Slashdot Mirror
FBI Password Database Compromised by Consultant
LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Muller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.)
"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initally gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."
Nothing for you to see here. Please move along.
Indeed... in-deed...
The space unintentionally left unblank.
These are the people protecting me from terrorists? Scary, very scary.
s/comprised/compromised
I aim to misbehave.
So we charge the consultant, send him through the legal system, etc. Are we also going to do something to prevent this from happening again, like educating agents not to give out their username/password or allowing the kind of access this guy was able to get?
Slashdot Burying Stories About Slashdot Media Owned
re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents.
Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.
The FBI's Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office. While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase -- a software system called the Virtual Case File -- was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel."
I need to check the Government Accountability Office more often. It's good to know we're spending 1 billion dollars to found a, most likely, failed attempt at secure computing for the FBI. Doh.
Now all we have to hear is that his laptop got stolen before he was caught.
Geeze, my sister could even run l0phtcrack. Can't give him much credit here.
Really, seriously, you do not crack passwords to get your work done. You crack passwords to ensure site security if it is part of your job description, but you do not use those accounts to get work done. Cripes.
-- dieman - Scott Dier
Employers need to be more careful about whom they hire and what their employees are doing. Even the members of
Information wants a fueled airplane waiting at the hangar and no one gets hurt.
Coming soon.. laws outlawing common dictionary password cracking tools and similiar security tools.
I can't believe that they don't even have some sort of verification that the passwords aren't common things. Heck even here, when you try to change your passwords everywhere there are so many restrictions that it can't be a dictionary word or easy to guess. Simple rules - at least 1 CAP letter (means at least 1 letter) - at least one symbol (@#.,& etc.) - at least 1 number - at least 8 chars long How hard is it to enforce this.
Just poor wording on the part of the author. Colon may have been provided access to the database by that FBI employee, and used a Perl script or any of several apps that can do their own SQL-connections to pull the data, only part of which would have been the hash.
And just for some additional information for others not familiar with this kind of thing, there are dozens of programs that can do brute-force comparisons. It's also possible that he just used a rainbow table, which are available on (sometimes more than one) DVD for relatively small sums for the comparison. With a few really good computers, or a distributed computing project, it's not terribly hard to build up a sizable rainbow table in a relatively short period of time.
You can never go home again... but I guess you can shop there.
Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?
Would it have been so easily cracked if everyone had a 10+ character password that was truly strong, even if it was only changed once a year or never?
Is there an argument for password systems including a dictionary attack test phase for new passwords that if the new password fails, the user has to change it again?
And maybe when data is really important, they might wish to utilise some other form of identification besides passwords. Certainly witness protection details should be far more protected. A biometric system, fingerprints are the easiest to implement these days without much cost, in addition to the password...
Of course the consultant had an 'in', as he was consulting for them. Some minor social engineering and they're all letting him access the systems, bypassing proper procedure.
In the end, there's no excuse for data this important being accessed illegitimately like this. Security measures should be in place, access procedures should be in force, restrictions on data movement from secure to insecure should be enforced. Yet we see it every week - laptop stolen with confidential data on, unencrypted, open, in a file on the desktop probably called "Social Security Database.xls" or "List Of Witnesses On Protection Program, Do Not Show To Criminals Who Will Pay Good Money For This.doc".
Hmmm, apparently the FBI password database was made up from a consultant. I wonder if someone possibly meant compromised? Keep up the good work, Timmy. You deserve a raise!
This guy's the limit!
even have access to much of that data. Just cause he is top dog does not in any way mean he should have access to the witness protection records. He doesnt need to know that information, and if he does he should have to go through the proper channels. This is exactly why.
In many cases, the higher upthe person, the LESS data they need from the computer systems.
The phrase "more better" is acceptable English. suck it grammar Nazis
Good thing this guy pleaded guilty. Otherwise, someone might ask uncomfortable questions, like why FBI agents were active participants in this criminal act. The whole problem would have been averted if someone didn't give their username and password to this guy.
