FBI Password Database Compromised by Consultant

LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Muller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.) "He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initally gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."

Re:Most Common Passwords

[Martin+Blank]

Just poor wording on the part of the author. Colon may have been provided access to the database by that FBI employee, and used a Perl script or any of several apps that can do their own SQL-connections to pull the data, only part of which would have been the hash.

And just for some additional information for others not familiar with this kind of thing, there are dozens of programs that can do brute-force comparisons. It's also possible that he just used a rainbow table, which are available on (sometimes more than one) DVD for relatively small sums for the comparison. With a few really good computers, or a distributed computing project, it's not terribly hard to build up a sizable rainbow table in a relatively short period of time.