FBI Password Database Compromised by Consultant
LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Muller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.)
"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."
These are the people protecting me from terrorists? Scary, very scary.
Really, seriously, you do not crack passwords to get your work done. You crack passwords to ensure site security if it is part of your job description, but you do not use those accounts to get work done. Cripes.
-- dieman - Scott Dier
Good thing this guy pleaded guilty. Otherwise, someone might ask uncomfortable questions, like why FBI agents were active participants in this criminal act. The whole problem would have been averted if someone didn't give their username and password to this guy.
Of course, the whole thing could have also been averted if normal users didn't have access to the password file. The Unix world figured out that shadow password files are a good idea a long time ago. Too bad the wisdom there hasn't caught on.
One thing everyone should know when working for a large organization is that they have policies for everything because they assume everyone is dumber than paste. The up side of this as a consultant is that you can bill a week for 30 minutes of work because there's a week of paperwork needed before you can perform any task. This guy tried to get things done more efficiently by sidestepping the boundaries. Small companies can respect that kind of attitude, but not the government. That kind of behavior results in lower billings to the government, and that is un-American.
Jumping through hoops, as silly as they may be, is an important part of any technical job within a large organization.
How about FORCING the morons that end up as department heads and executives to use secure passwords?
A dictionary attack.... OMFG!
If the director had a secure password then it would not have been a big deal.
Listen kids, Big98Boob$-311 as your password is pretty damned secure and makes a dictionary attack useless against it.
Next question, WTF are the feds doing not using securID on all of their logins to eliminate such a problem??
Do not look at laser with remaining good eye.
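To make concrete what the summary describes (a stolen hash database run through a dictionary attack) and what the comment above claims (a password like Big98Boob$-311 is not in any wordlist), here is an added example that is not from the original thread or from any FBI system. The hash database, the wordlist and the mangling rules are all constructed for the example; the page does not say how the FBI's Trilogy system hashed passwords, so salted SHA-256 is an assumption chosen to keep the demo small and fast.

```python
"""Dictionary attack against a stolen password-hash database (added example)."""
import hashlib
import hmac

# A deliberately tiny constructed wordlist. Real cracking runs use lists of
# millions of entries, but the mechanics are identical.
WORDLIST = ["password", "letmein", "welcome", "fbi", "trilogy", "justice", "bureau"]

# Simple mangling rules of the kind cracking tools apply to every dictionary
# word: case variants plus a few common suffixes.
SUFFIXES = ["", "1", "123", "!", "2006"]


def hash_password(password: str, salt: bytes) -> str:
    """Hash a password with a per-user salt.

    Assumed scheme for this example only: SHA-256(salt || password).
    """
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield the candidate guesses derived from one dictionary word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(db: dict, wordlist) -> dict:
    """Return {username: recovered_password} for each hash some mangled wordlist entry matches.

    db maps username -> (salt, hex digest). Because every user has a different
    salt, each user's hashes have to be recomputed separately; without salts a
    single pass over the wordlist would crack every account at once.
    """
    cracked = {}
    for user, (salt, digest) in db.items():
        for word in wordlist:
            hit = next(
                (c for c in mangle(word)
                 if hmac.compare_digest(hash_password(c, salt), digest)),
                None,
            )
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def build_sample_db() -> dict:
    """Constructed stand-in for the stolen hash file: username -> (salt, digest).

    The usernames and passwords are invented for the example. The salt is
    derived from the username only so the example is reproducible; a real
    system would use random salts.
    """
    users = {
        "director": "Justice1",          # dictionary word + trivial mangling
        "agent_smith": "trilogy2006",     # dictionary word + year suffix
        "consultant": "Big98Boob$-311",   # the password from the comment above
    }
    db = {}
    for name, password in users.items():
        salt = hashlib.sha256(name.encode("utf-8")).digest()[:8]
        db[name] = (salt, hash_password(password, salt))
    return db


if __name__ == "__main__":
    recovered = dictionary_attack(build_sample_db(), WORDLIST)
    for user, password in recovered.items():
        print(f"{user}: {password}")
```

Running it recovers the two accounts whose passwords are dictionary words with common mangling and fails on the third, which is the comment's point: a wordlist plus rules only finds what the wordlist covers. The attack in the summary, though, only ran at all because the hash file was readable by an ordinary account, and a re-download after each 90-day rotation reset the attacker's clock; password strength alone does not remove that exposure.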
Employers need to be more careful about whom they hire and what their employees are doing.
In the U.S. the workplace has developed an adversarial relationship between employers and employees. The mantra, "nothing personal, this is just business" has removed the major factor stopping employees from screwing over their employer. If it is just business when an employer lies to the employees, fires them when they need a boost in the numbers, outsources their job, cancels benefits, or takes other action that affects the employees negatively then it is also just business when the employee lies to the employer, walks off with equipment, moves to another job at a bad time without giving any notice, or loots the database for info they can sell.
You see, it was not the law that prevented this sort of behavior, it was an ethical motivation. People, in general, don't like to hurt or even disappoint others. They want to do right by them. When they are treated unethically in turn, that motivation disappears. Do you want your employees to be loyal and honest? I certainly recommend checking up on each one, but more importantly, treat them well and with concern. Make sure they know, even if they screw up they won't be fired. Make sure they know you're doing the best you can to provide them with a reasonable income, friendly workplace, and what they need to be happy. Make sure you reward their good works. Make sure that if they run into money troubles you're the first person they talk to. Make sure they know you respect them. This is not only ethical, it is good business.
So one hash file gives him access to all FBI records, including the most sensitive? No offense, but why aren't the most sensitive of services protected by isolating them in a separate system? Compromising the witness protection program could endanger the lives of everyone protected by it, and just the ideas that it might be compromised could reduce the chances of people helping the FBI and testifying.
Isn't witness protection data Need To Know? Why would the FBI director Need To Know anything at all at a moment's notice from his desktop PC? It would make much more sense to have a separate system, and have him walk down the hall, ask someone to retrieve what he needs, and maybe get ONE record made available for a limited time.
I'm not trolling or anything. Seriously, can someone suggest scenarios whereby immediate, free access to that data is valuable, especially by people who don't already know whether you or I are in the program?
It doesn't hurt to be nice.
The flip side to the dumb arbitrariness of govt work is that you will never get in trouble if you follow the rules. This guy should have just billed the extra time to set up printers and been happy he had a job. What an idiot.
Please sign petition to restore sanity to our banking system!!!
http://financialpetition.org/
This guy not only cracked his employer's passwords (many of whom probably have high security clearance), but he actually logged into them routinely and used them as part of his workflow for nearly a year. Hello?
Compare that to the clearly less harmful actions of Randal Schwartz, who went gray-hat (one time, without using the logins, as a security warning). Three felony convictions and a rather severe sentence.