FBI Password Database Compromised by Consultant 373
LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.)
"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."
Briefly... (Score:4, Informative)
Re:Most Common Passwords (Score:5, Informative)
And just for some additional information for others not familiar with this kind of thing, there are dozens of programs that can do brute-force comparisons. It's also possible that he just used a rainbow table, which are available on (sometimes more than one) DVD for relatively small sums for the comparison. With a few really good computers, or a distributed computing project, it's not terribly hard to build up a sizable rainbow table in a relatively short period of time.
comprised, eh? (Score:3, Informative)
Re:Forced password expirations (Score:5, Informative)
I thought it had two things going for it. Susceptible passwords were weeded out and in theory your password should be cracked by a friendly before someone else.
Re:Unqualified moron (Score:4, Informative)
Re:Forced password expirations (Score:2, Informative)
http://service.spiegel.de/cache/international/0,1
Re:And the FBI agreed to this? (Score:5, Informative)
My question exactly. I used to work for the government, and it's highly believable that the guy was given approval to do this. (You have no idea how much red tape there is, let alone the process to get an account with the type of access he was after.) However, Colon shouldn't have cracked the database multiple times (let alone once). He should have either 1) kept requesting the agent's password when it changed, or 2) quit. There's a reason those processes were there, and if he didn't like it, he should have left. Also, the staffers can claim ignorance all they want, but I find it very hard to believe that none of them knew he was doing this to get his work done.
How about educating the programmers? (Score:3, Informative)
The classic newbie mistake is thinking, basically, "I know, I'll take the password as it is, run it through MD5 and store the hash. It's uber-secure because it's MD5, right?" Turns out: wrong. An attacker can, yes:
1) download a program that will try every word in the dictionary until it finds a match, like this guy did. (And it _will_ find a match. There'll always be someone who took a password like "kitten" or "sex" or whatever, no matter how much you tried to educate them.) Or, better yet,
2) use so-called "rainbow tables" which are basically key-value pairs. The key is a hash value, and the value is one password that's known to hash to the key. Hackers have been building such tables for a long while, so there are a _ton_ of passwords which can be instantly un-hashed. It doesn't matter if the user's password is "kitten" or "1+l0v3+b00b13z". If that password has been harvested once (e.g., he's also used it on some warez site), it can be de-hashed for ever after by a simple lookup.
So what smart programmers do is "salt" the password first. Add some arbitrary value before MD5-ing it. E.g., add the hash of the user name at the end of the password, _then_ MD5 it. Add your program's name. Whatever.
Yes, it's "security by obscurity", because essentially you rely on an attacker not knowing wth you've salted the passwords with. But it tends to work nevertheless. A generic de-hashing program downloaded over the net can run through a dictionary all it wants, and it still won't decrypt your passwords unless it was created for exactly your salting method. Ditto for rainbow table lookups.
Basically, seriously. Before picking on the users, I wish someone educated their programmers about even the basics of security. If this guy could pull this stunt, then chances are so could anyone else having any access to that building. So there is no excuse to have such vulnerabilities. Did anyone even do a security review there?
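To make the point of the two comments above concrete (the "dozens of programs" and rainbow-table remark earlier in the thread, and the salting advice just above), here is an added example that is not from the original thread or any poster. It builds a tiny precomputed hash-to-password table from a constructed five-word list, shows that an unsalted MD5 hash is recovered by a single dictionary lookup, and then shows that a per-user random salt with a slow key-derivation function (PBKDF2-HMAC-SHA256, from Python's standard library) makes the same table useless and gives two users with the same password different stored hashes. It goes one step beyond the poster's fixed-salt suggestion: the salt is random per user and stored next to the hash rather than being a secret of the program. The wordlist, iteration count and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; stands in for a real dictionary or rainbow table.
WORDLIST = ["kitten", "password", "letmein", "sex", "1+l0v3+b00b13z"]


def unsalted_md5(password: str) -> str:
    """The 'classic newbie' scheme from the thread: MD5 of the raw password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; this is the principle behind a rainbow table."""
    return {unsalted_md5(w): w for w in words}


def lookup(table, digest: str):
    """Constant-time-in-effort reversal: one dictionary lookup, no cracking needed."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Per-user salt plus a deliberately slow KDF (assumed iteration count)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store(password: str):
    """Return (salt, hash) to persist; the salt is random and not secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare without leaking timing."""
    return hmac.compare_digest(salted_hash(password, salt), expected)


def demo():
    table = build_lookup_table(WORDLIST)

    # Unsalted: a leaked hash of a dictionary word is reversed instantly.
    leaked = unsalted_md5("kitten")
    recovered = lookup(table, leaked)            # "kitten"

    # Salted: the same weak password yields two different records, and the
    # precomputed table no longer matches anything.
    salt1, hash1 = store("kitten")
    salt2, hash2 = store("kitten")
    return (
        recovered,
        hash1 != hash2,                          # True: per-user salt differs
        lookup(table, hash1.hex()) is None,      # True: table is useless now
        verify("kitten", salt1, hash1),          # True: legitimate login works
        verify("wrong", salt1, hash1),           # False: wrong password rejected
    )


if __name__ == "__main__":
    print(demo())
```

The salt's job is not secrecy but uniqueness: an attacker who steals the table gets the salts too, yet must now run the slow KDF separately for every user and every guess instead of reusing one precomputed table across the whole database.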
Re:Forced password expirations (Score:2, Informative)
Adding three weak locks with inherent flaws doesn't solve the problem of your lock being weak, only triples the effort required to get in.
Re:scary (Score:3, Informative)
Re:Forced password expirations (Score:2, Informative)
If someone infiltrates the FBI and has managed to get their thumb prints, retinas, facial structure, and blood type to match an FBI director... And they have secretly replaced the director with this doppelganger.... Well you are pretty much hosed anyways so worrying about the issue you mentioned is quite moot.
It would make a good movie though.
But seriously, the point of really "good" bio-metrics is that they can't be duplicated without some major invasive measure such as cutting off their hands, eyes or head to place before a camera. I mean if you saw a guy go up to a console at the FBI building with a severed hand, I think that would raise a few red flags. Secondly, passwords are not always as secure as biometrics because you can always torture someone into giving you their passwords.
Whereas holding them hostage while you work your way through biometric security is a bit more difficult.
Re:And we're going to fix this... (Score:2, Informative)
Re:Actually, that is not a secure password... (Score:3, Informative)
Take a look at password generation tools like "apg" and "pwgen". They use tools like trigraphs, triphthongs, diphthongs to make easy-to-remember, non-dictionary passwords. Sure, using these techniques reduces the keyspace for a brute force attack, but keyspace size and easy-to-remember are pretty much mutually exclusive.
http://pwgen.org/ [pwgen.org]
http://www.puroga.com/webtools/apgonline/index.ph