FBI Password Database Compromised by Consultant

LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Muller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.)

"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initally gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."

Upon trying to read the blurb

[LFS.Morpheus]

Nothing for you to see here. Please move along.

Indeed... in-deed...

Has the 'consultant'

[zoomshorts]

Been charged with illegal access? He apparently used a brute force cracking script to compromise
the database he had tenative acccess to. If he needed greater acces, he would have had it. The
article is , at best, lacking in solid information. At least to me it is.

Re:Has the 'consultant'

[Foobar of Borg]

Why is Parent modded Flamebait? It is a very valid point. Even if you are insane enough to trust the government not to abuse your information (and in this regard I don't care if it is a Bush, a Clinton, or a Coleman in office - even Gary Coleman would abuse your personal information), the fact that they can't keep it safe means that any number of scumbags can target you for ID theft, stalking, or whatever else they get into their theiving/warped/addled heads.

Re:comprise != compromise

[hevenor]

They would but the bureaucracy involved in reading TFA is way too onerous. I recommend stealing the passwords of the /. overlords and skipping the mountain of red tape.

Sincerely,

James Colon

scary

[rolyatknarf]

These are the people protecting me from terrorists? Scary, very scary.

Re:scary

[rjhubs]

While there are many problems with this story, the worst is that director Robert Mueller password was broken from a simple dictionary attack. Who is in charge of network security at the FBI, elmo? The password of the day is Apple.

Re:scary

[Fulcrum of Evil]

The worst is that Robert Mueller has access to everything - why does he need to know the specifics of every witness relocation?

Re:scary

[ray-auch]

The people at the top have to know so they can they leak the info when politically necessary.

[ Same answer as "why does the whitehouse need to know who every undercover CIA agent is ?" ]

Re:scary

[StikyPad]

It's not just the FBI.. internal security is a real problem for the corporate and government worlds alike, especially with Windows networks. Attaching a laptop to a wired network, using ARP poisoning, and capturing password hashes is kid's stuff. After that, rainbow tables = plaintext passwords in a matter of seconds. Even before rainbow tables, I did an internal audit and managed to grab 65% of passwords using brute force, including those of CEO and ISO.. (That's the Information Security Officer, not th

Re:scary

[955301]

No. No they are not. The person protecting you from "terrorist" or anyone else trying to hurt you is yourself. Not cops, not the government, and often times your parents can end up the worst of your enemies (despite good intentions).

Rely on yourself for survival - rely on others to grow.

Re:scary

[GungaDan]

"Rely on yourself for survival - rely on others to grow."

Fuck that. I grow my own.

Re:scary

[griffjon]

Nevertheless, our tax dollars are funding this ham-handedness.

Re:scary

[Intron]

Right. Cops and FBI should investigate crimes after they have been committed, or when they have evidence a crime is going to be committed. Asking them to prevent terrorist acts in advance is equivalent to asking for a police state. I personally feel that there should have been no blame cast on the intelligence community for 9/11. I certainly do not feel any safer since the creation of DHS. Another layer of bureaucracy is not going to make information flow better. The opposite, if anything.

Re:scary

[plopez]

NOt suprising. Remember, the only people that stopped an attack on 9/11 were ordinary *civilians*. The FBI failed, the military failed, the intelligence services failed and out political leadership failed. It was, as it usually is, just average off the street folks were the ones who came through in a crisis.

Re:scary

[Rolan]

How many FBI agents were on board the planes that crashed into the WTC? How many people would whine about invasion of privacy and wasting tax payers money if the government put FBI agents on every single flight inside, or into the US?

This is called the Air Marshall system (yes, I know they're not FBI), and nobody has ever griped about it being an invasion of privacy or a waste of money.

Re:scary

[hackstraw]

These are the people protecting me from terrorists? Scary, very scary.

Huh?

What ever gave you that idea? What evidence is there? Next, people will believe that "Homeland Security" is... Or the war in Iraq was...

Re:scary

[vertinox]

These are the people protecting me from terrorists?

Well to be fair, you are more likley to die from a drunk driver so I'd be more concerned how your local State Troopers are behaving. ;)

Briefly...

[LoyalOpposition]

s/comprised/compromised

Re:Briefly...

[TCM]

Correction to that regex:

s#$#/#

And we're going to fix this...

