
FBI Password Database Compromised by Consultant

timothy posted more than 8 years ago | from the this-is-the-beg-forgiveness-part dept.

LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Muller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.) "He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."

Upon trying to read the blurb (3, Funny)

LFS.Morpheus (596173) | more than 8 years ago | (#15666939)

Nothing for you to see here. Please move along.

Indeed... in-deed...

comprise != compromise (0, Offtopic)

Anonymous Coward | more than 8 years ago | (#15666999)

comprise, to be made up of. If the database is comprised of a consultant, that would be a person in a box who must respond to password queries very quickly.

Compromise, to reach a middle state between two conflicting positions. Like secure, and wide f'n open. If your database was secure and someone compromised it, then it's not so secure any more.

The title was more interesting when I thought we were boxing up consultants and replacing computers with them.

-theed

Re:comprise != compromise (1, Troll)

bcat24 (914105) | more than 8 years ago | (#15667107)

I have an idea. Maybe Slashdot could get some editors. Then they could read the stories ahead of time and fix errors.

Re:comprise != compromise (0)

Anonymous Coward | more than 8 years ago | (#15667273)

Like get the name of the FBI director correct...

Re:comprise != compromise (1)

Khakionion (544166) | more than 8 years ago | (#15667190)

Sure, but this headline says the database was comprised BY a consultant, meaning a consultant made up an FBI Password Database out of something, but it doesn't say what. ;)

Has the 'consultant' (3, Insightful)

zoomshorts (137587) | more than 8 years ago | (#15667091)

Been charged with illegal access? He apparently used a brute force cracking script to compromise the database he had tentative access to. If he needed greater access, he would have had it. The article is, at best, lacking in solid information. At least to me it is.

Re:Has the 'consultant' (1, Interesting)

Anonymous Coward | more than 8 years ago | (#15667131)

While that may be interesting to know, the most interesting detail here is that apparently sensitive information is being "protected" so carelessly by the FBI.

Even for those stupid enough to not intrinsically care about the government illegally spying on them, I'd hope those same Bush supporters aren't so idiotic that they'd trust the government to protect that information from attackers once they illegally obtained and stored it. They obviously can't even protect the information they're allowed to keep.

scary (5, Insightful)

rolyatknarf (973068) | more than 8 years ago | (#15666940)

These are the people protecting me from terrorists? Scary, very scary.

Re:scary (3, Funny)

rjhubs (929158) | more than 8 years ago | (#15666992)

While there are many problems with this story, the worst is that director Robert Mueller's password was broken from a simple dictionary attack. Who is in charge of network security at the FBI, elmo? The password of the day is Apple.

Re:scary (4, Insightful)

955301 (209856) | more than 8 years ago | (#15667084)

No. No they are not. The person protecting you from "terrorist" or anyone else trying to hurt you is yourself. Not cops, not the government, and often times your parents can end up the worst of your enemies (despite good intentions).

Rely on yourself for survival - rely on others to grow.

Re:scary (5, Funny)

GungaDan (195739) | more than 8 years ago | (#15667157)

"Rely on yourself for survival - rely on others to grow."

Fuck that. I grow my own.

Re:scary (1)

plopez (54068) | more than 8 years ago | (#15667148)

Not surprising. Remember, the only people that stopped an attack on 9/11 were ordinary *civilians*. The FBI failed, the military failed, the intelligence services failed and our political leadership failed. It was, as it usually is, just average off-the-street folks who were the ones who came through in a crisis.

Re:scary (0)

Anonymous Coward | more than 8 years ago | (#15667240)

Yes, scary. They are very scary. The government scares, err... strikes terror into me and others. That makes them terrorists of sorts..

Briefly... (4, Informative)

LoyalOpposition (168041) | more than 8 years ago | (#15666946)

s/comprised/compromised

Re:Briefly... (1)

TCM (130219) | more than 8 years ago | (#15667166)

Correction to that regex:

s#$#/#

hahahahahahaha (0, Troll)

Dragoonkain (704719) | more than 8 years ago | (#15666948)

owned

Trilogy? (0, Offtopic)

Pig Hogger (10379) | more than 8 years ago | (#15666951)

Trilogy, you say?

Are you sure it's not "Trinity", instead????

Re:Trilogy? (0)

Anonymous Coward | more than 8 years ago | (#15667251)

Wasn't she was the one who cracked the IRS DB? That was a long time ago...

And we're going to fix this... (4, Insightful)

richdun (672214) | more than 8 years ago | (#15666953)

So we charge the consultant, send him through the legal system, etc. Are we also going to do something to prevent this from happening again, like educating agents not to give out their username/password or allowing the kind of access this guy was able to get?

Re:And we're going to fix this... (5, Insightful)

Lumpy (12016) | more than 8 years ago | (#15667066)

How about FORCING the morons that end up as department heads and executives to use secure passwords?

A dictionary attack.... OMFG!

If the director had a secure password then it would not have been a big deal.

Listen kids, Big98Boob$-311 as your password is pretty damned secure and makes a dictionary attack useless against it.

Next question, WTF are the feds doing not using SecurID on all of their logins to eliminate such a problem??

Re:And we're going to fix this... (0)

Anonymous Coward | more than 8 years ago | (#15667178)

Big98Boob$-311 as your password is pretty damned secure

Kinda freaky ... how'd you know my password?

Would that it were that easy. (3, Insightful)

Divide By Zero (70303) | more than 8 years ago | (#15667269)

Forcing one's boss to do something is terribly difficult. You generally need support from your boss' boss. When they're both high-level political appointees, it's that much harder. Not saying you're wrong, just saying that it's not always possible. Generally easier (and better, imho) to teach him, give him some sort of appreciation of the pile of excrement he can wind up in if he doesn't.

As for two-factor, I know VA is moving towards it (and was before the whole laptop debacle). Might be fed-wide. Hopefully this will light a fire under it.

Re:And we're going to fix this... (1)

surprise_audit (575743) | more than 8 years ago | (#15667078)

They should be charging the agent as well as the consultant. The way lawyers game the legal system in the US, any investigation that agent has ever been involved in could be jeopardized.

Re:And we're going to fix this... (4, Insightful)

qwijibo (101731) | more than 8 years ago | (#15667099)

Why should they do that? They fixed the glitch. The guy pleaded guilty, so there's no reason for any government agent who acted carelessly and facilitated the crime to be reprimanded. From a management perspective, the problem isn't the access he had, but the egg on their face resulting from the access he had. He got fired and will likely go to jail, so from the management perspective, the problem has been solved. It may be a stupid viewpoint, but it's a very common one when the alternative is taking responsibility for one's own actions.

Education, not restriction is the answer. (0)

Anonymous Coward | more than 8 years ago | (#15667109)

not... allowing the kind of access this guy was able to get?

Granted, user education is always a great idea and by far the most important aspect of social engineering attacks, but how do you propose access be disallowed?

Where is the line drawn between making data available to those who need it and making it so hard to get that it is never accessed?

Re:And we're going to fix this... (1)

drinkypoo (153816) | more than 8 years ago | (#15667121)

Are we also going to do something to prevent this from happening again, like educating agents not to give out their username/password or allowing the kind of access this guy was able to get?

Perhaps we could be moving to a system not so easily compromised...

Re:And we're going to fix this... (4, Funny)

Kozar_The_Malignant (738483) | more than 8 years ago | (#15667183)

>Are we also going to do something to prevent this from happening again

No. That would be wrong for the following reasons:

  1. It would require admitting that the existing security system is sub-optimal.
  2. It would imply that the Dear Leader/FBI Director had made a mistake.
  3. Acknowledging that there was a problem would aid terrorists and Democrats.
  4. Creating a culture of accountability would damage agent morale and lead to #3 above.
  5. Sending some wanker consultant to jail makes staff feel good.
  6. The option of sending agents to jail and/or Butte, Montana must be reserved for the serious crime of embarrassing the Dear Leader.
Thank you for asking. However, the fact that you asked shows that you have no possible future with the FBI and are probably a threat to our National Security. We'll be in touch.

Most Common Passwords (1)

neonprimetime (528653) | more than 8 years ago | (#15666956)

Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. Then he used another program to crack the passwords by using dictionary word comparisons, lists of common passwords and character substitutions to figure out the plain text passwords.

Didn't you get the memo? Don't use god, love, sex, or secret. Also ... which program are they speaking of that would extract "hashes"?

Re:Most Common Passwords (1)

russotto (537200) | more than 8 years ago | (#15667004)

Also ... which program are they speaking of that would extract "hashes"?
That would be the dreaded "awk". As in
awk -F\: '{ print $1, $2 }' < /etc/passwd
Assuming, of course, that the FBI is using a Unix system lacking shadow passwords. Which wouldn't surprise me all that much.

Re:Most Common Passwords (5, Informative)

Martin Blank (154261) | more than 8 years ago | (#15667014)

Just poor wording on the part of the author. Colon may have been provided access to the database by that FBI employee, and used a Perl script or any of several apps that can do their own SQL-connections to pull the data, only part of which would have been the hash.

And just for some additional information for others not familiar with this kind of thing, there are dozens of programs that can do brute-force comparisons. It's also possible that he just used a rainbow table, which are available on (sometimes more than one) DVD for relatively small sums for the comparison. With a few really good computers, or a distributed computing project, it's not terribly hard to build up a sizable rainbow table in a relatively short period of time.

Re:Most Common Passwords (1)

tinkertim (918832) | more than 8 years ago | (#15667024)

I thought most FBI guys knew you used a bong or rolling papers to extract hash .. strange.

Re:Most Common Passwords (1)

drinkypoo (153816) | more than 8 years ago | (#15667161)

Actually, you usually use a polyethylene mesh bag.

Re:Most Common Passwords (0)

Anonymous Coward | more than 8 years ago | (#15667071)

John the Ripper
http://www.openwall.com/john/ [openwall.com]

Re:Most Common Passwords (0)

Anonymous Coward | more than 8 years ago | (#15667165)

Arnaud Pilon's Cachedump for Windows XP AD cached passwords. John the Ripper for the crack. I think Cachedump is hard to find anymore.

Our Government (1)

Buzz_Litebeer (539463) | more than 8 years ago | (#15666957)

Keeping us safe from harm. We should not look at this as a breach that affects Americans, it did not say anything about him accessing things like the NSA database on Americans etc... It just affected the Witness Protection program right? That doesn't matter, because he was a good guy and only doing it to do good work on the system easier.

And he was caught too, so crisis averted, everyone told us they caught him and there have never been similar attacks before!

I feel completely safe with my information knowing that they are out there keeping an eye even on those doing such things altruistically.

Re:Our Government (1)

DaveV1.0 (203135) | more than 8 years ago | (#15667132)

1) The FBI and the NSA are two separate agencies with two different missions.
2) The NSA's computers are much better protected because they are in the business of information monitoring and security.
3) The FBI is a law enforcement agency with files on millions of Americans, including those that have security clearances. Said files may include information which can be used to apply pressure to or to find weaknesses of said people with security clearances.
4) How much do you think the Witness Relocation and Protection database would be worth to various organized crime outfits? What do you think would happen if people in the program started being killed or disappearing? What would happen to RICO cases?
5) This individual was caught after over 180 and possibly 270 days. That is almost a year of illicit access.

Wow. (5, Funny)

Rob T Firefly (844560) | more than 8 years ago | (#15666961)

The consultant, Joseph Thomas Colon
What is he, some kind of a... no, sometimes it's too easy a shot, even for me.

Re:Wow. (1)

Billosaur (927319) | more than 8 years ago | (#15666998)

The consultant, Joseph Thomas Colon
What is he, some kind of a... no, sometimes it's too easy a shot, even for me.

Could be worse -- he could be a "new fragrance for men"...

Re:Wow. (0)

Anonymous Coward | more than 8 years ago | (#15667154)

Could be worse -- he could be a "new fragrance for men"...

Don't know about you, but I'd rather be "a fragrance for men", vs "the source of a fragrance by men".

Also, he could name his kid "Semi".

Re:Wow. (0, Offtopic)

Duhavid (677874) | more than 8 years ago | (#15667158)

His mom missed the chance to name him Charles.

And this family should definitely marry into ( hyphenated, of course ) the backslash-greaterthan family.

Forced password expirations (5, Interesting)

Zarhan (415465) | more than 8 years ago | (#15666967)

re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents.

    Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.

Re:Forced password expirations (2, Insightful)

Billosaur (927319) | more than 8 years ago | (#15667044)

Lesson #2: Don't use stupid password expiration periods, which force users to come up with new yet easy-to-remember (=> crackable) passwords. If passwords never expire, your users are bound to pick a more secure password in the first place since they know that they don't have to change it every full moon. Make the passwords never expire and just run a dictionary attack against your users - if you get through, THEN start harassing your user about proper security.

Or better yet, use a biometric system. It's amazing to think that the FBI, which was always on the cutting edge of technology back from its inception in order to better get ahead of the bad guys, is now foundering in the Internet age. Is it any wonder data sharing and coordination is such a problem?

Re:Forced password expirations (2, Informative)

unsigned integer (721338) | more than 8 years ago | (#15667143)

Is it any wonder that they are floundering, when the executive branch is set and determined to push out 'bad facts' people and replace them with 'good facts' yes-men? The article references the CIA, but I'm sure the FBI has felt the push as well. Imagine the loss of talent and people who want to do a good job, do it right, and not have to be encumbered by coming up with 'politically convenient' reports.

http://service.spiegel.de/cache/international/0,1518,415638,00.html [spiegel.de]

Re:Forced password expirations (1)

qwijibo (101731) | more than 8 years ago | (#15667168)

Since when is the FBI on the cutting edge? They only pick up techniques that have had sufficient time to be proven, which leaves them 10-20 years behind the cutting edge. Fortunately for them, criminals tend to be 50 years behind the times since they're too paranoid to hire outside consultants who are aware of the most recent technical developments.

Re:Forced password expirations (1)

Billosaur (927319) | more than 8 years ago | (#15667236)

They organized the first data banks of fingerprints in the nation and developed laboratories for processing crime scene material that were the forerunners of today's crime scene investigation units. They have had to stay one step ahead of criminals, but in recent decades seem to have lost their edge, perhaps from becoming too bureaucratized. The 9/11 Commission certainly took them to task for their failure to communicate vital information, but then again, a lot of people dropped the ball then, not just the FBI.

Re:Forced password expirations (4, Insightful)

Tim C (15259) | more than 8 years ago | (#15667224)

The problem with a biometric system is that when someone manages to fool it and impersonate someone, you can't change their access token. At least if my password is compromised I can change it; not so with my thumbprint.

Re:Forced password expirations (1)

Billosaur (927319) | more than 8 years ago | (#15667265)

At least if my password is compromised I can change it; not so with my thumbprint.

Which is why you can't rely on one biometric system alone. I would think a combination of maybe retinal, fingerprint, and voice recognition would make it much harder to impersonate someone to gain access.

Re:Forced password expirations (1)

vinn01 (178295) | more than 8 years ago | (#15667095)

I second that. Every time that I have had to deal with passwords that must be changed monthly I've found that users append or prepend the number of the month. In July, most of the passwords will begin or end in "07".

Another stupid rule: "a new password must contain three characters not found in the previous password". This was created to try to stop the "number of month" problem noted above. Instead it makes it hard to have long passwords. I created a 20 character password (pass phrase) once. The following month I was stonewalled because I could barely think of a new password with three new characters. I had already used most of the alphabet and a good part of the ASCII special characters.

Re:Forced password expirations (1, Funny)

Anonymous Coward | more than 8 years ago | (#15667098)

Oh dear lord. So I work at a security company. We have about 20 different passwords we have to remember. Our login. Our ticket system. Our Exchange server. Plus local accounts for various things, and numerous other company wide accounts. Each one has a different policy, expiration, and a stupid set of rules to follow when generating.

Must have a number in it, but can't be at the beginning or end and must have a symbol in it! Expires in 90 days so you have to think up another password you can barely type, let alone remember since you have to have a different one for each site because each site has different policies! What?! I can't use my secure, hard to type, but easy for me to remember password on site Y because site Y has a different password policy?! Fuck you!

Our company's solution? Give us a program to store all our passwords in. Which can then be 'protected' by a simple password with no rules or expirations.

Rant rant rant.

Re:Forced password expirations (4, Informative)

jbeaupre (752124) | more than 8 years ago | (#15667112)

We had a system like this on a student run server in 1991 at NMSU. The server was continually trying to crack passwords. When it did, you got an automatic email telling you of the crack and to change your password.

I thought it had two things going for it. Susceptible passwords were weeded out and in theory your password should be cracked by a friendly before someone else.

Re:Forced password expirations (0)

Anonymous Coward | more than 8 years ago | (#15667163)

Agreed!!!

As I've personally been subject to absurd password policies, though not as bad as a 90-day rotation, 1 10+ character 3-4 variation(U/l let/#/char) password scheme with 6 to 9 month rotation works just fine. With that, and have the users rotate throughout that time period so everyone doesn't change at once is also a good idea.

Now for him claiming his actions were used to 'overcome bureaucratic obstacles', anyone, AND I DO MEAN ANYONE, in THAT position, computer consultant for the FBI, DAMN WELL KNOWS THE BOUNDARIES OF COMPUTER SECURITY AND WHERE THE LINE IS. If there were policies in place that compromised efficiency in that Intelligence environment, I would assume that the appropriate channels are in place for suggestion and complaints to be made. Such a route should have been taken regardless if you lose your contract. Sorry, but NO JOB is worth BREAKING the LAW for, ESPECIALLY for our domestic hall monitors (see FBI).

As amusing as this is, I have little to no sympathy for this guy or the FBI. I would suggest some sort of Congressional Investigation into Computer Security at the FBI, but Congress already wastes too much money, so I'll just say let the media and Industry Analysts take their toll.

Re:Forced password expirations (1)

Azoth's Revenge (82601) | more than 8 years ago | (#15667215)

You know of course that this sort of crap comes from some security insignificant Certification and Accreditation crap. Passwords expire in 90 days check. User is automatically logged off in 20 minutes, check. Completely ignore the actual security of the system, while documenting all the insignificant crap that is required by the C&A, check.

Re:Forced password expirations (1)

quarterbrain (958359) | more than 8 years ago | (#15667222)

With that in mind... The gubmint just got smacked recently because they weren't changing their passwords often enough. I don't remember the catalyst but there was a subsequent audit and passwords were being kept the same for years. It was judged A Bad Thing and a government wide mandate was passed that every password for every conceivable thing that may have one was changed across the nation. Kinda seems like as far as passwords go, they're just not gonna please everyone.

Re:Forced password expirations (1)

neonprimetime (528653) | more than 8 years ago | (#15667235)

I agree, having a short password expiration date, combined with crappy password rules equals less security. At the company I work at the passwords expire every 30 days, you can't use your last like 10 passwords, and all you're required to do is have 1 number in your password. So you get users with passwords like this
  • January - myparty1
  • February - myparty2
  • March - myparty3

Instead a much more secure system would have the password expire once a year, can't use your previous password, and require 2 numbers and 2 symbols or something like that. Then you'll end up with passwords like
  • myparty!?21
  • 99rock&roll!

Which would be much more secure

Re:Forced password expirations (1)

pkcs11 (529230) | more than 8 years ago | (#15667246)

The real solution is setting up policy to enforce both the frequent changing of passwords and strong passwords. Password expiration isn't the problem in the above story. The problem is two-fold:
  • Passwords escrowed to a non-secured area of the network.
  • No strong password enforcement.

Better solution.... (0)

Anonymous Coward | more than 8 years ago | (#15667300)

Don't allow *any* users onto a government computer system at all.... until after they undergo training to teach them how to create strong passwords and exercise basic good-sense when it comes to computer security from a user's perspective. Make them take a written test and obtain a certificate that entitles them to obtain a logon account. Require periodic re-training and re-certification to maintain the privilege of computer access... and YES, make it a privilege not a "right". Revoke permanently their computer access privileges when they fail or demonstrate lack of competence or commit an act of negligence. If they can't do their job without computer access, then that's just tough. Too bad. Sucks to be them. You don't think a commercial aircraft pilot gets to continue their job (flying passengers or cargo for compensation) if he flouts or violates the FAA's rules do you? Nope, they lose the privilege of access to something that's vital to their ability to earn a living in their career and are forced to do something else for income. Computer security needs to be considered equally as important as that. The punishment for having a careless or cavalier attitude towards proper security needs to be damned harsh.

The only thing interesting to me is the pricetag. (4, Insightful)

a_karbon_devel_005 (733886) | more than 8 years ago | (#15666969)

The FBI's Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office. While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase -- a software system called the Virtual Case File -- was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel."

I need to check the Government Accountability Office more often. It's good to know we're spending 1 billion dollars to fund a, most likely, failed attempt at secure computing for the FBI. Doh.

Good news! (3, Funny)

Krellion (795134) | more than 8 years ago | (#15666975)

Now all we have to hear is that his laptop got stolen before he was caught.

A hacker? (3, Insightful)

Rick Zeman (15628) | more than 8 years ago | (#15666977)

Geeze, my sister could even run l0phtcrack. Can't give him much credit here.

Re:A hacker? (5, Funny)

dJOEK (66178) | more than 8 years ago | (#15667046)

is your sister single? hot?

Unqualified moron (5, Insightful)

dieman (4814) | more than 8 years ago | (#15666984)

Really, seriously, you do not crack passwords to get your work done. You crack passwords to ensure site security if it is part of your job description, but you do not use those accounts to get work done. Cripes.

Re:Unqualified moron (3, Informative)

Moby Cock (771358) | more than 8 years ago | (#15667141)

Agreed. You've heard the phrase "knows enough to be dangerous". This guy heard about John the Ripper (or whatever he used. I can't RTFA, it's been slashdotted) somewhere and decided that it would be easy to use. What on earth was going through his head?

Re:Unqualified moron (2, Insightful)

z0idberg (888892) | more than 8 years ago | (#15667181)

no kidding.

Admins, security depts and managers (though to a lesser extent generally) usually get pretty uppity with sharing passwords on ANY systems, and that's on internal systems for small time companies with sweet FA worth breaking in to. What the hell was this guy thinking? I suppose he thought those relaxed, easy going folks over at the FBI wouldn't mind if he ran some random script/program off the internet to retrieve some passwords so he can get on with the job.

I mean, it's only a cracking/hacking script, people that write those are usually pretty stand-up guys right? And it's only the FBI here, it's not the NSA or anything! And I need to crack those passwords so I can do my job so that should be cool, right?

Is this the kind of consultant they have working on this new system? I imagine the security being implemented with it is state of the art then!

Employees suck! (3, Insightful)

andrewman327 (635952) | more than 8 years ago | (#15666988)

There is incredible effort focused on keeping bad people out of networks. Where I currently work I need to use three different passwords that must be changed regularly in order to access a large database. The problem is that there is nothing stopping an employee of any company who has legitimate access to any data from using it for nefarious ends. I seem to remember employees of a credit card company stealing numbers a while back. Also, the Department of Veterans' Affairs and many other companies and agencies have lately had data breaches that were the direct result of employees either intentionally or accidentally removing data from the network and allowing it to be potentially misused.

Employers need to be more careful about whom they hire and what their employees are doing. Even the members of /. should agree that not all information should be free.

Re:Employees suck! (5, Insightful)

99BottlesOfBeerInMyF (813746) | more than 8 years ago | (#15667115)

Employers need to be more careful about whom they hire and what their employees are doing.

In the U.S. the workplace has developed an adversarial relationship between employers and employees. The mantra, "nothing personal, this is just business" has removed the major factor stopping employees from screwing over their employer. If it is just business when an employer lies to the employees, fires them when they need a boost in the numbers, outsources their job, cancels benefits, or takes other action that affects the employees negatively then it is also just business when the employee lies to the employer, walks off with equipment, moves to another job at a bad time without giving any notice, or loots the database for info they can sell.

You see, it was not the law that prevented this sort of behavior, it was an ethical motivation. People, in general, don't like to hurt or even disappoint others. They want to do right by them. When they are treated unethically in turn, that motivation disappears. Do you want your employees to be loyal and honest? I certainly recommend checking up on each one, but more importantly, treat them well and with concern. Make sure they know, even if they screw up they won't be fired. Make sure they know you're doing the best you can to provide them with a reasonable income, friendly workplace, and what they need to be happy. Make sure you reward their good works. Make sure that if they run into money troubles you're the first person they talk to. Make sure they know you respect them. This is not only ethical, it is good business.

Re:Employees suck! (2, Insightful)

andrewman327 (635952) | more than 8 years ago | (#15667230)

I agree that there needs to be an open dialogue between boss and peon. That is a vital part of having a successful business. However, there is no legal justification to large scale theft, regardless of how good Office Space was.

Re:Employees suck! (1)

writermike (57327) | more than 8 years ago | (#15667203)

Employees suck!

You're in luck. Many companies fire them these days! ;-)

Laws against security tools (2, Insightful)

Grue (3391) | more than 8 years ago | (#15666995)

Coming soon.. laws outlawing common dictionary password cracking tools and similar security tools.

Re:Laws against security tools (1)

tashanna (409911) | more than 8 years ago | (#15667036)

I can see it now...

The FBI now claims that the passwords were copyrighted by the FBI and his successful circumvention of the encryption was a violation of the DMCA. The RIAA has filed an interested party brief in the case. Slashdot succumbs to the black-hole-like density of the argument and gets sucked into it all.

- Tash

Re:Laws against security tools (1)

bcat24 (914105) | more than 8 years ago | (#15667081)

When password crackers are outlawed, only outlaws will have password crackers.

Re:Laws against security tools (1)

RipSUp (987194) | more than 8 years ago | (#15667090)

You are thinking to specific. They will just outlaw the dictionary. Luckily I quit using those years ago.

Re:Laws against security tools (0)

Anonymous Coward | more than 8 years ago | (#15667177)

Obviously so... It's "too", not "to" in that context!

Passwords (2, Insightful)

metarox (883747) | more than 8 years ago | (#15666996)

I can't believe that they don't even have some sort of verification that the passwords aren't common things. Heck, even here, when you try to change your passwords everywhere there are so many restrictions that it can't be a dictionary word or easy to guess. Simple rules:

- at least 1 capital letter (which means at least 1 letter)
- at least one symbol (@#.,& etc.)
- at least 1 number
- at least 8 characters long

How hard is it to enforce this?

oblig Beavis and Butthead (0, Offtopic)

Fnord666 (889225) | more than 8 years ago | (#15666997)

FBI spokesman Paul Bresson declined to discuss the specifics of the Colon case.
Heh heh heh He said colon.

The perils of consulting (1)

Billosaur (927319) | more than 8 years ago | (#15667012)

The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency.

See what happens when you don't give a consultant the access he needs? He goes out and gets it himself!

Note to FBI: maybe outsourcing some things is not such a good idea.

Re:The perils of consulting (1)

z0idberg (888892) | more than 8 years ago | (#15667237)

>See what happens when you don't give a consultant the access he needs? He goes out and gets it himself!

No, this is what happens when you don't give a consultant the access he needs and he is a RAVING LUNATIC with a deathwish.

I know the feeling (1)

jokerr (618070) | more than 8 years ago | (#15667015)

We've probably all been there where company politics were causing more harm than good. "Welcome to work, you have 3 days to do X but it will take you 2 days to get clearance to logon." I can sympathize with the guy and I myself have used similar tactics to get access to do my job. Nothing like password cracking but I've still gained access when I wasn't supposed to. In some cases "Don't ask, don't tell" works, you just have to be smart about it and know how far you can go. But especially not when you're working for the government! You don't mess around with government security (and I use that term lightly) to get your job done. You're going to get caught and they will prosecute you. At least this guy was smart enough to work out a plea.

Who was this agent? (1)

imunfair (877689) | more than 8 years ago | (#15667017)

What position was the agent in that had access to this database? I mean sure he had high clearance, but not everyone with high clearance should have access to the password database... what kind of security are they running here?

If he really was in a valid position to need access to it, then they definitely need to screen the mental abilities of people they give sensitive positions more carefully - any halfway decent sysadmin knows not to give their password out.

Password Expiration Policies (4, Interesting)

hattig (47930) | more than 8 years ago | (#15667027)

Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?

Would it have been so easily cracked if everyone had a 10+ character password that was truly strong, even if it was only changed once a year or never?

Is there an argument for password systems including a dictionary attack test phase for new passwords that if the new password fails, the user has to change it again?

And maybe when data is really important, they might wish to utilise some other form of identification besides passwords. Certainly witness protection details should be far more protected. A biometric system (fingerprints are the easiest to implement these days without much cost) in addition to the password...

Of course the consultant had an 'in', as he was consulting for them. Some minor social engineering and they're all letting him access the systems, bypassing proper procedure.

In the end, there's no excuse for data this important being accessed illegitimately like this. Security measures should be in place, access procedures should be in force, restrictions on data movement from secure to insecure should be enforced. Yet we see it every week - laptop stolen with confidential data on, unencrypted, open, in a file on the desktop probably called "Social Security Database.xls" or "List Of Witnesses On Protection Program, Do Not Show To Criminals Who Will Pay Good Money For This.doc".
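A worked version of the checks metarox and hattig describe above, added here as an editor's example and not taken from anyone in the thread: a password-change filter that enforces the composition rules, then runs the candidate through a dictionary test phase after undoing the usual evasions (case, leetspeak, trailing digits and symbols), and flags the "same word, bump the number every 90 days" pattern. The wordlist, the usernames and every function name below are constructed for the example; a real deployment would load a large dictionary file and the account's real password history.

```python
import re
import string
from typing import Iterable, List

# Constructed stand-in for a dictionary file (assumption for the example);
# a real check would load a large wordlist such as a leaked-password list.
COMMON_WORDS = frozenset({
    "password", "welcome", "letmein", "summer", "winter", "monkey",
    "dragon", "qwerty", "admin", "trilogy", "secret", "football",
})

# Undo the usual filter-dodging substitutions before the dictionary lookup.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(candidate: str) -> str:
    """Reduce 'P@ssw0rd1!' or 'Summer2006!' to the base word a human chose:
    lowercase, strip leading/trailing digits and punctuation, then undo
    leetspeak on what is left."""
    s = candidate.lower().strip(string.digits + string.punctuation)
    return s.translate(LEET_MAP)


def complexity_violations(pw: str, min_len: int = 8) -> List[str]:
    """The composition rules listed in the comments above."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    return problems


def dictionary_violations(pw: str, username: str = "",
                          history: Iterable[str] = (),
                          words: frozenset = COMMON_WORDS) -> List[str]:
    """The dictionary-attack test phase: reject anything an attacker's
    wordlist would reach with its first few mangling rules."""
    problems = []
    base = normalize(pw)
    if base in words:
        problems.append(f"based on dictionary word '{base}'")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    # The 90-day rotation pattern: same base word, only the suffix changed.
    if base and any(normalize(old) == base for old in history):
        problems.append("only the suffix changed since a previous password")
    return problems


def check_password(pw: str, username: str = "",
                   history: Iterable[str] = ()) -> List[str]:
    """Empty list means the candidate passes both phases."""
    return complexity_violations(pw) + dictionary_violations(pw, username, list(history))


if __name__ == "__main__":
    for pw, hist in [("Summer2006!", ["Summer2005!"]), ("Xq7#vL2pRw9!", [])]:
        print(pw, "->", check_password(pw, "jdoe", hist) or "OK")
```

Note that "Summer2006!" satisfies every composition rule and still fails, which is the point hattig makes: the rules alone do not stop the rotation-friendly password a cracker's wordlist tries first.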

Re:Password Expiration Policies (0)

Anonymous Coward | more than 8 years ago | (#15667116)

Would it have been so easily cracked if everyone had a 10+ character password that was truly strong, even if it was only changed once a year or never?

Then users will simply write down their "strong" 10+ character password someplace convenient.

I'm currently working as a contractor at an organization that has a fairly strong password policy in place on paper (i.e. requires 2 numbers embedded in the password [not on the end] and one non-alphanumeric character, no dictionary words, expires every 90 days, minimum 8 character length, can't repeat last X passwords, can't have substrings of your username in the password). Guess what happens? You can walk up and down any random row of cubicles and see sticky notes where people have written their passwords for the various systems they access.

Re:Password Expiration Policies (2, Insightful)

thynk (653762) | more than 8 years ago | (#15667238)

Surely this proves that 90 day password expiration policies encourage users to pick weaker passwords they can remember because they are having to change them all the time?

Surely this really proves that the IT department wasn't enforcing strong passwords and that's about all it proves. Having strong passwords that change every 90 days is NOT an unreasonable policy and is easy to enforce with any OS.

The IT department should be on trial along with the consultant.

comprised, eh? (2, Informative)

gEvil (beta) (945888) | more than 8 years ago | (#15667045)

Hmmm, apparently the FBI password database was made up from a consultant. I wonder if someone possibly meant compromised? Keep up the good work, Timmy. You deserve a raise!

His Password Was... (0)

airship (242862) | more than 8 years ago | (#15667049)

And the FBI chief's password was: 'JEdgarTransvestite'.
Bad, bad choice.

Re:His Password Was... (1)

remembertomorrow (959064) | more than 8 years ago | (#15667256)

What does Eddie Murphy have to do with this story?

Why would the director (2, Insightful)

Tweekster (949766) | more than 8 years ago | (#15667052)

even have access to much of that data. Just because he is top dog does not in any way mean he should have access to the witness protection records. He doesn't need to know that information, and if he does he should have to go through the proper channels. This is exactly why.

In many cases, the higher up the person, the LESS data they need from the computer systems.

Disaster averted! (5, Insightful)

qwijibo (101731) | more than 8 years ago | (#15667055)

Good thing this guy pleaded guilty. Otherwise, someone might ask uncomfortable questions, like why FBI agents were active participants in this criminal act. The whole problem would have been averted if someone didn't give their username and password to this guy.

Of course, the whole thing could have also been averted if normal users didn't have access to the password file. The Unix world figured out that shadow password files are a good idea a long time ago. Too bad the wisdom there hasn't caught on.

One thing everyone should know when working for a large organization is that they have policies for everything because they assume everyone is dumber than paste. The up side of this as a consultant is that you can bill a week for 30 minutes of work because there's a week of paperwork needed before you can perform any task. This guy tried to get things done more efficiently by sidestepping the boundaries. Small companies can respect that kind of attitude, but not the government. That kind of behavior results in lower billings to the government, and that is un-American.

Jumping through hoops, as silly as they may be, is an important part of any technical job within a large organization.

And the FBI agreed to this? (4, Insightful)

sammy baby (14909) | more than 8 years ago | (#15667077)

Talk about losing sight of the forest due to the trees...

Colon claimed that he did this because he was tired of having to seek bureaucratic authorization for every last task, including adding printers. Having worked with government agencies before, I can say I understand his frustration. But his later justification was priceless:

Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining a written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed up the work.

Colon's lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list.


Okay, so: getting authorization was onerous, so he asked for permission from agents in the Springfield office to forge their superiors' credentials in order to speed up the process. And they gave it to him.

Did you get that? I was originally gonna boldface the best parts, but I couldn't decide where to start.

1. The contractor, fed up with an onerous and ridiculous authorization process,
2. asked for permission from FBI officials to crack their superiors' passwords,
3. and the FBI officials in question said yes.

Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?

Re:And the FBI agreed to this? (4, Informative)

Khammurabi (962376) | more than 8 years ago | (#15667267)

1. The contractor, fed up with an onerous and ridiculous authorization process,
2. asked for permission from FBI officials to crack their superiors' passwords,
3. and the FBI officials in question said yes.

Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?

My question exactly. I used to work for the government, and it's highly believable that the guy was given approval to do this. (You have no idea how much red tape there is, let alone the process to get an account with the type of access he was after.) However, Colon shouldn't have cracked the database multiple times (let alone once). He should have either 1) kept requesting the agent's password when it changed, or 2) quit. There's a reason those processes were there, and if he didn't like it, he should have left. Also, the staffers can claim ignorance all they want, but I find it very hard to believe that none of them knew he was doing this to get his work done.

Well, we now know the FBI doesn't audit. (4, Insightful)

tinkertim (918832) | more than 8 years ago | (#15667103)

Regular access audits would have picked this up much sooner. End of story. By hanging this poor bastard out to dry, they've basically exposed even more lack of security.

I call for this every time something like this gets published , and I'll call for it again :

We need (real) IT professionals in Congress, they need to form an oversight committee, and they need to have pretty much unrestricted access to most systems so they can be effective.

These holes have *got* to get plugged. It's not only embarrassing, it's media porn and it's going to encourage hacks that *do* result in something bad happening.

Nimrods.
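An added example of the kind of access audit tinkertim is calling for; it is the editor's code, not anything from the thread or the FBI. It runs three checks over constructed log lines in a made-up "timestamp key=value ..." format (usernames, hostnames and the database path are invented): an account logging in from two different workstations within a short window (the shape of a borrowed credential), any read of the password hash database by an account outside an allowlist, and how often each account pulls that file (here, once per rotation cycle).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, Tuple

# Constructed log lines; the format, names, hosts and path are assumptions
# made for this example and do not come from the article.
SAMPLE_LOG = """\
2004-03-02T09:14:00 user=agent17 host=ws-fo-04 event=login
2004-03-02T09:20:00 user=agent17 host=ws-contractor-01 event=login
2004-03-02T09:25:10 user=agent17 host=ws-contractor-01 event=read path=/secure/pwdb.hash
2004-03-02T23:30:00 user=svc-backup host=bk-01 event=read path=/secure/pwdb.hash
2004-06-01T08:05:00 user=agent17 host=ws-contractor-01 event=login
2004-06-01T08:07:00 user=agent17 host=ws-contractor-01 event=read path=/secure/pwdb.hash
2004-06-01T08:30:00 user=agent22 host=ws-fo-09 event=login
"""

PWDB_PATH = "/secure/pwdb.hash"
ALLOWED_READERS: FrozenSet[str] = frozenset({"svc-backup"})


def parse(log: str) -> List[dict]:
    """One dict per line: the key=value fields plus a parsed 'ts' datetime."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def concurrent_host_logins(events: List[dict],
                           window: timedelta = timedelta(hours=1)) -> List[Tuple[str, str, str]]:
    """Same account logging in from two different hosts inside `window`."""
    alerts, last = [], {}
    for e in events:
        if e["event"] != "login":
            continue
        u = e["user"]
        if u in last:
            ts0, h0 = last[u]
            if e["host"] != h0 and e["ts"] - ts0 <= window:
                alerts.append((u, h0, e["host"]))
        last[u] = (e["ts"], e["host"])
    return alerts


def unauthorized_pwdb_reads(events: List[dict], allowed: FrozenSet[str] = ALLOWED_READERS,
                            path: str = PWDB_PATH) -> List[Tuple[datetime, str, str]]:
    """Any read of the hash database by an account outside the allowlist."""
    return [(e["ts"], e["user"], e["host"]) for e in events
            if e["event"] == "read" and e.get("path") == path and e["user"] not in allowed]


def reads_per_user(events: List[dict], path: str = PWDB_PATH) -> Dict[str, int]:
    """Repeat offenders: how many times each account pulled the file."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["event"] == "read" and e.get("path") == path:
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("shared credential:", concurrent_host_logins(ev))
    print("unauthorized reads:", unauthorized_pwdb_reads(ev))
    print("reads per user:", reads_per_user(ev))
```

The second check is the cheap one: a password hash store has a very short list of legitimate readers, so every read outside that list is worth an alert on its own, before any correlation.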

wow (1)

oliverjms (548028) | more than 8 years ago | (#15667113)

I bet it was Administrator Password

Yikes!!! (2, Insightful)

gstoddart (321705) | more than 8 years ago | (#15667128)

The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency.

What, like due-process, warrants, and legal considerations?

So FBI agents just stand around while he illegally accesses everything he's not supposed to so it can make their jobs easier? If there were actual agents standing around thinking this was good, we're in deep doo-doo, because they have now taken the stance that if they subcontract the illegal stuff, they're all good.

Yikes!

Next Stop: GITMO ! (0)

Anonymous Coward | more than 8 years ago | (#15667134)

Cuba, here you come! viva la revolucion!

Sh*t Rolls Downhill (1)

Detritus (11846) | more than 8 years ago | (#15667152)

While his actions weren't well thought through, they weren't malicious. It isn't smart to point out that the King has no clothes in any large bureaucracy, they tend to react by attacking the troublemaker.

I'd think that the FBI could afford to implement two-factor authentication for its employees.

The Good News Is... (1)

pedalman (958492) | more than 8 years ago | (#15667159)

That at least he didn't compromise any email accounts. [slashdot.org]

I figured as much... (0, Offtopic)

Mysticalfruit (533341) | more than 8 years ago | (#15667169)

Username: fmulder
Password: uf0s4ever

Someone forgot to salt their passwords? (0, Offtopic)

thecheatah (977630) | more than 8 years ago | (#15667191)

Hasn't this type of attack been taken care of by the introduction of salts and spices :-D. FBI needs to update their software!
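An added example, not from the thread, to make concrete what a salt does and does not do against the dictionary attack in the story. The accounts, passwords and wordlist below are constructed; the article does not say what hash function the FBI system used, so SHA-256 and PBKDF2 are assumptions chosen only to make the arithmetic visible. Counting hash operations shows that an unsalted file lets the attacker hash each word once and match it against every account, a per-account salt forces one hash per (account, word) pair, and only a deliberately slow hash raises the cost of each of those guesses; a weak password falls in all three cases.

```python
import hashlib
import os
from typing import Callable, Dict, List, Tuple

# Constructed accounts and passwords (assumptions for the example).
USERS = {"user1": "summer2006", "user2": "letmein", "user3": "Xq7#vL2pRw9!"}
WORDLIST = ["password", "letmein", "welcome", "trilogy", "summer2006",
            "dragon", "qwerty"]

HashFn = Callable[[str, bytes], str]


def sha256_salted(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def pbkdf2_salted(pw: str, salt: bytes, iterations: int = 50_000) -> str:
    # Same salt and wordlist, but each guess now costs `iterations` rounds.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def build_unsalted_db(users: Dict[str, str]) -> Dict[str, str]:
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def build_salted_db(users: Dict[str, str],
                    hashfn: HashFn = sha256_salted) -> Dict[str, Tuple[bytes, str]]:
    """One random salt per account, stored beside the hash (as /etc/shadow does)."""
    db = {}
    for u, p in users.items():
        salt = os.urandom(16)
        db[u] = (salt, hashfn(p, salt))
    return db


def crack_unsalted(db: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash every word once, then match the table against all accounts."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {u: table[h] for u, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db: Dict[str, Tuple[bytes, str]], wordlist: List[str],
                 hashfn: HashFn = sha256_salted) -> Tuple[Dict[str, str], int]:
    """With per-account salts nothing is shared: one hash per (account, word)."""
    cracked: Dict[str, str] = {}
    ops = 0
    for u, (salt, h) in db.items():
        for w in wordlist:
            ops += 1
            if hashfn(w, salt) == h:
                cracked[u] = w
                break
    return cracked, ops


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(build_unsalted_db(USERS), WORDLIST))
    print("salted  :", crack_salted(build_salted_db(USERS), WORDLIST))
    print("pbkdf2  :", crack_salted(build_salted_db(USERS, pbkdf2_salted),
                                    WORDLIST, pbkdf2_salted))
```

The same two accounts are cracked in every variant; the salt only removes the shared table (and any precomputed one), and PBKDF2 only multiplies the cost per guess. Neither helps an account whose password is on the first page of the wordlist, and neither matters if ordinary users can read the hash file in the first place.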

Witness Protection Info on shared database? (5, Insightful)

SydShamino (547793) | more than 8 years ago | (#15667205)

So one hash file gives him access to all FBI records, including the most sensitive? No offense, but why aren't the most sensitive of services protected by isolating them in a separate system? Compromising the witness protection program could endanger the lives of everyone protected by it, and just the idea that it might be compromised could reduce the chances of people helping the FBI and testifying.

Isn't witness protection data Need To Know? Why would the FBI director Need To Know anything at all at a moment's notice from his desktop PC? It would make much more sense to have a separate system, and have him walk down the hall, ask someone to retrieve what he needs, and maybe get ONE record made available for a limited time.

I'm not trolling or anything. Seriously, can someone suggest scenarios whereby immediate, free access to that data is valuable, especially by people who don't already know whether you or I are in the program?
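An added example, not from the thread, of the brokered access Tweekster and SydShamino argue for above: a small in-memory broker where a requester asks for one record with a justification, a different person approves it, and the resulting token is bound to that requester and that record and expires after a short TTL, with every step written to an audit trail. Record contents, names, the TTL and the class and method names are all constructed for the example; the clock is injected so the expiry path can be exercised deterministically.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# Constructed record store; nothing here is real data.
RECORDS = {"WP-0001": "record one (constructed)", "WP-0002": "record two (constructed)"}


@dataclass
class Grant:
    requester: str
    approver: str
    record_id: str
    expires: datetime


class RecordBroker:
    """Just-in-time, single-record, two-person access with an audit trail."""

    def __init__(self, records: Dict[str, str],
                 now: Callable[[], datetime] = datetime.now):
        self._records = records
        self._now = now  # injected clock (assumption for testability)
        self._pending: Dict[str, Tuple[str, str, str]] = {}
        self._grants: Dict[str, Grant] = {}
        self.audit: List[Tuple] = []

    def request(self, requester: str, record_id: str, justification: str) -> str:
        """Ask for exactly one record; nothing is released yet."""
        if record_id not in self._records:
            raise KeyError(record_id)
        req_id = secrets.token_hex(8)
        self._pending[req_id] = (requester, record_id, justification)
        self.audit.append(("request", requester, record_id, justification))
        return req_id

    def approve(self, approver: str, req_id: str,
                ttl: timedelta = timedelta(minutes=15)) -> str:
        """A second person approves; the grant is scoped and time-limited."""
        requester, record_id, _ = self._pending[req_id]
        if approver == requester:
            raise PermissionError("requester cannot approve their own request")
        del self._pending[req_id]
        token = secrets.token_urlsafe(32)
        self._grants[token] = Grant(requester, approver, record_id, self._now() + ttl)
        self.audit.append(("approve", approver, requester, record_id))
        return token

    def fetch(self, requester: str, token: str, record_id: str) -> Optional[str]:
        """Release the record only to the bound requester, for the bound
        record, before expiry; every outcome is logged."""
        g = self._grants.get(token)
        if g is None or g.requester != requester or g.record_id != record_id:
            self.audit.append(("deny", requester, record_id))
            return None
        if self._now() > g.expires:
            del self._grants[token]  # a grant never outlives its TTL
            self.audit.append(("expired", requester, record_id))
            return None
        self.audit.append(("fetch", requester, record_id))
        return self._records[record_id]
```

The contrast with the story is the point: a cracked password for the top account yields nothing here, because no account, however senior, holds standing read access to the store; it holds at most one approved, expiring grant, and the audit list shows who asked, who approved and what was read.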

Mod parent up! (1)

Jerry Coffin (824726) | more than 8 years ago | (#15667277)

This is one of the most intelligent comments in this thread. If the article is correct, it's pretty clear that the FBI isn't even making an attempt at following basic rules of security that have been well known since long before the FBI even existed...

Not Surprising (0, Redundant)

kungfuSiR (753429) | more than 8 years ago | (#15667233)

To be honest, this type of thing does not really surprise me with the government's current track record.

cracking common practice (1)

recharged95 (782975) | more than 8 years ago | (#15667287)

Due to the turf wars in many of the big govvy agencies, either cracking or weak passwords are common routines and have been employed for many years 'the way I see it'. Some systems are purposely blocked from users from just resource ownership, not by user need. The facade of the closed garden promotes this---everyone's at the same clearance level usually, and the data is hardly the sensitive component, but restricted by politics. Definitely nothing new here, except someone tooting their horn off on another gov't deficiency we already know about (didn't most agencies receive at highest a D+ from DHS on computer security already?).

"Don't trust your users" Really, this is the same logic as: "Don't trust your citizens" in another scenario [slashdot.org] , not a good conclusion IMO.
