible. Generally easier (and better, imho) to teach him, give him some sort of appreciation of the pile of excrement he can wind up in if he doesn't.
As for two-factor, I know VA is moving towards it (and was before the whole laptop debacle). Might be fed-wide. Hopefully this will light a fire under it.
Dare to Hope. Prepare to be Disappointed.
This is one of the most intelligent comments in this thread. If the article is correct, it's pretty clear that the FBI isn't even making an attempt at following basic rules of security that have been well known since long before the FBI even existed...
The universe is a figment of its own imagination.
"Don't trust your users" Really, this is the same logic as: "Don't trust your citizens" in another scenario, not a good conclusion IMO.
Don't allow *any* users onto a government computer system at all.... until after they undergo training to teach them how to create strong passwords and exercise basic good-sense when it comes to computer security from a user's perspective. Make them take a written test and obtain a certificate that entitles them to obtain a logon account. Require periodic re-training and re-certification to maintain the privilege of computer access... and YES, make it a privilege not a "right". Revoke permanently their computer access privileges when they fail or demonstrate lack of competence or commit an act of negligence. If they can't do their job without computer access, then that's just tough. Too bad. Sucks to be them. You don't think a commercial aircraft pilot gets to continue their job (flying passengers or cargo for compensation) if he flouts or violates the FAA's rules do you? Nope, they lose the privilege of access to something that's vital to their ability to earn a living in their career and are forced to do something else for income. Computer security needs to be considered equally as important as that. The punishment for having a careless or cavalier attitude towards proper security needs to be damned harsh.
It's really been standard practice on even minimally secure systems for decades. So I doubt the system concerned can be very important.
What the contractor should have done is to increase his rates when waiting around for permissions. You may well hate the bureaucracy but at least you're then being well paid for it.
When I was in university the admins had a program on one of the linux labs that would try to crack /etc/shadow and if it found a password it would email you saying that your password wasn't secure. I don't remember if it gave a hint about what your password was but it definitely made you think twice about using a weak password someone can crack so easily.
It's scary the FBI doesn't even do these kinds of simple audits
The best test environment is production. - Me
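The audit described in the post above (the university admins' run against /etc/shadow) and in the earlier suggestion to drop expiry and run a dictionary attack against your own users instead, as an added example; this is not the thread's code, nor anyone's actual tool, and it is also, stripped of the mailing step, the attack the story describes. It assumes an unsalted MD5 hash file in user:hash form, which is what the thread infers from a plain dictionary attack succeeding; the hash file, the word list and the plaintexts behind it are constructed here, and the mangling rules are a small subset of what tools like John the Ripper or l0phtcrack apply.

```python
"""Offline dictionary audit of an unsalted MD5 password hash file.

Added example, not code from the thread or the FBI. The sample hash file is
constructed in this module; a real audit would read the dumped file instead.
"""
import hashlib

# Leet substitutions: only a, e, i, o are rewritten, so "secret" -> "s3cr3t".
LEET = str.maketrans("aeio", "4310")
# Suffixes users bolt on to satisfy "must contain a digit/symbol" rules and
# 90-day rotation ("06", "2006" are the rotation tells).
SUFFIXES = ["", "1", "123", "!", "06", "2006"]


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield the candidate passwords derived from one dictionary word."""
    seen = set()
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in bases}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            cand = base + suffix
            if cand not in seen:
                seen.add(cand)
                yield cand


def parse_hash_file(text: str) -> dict:
    """Parse 'username:md5hex' lines into {username: hash}; skips blanks/comments."""
    db = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        db[user] = digest.lower()
    return db


def crack(db: dict, wordlist) -> dict:
    """Return {username: plaintext} for every hash a mangled word list hits.

    Each candidate is hashed once and compared against *all* users at once:
    with unsalted hashes the cost does not grow with the number of accounts,
    which is what makes a leaked unsalted database so cheap to attack.
    """
    by_hash = {}
    for user, digest in db.items():
        by_hash.setdefault(digest, []).append(user)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            for user in by_hash.get(md5_hex(cand), []):
                found[user] = cand
    return found


# Constructed sample: plaintexts chosen to exercise each rule. None of these
# are real accounts or real passwords.
SAMPLE_PLAINTEXTS = {
    "asmith": "kitten",          # bare dictionary word
    "bjones": "Secret1",         # capitalised + digit appended
    "cdavis": "p4ssw0rd",        # leet-speak
    "ddirector": "Sentinel06",   # project name + rotation suffix
    "eevans": "xq7!Rv$2pL",      # random; outside the rule set
}
SAMPLE_HASH_FILE = "# user:md5\n" + "\n".join(
    f"{u}:{md5_hex(p)}" for u, p in SAMPLE_PLAINTEXTS.items())
WORDLIST = ["password", "secret", "kitten", "sentinel", "trilogy",
            "fbi", "god", "love", "sex"]

if __name__ == "__main__":
    hits = crack(parse_hash_file(SAMPLE_HASH_FILE), WORDLIST)
    for user, pw in sorted(hits.items()):
        print(f"{user}: weak password {pw!r}")   # the admins' script would mail this
```

Four of the five constructed accounts fall to a nine-word list, and the rotation suffixes are what catch the "Sentinel06" style of password that 90-day expiry tends to produce.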
chrome://browser/content/browser.xul
Don't trust your users, especially if they're government agents. So, we shouldn't trust Government Agents? That's a new one
"Don't trust your users, especially if they're government agents."
Fuck you.
Now, on with our story.
Many years ago, I was interviewing for a position at an up-and-coming online store.
During the interview they showed me their database. In it, there were the CC numbers, names and expiry dates of all credit card transactions (thousands of them), unencrypted.
Anybody, at any time, could have downloaded that information to floppy and walked out.
It was a sweat shop, with 2 programmers per card table (yes you read that right), sitting on metal fold-out chairs. Some people brought their own office chairs from home. All of which would have been fine if they offered shares, or high pay, or something. Needless to say I passed on the job.
I do know that they have since changed their database, and most of their programmers.
The Kruger Dunning explains most post on
The FBI illegally obtains our information, why can't we illegally obtain theirs?
Haiku for you!
Sure, complaining about the users is easy and a favourite geek pastime, but how about educating the programmers before we let them loose on something that important?
The classic newbie mistake is thinking, basically, "I know, I'll take the password as it is, run it through MD5 and store the hash. It's uber-secure because it's MD5, right?" Turns out: wrong. An attacker can, yes:
1) download a program that will try every word in the dictionary until it finds a match, like this guy did. (And it _will_ find a match. There'll always be someone who took a password like "kitten" or "sex" or whatever, no matter how much you tried to educate them.) Or, better yet,
2) use so-called "rainbow tables" which are basically key-value pairs. The key is a hash value, and the value is one password that's known to hash to the key. Hackers have been building such tables for a long while, so there are a _ton_ of passwords which can be instantly un-hashed. It doesn't matter if the user's password is "kitten" or "1+l0v3+b00b13z". If that password has been harvested once (e.g., he's also used it on some warez site), it can be de-hashed for ever after by a simple lookup.
So what smart programmers do is "salt" the password first. Add some arbitrary value before MD5-ing it. E.g., add the hash of the user name at the end of the password, _then_ MD5 it. Add your program's name. Whatever.
Yes, it's "security by obscurity", because essentially you rely on an attacker not knowing what you've salted the passwords with. But it tends to work nevertheless. A generic de-hashing program downloaded over the net can run through a dictionary all it wants, and it still won't decrypt your passwords unless it was created for exactly your salting method. Ditto for rainbow table lookups.
Basically, seriously. Before picking on the users, I wish someone educated their programmers about even the basics of security. If this guy could pull this stunt, then chances are so could anyone else having any access to that building. So there is no excuse to have such vulnerabilities. Did anyone even do a security review there?
A polar bear is a cartesian bear after a coordinate transform.
Sure does sound like the attitude that employees "suck" created the circumstances in which this little exploit was possible in the first place. First and most obvious example: 90-day renewal policies on passwords only make your passwords more likely to be crackable, because people are choosing passwords they can more easily remember. That's exactly the sort of corrosive pressure that'll make otherwise security-conscious employees try to cut corners just to get their jobs done.
Technical support people develop the attitude you're showing when they've been in environments where the users are constantly pressuring the security mechanisms. The underlying problem isn't the users. FBI employees in general are as dedicated as anyone to their jobs. It's the security model that sucks; they perceive it, eventually, as one more obstacle to work around.
Now, if you want to ask some hard questions about why a consultant is in anything like a sensitive position, then I will be entertaining this "sucks" conversation. Again, it's gonna be a conversation about any system that requires consultants instead of full time employees for something like law enforcement on this level.
"Fundamentalism" isn't about divine morality. It's about human authority.
You missed the most common one: password. But I guess I can't blame you since I don't think it was mentioned in Hackers. Probably because it would have jeopardized national security or something.
Also a lot of people just use their usernames as passwords, as long as the system allows it. Maybe tack on a 1 on the end.
It's really sad that the FBI isn't using a simple salt on their stored passwords. This "hacker" was only able to get his hand on the hashed passwords, so his dictionary attack would only work if the passwords were stored unsalted. That's ridiculous. Hell, MediaWiki salts passwords by default ... the FBI can't do it?!
Cyde Weys Musings - Scrutinizing the inscrutable
He used this access to "bypass bureaucratic obstacles" Such as: being employed. asshat.
He should have published the passwords. Then he would have constitutional protections, right? I mean, he's only exposing the insecure nature of FBI passwords.
-K
Who in the world *still* thinks that any data on any database is actually "safe"?? I've given up on this fairy tale long ago. Get real...if your info is stored somewhere/anywhere in some system, it is not, nor ever will be, secure.
Get over it...
never bring a twinkie to a food fight.
1) Use Password Safe. Now you need to remember 1 strong password. Or two, depending on paranoia.
2) How to create an easy to remember strong password.
You can do this by pulling out obscure facts from your life. example.
My childhood dog's name was 'Toby'
The first time I had sex, my partner's name was 'Mary'
My childhood street was 'Parakeet'
switch o to 0; and e to 3
Type them backwards.
Add a character to change at the end.
yb0TyraMt33karaPa
there you go.
FBI123
CTRL-F "Mulder" NOT FOUND This thread fails.
Maybe the FBI needs their own private Wiki.
The author wrote: "Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents." No. The lesson here is that those of us in the infosec business need to learn that, like it or not, the line where "hacking" becomes illegal is now 100% determined by people that are not IT-savvy and who are very, very serious about what they are trying to protect. It sucks, but we have to get used to it because our people are already going to prison for misunderstandings just like this. I'd say that if you're living in the US or Europe or certain parts of Asia, and you're doing ANYTHING slightly questionable to someone else's computer that is also in one of those places, you'd better realize that you're opening yourself up to all that the criminal justice system has to offer, including prison, house-arrest, parole, etc.
--tcpiplab
"1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Trilogy for immediate departure - and change the combination on my luggage!
Custom electronics and digital signage for your business: www.evcircuits.com
Now a truly secure password is something like "h3$xF1@", but memorizing those is very hard on a standard user group. But for an account that has a high level of access, it should be mandated that passwords be like that (i.e. mix of upper case, lower case, numbers and symbols with no words or l337 speak).
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
I'd like to know why specifically he felt he needed these passwords to get his job done. It probably says a lot about why this project has cost half a billion dollars already.
My guess would be that it has something to do with not having a proper development environment with adequate test data. I could see this become a problem if they were expected to test this new system against their existing production user database.
This fella sounds like a scapegoat for a badly managed IT project.
He did something stupid like that to make his job easier?? All those obstacles he didn't like would have just taken more of his (billable) time! What right minded consultant doesn't LOVE things that take more time??? Bah. Wannabe.
This guy not only cracked his employer's passwords (many of whom probably have high security clearance), but he actually logged into them routinely and used them as part of his workflow for nearly a year. Hello?
Compare that to the clearly less harmful actions of Randal Schwartz, who went gray-hat (one time, without using the logins, as a security warning). Three felony convictions and a rather severe sentence.
Where is the torrent? Information wants to be free, you know.
Don't fight for your country, if your country does not fight for you.
I'll write the damn thing on a post-it note and attach it to the back of my monitor
You know, it's just as easy and more secure to put it in your wallet or wherever you keep your credit cards. That way there is at least a little physical security, and you'll know if it is compromised.
A house divided against itself cannot stand.
This is not only the case in the FBI. I worked for the RCMP as a student and I was responsible for maintaining computers. In order to reinstall Windows on an officer's computer I would have to
1. Submit a ticket to uninstall software
2. Install Windows
3. Submit a ticket to allow the computer to connect back to the internal network
4. Submit a ticket for each new application I would have to install
Now the officers had tons of applications they needed and each ticket was directed to an IT department that would take about half a day to respond. After the first week I just watched the IT guy type in the password and after that fresh installs took about 30 minutes as opposed to 3 or 4 days. Yeah I broke the rules but I was known as the fastest student in the office after that.
On the subject I HATE tickets. I now work in an office where the IT department is next door but in order to get a computer problem fixed I have to call the National Service Desk, then they contact the IT and then they come. Such a waste of time!
There are many possibilities, but they all boil down to three things: (a) users were granted rights that they not only did not need, they could only meaningfully use for malicious purposes, (b) technicians were NOT granted rights they needed to do their work, and (c) the FBI are probably not using Government-mandated standards for OSes or data security.
That last one is inferred from the fact that there was no meaningful auditing and no meaningful access control barring users from reading the password file. If there's no real auditing and no access controls, the OS should not be certifiable under the Common Criteria, if I understand the requirements. If the OS is not CC-certified - formerly Orange Book certified - then the OS is not authorized for Government work. The Government also has rules barring a network from carrying both classified and unclassified material, which may also have been violated.
Right about now, I would imagine that the NSA (which scrutinized a lot of this stuff) is probably having a quiet word with the FBI. In any other year, they'd probably (ok, hopefully!) be in for a full-blown audit, but this is an election year so the rules are very different. Nobody is going to publicly do or say anything that shows the Government is incapable of following its own (minimal) procedures.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Sometimes, you're hired to do a job, and not given the privileges necessary to do it, but you must do it anyway.
I expect a normal person would have simply shouted insults at their superiors and walked away from the job if they were put in this sort of stupid hopeless situation, rather than commit a number of serious felonies like this guy did.
I keep hearing that the US government favors Sun and their hard/soft -ware big time. So can I conclude that they are just stupid and (which seems pretty common) "know best how to run their business"?
I mean, just take a look at a random outdated workstation and you'll notice it has an embedded cardreader. Solaris also has native support for this kind of security measures and what's more; even their object oriented language which is always mentioned with regards to stability and security has full support for keycard authentication. So, where did they go wrong?
For those who are not intimately familiar with contemporary password technology, this is how it works. When you specify a password, the string gets hashed and stored in a file, usually accessible only by the superuser (eg. root.) When the user then tries to login, the supplied password is hashed and checked against the hash stored on the system. "Salting" the password means to append a random value to the password, before it is hashed. Naturally, this value has to be stored unhashed with the hashed and salted password to enable a hashing and comparison to take place during the authentication process. This defeats (or, in theory, makes harder) a precomputation attack where you precompute hash values for all strings (eg. rainbow tables). It does not, however, defeat _dictionary attacks_, where you have a wordlist with probable passwords and try every password against the password hash list you have managed to acquire using the same procedure as during authentication. (For those who now think "well, duh", just move along, nothing to see here...)
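The distinction the post above draws (salting defeats precomputed tables but not dictionary attacks), together with the earlier posts on unsalted MD5 and rainbow tables, as an added example; this is not code from the thread or from any FBI system. It keeps the same constructed accounts in two stores: unsalted MD5, which is what the thread infers the FBI hash file was, and PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt stored in the clear beside the hash, as the post says it must be. Names, record format and ITERATIONS are assumptions for the demo; ITERATIONS is deliberately low so the script runs in well under a second.

```python
"""Per-user salting: what it stops (precomputed tables) and what it does not (dictionary attacks).

Added example, not the thread's or the FBI's code. Accounts and word list are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 20_000  # demo value; production deployments use far more


def unsalted_record(password: str) -> str:
    """What the thread assumes the FBI stored: one MD5 of the bare password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """'$'-separated record: algorithm, iteration count, hex salt, hex hash.

    The salt is random per user and stored unhashed: the verifier needs it to
    repeat the computation, and it need not be secret to do its job.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table(wordlist) -> dict:
    """Rainbow-table stand-in: hash -> password, built once, reused against every dump."""
    return {unsalted_record(w): w for w in wordlist}


def table_attack(db: dict, table: dict) -> dict:
    """One dictionary lookup per user and no hashing at attack time at all."""
    return {user: table[h] for user, h in db.items() if h in table}


def dictionary_attack(salted_db: dict, wordlist) -> tuple:
    """Replay each user's stored salt: still works, at len(users) * len(wordlist) KDF runs.

    Returns ({user: password}, number of KDF computations performed).
    """
    found, work = {}, 0
    for user, record in salted_db.items():
        for word in wordlist:
            work += 1
            if verify_salted(word, record):
                found[user] = word
                break
    return found, work


# Constructed accounts and word list; nothing here comes from any real dump.
ACCOUNTS = {"asmith": "kitten", "bjones": "Secret1", "cdavis": "kitten", "ddavis": "xq7!Rv$2pL"}
WORDLIST = ["password", "secret", "kitten", "Secret1", "letmein"]
UNSALTED_DB = {u: unsalted_record(p) for u, p in ACCOUNTS.items()}
SALTED_DB = {u: salted_record(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted, table lookup:", table_attack(UNSALTED_DB, table))
    print("asmith and cdavis share a hash:", UNSALTED_DB["asmith"] == UNSALTED_DB["cdavis"])
    print("salted, table lookup:", table_attack(SALTED_DB, table))
    found, work = dictionary_attack(SALTED_DB, WORDLIST)
    print(f"salted, per-user dictionary: {found} after {work} KDF runs")
```

Two things the run makes visible that the prose only states: two users with the same password get identical unsalted hashes (so cracking one cracks both and the duplicate is itself a leak) but different salted records, and the salted store costs the attacker one KDF run per (user, candidate) pair instead of one lookup per user, which is the whole point of combining a salt with a deliberately slow hash.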
Look up the case of Randal Schwartz (author of perl books) many years ago.
He was convicted and sentenced for something very similar.
the network was subject to a colostomy!
Wow, I feel almost privileged to have been turned down for a job with these kinds of people. I've always thought it was a compliment when stupid people think *you're* stupid.
In this case, the stupid rules and procedures were the ad hoc ones implemented by Mr. Colon. He illegally bypassed the established security rules and regulations in favor of ones he deemed more efficient. His transgression revealed only the stupidity of his personal rules, not those of the FBI.
damaged by dogma
While I agree with the parent (and the existing siblings to this post) that unless it is your job to "put stress on the system" and "test the limits" (officially) then it's unethical to do so (even if you "have the approval of your coworkers/peers", etc.), this is a prime opportunity to point out to businesses the value of periodically taking the proverbial step back and critically evaluating their procedures and policies for inefficient, obsolete, conflicting, or downright counterproductive practices and directives. Human nature being what it is, if a policy or practice doesn't seem to have any value (or, worse yet, it seems to "cost" an employee "more" to follow it than to circumvent it) sooner or later someone will figure out a way to cut that corner for reasons that range from collecting the "brownie points" awarded for being the "guru" who figured out how to "streamline" the process all the way to the guy who legitimately believes (correctly or otherwise) that his job really does depend on getting that extra little thing done. I've seen it. We've all seen it.
Situation: Contractor entrusted with compiling "the numbers" on "that important account" is involved in an accident (yup, you guessed it) the morning of "the big presentation." Oh, but all her work is (by company policy) safe and sound on the server instead of on her (now smashed) laptop. Great! Just one little problem: nobody knows her password, and (also by company policy) access to anyone's server-side account other than the person to whom that account is assigned is strictly verboten! No "emergency plan" exists to cover such a contingency, and the critical hour (minute) fast approaches.
Solution: A quick call to IT (from the contractor's manager's phone) went something like this: "Hey, Suzy Q's password needs to be reset; her account's locked out. You want me to just tell her the password is 'password' and she needs to change it the first time she logs in? No problem. Yeah, and I'll see to it the password-reset form gets done and drop it off to you ASAP; I know you gotta cover things on your end. Thanks!" Almost five whole minutes, and the "company policy" that was no doubt pored-over for hour upon hour by some of the finest administrative (and legal) minds in the company's employ was artfully dodged by "just some dude." I think one of us asked the guy if he felt bad about lying to the person in IT, and his response was that he didn't lie; the account was locked-out (after he had tried to guess the password three times...) so the password did need to be reset and as soon as he saw "Suzy Q" he would be sure to tell her what her new password was! Unethical? Yup. Sneaky? Yup. Effective? Yup. The presentation was retrieved, the account was saved, and the world continued to revolve. A simplistic example, sure, but [insert "slippery-slope" analogy here]...
I'm not saying I condone it and I'm not saying I'd do it, I'm just saying you've got to be stupid to think you can throw obstacles in front of motivated people and they won't figure a way to avoid them, and it's wise to occasionally evaluate whether or not we're doing just that.
This space intentionally left (almost) blank.
That was your tax dollars at work.
Here's a thought:
Protected witnesses in Iowa start dying. You don't know why, but suddenly you want to notify all protected witnesses in Iowa or any neighboring state, and perhaps relocate them.
You could spend 30 seconds crafting a query in some database to do this, or you could have 20 flunkies sifting through your paper files - and each flunky is a security risk.
Paper is irresponsible for any data you might actually need to do anything with. This information should be in a database that is not connected to anything except when access is needed.
My amazing wife - Artist, Author, Philosopher - Laurie M
Yeah, but lots of agents got new PCs and Dell and Micro$oft are better off.
Just another example of our tax dollars keeping capitalism strong.
Double-Doh!
All an attacker needs is different password generation. For example, you use crack, and the attacker uses John the Ripper with -rules turned on and a bunch of dictionaries you don't bother to collect (such as sports and words from fiction). Indicating that allowing users to gather hashes is the problem, and a more generic analysis of password weakness may be better.
If you need text styles to communicate then you don't have a message.
Another thing: If you think you may be tempted to ever give out your password someday ("just being helpful!"), choose one that would be really embarrassing to share with anyone (except maybe your spouse).
Big98Boob$-311 would work quite nicely!
A post a day keeps productivity at bay.
As we all know, the net upshot of forcing users to change passwords every 90 days is easy-to-remember passwords and/or writing them down. In this case I think it's an even worse policy. If an FBI password is compromised the worst damage is going to happen within a day or two.
I think people mis-quote the original line fairly often? Wasn't it supposed to say, "Information strives to be free!"??
That seems much closer to the truth to me. Any given piece of information, relative to its usefulness to people lacking said information, is liable to be "freed" from its source and spread.
Should all information BE free? No. Should the keepers of sensitive or personal information realize that it has a strong tendency to "leak out" (and take measures to prevent it)? Yep!
In that case, information strives to have a fueled airplane waiting at the hangar and no one gets hurt.
Information wants a fueled airplane waiting at the hangar and no one gets hurt.
I would like to state that this is your lowest-bid tax dollars at work again. State and Federal agencies aren't worried about professionalism or getting things done right. They are worried about having the right paperwork and that you don't step on anyone's toes. Just once I would like to see a professional, well-functioning department in a Gov't agency. BTW I work for a gov't agency.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
IT Consultant: "Mr. FBI director Robert Muller, would you like salt with your hash?"
...as the united flakes government turns... and yes, I'm a taxpaying citizen.
Mr. FBI Director: "uh, are you weird? this is dinner, not breakfast!"
IT: "Exactly! What was I thinking. Would you like me to redact those PDFs or should we let Sally Secretary do it, sir?"
Mr. FBI Director: "Let Sally do it. She can't screw that up like she does my coffee..."
Mr. FBI Director (thinking to himself): "Salt... What a Moron. Does he think I'm an idiot?"
"often times your parents can end up the worst of your enemies" You had childhood issues didn't you? Stop suppressing them and seek help. I have lots of guns, alarms, two loud dogs and I'm a light sleeper. What more can I do? I already shot all my neighbors because they were different than me. I'm doing the best I can without government help.
Set me straight, but doesn't the dictionary attack mean that dictionary words are encrypted and compared to the hash of encrypted passwords? Doesn't that mean you must have the encryption algorithm? If he used standard hacker tools, the algorithm must have been known. Why doesn't the FBI have a unique encryption algorithm for such critical data?
E Proelio Veritas.
is she open or closed source? avoid women with eula's...
it was pretty cute seeing l0phtcrack & samba on the news tonight.
Colon?
Maybe Colon won't be the ONLY one to end up swollen. If he can use common dictionary attacks and gain access to the data the director-level is privileged to, then I wonder if the director and the other (figurative) "assholes" will be swollen, too, after the auditors' auditory beating/trouncing.
(slash image word: sermon)
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
trustno1
Legalize recreational marijuana. Seriously.
I had a problem with my youngest telling people his password. After exhausting every other option, I changed it to "iamadumbbell" and he stopped telling. I suppose there will be a therapy bill for that in twenty years or so.