Slashdot Mirror


FBI Password Database Compromised by Consultant

LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.) "He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."

34 of 373 comments

  1. scary by rolyatknarf · · Score: 5, Insightful

    These are the people protecting me from terrorists? Scary, very scary.

    1. Re:scary by 955301 · · Score: 4, Insightful

      No. No they are not. The person protecting you from "terrorists" or anyone else trying to hurt you is yourself. Not cops, not the government, and oftentimes your parents can end up the worst of your enemies (despite good intentions).

      Rely on yourself for survival - rely on others to grow.

      --
      You are checking your backups, aren't you?
    2. Re:scary by GungaDan · · Score: 5, Funny

      "Rely on yourself for survival - rely on others to grow."

      Fuck that. I grow my own.

      --
      Eloi are stupid, throw morlocks at them!
    3. Re:scary by Fulcrum of Evil · · Score: 4, Interesting

      The worst is that Robert Mueller has access to everything - why does he need to know the specifics of every witness relocation?

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    4. Re:scary by ray-auch · · Score: 4, Insightful

      The people at the top have to know so they can leak the info when politically necessary.

      [ Same answer as "why does the White House need to know who every undercover CIA agent is?" ]

    5. Re:scary by Intron · · Score: 4, Insightful

      Right. Cops and FBI should investigate crimes after they have been committed, or when they have evidence a crime is going to be committed. Asking them to prevent terrorist acts in advance is equivalent to asking for a police state. I personally feel that there should have been no blame cast on the intelligence community for 9/11. I certainly do not feel any safer since the creation of DHS. Another layer of bureaucracy is not going to make information flow better. The opposite, if anything.

      --
      Intron: the portion of DNA which expresses nothing useful.
  2. Briefly... by LoyalOpposition · · Score: 4, Informative

    s/comprised/compromised

    --
    I aim to misbehave.
  3. And we're going to fix this... by richdun · · Score: 4, Insightful

    So we charge the consultant, send him through the legal system, etc. Are we also going to do something to prevent this from happening again, like educating agents not to give out their username/password or allowing the kind of access this guy was able to get?

    1. Re:And we're going to fix this... by Lumpy · · Score: 5, Insightful

      How about FORCING the morons that end up as department heads and executives to use secure passwords?

      A dictionary attack.... OMFG!

      If the director had a secure password then it would not have been a big deal.

      Listen kids, Big98Boob$-311 as your password is pretty damned secure and makes a dictionary attack useless against it.

      Next question, WTF are the feds doing not using SecurID on all of their logins to eliminate such a problem??

      --
      Do not look at laser with remaining good eye.
    2. Re:And we're going to fix this... by qwijibo · · Score: 4, Insightful

      Why should they do that? They fixed the glitch. The guy pleaded guilty, so there's no reason for any government agent who acted carelessly and facilitated the crime to be reprimanded. From a management perspective, the problem isn't the access he had, but the egg on their face resulting from the access he had. He got fired and will likely go to jail, so from the management perspective, the problem has been solved. It may be a stupid viewpoint, but it's a very common one when the alternative is taking responsibility for one's own actions.

    3. Re:And we're going to fix this... by Kozar_The_Malignant · · Score: 4, Funny

      >Are we also going to do something to prevent this from happening again

      No. That would be wrong for the following reasons:

      1. It would require admitting that the existing security system is sub-optimal.
      2. It would imply that the Dear Leader/FBI Director had made a mistake.
      3. Acknowledging that there was a problem would aid terrorists and Democrats.
      4. Creating a culture of accountability would damage agent morale and lead to #3 above.
      5. Sending some wanker consultant to jail makes staff feel good.
      6. The option of sending agents to jail and/or Butte, Montana must be reserved for the serious crime of embarrassing the Dear Leader.

      Thank you for asking. However, the fact that you asked shows that you have no possible future with the FBI and are probably a threat to our National Security. We'll be in touch.

      --
      Some mornings it's hardly worth chewing through the restraints to get out of bed.
    4. Re:And we're going to fix this... by Iamthefallen · · Score: 5, Funny

      With apologies to Bash.org

      It only appears as Big98Boob$-311 to you since it's your password. To me it just looks like **************

      --
      Wax-Museum Fire Results In Hundreds Of New Danny DeVito Statues
    5. Re:And we're going to fix this... by J.R. Random · · Score: 4, Insightful

      The policy of forcing people to change their passwords on a regular basis is in direct conflict with requiring the password to be obscure and full of funny characters. If I'm forced to change my password every two months I'll use passwords like "january", "march", "may", etc. If I'm forced to change my password every two months and have it be obscure, I'll write the damn thing on a post-it note and attach it to the back of my monitor. If you want me to remember an obscure password like Big98Boob$-311 without writing it down I'd better be able to keep it.

  4. Wow. by Rob T Firefly · · Score: 5, Funny

    The consultant, Joseph Thomas Colon

    What is he, some kind of a... no, sometimes it's too easy a shot, even for me.
  5. Forced password expirations by Zarhan · · Score: 5, Interesting

    re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents.

    Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.

    1. Re:Forced password expirations by jbeaupre · · Score: 4, Informative

      We had a system like this on a student-run server in 1991 at NMSU. The server was continually trying to crack passwords. When it did, you got an automatic email telling you of the crack and to change your password.

      I thought it had two things going for it. Susceptible passwords were weeded out and in theory your password should be cracked by a friendly before someone else.

      --
      The world is made by those who show up for the job.
    2. Re:Forced password expirations by Tim C · · Score: 4, Insightful

      The problem with a biometric system is that when someone manages to fool it and impersonate someone, you can't change their access token. At least if my password is compromised I can change it; not so with my thumbprint.

    3. Re:Forced password expirations by Princeofcups · · Score: 4, Insightful

      This may seem obvious, but shouldn't they be using a three-piece access system?

      1 - biometric (fingerprint, voice, retina, etc.)
      2 - item (SecurID card, etc.)
      3 - password

      If biometric fails, the cracker still doesn't have the item or password. If the item is stolen, the cracker doesn't have a fingerprint or password. If the doofus tells someone his password, the cracker doesn't have the fingerprint or item.

      jfs

      --
      The only thing worse than a Democrat is a Republican.
  6. The only thing interesting to me is the pricetag. by a_karbon_devel_005 · · Score: 4, Insightful

    The FBI's Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office. While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase -- a software system called the Virtual Case File -- was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel."

    I need to check the Government Accountability Office more often. It's good to know we're spending 1 billion dollars to fund a, most likely, failed attempt at secure computing for the FBI. Doh.

  7. Unqualified moron by dieman · · Score: 5, Insightful

    Really, seriously, you do not crack passwords to get your work done. You crack passwords to ensure site security if it is part of your job description, but you do not use those accounts to get work done. Cripes.

    --
    -- dieman - Scott Dier
  8. Re:Most Common Passwords by Martin Blank · · Score: 5, Informative

    Just poor wording on the part of the author. Colon may have been provided access to the database by that FBI employee, and used a Perl script or any of several apps that can do their own SQL connections to pull the data, only part of which would have been the hash.

    And just for some additional information for others not familiar with this kind of thing, there are dozens of programs that can do brute-force comparisons. It's also possible that he just used rainbow tables, which are available on (sometimes more than one) DVD for relatively small sums for the comparison. With a few really good computers, or a distributed computing project, it's not terribly hard to build up a sizable rainbow table in a relatively short period of time.

    --
    You can never go home again... but I guess you can shop there.
  9. Password Expiration Policies by hattig · · Score: 4, Interesting

    Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?

    Would it have been so easily cracked if everyone had a 10+ character password that was truly strong, even if it was only changed once a year or never?

    Is there an argument for password systems including a dictionary attack test phase for new passwords that if the new password fails, the user has to change it again?

    And maybe when data is really important, they might wish to utilise some other form of identification besides passwords. Certainly witness protection details should be far more protected. A biometric system (fingerprints are the easiest to implement these days without much cost), in addition to the password...

    Of course the consultant had an 'in', as he was consulting for them. Some minor social engineering and they're all letting him access the systems, bypassing proper procedure.

    In the end, there's no excuse for data this important being accessed illegitimately like this. Security measures should be in place, access procedures should be in force, restrictions on data movement from secure to insecure should be enforced. Yet we see it every week - laptop stolen with confidential data on, unencrypted, open, in a file on the desktop probably called "Social Security Database.xls" or "List Of Witnesses On Protection Program, Do Not Show To Criminals Who Will Pay Good Money For This.doc".
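The "dictionary attack test phase for new passwords" asked about above (and Zarhan's point earlier in the thread that users keep choosing crackable passwords) can be run at password-set time, before any hash is stored, rather than by cracking stored hashes afterwards. The following is an added example, not code from the thread or from any FBI system; the wordlist, the 10-character minimum and the three-character-class rule are assumptions of the example.

```python
"""Proactive dictionary check at password-set time.

Added example, not code from the thread or from any FBI system. The candidate
password is compared against a wordlist after undoing the manglings a simple
dictionary attack would try (case, leet substitutions, appended years and
punctuation). Wordlist, policy thresholds and samples are constructed.
"""
import re

# Constructed mini wordlist; a real deployment loads a large dictionary.
WORDLIST = frozenset([
    "january", "february", "march", "april", "may", "june", "july",
    "august", "september", "october", "november", "december",
    "password", "letmein", "welcome", "trilogy", "witness",
])

# Common leet substitutions, reversed so "p@ssw0rd" normalizes to "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 10   # assumed policy, matching the "10+ character" suggestion above
MIN_CLASSES = 3   # assumed policy: lower, upper, digit, symbol


def candidates(password):
    """Forms of the password a simple mangling-rule cracker would have tried."""
    low = password.lower()
    # Drop leading/trailing digits and punctuation: "January2006!" -> "january"
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    base = {low, core}
    return base | {b.translate(LEET) for b in base}


def char_classes(password):
    """Count of character classes present (lower, upper, digit, symbol)."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password, wordlist=WORDLIST):
    """Return (accepted, reason). A rejected password must be chosen again."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    for form in sorted(candidates(password)):
        if form in wordlist:
            return False, f"derived from dictionary word '{form}'"
    if char_classes(password) < MIN_CLASSES:
        return False, f"needs at least {MIN_CLASSES} character classes"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("January2006!", "P@ssw0rd!!!", "j4nu4ry2006",
                   "abcdefghijkl", "Big98Boob$-311"):
        print(f"{sample:16} -> {check_password(sample)}")
```

Note that Lumpy's Big98Boob$-311 passes while the month-plus-year passwords J.R. Random describes are rejected; a real cracker applies far more rules than these, so treat the check as a floor, not a guarantee.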

  10. Re:A hacker? by dJOEK · · Score: 5, Funny

    is your sister single? hot?

    --
    Exercise caution when modding this message up: the author acts like a jerk when his karma is excellent.
  11. Disaster averted! by qwijibo · · Score: 5, Insightful

    Good thing this guy pleaded guilty. Otherwise, someone might ask uncomfortable questions, like why FBI agents were active participants in this criminal act. The whole problem would have been averted if someone didn't give their username and password to this guy.

    Of course, the whole thing could have also been averted if normal users didn't have access to the password file. The Unix world figured out that shadow password files are a good idea a long time ago. Too bad the wisdom there hasn't caught on.

    One thing everyone should know when working for a large organization is that they have policies for everything because they assume everyone is dumber than paste. The up side of this as a consultant is that you can bill a week for 30 minutes of work because there's a week of paperwork needed before you can perform any task. This guy tried to get things done more efficiently by sidestepping the boundaries. Small companies can respect that kind of attitude, but not the government. That kind of behavior results in lower billings to the government, and that is un-American.

    Jumping through hoops, as silly as they may be, is an important part of any technical job within a large organization.
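The shadow-file point in the post above, as an added example (not the thread's code or any project's): an audit that flags hashes left in the world-readable account file and checks that the shadow file is root-owned and unreadable by ordinary users. The file contents and modes are constructed samples.

```python
"""Check that password hashes are confined to a root-only shadow file.

Added example, not code from the thread. The world-readable account file must
hold no hash, and the shadow file must be unreadable by ordinary users.
Sample file contents and modes are constructed for illustration.
"""
import os
import stat

# Constructed sample: 'legacy' still carries its hash in the world-readable file.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
legacy:$6$constructedsalt$constructedhash:1001:1001::/home/legacy:/bin/sh
consultant:x:1002:1002::/home/consultant:/bin/sh
"""

# Field 2 values that mean "no hash here" (shadowed, locked or empty).
NO_HASH_MARKERS = {"x", "*", "!", "!!", ""}


def exposed_hash_accounts(passwd_text):
    """Usernames whose hash sits in the passwd file instead of the shadow file."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] not in NO_HASH_MARKERS:
            exposed.append(fields[0])
    return exposed


def shadow_mode_ok(mode, uid):
    """True when the shadow file is root-owned, not accessible by 'other'
    and not group-writable (the usual 0600 or 0640 root:shadow)."""
    forbidden = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH | stat.S_IWGRP
    return uid == 0 and not (mode & forbidden)


def audit_shadow_file(path="/etc/shadow"):
    """Apply shadow_mode_ok to a real file; returns None if it cannot be stat'ed."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return shadow_mode_ok(st.st_mode, st.st_uid)


if __name__ == "__main__":
    print("hashes exposed in passwd:", exposed_hash_accounts(PASSWD_SAMPLE))
    print("shadow mode acceptable:", audit_shadow_file())
```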

  12. And the FBI agreed to this? by sammy baby · · Score: 4, Insightful

    Talk about losing sight of the forest due to the trees...

    Colon claimed that he did this because he was tired of having to seek bureaucratic authorization for every last task, including adding printers. Having worked with government agencies before, I can say I understand his frustration. But his later justification was priceless:

    Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining a written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed up the work.

    Colon's lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list.

    Okay, so: getting authorization was onerous, so he asked for permission from agents in the Springfield office to forge their superiors' credentials in order to speed up the process. And they gave it to him.

    Did you get that? I was originally gonna boldface the best parts, but I couldn't decide where to start.

    1. The contractor, fed up with an onerous and ridiculous authorization process,
    2. asked for permission from FBI officials to crack their superiors' passwords,
    3. and the FBI officials in question said yes.

    Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?

    1. Re:And the FBI agreed to this? by Khammurabi · · Score: 4, Informative

      1. The contractor, fed up with an onerous and ridiculous authorization process,
      2. asked for permission from FBI officials to crack their superiors' passwords,
      3. and the FBI officials in question said yes.

      Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?

      My question exactly. I used to work for the government, and it's highly believable that the guy was given approval to do this. (You have no idea how much red tape there is, let alone the process to get an account with the type of access he was after.) However, Colon shouldn't have cracked the database multiple times (let alone once). He should have either 1) kept requesting the agent's password when it changed, or 2) quit. There's a reason those processes were there, and if he didn't like it, he should have left. Also, the staffers can claim ignorance all they want, but I find it very hard to believe that none of them knew he was doing this to get his work done.
    2. Re:And the FBI agreed to this? by P3NIS_CLEAVER · · Score: 5, Insightful

      The flip side to the dumb arbitrariness of govt work is that you will never get in trouble if you follow the rules. This guy should have just billed the extra time to set up printers and been happy he had a job. What an idiot.

      --
      Please sign petition to restore sanity to our banking system!!!

      http://financialpetition.org/
  13. Well, we now know the FBI doesn't audit. by tinkertim · · Score: 4, Insightful

    Regular access audits would have picked this up much sooner. End of story. By hanging this poor bastard out to dry, they've basically exposed even more lack of security.

    I call for this every time something like this gets published, and I'll call for it again:

    We need (real) IT professionals in Congress, they need to form an oversight committee, and they need to have pretty much unrestricted access to most systems so they can be effective.

    These holes have *got* to get plugged. It's not only embarrassing, it's media porn and it's going to encourage hacks that *do* result in something bad happening.

    Nimrods.

  14. Re:Employees suck! by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    Employers need to be more careful about whom they hire and what their employees are doing.

    In the U.S. the workplace has developed an adversarial relationship between employers and employees. The mantra, "nothing personal, this is just business" has removed the major factor stopping employees from screwing over their employer. If it is just business when an employer lies to the employees, fires them when they need a boost in the numbers, outsources their job, cancels benefits, or takes other action that affects the employees negatively then it is also just business when the employee lies to the employer, walks off with equipment, moves to another job at a bad time without giving any notice, or loots the database for info they can sell.

    You see, it was not the law that prevented this sort of behavior, it was an ethical motivation. People, in general, don't like to hurt or even disappoint others. They want to do right by them. When they are treated unethically in turn, that motivation disappears. Do you want your employees to be loyal and honest? I certainly recommend checking up on each one, but more importantly, treat them well and with concern. Make sure they know, even if they screw up they won't be fired. Make sure they know you're doing the best you can to provide them with a reasonable income, friendly workplace, and what they need to be happy. Make sure you reward their good works. Make sure that if they run into money troubles you're the first person they talk to. Make sure they know you respect them. This is not only ethical, it is good business.

  15. Witness Protection Info on shared database? by SydShamino · · Score: 5, Insightful

    So one hash file gives him access to all FBI records, including the most sensitive? No offense, but why aren't the most sensitive of services protected by isolating them in a separate system? Compromising the witness protection program could endanger the lives of everyone protected by it, and just the ideas that it might be compromised could reduce the chances of people helping the FBI and testifying.

    Isn't witness protection data Need To Know? Why would the FBI director Need To Know anything at all at a moment's notice from his desktop PC? It would make much more sense to have a separate system, and have him walk down the hall, ask someone to retrieve what he needs, and maybe get ONE record made available for a limited time.

    I'm not trolling or anything. Seriously, can someone suggest scenarios whereby immediate, free access to that data is valuable, especially by people who don't already know whether you or I are in the program?

    --
    It doesn't hurt to be nice.
  16. scary by brenddie · · Score: 4, Interesting

    When I was in university the admins had a program on one of the Linux labs that would try to crack /etc/shadow and if it found a password it would email you saying that your password wasn't secure. I don't remember if it gave a hint about what your password was but it definitely made you think twice about using a weak password someone can crack so easily. It's scary the FBI doesn't even do this kind of simple audit.

    --
    The best test environment is production. - Me
  17. So What? by spykemail · · Score: 5, Funny

    The FBI illegally obtains our information, why can't we illegally obtain theirs?

  18. Re:Has the 'consultant' by Foobar of Borg · · Score: 4, Insightful

    Why is Parent modded Flamebait? It is a very valid point. Even if you are insane enough to trust the government not to abuse your information (and in this regard I don't care if it is a Bush, a Clinton, or a Coleman in office - even Gary Coleman would abuse your personal information), the fact that they can't keep it safe means that any number of scumbags can target you for ID theft, stalking, or whatever else they get into their thieving/warped/addled heads.

  19. Way worse than what Merlyn did by frankie · · Score: 5, Insightful

    This guy not only cracked his employer's passwords (many of whom probably have high security clearance), but he actually logged into them routinely and used them as part of his workflow for nearly a year. Hello?

    Compare that to the clearly less harmful actions of Randal Schwartz, who went gray-hat (one time, without using the logins, as a security warning). Three felony convictions and a rather severe sentence.