FBI Password Database Compromised by Consultant
LackThereof writes "An IT consultant for the FBI, hired to work on their new 'Trilogy' computer system, apparently got hold of the username and password hash databases for the FBI's network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency." (More below.)
"He has pleaded guilty to 4 counts of 'intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.' He initially gained access to the hash database by borrowing an agent's username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI's 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don't trust your users, especially if they're government agents."
scary (Score:5, Insightful)
And we're going to fix this... (Score:5, Insightful)
The only thing interesting to me is the pricetag. (Score:5, Insightful)
I need to check the Government Accountability Office more often. It's good to know we're spending 1 billion dollars to fund a, most likely, failed attempt at secure computing for the FBI. Doh.
A hacker? (Score:4, Insightful)
Unqualified moron (Score:5, Insightful)
Employees suck! (Score:4, Insightful)
Employers need to be more careful about whom they hire and what their employees are doing. Even the members of
Laws against security tools (Score:3, Insightful)
Passwords (Score:2, Insightful)
Re:Forced password expirations (Score:3, Insightful)
Or better yet, use a biometric system. It's amazing to think that the FBI, which was always on the cutting edge of technology back from its inception in order to better get ahead of the bad guys, is now foundering in the Internet age. Is it any wonder data sharing and coordination is such a problem?
Why would the director (Score:3, Insightful)
In many cases, the higher up the person, the LESS data they need from the computer systems.
Disaster averted! (Score:5, Insightful)
Of course, the whole thing could have also been averted if normal users didn't have access to the password file. The Unix world figured out that shadow password files are a good idea a long time ago. Too bad the wisdom there hasn't caught on.
One thing everyone should know when working for a large organization is that they have policies for everything because they assume everyone is dumber than paste. The up side of this as a consultant is that you can bill a week for 30 minutes of work because there's a week of paperwork needed before you can perform any task. This guy tried to get things done more efficiently by sidestepping the boundaries. Small companies can respect that kind of attitude, but not the government. That kind of behavior results in lower billings to the government, and that is unamerican.
Jumping through hoops, as silly as they may be, is an important part of any technical job within a large organization.
Re:And we're going to fix this... (Score:5, Insightful)
A dictionary attack.... OMFG!
If the director had a secure password then it would not have been a big deal.
Listen kids, Big98Boob$-311 as your password is pretty damned secure and makes a dictionary attack useless against it.
Next question, WTF are the feds doing not using SecurID on all of their logins to eliminate such a problem??
And the FBI agreed to this? (Score:5, Insightful)
Colon claimed that he did this because he was tired of having to seek bureaucratic authorization for every last task, including adding printers. Having worked with government agencies before, I can say I understand his frustration. But his later justification was priceless:
Okay, so: getting authorization was onerous, so he asked for permission from agents in the Springfield office to forge their superiors' credentials in order to speed up the process. And they gave it to him.
Did you get that? I was originally gonna boldface the best parts, but I couldn't decide where to start.
1. The contractor, fed up with an onerous and ridiculous authorization process,
2. asked for permission from FBI officials to crack their superiors' passwords,
3. and the FBI officials in question said yes.
Okay, so, Colon is in court. What happened to the FBI staffers who gave him the go-ahead?
Re:scary (Score:5, Insightful)
Rely on yourself for survival - rely on others to grow.
Has the 'consultant' (Score:3, Insightful)
the database he had tentative access to. If he needed greater access, he would have had it. The
article is, at best, lacking in solid information. At least to me it is.
Re:And we're going to fix this... (Score:5, Insightful)
Well, we now know the FBI doesn't audit. (Score:5, Insightful)
I call for this every time something like this gets published, and I'll call for it again:
We need (real) IT professionals in Congress, they need to form an oversight committee, and they need to have pretty much unrestricted access to most systems so they can be effective.
These holes have *got* to get plugged. It's not only embarrassing, it's media porn and it's going to encourage hacks that *do* result in something bad happening.
Nimrods.
Re:Employees suck! (Score:5, Insightful)
Employers need to be more careful about whom they hire and what their employees are doing.
In the U.S. the workplace has developed an adversarial relationship between employers and employees. The mantra, "nothing personal, this is just business" has removed the major factor stopping employees from screwing over their employer. If it is just business when an employer lies to the employees, fires them when they need a boost in the numbers, outsources their job, cancels benefits, or takes other action that affects the employees negatively then it is also just business when the employee lies to the employer, walks off with equipment, moves to another job at a bad time without giving any notice, or loots the database for info they can sell.
You see, it was not the law that prevented this sort of behavior, it was an ethical motivation. People, in general, don't like to hurt or even disappoint others. They want to do right by them. When they are treated unethically in turn, that motivation disappears. Do you want your employees to be loyal and honest? I certainly recommend checking up on each one, but more importantly, treat them well and with concern. Make sure they know, even if they screw up they won't be fired. Make sure they know you're doing the best you can to provide them with a reasonable income, friendly workplace, and what they need to be happy. Make sure you reward their good works. Make sure that if they run into money troubles you're the first person they talk to. Make sure they know you respect them. This is not only ethical, it is good business.
Yikes!!! (Score:3, Insightful)
What, like due-process, warrants, and legal considerations?
So FBI agents just stand around while he illegally accesses everything he's not supposed to so it can make their jobs easier? If there were actual agents standing around thinking this was good, we're in deep doo-doo, because they have now taken the stance that if they subcontract the illegal stuff, they're all good.
Yikes!
Re:Unqualified moron (Score:2, Insightful)
Admins, security depts and managers (though to a lesser extent generally) usually get pretty uppity with sharing passwords on ANY systems, and that's on internal systems for small time companies with sweet FA worth breaking in to. What the hell was this guy thinking? I suppose he thought those relaxed, easy going folks over at the FBI wouldn't mind if he ran some random script/program off the internet to retrieve some passwords so he can get on with the job.
I mean, it's only a cracking/hacking script, people that write those are usually pretty stand-up guys right? And it's only the FBI here, it's not the NSA or anything! And I need to crack those passwords so I can do my job so that should be cool, right?
Is this the kind of consultant they have working on this new system? I imagine the security being implemented with it is state of the art then!
Witness Protection Info on shared database? (Score:5, Insightful)
Isn't witness protection data Need To Know? Why would the FBI director Need To Know anything at all at a moment's notice from his desktop PC? It would make much more sense to have a separate system, and have him walk down the hall, ask someone to retrieve what he needs, and maybe get ONE record made available for a limited time.
I'm not trolling or anything. Seriously, can someone suggest scenarios whereby immediate, free access to that data is valuable, especially by people who don't already know whether you or I are in the program?
Re:Forced password expirations (Score:5, Insightful)
Re:Employees suck! (Score:3, Insightful)
Re:Password Expiration Policies (Score:3, Insightful)
Surely this really proves that the IT department wasn't enforcing strong passwords and that's about all it proves. Having strong passwords that change every 90 days is NOT an unreasonable policy and is easy to enforce with any OS.
The IT department should be on trial along with the consultant.
Would that it were that easy. (Score:4, Insightful)
As for two-factor, I know VA is moving towards it (and was before the whole laptop debacle). Might be fed-wide. Hopefully this will light a fire under it.
Re:scary (Score:4, Insightful)
Huh?
What ever gave you that idea? What evidence is there? Next, people will believe that "Homeland Security" is... Or the war in Iraq was...
Re:Employees suck! (Score:3, Insightful)
However, there is no legal justification to large scale theft, regardless of how good Office Space was.
Laws are not a very good way to motivate behavior. The death penalty is not a good deterrent because most killers are either desperate, emotionally driven, or believe they will not be caught anyway. Similarly, threat of punishment is a terrible way to motivate employees to not steal and that is what the laws are really. Don't steal or we'll throw you in jail is not nearly as effective as the ethical motivation of don't steal because you'll be betraying a trust and being a jerk. There have been some great studies and books written on the subject, detailing exactly how well various motivations work.
Regardless of your ethical beliefs, plenty of people feel no guilt whatsoever stealing from people who treat them not as a person, but as a worker. It changes the dynamic of a relationship from one between people to one between two impersonal machines, following predefined rules and policies. If they know you will fire them regardless of what they do and your feelings toward them, when the head office says to lay off 15 people, then they will react by treating you impersonally as well. That means the main motivation for their not stealing from you is gone.
Most good businessmen recognize the value of loyal, dedicated employees. In some places employees have worked without pay or any expectation of it for months to help out a struggling company to whom they are loyal. Unfortunately, most managers and executives these days are not actually interested in the welfare of the company that employs them. They too have an adversarial relationship and that means they will screw over the company's future for short term gains that allow them to move up or get more money. They are expected to regularly move on to other companies anyway and often looked down upon for being content where they are.
As a result, most employees have little loyalty to their company and this sort of theft is commonplace. One particularly interesting study I read was involving petty theft. When presented with an honor system, who steals and who pays and when. Theft rate was affected by holidays, bad weather, and company hierarchies. Theft spiked near the holidays, when the weather was bad, and on floors where upper management was quartered. I think that particular study was in the book "Freakonomics." Pick it up if you have any interest.
Re:And the FBI agreed to this? (Score:5, Insightful)
Re:Witness Protection Info on shared database? (Score:2, Insightful)
Re:scary (Score:3, Insightful)
Well to be fair, you are more likely to die from a drunk driver so I'd be more concerned how your local State Troopers are behaving.
Re:Employees suck! (Score:3, Insightful)
While I agree that the qualities you've listed make for a better business, both in terms of a better workplace as well as a business that is concerned more with the next 10 years than the next quarter, I have to disagree with the above statement. It makes it sound like your average worker is one bad meeting or one lousy review away from ripping you off. In my experience that's not the case. Most people I've worked with at least try to act honestly and fairly with others (if I've got enough anecdotes it proves something -- right?).
To tweak your point slightly I'd say that there's always a certain small percentage of the workforce that, if given the opportunity, will act unethically in order to achieve some larger (either personal or corporate) goal. The change in the U.S. workplace environment just gave those people the bad example they needed to justify their behavior. After all, if major business can crap all over their employees and enjoy record profits and AT&T can sell your information to the feds who cares if I crack my boss's password to make things a little easier (or to see the results of my review a few weeks early).
I think the key distinction though is that these employees were already the type of people that would do whatever they could get away with (and they've just seen the bar for "what you can get away with" ascend into the stratosphere) and not your typical office worker.
Re:And we're going to fix this... (Score:5, Insightful)
Re:Has the 'consultant' (Score:5, Insightful)
Way worse than what Merlyn did (Score:5, Insightful)
Compare that to the clearly less harmful actions of Randal Schwartz [google.com], who went gray-hat (one time, without using the logins, as a security warning). Three felony convictions and a rather severe sentence.
Re:scary (Score:5, Insightful)
[ Same answer as "why does the whitehouse need to know who every undercover CIA agent is ?" ]
Re:And we're going to fix this... (Score:2, Insightful)
And now for the "flip-side"... (Score:3, Insightful)
Situation: Contractor entrusted with compiling "the numbers" on "that important account" is involved in an accident (yup, you guessed it) the morning of "the big presentation." Oh, but all her work is (by company policy) safe and sound on the server instead of on her (now smashed) laptop. Great! Just one little problem: nobody knows her password, and (also by company policy) access to anyone's server-side account other than the person to whom that account is assigned is strictly verboten! No "emergency plan" exists to cover such a contingency, and the critical hour (minute) fast approaches.
Solution: A quick call to IT (from the contractor's manager's phone) went something like this: "Hey, Suzy Q's password needs to be reset; her account's locked out. You want me to just tell her the password is 'password' and she needs to change it the first time she logs in? No problem. Yeah, and I'll see to it the password-reset form gets done and drop it off to you ASAP; I know you gotta cover things on your end. Thanks!" Almost five whole minutes, and the "company policy" that was no doubt pored over for hour upon hour by some of the finest administrative (and legal) minds in the company's employ was artfully dodged by "just some dude." I think one of us asked the guy if he felt bad about lying to the person in IT, and his response was that he didn't lie; the account was locked out (after he had tried to guess the password three times...) so the password did need to be reset and as soon as he saw "Suzy Q" he would be sure to tell her what her new password was! Unethical? Yup. Sneaky? Yup. Effective? Yup. The presentation was retrieved, the account was saved, and the world continued to revolve. A simplistic example, sure, but [insert "slippery-slope" analogy here]...
I'm not saying I condone it and I'm not saying I'd do it, I'm just saying you've got to be stupid to think you can throw obstacles in front of motivated people and they won't figure a way to avoid them, and it's wise to occasionally evaluate whether or not we're doing just that.
Re:And we're going to fix this... (Score:4, Insightful)
It's not that the higher ups are idiots for choosing crackable passwords. It's that passwords don't work. Not well enough to do what we want them to do.
They can be made less dysfunctional by checking for things like dictionary attacks, but a password that is strong enough to be used for something like tracking terrorists or launching nuclear missiles is too strong for a human to remember.
And there have been solutions for this around forever. Lotus Notes has had two factor security with strong crypto for twenty years now. RSA and other vendors have been selling solutions that work for basically forever.
This guy was foolish to do what he did. Not because it was wrong, but because the results to himself were predictable. The FBI reaction in this case reminds me of the Catholic Church's reaction to priest pedophilia. The Church has a rule that it is wrong to bring the Church into disrepute. But instead of interpreting this rule as "don't do anything that is shameful", it became "don't let the truth about shameful things get out."
So, what we have here is a geek who just wanted to get his job done, up against the slowness of the bureaucracy. Why is the bureaucracy slow? Because slow is safe. Decisions that don't get made don't leave anybody responsible. But bureaucracies are still jealous of their rights to make decisions, even if they are put off indefinitely. Making things happen fast, and along the way exposing weaknesses that attach to individuals, that's almost unimaginably evil from that point of view.
Re:scary (Score:3, Insightful)
Re:Forced password expirations (Score:5, Insightful)
1 - biometric (fingerprint, voice, retina, etc.)
2 - item (SecureID card, etc.)
3 - password
If biometric fails, the cracker still doesn't have the item or password. If the item is stolen, the cracker doesn't have a fingerprint or password. If the doofus tells someone his password, the cracker doesn't have the fingerprint or item.
jfs
Re:Forced password expirations (Score:2, Insightful)
I.e.
User sets initial password to "MyP@ssw0rd1"
90-day expiration comes, user sets their password to "MyP@ssw0rd2"
90-day expiration comes, user sets their password to "MyP@ssw0rd3"
Once a hacker cracks a user's password (the hard part?), they can continue to use it just by incrementing a digit in the user's password after each 90-day period, thereby rendering any password expiration policies useless.
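As an added example (not code from the thread or from any of its posters), here is a Python password-acceptance check covering the two points raised above: the dictionary/mangling-rule check behind the "Big98Boob$-311" post, and the incremented-counter rotation this post describes. The word list and substitution table are constructed for the example and are tiny compared with what a real policy engine (or a real cracker) would use; the rotation check goes slightly beyond the post by treating a change to digits anywhere in the password, not just at the end, as a trivial rotation.

```python
"""Password-acceptance policy check (constructed example, not the FBI's or anyone's real policy)."""
import re

# Constructed toy word list; a real deployment would load a large list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}

# Undo the substitutions a mangling-rule cracker tries first ('P@ssw0rd' -> 'password').
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                      "!": "i", "4": "a", "5": "s", "7": "t"})


def normalize(pw):
    """Lower-case the password and reverse common leet substitutions."""
    return pw.lower().translate(LEET)


def is_dictionary_based(pw):
    """True if the normalized password contains a dictionary word.

    Catches 'MyP@ssw0rd1' (contains 'password' after normalization) but not
    'Big98Boob$-311', which normalizes to 'big98boobs-ell' and matches no word.
    """
    core = normalize(pw)
    return any(word in core for word in DICTIONARY)


def is_trivial_rotation(previous, new):
    """True if the new password is the previous one with only its digits changed.

    Stripping every digit makes 'MyP@ssw0rd1' and 'MyP@ssw0rd2' identical, so an
    expiry-driven counter bump is rejected. An unchanged password is also caught.
    """
    return re.sub(r"\d", "", previous) == re.sub(r"\d", "", new)


def check_new_password(new, previous=None, min_length=12):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(new) < min_length:
        problems.append("too short")
    if is_dictionary_based(new):
        problems.append("based on a dictionary word")
    if previous is not None and is_trivial_rotation(previous, new):
        problems.append("only the counter changed since the previous password")
    return problems


if __name__ == "__main__":
    # The rotation from the post above: rejected on all three counts.
    print(check_new_password("MyP@ssw0rd2", previous="MyP@ssw0rd1"))
    # The password suggested two posts up: accepted.
    print(check_new_password("Big98Boob$-311", previous="MyP@ssw0rd3"))
```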
Re:scary (Score:5, Insightful)
What do you expect? (Score:2, Insightful)
As we all know the net upshot of forcing users to change passwords every 90 days is easy to remember passwords and/or writing them down. In this case I think it's an even worse policy. If an FBI password is compromised the worst damage is going to happen within a day or two.
Re:scary (Score:2, Insightful)
Well, I'd certainly complain if they started rifling through my luggage mid-flight.
The biggest complaint one could really have is that a rather expensive program at $660 million dollars a year of funding, with very little to show for it. They haven't completed a single assessment of their own efficacy, and the last note about this is that in 2005, the project to determine how much less completed guidelines on how to assess their own operations.
Attacks between 1990 and September 10, 2001 involving terrorists aboard U.S. aircraft: 0
Federal Air Marshals in active commercial flight duty, same period: max. 50 (33 agents on 9/11/2001)
Attacks following September 11, 2001 involving terrorists aboard U.S. aircraft: 0
Federal Air Marshals in active commercial flight duty, same period: "thousands" (numbers no longer released)
Indeed, the only real news about FAM operations seems to be when they mistakenly shot and killed a passenger who was distressed over a spousal argument and stormed off of the plane upon their arrival in Miami, in the mistaken belief he was a terrorist.
So hey, for millions of added dollars, we've gotten the same efficacy we had before the single milestone event that caused the agency's expansion. Zero. But on the plus side, there's one less tourist in Miami.
I suppose the moral of this is the same as every other post: for the right price, your government can certainly instill in you an illusion of security. The most effective ways of fighting crime tend to assume everyone is a criminal to begin with, and work from there.
Sources:
http://www.whitehouse.gov/omb/expectmore/detail.1
http://en.wikipedia.org/wiki/Federal_Air_Marshal_
http://www.colorado.edu/hazards/wp/wp107/wp107.ht