Of course, the whole thing could have also been averted if normal users didn't have access to the password file. The Unix world figured out that shadow password files are a good idea a long time ago. Too bad the wisdom there hasn't caught on.
One thing everyone should know when working for a large organization is that they have policies for everything because they assume everyone is dumber than paste. The up side of this as a consultant is that you can bill a week for 30 minutes of work because there's a week of paperwork needed before you can perform any task. This guy tried to get things done more efficiently by sidestepping the boundaries. Small companies can respect that kind of attitude, but not the government. That kind of behavior results in lower billings to the government, and that is unamerican.
Jumping through hoops, as silly as they may be, is an important part of any technical job within a large organization.
Colon claimed that he did this because he was tired of having to seek bureaucratic authorization for every last task, including adding printers. Having worked with government agencies before, I can say I understand his frustration. But his later justification was priceless:
Okay, so: getting authorization was onerous, so he asked for permission from agents in the Springfield office to forge their superiors' credentials in order to speed up the process. And they gave it to him.
Did you get that? I was originally gonna boldface the best parts, but I couldn't decide where to start.
1. The contractor, fed up with an onerous and ridiculous authorization process,
2. asked for permission from FBI officials to crack their superiors' passwords,
3. and the FBI officials in question said yes.
Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?
Been charged with illegal access? He apparently used a brute force cracking script to compromise
the database he had tenative acccess to. If he needed greater acces, he would have had it. The
article is , at best, lacking in solid information. At least to me it is.
Regular access audits would have picked this up much sooner. End of story. By hanging this poor bastard out to dry, they've basically exposed even more lack of security.
I call for this every time something like this gets published , and I'll call for it again :
We need (real) IT professionals in Congress, they need to form an oversight committee, and they need to have pretty much unrestricted access to most systems so they can be effective.
These holes have *got* to get plugged. Its not only embarrassing, its media porn and its going to encourage hacks that *do* result in something bad happening.
Nimrods.
What, like due-process, warrants, and legal considerations?
So FBI agents just stand around while he illegally accesses everything he's not supposed to so it can make their jobs easier? If there were actual agents standing around thinking this was good, we're in deep doo-doo, because they have now taken the stance that if they subcontract the illegal stuff, they're all good.
Yikes!
Lost at C:>. Found at C.
So one hash file gives him access to all FBI records, including the most sensitive? No offense, but why aren't the most sensitive of services protected by isolating them in a separate system? Compromising the witness protection program could endanger the lives of everyone protected by it, and just the ideas that it might be compromised could reduce the chances of people helping the FBI and testifying.
Isn't witness protection data Need To Know? Why would the FBI director Need To Know anything at all at a moment's notice from his desktop PC? It would make much more sense to have a separate system, and have him walk down the hall, ask someone to retrieve what he needs, and maybe get ONE record made available for a limited time.
I'm not trolling or anything. Seriously, can someone suggest scenarios whereby immediate, free access to that data is valuable, especially by people who don't already know whether you or I are in the program?
It doesn't hurt to be nice.
Forcing one's boss to do something is terribly difficult. You generally need support from your boss' boss. When they're both high-level political appointees, it's that much harder. Not saying you're wrong, just saying that it's not always possible. Generally easier (and better, imho) to teach him, give him some sort of appreciation of the pile of excrement he can wind up in if he doesn't.
As for two-factor, I know VA is moving towards it (and was before the whole laptop debacle). Might be fed-wide. Hopefully this will light a fire under it.
Dare to Hope. Prepare to be Disappointed.
A rainbow table?
Are you suggesting the FBI doesn't seed their password hashes?
That's hard to believe! I would assume those that write the authentication mechanisms for FBI software have taken a class (or read a book) on the very basics of password-based authentication.
Actually, I take that back.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
They would but the bureaucracy involved in reading TFA is way too onerous. I recommend stealing the passwords of the /. overlords and skipping the mountain of red tape.
