Thu 6 Jul 2006
On /., LackThereof writes:
“An IT consultant for the FBI, hired to work on their new ‘Trilogy’ computer system, apparently got hold of the username and password hash databases for the FBI’s network. He then used a common dictionary attack to get usable passwords out of the hashes, including that of FBI director Robert Mueller, making him able to access virtually any data stored electronically at the FBI, including Witness Protection program records. The consultant, Joseph Thomas Colon, claims he used the passwords to avoid bureaucratic obstacles, and that his actions were condoned by the FBI agents he was working with at the agency.”
“He has pleaded guilty to 4 counts of ‘intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States.’ He initially gained access to the hash database by borrowing an agent’s username and password; he then re-downloaded and re-cracked it three more times to keep up with the FBI’s 90-day password expiration policy. Lesson: Your users are your biggest security hole. Don’t trust your users, especially if they’re government agents.”