[richdun]

So we charge the consultant, send him through the legal system, etc. Are we also going to do something to prevent this from happening again, like educating agents not to give out their username/password or allowing the kind of access this guy was able to get?

Re:And we're going to fix this...

[Lumpy]

How about FORCING the morons that end up as department heads and executives to use secure passwords?

A dictionary attack.... OMFG!

If the director had a secure password then it would not have been a big deal.

Listen kids, Big98Boob$-311 as your password is pretty damned secure and makes a dictionaty attack useless against it.

Next question, WTF is the feds doing not using securID on all of their logins to eliminate such a problem??

Would that it were that easy.

[Divide By Zero]

Forcing one's boss to do something is terribly difficult. You generally need support from your boss' boss. When they're both high-level political appointees, it's that much harder. Not saying you're wrong, just saying that it's not always possible. Generally easier (and better, imho) to teach him, give him some sort of appreciation of the pile of excrement he can wind up in if he doesn't.

As for two-factor, I know VA is moving towards it (and was before the whole laptop debacle). Might be fed-wide. Hopefully this will light a fire under it.

Re:And we're going to fix this...

[J.R. Random]

The policy of forcing people to change their passwords on a regular basis is in direct conflict with requiring the password to be obscure and full of funny characters. If I'm forced to change my password every two months I'll use passwords like "january", "march", "may", etc. If I'm forced to to change my password every two months and have it be obscure, I'll write the damn thing on a post-it note and attach it to the back of my monitor. If you want me to remember an obscure password like Big98Boob$-311 without writing it down I better be able to keep it.

Re:And we're going to fix this...

[syukton]

Where I work, we've got a 60 or 90 day period (I forget how long it is, really) between mandatory password changes, and my "base" password is 12 characters long to begin with, upper and lower case letters and numbers and symbols mixed.

When the time comes to change my password, you know what I do? I add an exclamation point. I'm up to four now.

People just need to devise their own system that they can use to make their password more secure, but memorable. Here's a fairly easy to remember, secure password: 123

Re:And we're going to fix this...

[hey!]

Well, this is one of those situations where you just throw up your hands.

It's not that the higher ups are idiots for choosing crackable passwords. It's that passwords don't work. Not well enough to do what we want them to do.

They can be made less dysfunctiona by checking for things like dictionary attacks, but a password that is strong enough to be used for something like tracking terrorists or launching nuclear missiles is too strong for a human to remember.

And there have been solutions for this around forever. Lotus Notes has had two factor security with strong crypto for twenty years now. RSA and other vendors have been selling solutions that work for basically forever.

This guy was foolish to do what he did. Not because it was wrong, but because the results to himself were predictable. The FBI reaction in this case reminds me of the Catholic Church's reaction to priest pedophilia. The Church has a rule that it is wrong to bring the Church into disrepute. But instead of interpreting this rule as "don't do anything that is shameful", it became "don't let the truth about shameful things get out."

So, what we have here is a geek who just wanted to get his job done, up against the slowness of the bureacracy. Why is the bureacracy slow? Because slow is safe. Decisions that don't get made don't leave anybody responsible. But bureacracies are still jealous of their rights to make decisions, even if they are put off indefinitely. Making things happen fast, and along the way exposing weaknesses that attach to individuals, that's almost unimaginably evil from that point of view.

Re:And we're going to fix this...

[Iamthefallen]

With apologies to Bash.org [bash.org]

It only appears as Big98Boob$-311 to you since it's your password. To me it just looks like **************

Re:Actually, that is not a secure password...

[danpat]

Actually, you can have a pretty secure password that's not dictionary based and easy to remember. So long as you have enough characters, it'll be difficult to break.

Take a look at password generation tools like "apg" and "pwgen". They use tools like trigraphs, triphthongs, diphthongs to make easy-to-remember, non-dictionary passwords. Sure, using these techniques reduces the keyspace for a brute force attack, but keyspace size and easy-to-remember are pretty much mutually exclusive.

http://pwgen.org/ [pwgen.org]
http: [puroga.com]

Re:Yep, works for me.

[CheeseTroll]

I hadn't even thought of applying the idea to the kids. Mine aren't old enough yet for that to be an issue, but the future is full of possibilities, esp. if you exploit the gender stereotypes!

