A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.
The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.
The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon’s “curiosity hacks” nonetheless exposed sensitive information. […]
Colon‘s lawyer said in a court filing that his client was hired to work on the FBI’s “Trilogy” computer system but became frustrated over “bureaucratic” obstacles, such as obtaining written authorization from the FBI’s Washington headquarters for “routine” matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed the work.
Colon’s lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list.
Perhaps a little too inside-technical-security-baseball for most of you, but the case illustrates some important lessons:
The geek in me can empathize with Mr. Colon; to move at Internet speed requires policies and processes that the “regular” work environment has yet to adapt to. This is particularly true to a hide-bound, paper-centric place like the FBI, where I’m not surprised to learn that one would need a double-signed, thrice-copied memo to do something like move a computer across a room. I’d be lying to you if I said I’d never played fast and loose with “the rules” to get things done, though I never had to hack a password file to do it.
On the other hand, the security practitioner and manager in me would like to smack Joe up-side the head. We have configuration control policies for a reason; a particularly important policy for a place that can’t keep track of its IT assets. And while his work “ethic” is admirable, he was hired to do a specific job and just that job. I’m fairly sure that the statement of work didn’t include language that authorized misuse and abuse. One can only hope that while Joe is cooling his heels in a federal pen, the well-meaning but misguided Special Agents who let him run rough-shod over the system also get to spend some quality time contemplating their decisions.
The larger issue is the sorry state of the soft-squishy middle of the FBI’s computer networks. That one person using ancient hack tools can get into so many disparate systems so easily should disturb us all. Remember, this is the place that said the Hanssen case was going to change things. Apparently they have yet to grasp the concept of compartmentalization. One has to wonder: if the insides are so soft, just how tough is the outer shell?
InfoWorld Updates that Colon was sentenced to 12-18 months plus $40k in damages.
