[ISN] Consultant Breached FBI's Computers

From: InfoSec News (isn@private)
Date: Wed Jul 05 2006 - 22:21:53 PDT


http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501489.html

By Eric M. Weiss
Washington Post Staff Writer
July 6, 2006

A government consultant, using computer programs easily found on the
Internet, managed to crack the FBI's classified computer system and
gain the passwords of 38,000 employees, including that of FBI Director
Robert S. Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant
access to records in the Witness Protection Program and details on
counterespionage activity, according to documents filed in U.S.  
District Court in Washington. As a direct result, the bureau said it
was forced to temporarily shut down its network and commit thousands
of man-hours and millions of dollars to ensure no sensitive
information was lost or misused.

The government does not allege that the consultant, Joseph Thomas
Colon, intended to harm national security. But prosecutors said
Colon's "curiosity hacks" nonetheless exposed sensitive information.

Colon, 28, an employee of BAE Systems who was assigned to the FBI
field office in Springfield, Ill., said in court filings that he used
the passwords and other information to bypass bureaucratic obstacles
and better help the FBI install its new computer system. And he said
agents in the Springfield office approved his actions.

The incident is only the latest in a long string of foul-ups, delays
and embarrassments that have plagued the FBI as it tries to update its
computer systems to better share tips and information. Its computer
technology is frequently identified as one of the key obstacles to the
bureau's attempt to sharpen its focus on intelligence and terrorism.

An FBI spokesman declined to discuss the specifics of the Colon case.  
But the spokesman, Paul E. Bresson, said the FBI has recently
implemented a "comprehensive and proactive security program'' that
includes layered access controls and threat and vulnerability
assessments. Beginning last year, all FBI employees and contractors
have had to undergo annual information security awareness training.

Colon pleaded guilty in March to four counts of intentionally
accessing a computer while exceeding authorized access and obtaining
information from any department of the United States. He could face up
to 18 months in prison, according to the government's sentencing
guidelines. He has lost his job with BAE Systems, and his top-secret
clearance has also been revoked.

In court filings, the government also said Colon exceeded his
authorized access during a stint in the Navy.

While documents in the case have not been sealed in federal court, the
government and Colon entered into a confidentiality agreement, which
is standard in cases involving secret or top-secret access, according
to a government representative. Colon was scheduled for sentencing
yesterday, but it was postponed until next week.

His attorney, Richard Winelander, declined to comment.

According to Colon's plea, he entered the system using the identity of
an FBI special agent and used two computer hacking programs found on
the Internet to get into one of the nation's most secret databases.

Colon used a program downloaded from the Internet to extract "hashes"  
-- user names, encrypted passwords and other information -- from the
FBI's database. Then he used another program to "crack" the passwords
by using dictionary-word comparisons, lists of common passwords and
character substitutions to figure out the plain-text passwords. Both
programs are widely available for free on the Internet.

What Colon did was hardly cutting edge, said Joe Stewart, a senior
researcher with Chicago-based security company LURHQ Corp. "It was
pretty run-of-the-mill stuff five years ago," Stewart said.

Asked if he was surprised that a secure FBI system could be entered so
easily, Stewart said, "I'd like to say 'Sure,' but I'm not really.  
They are dealing with the same types of problems that corporations are
dealing with."

Colon's lawyer said in a court filing that his client was hired to
work on the FBI's "Trilogy" computer system but became frustrated over
"bureaucratic" obstacles, such as obtaining written authorization from
the FBI's Washington headquarters for "routine" matters such as adding
a printer or moving a new computer onto the system. He said Colon used
the hacked user names and passwords to bypass the authorization
process and speed the work.

Colon's lawyers said FBI officials in the Springfield office approved
of what he was doing, and that one agent even gave Colon his own
password, enabling him to get to the encrypted database in March 2004.  
Because FBI employees are required to change their passwords every 90
days, Colon hacked into the system on three later occasions to update
his password list.

The FBI's struggle to modernize its computer system has been a
recurring headache for Mueller and has generated considerable
criticism from lawmakers.

Better computer technology might have enabled agents to more closely
link men who later turned out to be involved in the Sept. 11, 2001,
attacks, according to intelligence reviews conducted after the
terrorist strikes.

The FBI's Trilogy program cost more than $535 million but failed to
produce a usable case-management system for agents because of cost
overruns and technical problems, according to the Government
Accountability Office.

While Trilogy led to successful hardware upgrades and thousands of new
PCs for bureau workers and agents, the final phase -- a software
system called the Virtual Case File -- was abandoned last year. The
FBI announced in March that it would spend an additional $425 million
in an attempt to finish the job. The new system would be called
"Sentinel."

© 2006 The Washington Post Company



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed Jul 05 2006 - 22:46:40 PDT