FBI E-Mail Server Breached

voma writes "The FBI said Friday it has shut down an e-mail system that it uses to communicate with the public because of a possible security breach. The bureau is investigating whether someone hacked into the www.fbi.gov e-mail system, which is run by a private company, officials said. 'We use these accounts to communicate with you folks, view internet sites, and conduct other non-sensitive bureau business such as sending out press releases,' Special Agent Steve Lazarus, the FBI's media coordinator in Atlanta, said in an e-mail describing the problem."

They use an email server to surf the web???

[dos4who]

"'We use these accounts to ...view internet sites...".

I'm sorry, but when I hear a media spokesperson hiccup like that, my bullshit detector sends up an immediate flag. What was this email server really used for???

No Wonder 9/11 Happened!

[eno2001]

The FBI said Friday it has shut down an e-mail system that it uses to communicate with the public because of a possible security breach. The bureau is investigating whether someone hacked into the www.fbi.gov e-mail system, which is run by a private company, officials said. 'We use these accounts to communicate with you folks, view internet sites, and conduct other non-sensitive bureau business such as sending out press releases,' Special Agent Steve Lazarus, the FBI's media coordinator in Atlanta, said in an e-mail describing the problem.

OMFG!!!! The FBI can't tell the difference between the web www.fbi.gov and e-mail user@fbi.gov! Not only that, but they use their e-mail system to "view internet sites"???!!! WTF!!!? That's like a friend of mine asking me about a web address that looks like: http://user@fbi.gov! And the final nail in the coffin is that Special Agent Steve Lazarus sent an e-mail describing the problem to "communicate with you folks". Any guess that they are still using the same web/e-mail system to send out the press release? Wahoo it's so fun to participate in the idiotry of Slashdot!!! ;P

Here come the conspiracy theories...

[Jack Taylor]

Sending out press releases designed to provoke your suspect is a tried and tested method in law enforcement. What if they had a mission-critical email server that had been hacked but had to stay online no matter what? (Think of secure intelligence channels.) This press release could be to try and prevent him from coming back...

It would also explain how they were able to send the email ;)

Who wants to bet?

[hanshotfirst]

I'll wager 10:1 the "hacker" breaching the system was the RIAA bot searching for P2P software and mp3's on the server.

Originally I started thinking of this post as a joke, THEN I started thinking... what if the FBI really DID have a server with a collection of confiscated mp3's being held as "evidence" for "review" by agents at their convenience? And what if RIAA really did have such as hack-bot programmed and authorized to shutdown P2P systems?

Food for thought.

Re:Request

[BlueTooth]

THANK YOU! I'm not a MS fanboy or anything, but this is a very good point. A well configured, well patched Windows machine (especially a server) isn't going to be very vulnerable. The same can be said of Linux. Further, an unpatched, poorly configured Windows machine will drop dead very quickly, and the same can be said for Linux. You might even argue that a talentless admin would have an _easier_ time securing up a Windows machine (since sever 2003, anyway, where all services shipped off).

Yes, there seem to be a lot more exploits found for Windows, and yes an unpatched windows box will probably drop dead _faster_ than a similarly out of date linux box, but a lot of this can be attributed to market penetration.

Re:How?

[commodoresloat]

You beat me to it! My first experience with the WWW was retrieving documents through email. I still remember the sense of excitement realizing I could get documents mailed to me by another computer. I didn't know what the web was at the time (this must have been 1992 or 1993; it was well before Mosaic). I don't know if it was the same software (don't recall the name agora) but it was the same trick, and it rocked. I remember being blown away when I learned about lynx; thinking, wow, I don't have to wait for the computer to email it to me!

Re:Request

[brlancer]

I'm not a MS fanboy or anything, but this is a very good point. A well configured, well patched Windows machine (especially a server) isn't going to be very vulnerable.

I call bullshit.

Will it be a cakewalk to crack? No. Will it be "very vulnerable"? Yes. Why, you ask? Because there are vulnerabilities that are still unpatched years after reports. Many "minor" vulnerabilities are actually stepping stones to administrator privileges; Bugtraq has more than a few posts regarding stringing a half dozen "minor" ones together.

Can you make a Windows server secure? I don't think so--not to the degree which would be necessary, and not to the level which a *nix box could achieve with the same amount of effort (time+money). This is especially true WRT services that use IIS.

I'm not being a Linux/Unix/Be zealot--I've been a Unix admin and a Windows admin and the failure is in the design of the system. Windows was never designed (and still is not being designed) with security in mind. It's that simple and reading a few security manuals will evidence that.

Re:zerg

[Happy go Lucky]

Out of curiosity, does the FBI have any "normal" agents? Cause if they're all "special" agents, are they really that special?

It's a way of constraining them. If you ever go to a federal building and see a bunch of people standing around claiming to be the "Federal Police," they're actually titled "special

police officers." The reason for this is that no Fed actually has true general police powers. The way the statute is written, they have the powers of "sheriffs and constables" when in the course of some other duties.

However, they're walked on an amazingly short leash compared to, say, your city's police department. And for good reason: the feds have a large proportion of people too stupid to function as real cops.

I believe that "Special Agents" are the same situation. They have arrest and warrant powers when in the course of investigating certain matters explicitly given them by statute, but they don't get to just roll up and arrest you if you slug your wife while driving drunk or whatever.

For the "Special Police Officers," see 40 USC 318. I don't know how that affects "Special Agents."

Us & Them

[MSTCrow5429]

'We use these accounts to communicate with you folks, view internet sites, and conduct other non-sensitive bureau business such as sending out press releases.'

You folks? Gee, thanks alot, we don't trust you much either.

The "usually armed" part is NOT special.

[Ungrounded Lightning]

A special agent is a federal investigative employee who has powers of arrest and is usually armed. This is "special" when compared to the powers of an ordinary federal employee, not to other agents within the FBI.

Only the powers of arrest part is "special". A mind-boggling range of government employees have federal permission to carry guns. (And this permission, like post-office driving rules, overrides state laws.)

This was apparently first noticed when an airport security employee leaked the list of agencies whose members could carry thorugh airports. In 1997, according to a GAO study (the source for info in this [64.233.167.104] libertarian party press release) the nubmer of agencies was 45 and the number of gun-toters approaching 60,000 and had grown by over 2,400 in the previous year. I've heard nothing to indicate that the number has not continued to climb since then.

Some non-law-enforcement worker categories:

Poultry inspectors.
Disaster aid workers.
IRS auditors.

Some agencies with "special agents":

Small Business Administration
NASA
Department of Education
U.S. Fish & Wildlife Service
Department of Veterans Affairs

The Energy Department has access to machine guns and other agencies can summon tanks and military helicopters.

According to the Western Journalism Center these agencies have SWAT teams:

The National Park Service
the Department of Health & Human Services