FBI Password Database Compromised by Consultant 373

LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.)
"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."
  • Briefly... (Score:4, Informative)

    by LoyalOpposition ( 168041 ) on Thursday July 06, 2006 @10:43AM (#15666946)
    s/comprised/compromised
  • by Martin Blank ( 154261 ) on Thursday July 06, 2006 @10:52AM (#15667014) Homepage Journal
    Just poor wording on the part of the author. Colon may have been provided access to the database by that FBI employee, and used a Perl script or any of several apps that can do their own SQL-connections to pull the data, only part of which would have been the hash.

    And just for some additional information for others not familiar with this kind of thing, there are dozens of programs that can do brute-force comparisons. It's also possible that he just used rainbow tables, which are available on (sometimes more than one) DVD for relatively small sums for the comparison. With a few really good computers, or a distributed computing project, it's not terribly hard to build up a sizable rainbow table in a relatively short period of time.
  • comprised, eh? (Score:3, Informative)

    by gEvil (beta) ( 945888 ) on Thursday July 06, 2006 @10:57AM (#15667045)
    Hmmm, apparently the FBI password database was made up from a consultant. I wonder if someone possibly meant compromised? Keep up the good work, Timmy. You deserve a raise!
  • by jbeaupre ( 752124 ) on Thursday July 06, 2006 @11:05AM (#15667112)
    We had a system like this on a student-run server in 1991 at NMSU. The server was continually trying to crack passwords. When it did, you got an automatic email telling you of the crack and to change your password.

    I thought it had two things going for it. Susceptible passwords were weeded out, and in theory your password should be cracked by a friendly before someone else.
  • Re:Unqualified moron (Score:4, Informative)

    by Moby Cock ( 771358 ) on Thursday July 06, 2006 @11:08AM (#15667141) Homepage
    Agreed. You've heard the phrase "knows enough to be dangerous". This guy heard about John the Ripper (or whatever he used. I can't RTFA, it's been slashdotted) somewhere and decided that it would be easy to use. What on earth was going through his head?
  • by unsigned integer ( 721338 ) on Thursday July 06, 2006 @11:08AM (#15667143)
    Is it any wonder that they are floundering, when the executive branch is set and determined to push out 'bad facts' people and replace them with 'good facts' yes-men? The article references the CIA, but I'm sure the FBI has felt the push as well. Imagine the loss of talent and people who want to do a good job, do it right, and not have to be encumbered by coming up with 'politically convenient' reports.


    http://service.spiegel.de/cache/international/0,1518,415638,00.html [spiegel.de]

  • by Khammurabi ( 962376 ) on Thursday July 06, 2006 @11:24AM (#15667267)
    1. The contractor, fed up with an onerous and ridiculous authorization process,
    2. asked for permission from FBI officials to crack their superiors' passwords,
    3. and the FBI officials in question said yes.

    Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?

    My question exactly. I used to work for the government, and it's highly believable that the guy was given approval to do this. (You have no idea how much red tape there is, let alone the process to get an account with the type of access he was after.) However, Colon shouldn't have cracked the database multiple times (let alone once). He should have either 1) kept requesting the agent's password when it changed, or 2) quit. There's a reason those processes were there, and if he didn't like it, he should have left. Also, the staffers can claim ignorance all they want, but I find it very hard to believe that none of them knew he was doing this to get his work done.
  • by Moraelin ( 679338 ) on Thursday July 06, 2006 @11:44AM (#15667400) Journal
    Sure, complaining about the users is easy and a favourite geek pastime, but how about educating the programmers before we let them loose on something that important?

    The classic newbie mistake is thinking, basically, "I know, I'll take the password as it is, run it through MD5 and store the hash. It's uber-secure because it's MD5, right?" Turns out: wrong. An attacker can, yes:

    1) download a program that will try every word in the dictionary until it finds a match, like this guy did. (And it _will_ find a match. There'll always be someone who took a password like "kitten" or "sex" or whatever, no matter how much you tried to educate them.) Or, better yet,

    2) use so-called "rainbow tables" which are basically key-value pairs. The key is a hash value, and the value is one password that's known to hash to the key. Hackers have been building such tables for a long while, so there are a _ton_ of passwords which can be instantly un-hashed. It doesn't matter if the user's password is "kitten" or "1+l0v3+b00b13z". If that password has been harvested once (e.g., he's also used it on some warez site), it can be de-hashed forever after by a simple lookup.

    So what smart programmers do is "salt" the password first. Add some arbitrary value before MD5-ing it. E.g., add the hash of the user name at the end of the password, _then_ MD5 it. Add your program's name. Whatever.

    Yes, it's "security by obscurity", because essentially you rely on an attacker not knowing wth you've salted the passwords with. But it tends to work nevertheless. A generic de-hashing program downloaded over the net can run through a dictionary all it wants, and it still won't decrypt your passwords unless it was created for exactly your salting method. Ditto for rainbow table lookups.

    Basically, seriously. Before picking on the users, I wish someone educated their programmers about even the basics of security. If this guy could pull this stunt, then chances are so could anyone else having any access to that building. So there is no excuse to have such vulnerabilities. Did anyone even do a security review there?
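Both attacks Moraelin lists, and the salting fix, in runnable form. This is an added example, not code from any poster here; the wordlist and user names are constructed, and the hardened scheme uses per-user random salts with PBKDF2 (the standard form of salting, where the salt is stored with the hash rather than kept as a secret string). The audit functions also play the role of the friendly cracking server jbeaupre describes above.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary/rainbow table the comment
# describes; real tables hold millions of entries.
WORDLIST = ["kitten", "sex", "password", "1+l0v3+b00b13z", "letmein"]
ITERATIONS = 10_000  # kept low so the demo is quick; production uses far more

def unsalted_md5(password):
    """The 'newbie' scheme from the comment: MD5 of the bare password."""
    return hashlib.md5(password.encode()).hexdigest()

def build_lookup_table(words):
    """Precomputed hash -> plaintext map. Built once, it applies to every account
    in every unsalted database, which is what makes the attack so cheap."""
    return {unsalted_md5(w): w for w in words}

def audit_unsalted(user_hashes, table):
    """Defender's audit of an unsalted database: any user whose hash is in the
    table has a password that is effectively already public."""
    return {user: table[h] for user, h in user_hashes.items() if h in table}

def salted_hash(password, salt):
    """Hardened scheme: per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored beside the hash; it need not be secret, because a table
    would have to be rebuilt for every salt value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_password(password):
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)

def verify_password(password, salt, stored):
    return hmac.compare_digest(salted_hash(password, salt), stored)

def audit_salted(user_records, words):
    """Same audit against salted records: no lookup is possible and each guess
    costs one KDF run per user, yet 'kitten' is still found. That is why a
    weak-password audit (like the friendly cracker described above) still helps."""
    found = {}
    for user, (salt, stored) in user_records.items():
        for word in words:
            if verify_password(word, salt, stored):
                found[user] = word
                break
    return found
```

Two users who both chose "kitten" get different salted hashes, so the precomputed table is worthless against them, but a per-user dictionary run still finds the word; salting raises the attacker's cost, it does not make weak passwords strong.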
  • by GigsVT ( 208848 ) on Thursday July 06, 2006 @11:50AM (#15667448) Journal
    That doesn't solve the problem of nonrevocability.

    Adding three weak locks with inherent flaws doesn't solve the problem of your lock being weak, only triples the effort required to get in.
  • Re:scary (Score:3, Informative)

    by Rolan ( 20257 ) on Thursday July 06, 2006 @12:01PM (#15667527) Homepage Journal
    How many FBI agents were on board the planes that crashed into the WTC? How many people would whine about invasion of privacy and wasting tax payers money if the government put FBI agents on every single flight inside, or into the US?
    This is called the Air Marshal system (yes, I know they're not FBI), and nobody has ever griped about it being an invasion of privacy or a waste of money.
  • by vertinox ( 846076 ) on Thursday July 06, 2006 @12:24PM (#15667728)
    The problem with a biometric system is that when someone manages to fool it and impersonate someone, you can't change their access token. At least if my password is compromised I can change it; not so with my thumbprint.

    If someone infiltrates the FBI and has managed to get their thumb prints, retinas, facial structure, and blood type to match an FBI director... And they have secretly replaced the director with this doppelganger.... Well, you are pretty much hosed anyways, so worrying about the issue you mentioned is quite moot.

    It would make a good movie though.

    But seriously, the point of really "good" bio-metrics is that they can't be duplicated without some major invasive measure such as cutting off their hands, eyes or head to place before a camera. I mean, if you saw a guy go up to a console at the FBI building with a severed hand, I think that would raise a few red flags. Secondly, passwords are not always as secure as biometrics because you can always torture someone into giving you their passwords.

    Whereas holding them hostage while you work your way through biometric security is a bit more difficult.
  • by iivel ( 918436 ) on Thursday July 06, 2006 @12:28PM (#15667752) Homepage
    I've posted this before, but it always seems to help a few people out. I give my users access to an internal page like this one: http://www.levii.com/cipher.php [levii.com] It helps them come up with a strong password, and they just print out the card to keep in their wallet should they forget it. Since the page is *mostly* random - and *some* physical security is maintained on the password it's the best compromise I can come up with for my users.
  • by danpat ( 119101 ) on Thursday July 06, 2006 @12:49PM (#15667932) Homepage
    Actually, you can have a pretty secure password that's not dictionary based and easy to remember. So long as you have enough characters, it'll be difficult to break.

    Take a look at password generation tools like "apg" and "pwgen". They use tools like trigraphs, triphthongs, diphthongs to make easy-to-remember, non-dictionary passwords. Sure, using these techniques reduces the keyspace for a brute force attack, but keyspace size and easy-to-remember are pretty much mutually exclusive.

    http://pwgen.org/ [pwgen.org]
    http://www.puroga.com/webtools/apgonline/index.php [puroga.com]