Sincerely,
James Colon
When I was in university the admins had a program on one of the linux labs that would try to crack /etc/shadow and if it found a password it would email you saying that your password wasnt secure. I dont remember if it gave a hint about what your password was but it definetly made you think twice about using a weak password someone can crack so easily.
Its scary the FBI doesnt even do this kind of simple audits
The best test environment is production. - Me
chrome://browser/content/browser.xul
The FBI illegally obtains our information, why can't we illegally obtain theirs?
Haiku for you!
Sure, complaining about the users is easy and a favourite geek passtime, but how about educating the programmers before we let them loose on something that important?
The classic newbie mistake is thinking, basically, "I know, I'll take the password as it is, run it through MD5 and store the hash. It's uber-secure because it's MD5, right?" Turns out: wrong. An attacker can, yes:
1) download a program that will try every word in the dictionary until it finds a match, like this guy did. (And it _will_ find a match. There'll always be someone who took a password like "kitten" or "sex" or whatever, no matter how much you tried to educated them.) Or, better yet,
2) use so-called "rainbow tables" which are basically key-value pairs. The key is a hash value, and the value is one password that's known to hash to the key. Hackers have been building such tables for a long while, so there are a _ton_ of passwords which can be instantly un-hashed. It doesn't matter if the user's password is "kitten" or "1+l0v3+b00b13z". If that password has been harvested once (e.g., he's also used it on some warez site), it can be de-hashed for ever after by a simple lookup.
So what smart programmers do is "salt" the password first. Add some arbitrary value before MD5-ing it. E.g., add the hash of the user name at the end of the password, _then_ MD5 it. Add your program's name. Whatever.
Yes, it's "security by obscurity", because essentially you rely on an attacker not knowing wth you've salted the passwords with. But it tends to work nevertheless. A generic de-hashing program downloaded over the net can run through a dictionary all it wants, and it still won't decrypt your passwords unless it was created for exactly your salting method. Ditto for rainbow table lookups.
Basically, seriously. Before picking on the users, I wish someone educated their programmers about even the basics of security. If this guy could pull this stunt, then chances are so could anyone else having any access to that building. So there is no excuse to have such vulnerabilities. Did anyone even do a security review there?
A polar bear is a cartesian bear after a coordinate transform.
It's really sad that the FBI isn't using a simple salt on their stored passwords. This "hacker" was only able to get his hand on the hashed passwords, so his dictionary attack would only work if the passwords were stored unsalted. That's ridiculous. Hell, MediaWiki salts passwords by default ... the FBI can't do it?!
Cyde Weys Musings - Scrutinizing the inscrutable
He should have published the passwords. Then he would have constitutional protections, right? I mean, he's only exposing the insecure nature of FBI passwords.
-K
You need to chill out, if our government doesnt hire honest people then the government would fall apart. I mean, it would be terrible to have dishonest people with so much information! Right now this proves that we have a lot of honest people and one or two bad apples which are caught in a timely manner, the government can run clean. The reason we allow the government to have all of our information and view it so easily is to stop terrorists and those that act like terrorist but are classed as criminals in our judicial system.
If we dont get all this information together we wont be safe, and without being safe our entire country would fall apart. So we have to have complete and unfettered trust in our government that it is doing the right thing as they know everything about us!
Remember to smile for the security camera, there is an angel on the other side.
If you don't vote, you don't matter, so don't waste your time telling me your opinion
This guy not only cracked his employer's passwords (many of whom probably have high security clearance), but he actually logged into them routinely and used them as part of his workflow for nearly a year. Hello?
Compare that to the clearly less harmful actions of Randal Schwartz, who went gray-hat (one time, without using the logins, as a security warning). Three felony convictions and a rather severe sentence.
