Consultant Breached FBI's Computers

[Richard Forno <rforno () infowarrior org>]

Consultant Breached FBI's Computers
Frustrated by Bureaucracy, Hacker Says Agents Approved and Aided Break-Ins

By Eric M. Weiss
Washington Post Staff Writer
Thursday, July 6, 2006; A05

http://www.washingtonpost.com/wp-dyn/content/article/2006/07/05/AR2006070501
489_pf.html

A government consultant, using computer programs easily found on the
Internet, managed to crack the FBI's classified computer system and gain the
passwords of 38,000 employees, including that of FBI Director Robert S.
Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant access
to records in the Witness Protection Program and details on counterespionage
activity, according to documents filed in U.S. District Court in Washington.
As a direct result, the bureau said it was forced to temporarily shut down
its network and commit thousands of man-hours and millions of dollars to
ensure no sensitive information was lost or misused.

The government does not allege that the consultant, Joseph Thomas Colon,
intended to harm national security. But prosecutors said Colon's "curiosity
hacks" nonetheless exposed sensitive information.

Colon, 28, an employee of BAE Systems who was assigned to the FBI field
office in Springfield, Ill., said in court filings that he used the
passwords and other information to bypass bureaucratic obstacles and better
help the FBI install its new computer system. And he said agents in the
Springfield office approved his actions.

The incident is only the latest in a long string of foul-ups, delays and
embarrassments that have plagued the FBI as it tries to update its computer
systems to better share tips and information. Its computer technology is
frequently identified as one of the key obstacles to the bureau's attempt to
sharpen its focus on intelligence and terrorism.

An FBI spokesman declined to discuss the specifics of the Colon case. But
the spokesman, Paul E. Bresson, said the FBI has recently implemented a
"comprehensive and proactive security program'' that includes layered access
controls and threat and vulnerability assessments. Beginning last year, all
FBI employees and contractors have had to undergo annual information
security awareness training.

Colon pleaded guilty in March to four counts of intentionally accessing a
computer while exceeding authorized access and obtaining information from
any department of the United States. He could face up to 18 months in
prison, according to the government's sentencing guidelines. He has lost his
job with BAE Systems, and his top-secret clearance has also been revoked.

In court filings, the government also said Colon exceeded his authorized
access during a stint in the Navy.

While documents in the case have not been sealed in federal court, the
government and Colon entered into a confidentiality agreement, which is
standard in cases involving secret or top-secret access, according to a
government representative. Colon was scheduled for sentencing yesterday, but
it was postponed until next week.

His attorney, Richard Winelander, declined to comment.

According to Colon's plea, he entered the system using the identity of an
FBI special agent and used two computer hacking programs found on the
Internet to get into one of the nation's most secret databases.

Colon used a program downloaded from the Internet to extract "hashes" --
user names, encrypted passwords and other information -- from the FBI's
database. Then he used another program to "crack" the passwords by using
dictionary-word comparisons, lists of common passwords and character
substitutions to figure out the plain-text passwords. Both programs are
widely available for free on the Internet.

What Colon did was hardly cutting edge, said Joe Stewart, a senior
researcher with Chicago-based security company LURHQ Corp. "It was pretty
run-of-the-mill stuff five years ago," Stewart said.

Asked if he was surprised that a secure FBI system could be entered so
easily, Stewart said, "I'd like to say 'Sure,' but I'm not really. They are
dealing with the same types of problems that corporations are dealing with."

Colon's lawyer said in a court filing that his client was hired to work on
the FBI's "Trilogy" computer system but became frustrated over
"bureaucratic" obstacles, such as obtaining written authorization from the
FBI's Washington headquarters for "routine" matters such as adding a printer
or moving a new computer onto the system. He said Colon used the hacked user
names and passwords to bypass the authorization process and speed the work.

Colon's lawyers said FBI officials in the Springfield office approved of
what he was doing, and that one agent even gave Colon his own password,
enabling him to get to the encrypted database in March 2004. Because FBI
employees are required to change their passwords every 90 days, Colon hacked
into the system on three later occasions to update his password list.

The FBI's struggle to modernize its computer system has been a recurring
headache for Mueller and has generated considerable criticism from
lawmakers.

Better computer technology might have enabled agents to more closely link
men who later turned out to be involved in the Sept. 11, 2001, attacks,
according to intelligence reviews conducted after the terrorist strikes.

The FBI's Trilogy program cost more than $535 million but failed to produce
a usable case-management system for agents because of cost overruns and
technical problems, according to the Government Accountability Office.

While Trilogy led to successful hardware upgrades and thousands of new PCs
for bureau workers and agents, the final phase -- a software system called
the Virtual Case File -- was abandoned last year. The FBI announced in March
that it would spend an additional $425 million in an attempt to finish the
job. The new system would be called "Sentinel."
© 2006 The Washington Post Company


_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/