For boys:
MyPrettyPony
BarbieIsNeat
ILikeGirls (only embarrassing up to a certain age, I suppose)

For girls:
ExtraHairy
GirlsRSmelly
BoysAreCool

Now that I've had fun dreaming these up, though, I wonder if the password could be so 'repulsive' that they will refuse to use the computer at all?

Re:And we're going to fix this...

[surprise_audit]

They should be charging the agent as well as the consultant. The way lawyers game the legal system in the US, any investigation that agent has ever been involved in could be jeopardized.

Re:And we're going to fix this...

[qwijibo]

Why should they do that? They fixed the glitch. The guy pleaded guilty, so there's no reason for any government agent who acted carelessly and facilitated the crime to be reprimanded. From a management perspective, the problem isn't the access he had, but the egg on their face resulting from the access he had. He's got fired and will likely go to jail, so from the management perspective, the problem has been solved. It may be a stupid viewpoint, but it's a very common one when the alternative is taking responsibility for ones own actions.

Re:And we're going to fix this...

[drinkypoo]

Are we also going to do something to prevent this from happening again, like educating agents not to give out their username/password or allowing the kind of access this guy was able to get?

Perhaps we could be moving to a system not so easily compromised...

Re:And we're going to fix this...

[Kozar_The_Malignant]

>Are we also going to do something to prevent this from happening again

No. That would be wrong for the following reasons:

1. It would require admitting that the existing security system is sub-optimal.
2. It would imply that the Dear Leader/FBI Director had made a mistake.
3. Acknowledging that there was a problem would aid terrorists and Democrats.
4. Creating a culture of accountability would damage agent morale and lead to #3 above.
5. Sending some wanker consultant to jail makes staff feel good.
6. The option of sending agents to jail and/or Butte, Montana must be reserved for the serious crime of embarrassing the Dear Leader.

Thank you for asking. However, the fact that you asked shows that you have no possible future with the FBI and are probably a threat to our National Security. We'll be in touch.

How about educating the programmers?

[Moraelin]

Sure, complaining about the users is easy and a favourite geek passtime, but how about educating the programmers before we let them loose on something that important?

The classic newbie mistake is thinking, basically, "I know, I'll take the password as it is, run it through MD5 and store the hash. It's uber-secure because it's MD5, right?" Turns out: wrong. An attacker can, yes:

1) download a program that will try every word in the dictionary until it finds a match, like this guy did. (And it _will_ find a ma

Way worse than what Merlyn did

[frankie]

This guy not only cracked his employer's passwords (many of whom probably have high security clearance), but he actually logged into them routinely and used them as part of his workflow for nearly a year. Hello?

Compare that to the clearly less harmful actions of Randal Schwartz [google.com], who went gray-hat (one time, without using the logins, as a security warning). Three felony convictions and a rather severe sentence.

Most Common Passwords

[neonprimetime]

Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. Then he used another program to crack the passwords by using dictionary word comparisons, lists of common passwords and character substitutions to figure out the plain text passwords.

Didn't you get the memo? Don't use god, love, sex, or secret. Also ... which program are they speaking of that would extract "hashes"?

Re:Most Common Passwords

[russotto]

Also ... which program are they speaking of that would extract "hashes"?

That would be the dreaded "awk". As in

awk -F\: '{ print $1, $2 }' < /etc/passwd

Assuming, of course, that the FBI is using a Unix system lacking shadow passwords. Which wouldn't surprise me all that much.

Re:Most Common Passwords

[Martin Blank]

Just poor wording on the part of the author. Colon may have been provided access to the database by that FBI employee, and used a Perl script or any of several apps that can do their own SQL-connections to pull the data, only part of which would have been the hash.

And just for some additional information for others not familiar with this kind of thing, there are dozens of programs that can do brute-force comparisons. It's also possible that he just used a rainbow table, which are available on (sometimes more than one) DVD for relatively small sums for the comparison. With a few really good computers, or a distributed computing project, it's not terribly hard to build up a sizable rainbow table in a relatively short period of time.

Re:Most Common Passwords

[Lord Ender]

A rainbow table?

Are you suggesting the FBI doesn't seed their password hashes?

That's hard to believe! I would assume those that write the authentication mechanisms for FBI software have taken a class (or read a book) on the very basics of password-based authentication.

Actually, I take that back.

Re:Most Common Passwords

[tinkertim]

I thought most FBI guys knew you used a bong or rolling papers to extract hash .. strange.