Actually, you can have a pretty secure password that's not dictionary based and easy to remember. So long as you have enough characters, it'll be difficult to break.
p
Take a look at password generation tools like "apg" and "pwgen". They use tools like trigraphs, triphthongs, diphthongs to make easy-to-remember, non-dictionary passwords. Sure, using these techniques reduces the keyspace for a brute force attack, but keyspace size and easy-to-remember are pretty much mutually exclusive.
http://pwgen.org/
http://www.puroga.com/webtools/apgonline/index.ph
While I agree with the parent (and the existing siblings to this post) that unless it is your job to "put stress on the system" and "test the limits" (officially) then it's unethical to do so (even if you "have the approval of your coworkers/peers", etc.), this is a prime opportunity to point out to businesses the value of periodically taking the proverbial step back and critically evaluating their procedures and policies for inefficient, obsolete, conflicting, or downright counterproductive practices and directives. Human nature being what it is, if a policy or practice doesn't seem to have any value (or, worse yet, it seems to "cost" an employee "more" to follow it than to circumvent it) sooner or later someone will figure out a way to cut that corner for reasons that range from collecting the "brownie points" awarded for being the "guru" who figured out how to "streamline" the process all the way to the guy who legitimately believes (correctly or otherwise) that his job really does depend on getting that extra little thing done. I've seen it. We've all seen it.
Situation: Contractor entrusted with compiling "the numbers" on "that important account" is involved in an accident (yup, you guessed it) the morning of "the big presentation." Oh, but all her work is (by company policy) safe and sound on the server instead of on her (now smashed) laptop. Great! Just one little problem: nobody knows her password, and (also by company policy) access to anyone's server-side account other than the person to whom that account is assigned is strictly verboten! No "emergency plan" exists to cover such a contingency, and the critical hour (minute) fast approaches.
Solution: A quick call to IT (from the contractor's manager's phone) went something like this: "Hey, Suzy Q's password needs to be reset; her account's locked out. You want me to just tell her the password is 'password' and she needs to change it the first time she logs in? No problem. Yeah, and I'll see to it the password-reset form gets done and drop it off to you ASAP; I know you gotta cover things on your end. Thanks!" Almost five whole minutes, and the "company policy" that was no doubt pored-over for hour upon hour by some of the finest administrative (and legal) minds in the company's employ was artfully dodged by "just some dude." I think one of us asked the guy if he felt bad about lying to the person in IT, and his response was that he didn't lie; the account was locked-out (after he had tried to guess the password three times...) so the password did need to be reset and as soon as he saw "Suzy Q" he would be sure to tell her what her new password was! Unethical? Yup. Sneaky? Yup. Effective? Yup. The presentation was retrieved, the account was saved, and the world continued to revolve. A simplistic example, sure, but [insert "slippery-slope" analogy here]...
I'm not saying I condone it and I'm not saying I'd do it, I'm just saying you've got to be stupid to think you can throw obstacles in front of motivated people and they won't figure a way to avoid them, and it's wise to occassionally evaluate whether or not we're doing just that.
This space intentionally left (almost) blank.
As we all know the net upshot of forcing users to change passwords every 90 day easy to remember passwords and/or writing them down. In this case I think its an even worse policy. If an FBI password is compremised the worst damage is going to happen within a day or two.
I would like to state that this is your lowest bid tax dollars at work again. State and Federal agencies arent worried about Professionalism or getting things done right. They are worried about having the right paperwork and that you dont step on anyone's toes. Just once I would like to see a professional well functioning department in a Gov't agency. BTW I work for a gov't agency.
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
I hadn't even thought of applying the idea to the kids. Mine aren't old enough yet for that to be an issue, but the future is full of possibilities, esp. if you exploit the gender stereotypes!
For boys:
MyPrettyPony
BarbieIsNeat
ILikeGirls (only embarrassing up to a certain age, I suppose)
For girls:
ExtraHairy
GirlsRSmelly
BoysAreCool
Now that I've had fun dreaming these up, though, I wonder if the password could be so 'repulsive' that they will refuse to use the computer at all?
A post a day keeps productivity at bay.