FBI Password Database Compromised by Consultant
LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency."
"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."
Upon trying to read the blurb (Score:4, Funny)
Indeed... in-deed...
Wow. (Score:5, Funny)
Good news! (Score:3, Funny)
Re:scary (Score:3, Funny)
Re:A hacker? (Score:5, Funny)
Re:Forced password expirations (Score:1, Funny)
Must have a number in it, but can't be at the beginning or end and must have a symbol in it! Expires in 90 days so you have to think up another password you can barely type, let alone remember since you have to have a different one for each site because each site has different policies! What?! I can't use my secure, hard to type, but easy for me to remember password on site Y because site Y has a different password policy?! Fuck you!
Our company's solution? Give us a program to store all our passwords in. Which can then be 'protected' by a simple password with no rules or expirations.
Rant rant rant.
Re:scary (Score:5, Funny)
Fuck that. I grow my own.
Re:And we're going to fix this... (Score:5, Funny)
>Are we also going to do something to prevent this from happening again
No. That would be wrong for the following reasons:
Re:comprise != compromise (Score:2, Funny)
Sincerely,
James Colon
Re:And we're going to fix this... (Score:5, Funny)
It only appears as Big98Boob$-311 to you since it's your password. To me it just looks like **************
So What? (Score:5, Funny)
Re:Our Government (Score:4, Funny)
If we don't get all this information together we won't be safe, and without being safe our entire country would fall apart. So we have to have complete and unfettered trust in our government that it is doing the right thing as they know everything about us!
Remember to smile for the security camera, there is an angel on the other side.
Re:Has the 'consultant' (Score:1, Funny)
Re:Yep, works for me. (Score:3, Funny)
For boys:
MyPrettyPony
BarbieIsNeat
ILikeGirls (only embarrassing up to a certain age, I suppose)
For girls:
ExtraHairy
GirlsRSmelly
BoysAreCool
Now that I've had fun dreaming these up, though, I wonder if the password could be so 'repulsive' that they will refuse to use the computer at all?