Re:Most Common Passwords

[drinkypoo]

Actually, you usually use a polyethylene mesh bag.

The Most Common Password

[kalirion]

You missed the most common one: password. But I guess I can't blame you since I don't think it was mentioned in Hackers [imdb.com]. Probably because it would have jeopardized national security or something.

Also a lot of people just use their usernames as passwords, as long as the system allows it. Maybe tack on a 1 on the end.

Re:Most Common Passwords

[sgt scrub]

IRS

Our Government

[Buzz_Litebeer]

Keeping us safe from harm. We should not look at this as a breech that affects Americans, it did not say anything about him accessing things like the NSA database on Americans etc... It just affected the Witness Protection program right? That doesnt matter, because he was a good guy and only doing it to do good work on the system easier.

And he was caught too, so crisis averted, everyone told us they caught him and there have never been similar attacks before!

I feel completely safe with my information knowi

Re:Our Government

[DaveV1.0]

1) The FBI and the NSA are too separate agencies with two different missions.
2) The NSA's computers are much better protected because they are in the business of information monitoring and security.
3) The FBI is a law enforcement agency with files on millions of Americans, including those that have security clearances. Said files may include information which can be used to apply pressure to or to find weaknesses of said people with security clearances.
4) How much do you think the Witness Relocation and Pro

Re:Our Government

[Buzz_Litebeer]

You need to chill out, if our government doesnt hire honest people then the government would fall apart. I mean, it would be terrible to have dishonest people with so much information! Right now this proves that we have a lot of honest people and one or two bad apples which are caught in a timely manner, the government can run clean. The reason we allow the government to have all of our information and view it so easily is to stop terrorists and those that act like terrorist but are classed as criminals in our judicial system.

If we dont get all this information together we wont be safe, and without being safe our entire country would fall apart. So we have to have complete and unfettered trust in our government that it is doing the right thing as they know everything about us!

Remember to smile for the security camera, there is an angel on the other side.

Wow.

[Rob T Firefly]

The consultant, Joseph Thomas Colon

What is he, some kind of a... no, sometimes it's too easy a shot, even for me.

Re:Wow.

[Billosaur]

The consultant, Joseph Thomas Colon

What is he, some kind of a... no, sometimes it's too easy a shot, even for me.

Could be worse -- he could be a "new fragrance for men"...

Forced password expirations

[Zarhan]

re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents.

    Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.

Re:Forced password expirations

[Billosaur]

Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.

Or better yet, use a biometric system

Re:Forced password expirations

[unsigned integer]

Is it any wonder that they are floundering, when the executive branch is set and determined to push out 'bad facts' people and replace them with 'good facts' yes-men? The article references the CIA, but I'm sure the FBI has felt the push as well. Imagine the loss of talent and people who want to do a good job, do it right, and not have to be encumbered by coming up with 'politically convenient' reports.

http://service.spiegel.de/cache/international/0,15 18,415638,00.html [spiegel.de]

Re:Forced password expirations

[qwijibo]

Since when is the FBI on the cutting edge? They only pick up techniques that have had sufficient time to be proven, which leaves them 10-20 years behind the cutting edge. Fortunately for them, criminals tend to be 50 years behind the times since they're too paranoid to hire outside consultants who are aware of the most recent technical developments.

Re:Forced password expirations

[Billosaur]

They organized the first data banks of fingerprints in the nation and developed laboratories for processing crime scene material that were the forerunners of today's crime scene investigation units. They have had to stay one step ahead of criminals, but in recent decades seem to have lost their edge, perhaps from becoming too beaureauracritized. The 9/11 Commission certainly took them to task for their failure to communicate vital information, but then again, a lot of people dropped the ball then, not just

Re:Forced password expirations

[Tim C]

The problem with a biometric system is that when someone manages to fool it and impersonate someone, you can't change their access token. At least if my password is compromised I can change it; not so with my thumbprint.

Re:Forced password expirations

[Billosaur]

At least if my password is compromised I can change it; not so with my thumbprint.

Which is why you can't rely on one biometric system alone. I would think a combination of maybe retinal, fingerprint, and voice recognition would make it much harder to impersonate someone to gain access.

Re:Forced password expirations

[Princeofcups]

This may seem obvious, but shouldn't they be using a three piece access system?

