Slashdot Mirror


FBI Password Database Compromised by Consultant

LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.) "He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."

4 of 373 comments

  1. Forced password expirations by Zarhan · Score: 5, Interesting

    re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents.

        Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.

  2. Password Expiration Policies by hattig · Score: 4, Interesting

    Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?

    Would it have been so easily cracked if everyone had a 10+ character password that was truly strong, even if it was only changed once a year or never?

    Is there an argument for password systems including a dictionary attack test phase for new passwords that if the new password fails, the user has to change it again?

    And maybe when data is really important, they might wish to utilise some other form of identification besides passwords. Certainly witness protection details should be far more protected. A biometric system (fingerprints are the easiest to implement these days without much cost) in addition to the password...

    Of course the consultant had an 'in', as he was consulting for them. Some minor social engineering and they're all letting him access the systems, bypassing proper procedure.

    In the end, there's no excuse for data this important being accessed illegitimately like this. Security measures should be in place, access procedures should be in force, restrictions on data movement from secure to insecure should be enforced. Yet we see it every week - laptop stolen with confidential data on, unencrypted, open, in a file on the desktop probably called "Social Security Database.xls" or "List Of Witnesses On Protection Program, Do Not Show To Criminals Who Will Pay Good Money For This.doc".

  3. scary by brenddie · Score: 4, Interesting

    When I was in university the admins had a program on one of the Linux labs that would try to crack /etc/shadow and if it found a password it would email you saying that your password wasn't secure. I don't remember if it gave a hint about what your password was but it definitely made you think twice about using a weak password someone can crack so easily. It's scary the FBI doesn't even do these kinds of simple audits.

    --
    The best test environment is production. - Me
  4. Re:scary by Fulcrum+of+Evil · Score: 4, Interesting

    The worst is that Robert Mueller has access to everything - why does he need to know the specifics of every witness relocation?

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"