FBI Password Database Compromised by Consultant

LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency. He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."

12 of 373 comments

  1. Forced password expirations by Zarhan · Score: 5, Interesting

    re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents.

    Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.

  2. Password Expiration Policies by hattig · Score: 4, Interesting

    Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?

    Would it have been so easily cracked if everyone had a 10+ character password that was truly strong, even if it was only changed once a year or never?

    Is there an argument for password systems including a dictionary attack test phase for new passwords that if the new password fails, the user has to change it again?

    And maybe when data is really important, they might wish to utilise some other form of identification besides passwords. Certainly witness protection details should be far more protected. A biometric system (fingerprints are the easiest to implement these days without much cost), in addition to the password...

    Of course the consultant had an 'in', as he was consulting for them. Some minor social engineering and they're all letting him access the systems, bypassing proper procedure.

    In the end, there's no excuse for data this important being accessed illegitimately like this. Security measures should be in place, access procedures should be in force, restrictions on data movement from secure to insecure should be enforced. Yet we see it every week - laptop stolen with confidential data on, unencrypted, open, in a file on the desktop probably called "Social Security Database.xls" or "List Of Witnesses On Protection Program, Do Not Show To Criminals Who Will Pay Good Money For This.doc".

  3. Re:Has the 'consultant' by Anonymous Coward · Score: 1, Interesting

    While that may be interesting to know, the most interesting detail here is that apparently sensitive information is being "protected" so carelessly by the FBI.

    Even for those stupid enough to not intrinsically care about the government illegally spying on them, I'd hope those same Bush supporters aren't so idiotic that they'd trust the government to protect that information from attackers once they illegally obtained and stored it. They obviously can't even protect the information they're allowed to keep.

  4. Re:Most Common Passwords by Lord Ender · Score: 2, Interesting

    A rainbow table?

    Are you suggesting the FBI doesn't seed their password hashes?

    That's hard to believe! I would assume those that write the authentication mechanisms for FBI software have taken a class (or read a book) on the very basics of password-based authentication.

    Actually, I take that back.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.

  5. scary by brenddie · Score: 4, Interesting

    When I was in university the admins had a program on one of the Linux labs that would try to crack /etc/shadow and if it found a password it would email you saying that your password wasn't secure. I don't remember if it gave a hint about what your password was but it definitely made you think twice about using a weak password someone can crack so easily. It's scary the FBI doesn't even do this kind of simple audit.

    --
    The best test environment is production. - Me

  6. Database salting by Ignorant Aardvark · Score: 2, Interesting

    It's really sad that the FBI isn't using a simple salt on their stored passwords. This "hacker" was only able to get his hands on the hashed passwords, so his dictionary attack would only work if the passwords were stored unsalted. That's ridiculous. Hell, MediaWiki salts passwords by default ... the FBI can't do it?!

    1. Re:Database salting by Victor Fors · Score: 2, Interesting

      No, a dictionary attack works on salted passwords by definition. Salting only defeats precomputation attacks (e.g. rainbow tables).
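The distinction drawn in this reply, and the proactive audit job described in comment 5, as an added example that is not part of the thread or of any FBI system. The wordlist, user names and passwords are constructed for the demonstration. A precomputed hash-to-word table (the idea behind rainbow tables, reduced to a plain dictionary) matches only the unsalted record; a per-account dictionary run, which reads the salt stored next to each hash, recovers every weak password regardless of salting, and a slow hash (PBKDF2 here) only makes each guess cost more. The one account that survives is the one whose password is not in the wordlist.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for a real wordlist file.
WORDLIST = ["password", "letmein", "qwerty", "welcome1", "trilogy", "fbi2006"]


def fast_hash(password: str, salt: bytes = b"") -> str:
    """One round of SHA-256 over salt||password: cheap, so every guess is cheap too."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256: the same guessing still works, but each guess costs 100k hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(password: str, salted: bool = True, slow: bool = False) -> dict:
    """Store a password the way a user database does: the salt (if any) sits next to the hash."""
    salt = os.urandom(16) if salted else b""
    digest = slow_hash(password, salt) if slow else fast_hash(password, salt)
    return {"salt": salt, "hash": digest, "slow": slow}


def build_precomputed_table(words) -> dict:
    """Precomputation: hash -> word, built once before any hashes are obtained.
    Because no salt is involved, it can only ever match unsalted hashes."""
    return {fast_hash(w): w for w in words}


def precomputed_lookup(record: dict, table: dict):
    """Constant-time-per-account lookup; returns None whenever the record is salted."""
    return table.get(record["hash"])


def dictionary_attack(record: dict, words):
    """Per-account guessing: hash each candidate with that account's own salt.
    Salting does not stop this; it only forces the work to be redone per account."""
    hash_fn = slow_hash if record["slow"] else fast_hash
    for word in words:
        if hmac.compare_digest(hash_fn(word, record["salt"]), record["hash"]):
            return word
    return None


def audit(users: dict, words) -> dict:
    """The lab audit from comment 5: return the accounts whose passwords the wordlist
    recovers, so their owners can be told to pick something stronger."""
    return {name: pw for name, rec in users.items()
            if (pw := dictionary_attack(rec, words)) is not None}


def demo():
    # Constructed accounts covering the three storage schemes discussed above.
    users = {
        "agent_a": make_record("letmein", salted=False),               # unsalted, fast hash
        "agent_b": make_record("letmein"),                             # salted, fast hash
        "agent_c": make_record("letmein", slow=True),                  # salted, slow hash
        "agent_d": make_record(secrets.token_urlsafe(18), slow=True),  # salted, strong password
    }
    table = build_precomputed_table(WORDLIST)
    precomputed_hits = {n: precomputed_lookup(r, table) for n, r in users.items()}
    return precomputed_hits, audit(users, WORDLIST)


if __name__ == "__main__":
    hits, weak = demo()
    print("precomputed table:", hits)   # only agent_a's unsalted hash is found
    print("dictionary audit: ", weak)   # agent_a, agent_b and agent_c fall; agent_d survives
```

The salt is treated as public throughout, which is the realistic assumption once the database is in someone else's hands. What changes the outcome for an account is only whether its password appears in the wordlist, which is why an audit like this, run by the defenders first, is worth more than a shorter expiration period.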

  7. Secret passwords by 1cebird · Score: 2, Interesting

    He should have published the passwords. Then he would have constitutional protections, right? I mean, he's only exposing the insecure nature of FBI passwords.

    --
    -K

  8. Re:scary by Fulcrum of Evil · Score: 4, Interesting

    The worst is that Robert Mueller has access to everything - why does he need to know the specifics of every witness relocation?

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"

  9. Once again by COMON$ · Score: 2, Interesting

    I would like to state that this is your lowest bid tax dollars at work again. State and Federal agencies aren't worried about Professionalism or getting things done right. They are worried about having the right paperwork and that you don't step on anyone's toes. Just once I would like to see a professional well functioning department in a Gov't agency. BTW I work for a gov't agency.

    --
    CS: It is all sink or swim...oh and did I mention there are sharks in that water?

  10. Re:And we're going to fix this... by syukton · Score: 2, Interesting

    Where I work, we've got a 60 or 90 day period (I forget how long it is, really) between mandatory password changes, and my "base" password is 12 characters long to begin with, upper and lower case letters and numbers and symbols mixed.

    When the time comes to change my password, you know what I do? I add an exclamation point. I'm up to four now.

    People just need to devise their own system that they can use to make their password more secure, but memorable. Here's a fairly easy to remember, secure password: 1234qwer!@#$ -- numbers, letters, symbols, 12 characters, not going to be thwarted by a dictionary attack any time soon. When the time comes to change the password, just add a period, or a semicolon, or a backslash, or a pair of brackets around the whole thing, or whatever. Unless you're prohibited from using part of your old password in your new password, it's relatively easy to keep a secure password that changes on a regular basis. If you always need to change your password so it doesn't contain the previous password, consider reversing the password: $#@!rewq4321 or consider putting something between each character: 1.2.3.4.q.w.e.r.!.@.#.$ or whatever... You'd have to be pretty dim-witted to not realize how easy this is...

    --
    Reinvent the wheel only at either a lower cost, greater effectiveness, or your own personal enrichment and satisfaction.
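The acceptance-time check hattig asks for in comment 2 (reject a new password that fails a dictionary test) and the rotation habits described in comment 10, as an added example that is not part of the thread. The wordlist, the keyboard rows and the specific rules are constructed for the demonstration; a production check would load a real dictionary. The point it shows is that a checker which normalises away punctuation and compares against the previous password catches the "add an exclamation point", "reverse it" and "put a dot between each character" variants as reuse, and flags keyboard runs such as 1234qwer!@#$ as a pattern rather than as a strong password.

```python
import re

# Constructed stand-in for a wordlist file.
WORDLIST = {"password", "letmein", "qwerty", "welcome1", "trilogy", "fbi"}

# Keyboard rows plus the digit and shift-digit runs; four adjacent keys count as a walk.
KEYBOARD_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm", "!@#$%^&*()"]


def normalize(password: str) -> str:
    """Reduce a password to its lower-cased letters and digits, so the decorations added at
    rotation time (a trailing '!', dots between characters, brackets) do not make it look new."""
    return re.sub(r"[^a-z0-9]", "", password.lower())


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """True if any run of min_run adjacent keys from a keyboard row appears in the password."""
    s = password.lower()
    return any(row[i:i + min_run] in s
               for row in KEYBOARD_RUNS
               for i in range(len(row) - min_run + 1))


def check_new_password(new: str, previous=None, min_len: int = 12) -> list:
    """Return the reasons a proposed password is rejected; an empty list means accepted."""
    reasons = []
    if len(new) < min_len:
        reasons.append("too short")
    core = normalize(new)
    if core in WORDLIST:
        reasons.append("dictionary word")
    if is_keyboard_walk(new):
        reasons.append("keyboard pattern")
    if previous:
        old = normalize(previous)
        # Reuse = the old core, forwards or reversed, survives inside the new one.
        if old and (old in core or old[::-1] in core):
            reasons.append("reuses previous password")
    return reasons


if __name__ == "__main__":
    old = "1234qwer!@#$"
    for candidate in [old, old + "!", "$#@!rewq4321", "1.2.3.4.q.w.e.r.!.@.#.$",
                      "password", "correct horse battery staple"]:
        print(f"{candidate!r:32} -> {check_new_password(candidate, old) or 'accepted'}")
```

Normalising before comparison is what makes the reuse rule effective: a raw substring test on the original strings would accept the interleaved variant, since "1234qwer!@#$" never appears contiguously in "1.2.3.4.q.w.e.r.!.@.#.$".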

  11. Re:scary by StikyPad · Score: 2, Interesting

    It's not just the FBI.. internal security is a real problem for the corporate and government worlds alike, especially with Windows networks. Attaching a laptop to a wired network, using ARP poisoning, and capturing password hashes is kid's stuff. After that, rainbow tables = plaintext passwords in a matter of seconds. Even before rainbow tables, I did an internal audit and managed to grab 65% of passwords using brute force, including those of CEO and ISO.. (That's the Information Security Officer, not the CD image). New hardware helps some, but government in particular upgrades at the speed of light... divided by 299,792,458.

    And frequent upgrading is a double-edged sword as well. Not only does it cost beaucoup dollars, which pisses off everybody, but new products will often introduce new vulnerabilities, and may or may not resolve old ones.

    I sympathize with the guy who got shitcanned, but security clearances are 99% about trust, and by circumventing the protections -- fallible as they may have been -- he showed that he cannot be trusted to adhere to regulations... if he sacrifices a little security for a little convenience, then what's to say he wouldn't sacrifice a lot of security for a lot of conveniences, in the form of dollars? That's the way the government looks at it anyway.