1 - biometric (fingerprint, voice, retina, etc.)
2 - item (SecureID card, etc.)
3 - password

If biometric fails, the cracker still doesn't have the item or password. If the item is stolen, the cracker doesn't have a fingerprint or password. If the doofus tells someone his password, the cracker doesn't have the fingerprint or item.

jfs

Re:Forced password expirations

[vinn01]

I second that. Everytime that I have had to deal with passwords that must be changed monthly I've found that users append or prepend the number of the month. In July, most of the password will begin or end in "07".

Another stupid rule: "a new password must contain three characters not found in the previous password". This was created to try to stop the "number of month" problem noted above. Instead it makes it hard to have long passwords. I created a 20 character password (pass phrase) once. The follow

Re:Forced password expirations

[jbeaupre]

We had a system like this on a student run server in 1991 at NMSU. The server was continually trying to crack passwords. When it did, you got an automatic email telling you of the crack and to change your password.

I thought it had two things going for it. Suceptible passwords were weeded out and in theory your password should be cracked by a friendly before someone else.

Re:Forced password expirations

[neonprimetime]

I agree, having a short password expiration date, combined with crappy password rules equals less security. At the company I work at the passwords expire every 30 days, you can't use your last like 10 passwords, and all you're required to do is have 1 number in your password. So you get users with passwords like this

• January - myparty1
• Febraury - myparty2
• March - myparty3

Instead a much more secure system would have the password expire once a year, can't use your previous password, and require 2 numbers

The only thing interesting to me is the pricetag.

[a_karbon_devel_005]

The FBI's Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office. While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase -- a software system called the Virtual Case File -- was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel."

I need to check the Government Accountability Office more often. It's good to know we're spending 1 billion dollars to found a, most likely, failed attempt at secure computing for the FBI. Doh.

Good news!

[Krellion]

Now all we have to hear is that his laptop got stolen before he was caught.

A hacker?

[Rick Zeman]

Geeze, my sister could even run l0phtcrack. Can't give him much credit here.

Re:A hacker?

[dJOEK]

is your sister single? hot?

Unqualfied moron

[dieman]

Really, seriously, you do not crack passwords to get your work done. You crack passwords to ensure site security if it is part of your job description, but you do not use those accounts to get work done. Cripes.

Re:Unqualfied moron

[Moby Cock]

Agreed. You've heard the phase "knows enough to be dangerous". This guy heard about John the Ripper (or whatever he used. I can't RTFA, its been slashdotted) somewhere and decided that it would be easy to use. What on earth was going through his head?

Re:Unqualfied moron

[z0idberg]

no kidding.

Admins, security depts and managers (though to a lesser extent generally) usually get pretty uppity with sharing passwords on ANY systems, and thats on internal systems for small time companys with sweet FA worth breaking in to. What the hell was this guy thinking? I suppose he thought those relaxed, easy going folks over at the FBI wouldnt mind if he ran some random script/program off the internet to retrieve some passwords so he can get on with the job.

I mean, its only a cracking/hacking script

And now for the "flip-side"...

[The_REAL_DZA]

While I agree with the parent (and the existing siblings to this post) that unless it is your job to "put stress on the system" and "test the limits" (officially) then it's unethical to do so (even if you "have the approval of your coworkers/peers", etc.), this is a prime opportunity to point out to businesses the value of periodically taking the proverbial step back and critically evaluating their procedures and policies for inefficient, obsolete, conflicting, or downright counterproductive practices and d

Employees suck!

[andrewman327]

There is incredible effort focused on keeping bad people out of networks. Where I currently work I need to use three different passwords that must be changed regularly in order to access a large database. The problem is that there is nothing stopping an employee of any company who has legitimate access to any data from using it for nefarious ends. I seem to remember employees of a credit card company stealing numbers a while back. Also, the Department of Vetrans' Affairs and many other companies and agencies have lately had data breaches that were the direct result of employees either intentionally or accidentally removing data from the network and allowing it to be potentially misused.

Employers need to be more careful about whom they hire and what their employees are doing. Even the members of /. should agree that not all information should be free.

Re:Employees suck!

[99BottlesOfBeerInMyF]

Employers need to be more careful about whom they hire and what their employees are doing.

In the U.S. the workplace has developed an adversarial relationship between employers and employees. The mantra, "nothing personal, this is just business" has removed the major factor stopping employees from screwing over their employer. If it is just business when an employer lies to the employees, fires them when they need a boost in the numbers, outsources their job, cancels benefits, or takes other action that affects the employees negatively then it is also just business when the employee lies to the employer, walks off with equipment, moves to another job at a bad time without giving any notice, or loots the database for info they can sell.

You see, it was not the law that prevented this sort of behavior, it was an ethical motivation. People, in general, don't like to hurt or even disappoint others. They want to do right by them. When they are treated unethically in turn, that motivation disappears. Do you want your employees to be loyal and honest? I certainly recommend checking up on each one, but more importantly, treat them well and with concern. Make sure they know, even if they screw up they won't be fired. Make sure they know you're doing the best you can to provide them with a reasonable income, friendly workplace, and what they need to be happy. Make sure you reward their good works. Make sure that if they run into money troubles you're the first person they talk to. Make sure they know you respect them. This is not only ethical, it is good business.

Re:Employees suck!

[andrewman327]

I agree that there needs to be an open dialogue between boss and peon. That is a vital part of having a successful business. However, there is no legal justification to large scale theft, regardless of how good Office Space was.

Re:Employees suck!

[99BottlesOfBeerInMyF]

However, there is no legal justification to large scale theft, regardless of how good Office Space was.

Laws are not a very good way to motivate behavior. The death penalty is not a good deterrent because most killers are either desperate, emotionally driven, or believe they will not be caught anyway. Similarly, threat of punishment is a terribly way to motivate employees to not steal and that is what the laws are really. Don't steal or we'll throw you in jail is not nearly as effective as the ethical mot

Re:Employees suck!

[mjeffers]

You see, it was not the law that prevented this sort of behavior, it was an ethical motivation. People, in general, don't like to hurt or even disappoint others. They want to do right by them. When they are treated unethically in turn, that motivation disappears.

While I agree that the qualities you've listed make for a better business, both in terms of a better workplace as well as a business that is concerned more with the next 10 years than the next quarter, I have to disagree with the above statement. It

Re:Employees suck!

[writermike]

Employees suck!

You're in luck. Many companies fire them these days! ;-)

Employees cope, is what they do

[ianscot]

Sure does sound like the attitude that employees "suck" created the circumstances in which this little exploit was possible in the first place. First and most obvious example: a 90-day renewal policies on passwords only make your passwords more likely to be crackable, because people are choosing passwords they can more easily remember. That's exactly the sort of corrosive pressure that'll make otherwise security-conscious employees try to cut corners just to get their jobs done.

Technical support people de

Laws against security tools

[Grue]

Coming soon.. laws outlawing common dictionary password cracking tools and similiar security tools.

Re:Laws against security tools

[bcat24]

When password crackers are outlawed, only outlaws will have password crackers.

Passwords

[metarox]

I can't believe that they don't even have some sort of verification that the passwords aren't common things. Heck even here, when you try to change your passwords everywhere there are so many restrictions that it can't be a dictionary word or easy to guess. Simple rules - at least 1 CAP letter (means at least 1 letter) - at least one symbol (@#.,& etc.) - at least 1 number - at least 8 chars long How hard is it to enforce this.

The perils of consulting

[Billosaur]

The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency.

See what happens when you don't give a consultant the access he needs? He goes out and gets it himself!

Note to FBI: maybe outsourcing some things is not such a good idea.

Who was this agent?

[imunfair]

What position was the agent in that had access to this database? I mean sure he had high clearance, but not everyone with high clearance should have access to the password database... what kind of security are they running here?

If he really was in a valid position to need access to it, then they definitely need to screen the mental abilities of people they give sensitive positions more carefully - any half way decent sysadmin knows not to give their password out.

Password Expiration Policies

[hattig]

Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?

Would it have been so easily cracked if everyone had a 10+ character password that was truly strong, even if it was only changed once a year or never?

Is there an argument for password systems including a dictionary attack test phase for new passwords that if the new password fails, the user has to change it again?

And maybe when data is really important, they might wish to utilise some other form of identification besides passwords. Certainly witness protection details should be far more protected. A biometric system, fingerprints are the easiest to implement these days without much cost, in addition to the password...

Of course the consultant had an 'in', as he was consulting for them. Some minor social engineering and they're all letting him access the systems, bypassing proper procedure.

In the end, there's no excuse for data this important being accessed illegitimately like this. Security measures should be in place, access procedures should be in force, restrictions on data movement from secure to insecure should be enforced. Yet we see it every week - laptop stolen with confidential data on, unencrypted, open, in a file on the desktop probably called "Social Security Database.xls" or "List Of Witnesses On Protection Program, Do Not Show To Criminals Who Will Pay Good Money For This.doc".

Re:Password Expiration Policies

[thynk]

Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?

Surely this really proves that the IT department wasn't enforcing strong passwords and that's about all it proves. Having strong passwords that change every 90 days is NOT an unreasonable policy and is easy to enforce with any OS.

The IT department should be on trial along with the consultant.
   

Re:Password Expiration Policies

[hibiki_r]

It doesn't matter if you claim a policy is reasonable or not. What really matters is what your average user would do when subject to such policy.under a 30-90 day strong password policy, most people end up writing the password down, or changing only 1 character every time, typically a number. If the user is forced to keep track of 3 or 4 passwords this way, you're guaranteed your passwords will be in cubicle walls.

If all you are worried about is external attacks, the fact that 60% of the company's passwords

comprised, eh?

[gEvil (beta)]

Hmmm, apparently the FBI password database was made up from a consultant. I wonder if someone possibly meant compromised? Keep up the good work, Timmy. You deserve a raise!

Why would the director

[Tweekster]

even have access to much of that data. Just cause he is top dog does not in any way mean he should have access to the witness protection records. He doesnt need to know that information, and if he does he should have to go through the proper channels. This is exactly why.

In many cases, the higher upthe person, the LESS data they need from the computer systems.

Disaster averted!

[qwijibo]

Good thing this guy pleaded guilty. Otherwise, someone might ask uncomfortable questions, like why FBI agents were active participants in this criminal act. The whole problem would have been averted if someone didn't give their username and password to this guy.

Of course, the whole thing could have also been averted if normal users didn't have access to the password file. The Unix world figured out that shadow password files are a good idea a long time ago. Too bad the wisdom there hasn't caught on.

One thing everyone should know when working for a large organization is that they have policies for everything because they assume everyone is dumber than paste. The up side of this as a consultant is that you can bill a week for 30 minutes of work because there's a week of paperwork needed before you can perform any task. This guy tried to get things done more efficiently by sidestepping the boundaries. Small companies can respect that kind of attitude, but not the government. That kind of behavior results in lower billings to the government, and that is unamerican.

Jumping through hoops, as silly as they may be, is an important part of any technical job within a large organization.

And the FBI agreed to this?

[sammy baby]

Talk about losing sight of the forest due to the trees...

Colon claimed that he did this because he was tired of having to seek bureaucratic authorization for every last task, including adding printers. Having worked with government agencies before, I can say I understand his frustration. But his later justification was priceless:

Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining a written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed up the work.

Colon's lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list.

Okay, so: getting authorization was onerous, so he asked for permission from agents in the Springfield office to forge their superiors' credentials in order to speed up the process. And they gave it to him.

Did you get that? I was originally gonna boldface the best parts, but I couldn't decide where to start.

1. The contractor, fed up with an onerous and ridiculous authorization process,
2. asked for permission from FBI officials to crack their superiors' passwords,
3. and the FBI officials in question said yes.

Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?

Re:And the FBI agreed to this?

[Khammurabi]

1. The contractor, fed up with an onerous and ridiculous authorization process,
2. asked for permission from FBI officials to crack their superiors' passwords,
3. and the FBI officials in question said yes.

Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?

My question exactly. I used to work for the government, and it's highly believable that the guy was given approval to do this. (You have no idea how much red tape there is, let alone the process to get an account with the type of access he was after.) However, Colon shouldn't have cracked the database multiple times (let alone once). He should have either 1) kept requesting the agent's password when it changed, or 2) quit. There's a reason those processes were there, and if he didn't like it, he should have left. Also, the staffers can claim ignorance all they want, but I find it very hard to believe that none of them knew he was doing this to get his work done.

Re:And the FBI agreed to this?

[P3NIS_CLEAVER]

The flip side to the dumb arbitraryness of govt work is that you will never get in trouble if you follow the rules. This guy should of just billed the extra time to set up printers and been happy he had a job. What an idiot.

Re:And the FBI agreed to this?

[ucblockhead]

They are probably on Fantasy Island, cavorting with Santa Claus, unicorns and honest lawyers.

Well, we now know the FBI doesn't audit.

[tinkertim]

Regular access audits would have picked this up much sooner. End of story. By hanging this poor bastard out to dry, they've basically exposed even more lack of security.

I call for this every time something like this gets published , and I'll call for it again :

We need (real) IT professionals in Congress, they need to form an oversight committee, and they need to have pretty much unrestricted access to most systems so they can be effective.

These holes have *got* to get plugged. Its not only embarrassing, its media porn and its going to encourage hacks that *do* result in something bad happening.

Nimrods.

Yikes!!!

[gstoddart]

The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency.

What, like due-process, warrants, and legal considerations?

So FBI agents just stand around while he illegally accesses everything he's not supposed to so it can make their jobs easier? If there were actual agents standing around thinking this was good, we're in deep doo-doo, because they have now taken the stance that if they subcontract the illegal stuff, they're all good.

Yikes!

Sh*t Rolls Downhill

[Detritus]

While his actions weren't well thought through, they weren't malicious. It isn't smart to point out that the King has no clothes in any large bureaucracy, they tend to react by attacking the troublemaker.

I'd think that the FBI could afford to implement two-factor authentication for its employees.

Witness Protection Info on shared database?

[SydShamino]

So one hash file gives him access to all FBI records, including the most sensitive? No offense, but why aren't the most sensitive of services protected by isolating them in a separate system? Compromising the witness protection program could endanger the lives of everyone protected by it, and just the ideas that it might be compromised could reduce the chances of people helping the FBI and testifying.

Isn't witness protection data Need To Know? Why would the FBI director Need To Know anything at all at a moment's notice from his desktop PC? It would make much more sense to have a separate system, and have him walk down the hall, ask someone to retrieve what he needs, and maybe get ONE record made available for a limited time.

I'm not trolling or anything. Seriously, can someone suggest scenarios whereby immediate, free access to that data is valuable, especially by people who don't already know whether you or I are in the program?

Mod parent up!

[Jerry Coffin]

This is one of the most intelligent comments in this thread. If the article is correct, it's pretty clear that the FBI isn't even making an attempt at following basic rules of security that have been well known since long before the FBI even existed...

Re:Witness Protection Info on shared database?

[geekoid]

FBI director deals with all kinds of sensitive data all the time.
Making him walk to a room would be a waste.

Also, he will need to pass senisitive data to others. Like the ;president, or if procedure calls, the cia.

Run crack daily and lock any failed accounts.

[Colin Smith]

It's really been standard practice on even minimally secure systems for decades. So I doubt the system concerned can be very important.

What the contractor should have done is to increase his rates when waiting around for permissions. You may well hate the bureaucracy but at least you're then being well paid for it.

 

scary

[brenddie]

When I was in university the admins had a program on one of the linux labs that would try to crack /etc/shadow and if it found a password it would email you saying that your password wasnt secure. I dont remember if it gave a hint about what your password was but it definetly made you think twice about using a weak password someone can crack so easily. Its scary the FBI doesnt even do this kind of simple audits

first off

[geekoid]

"Don't trust your users, especially if they're government agents."

Fuck you.

Now, on with our story.
Many years ago, I was interviewing for a position at a up and coming online store.
During the interview they showed me there database. In it, there were the CC numbers, name expire dates of all credit card transactions(thousands of them) unencrypted.
Anybody, at any time, could ahve downloaded that information to floppy and walked out.

It was a sweat shop, with 2 programer per card table(yes you read that right.).

So What?

[spykemail]

The FBI illegally obtains our information, why can't we illegally obtain theirs?

Database salting

[Ignorant Aardvark]

It's really sad that the FBI isn't using a simple salt on their stored passwords. This "hacker" was only able to get his hand on the hashed passwords, so his dictionary attack would only work if the passwords were stored unsalted. That's ridiculous. Hell, MediaWiki salts passwords by default ... the FBI can't do it?!

Once again

[COMON$]

I would like to state that this is your lowest bid tax dollars at work again. State and Federal agencies arent worried about Professionalism or getting things done right. They are worried about having the right paperwork and that you dont step on anyone's toes. Just once I would like to see a professional well functioning department in a Gov't agency. BTW I work for a gov't agency.