http://www.washingtonpost.co
m/wp-dyn/content/article/2006/07/05/AR2006070501489.html
By Eric M. Weiss
Washington Post Staff Writer
July 6, 2006
A government consultant, using computer programs easily
found on the
Internet, managed to crack the FBI's classified computer
system and
gain the passwords of 38,000 employees, including that of
FBI Director
Robert S. Mueller III.
The break-ins, which occurred four times in 2004, gave the
consultant
access to records in the Witness Protection Program and
details on
counterespionage activity, according to documents filed in
U.S.
District Court in Washington. As a direct result, the bureau
said it
was forced to temporarily shut down its network and commit
thousands
of man-hours and millions of dollars to ensure no sensitive
information was lost or misused.
The government does not allege that the consultant, Joseph
Thomas
Colon, intended to harm national security. But prosecutors
said
Colon's "curiosity hacks" nonetheless exposed
sensitive information.
Colon, 28, an employee of BAE Systems who was assigned to
the FBI
field office in Springfield, Ill., said in court filings
that he used
the passwords and other information to bypass bureaucratic
obstacles
and better help the FBI install its new computer system. And
he said
agents in the Springfield office approved his actions.
The incident is only the latest in a long string of
foul-ups, delays
and embarrassments that have plagued the FBI as it tries to
update its
computer systems to better share tips and information. Its
computer
technology is frequently identified as one of the key
obstacles to the
bureau's attempt to sharpen its focus on intelligence and
terrorism.
An FBI spokesman declined to discuss the specifics of the
Colon case.
But the spokesman, Paul E. Bresson, said the FBI has
recently
implemented a "comprehensive and proactive security
program'' that
includes layered access controls and threat and
vulnerability
assessments. Beginning last year, all FBI employees and
contractors
have had to undergo annual information security awareness
training.
Colon pleaded guilty in March to four counts of
intentionally
accessing a computer while exceeding authorized access and
obtaining
information from any department of the United States. He
could face up
to 18 months in prison, according to the government's
sentencing
guidelines. He has lost his job with BAE Systems, and his
top-secret
clearance has also been revoked.
In court filings, the government also said Colon exceeded
his
authorized access during a stint in the Navy.
While documents in the case have not been sealed in federal
court, the
government and Colon entered into a confidentiality
agreement, which
is standard in cases involving secret or top-secret access,
according
to a government representative. Colon was scheduled for
sentencing
yesterday, but it was postponed until next week.
His attorney, Richard Winelander, declined to comment.
According to Colon's plea, he entered the system using the
identity of
an FBI special agent and used two computer hacking programs
found on
the Internet to get into one of the nation's most secret
databases.
Colon used a program downloaded from the Internet to extract
"hashes"
-- user names, encrypted passwords and other information --
from the
FBI's database. Then he used another program to
"crack" the passwords
by using dictionary-word comparisons, lists of common
passwords and
character substitutions to figure out the plain-text
passwords. Both
programs are widely available for free on the Internet.
What Colon did was hardly cutting edge, said Joe Stewart, a
senior
researcher with Chicago-based security company LURHQ Corp.
"It was
pretty run-of-the-mill stuff five years ago," Stewart
said.
Asked if he was surprised that a secure FBI system could be
entered so
easily, Stewart said, "I'd like to say 'Sure,' but
I'm not really.
They are dealing with the same types of problems that
corporations are
dealing with."
Colon's lawyer said in a court filing that his client was
hired to
work on the FBI's "Trilogy" computer system but
became frustrated over
"bureaucratic" obstacles, such as obtaining
written authorization from
the FBI's Washington headquarters for "routine"
matters such as adding
a printer or moving a new computer onto the system. He said
Colon used
the hacked user names and passwords to bypass the
authorization
process and speed the work.
Colon's lawyers said FBI officials in the Springfield
office approved
of what he was doing, and that one agent even gave Colon his
own
password, enabling him to get to the encrypted database in
March 2004.
Because FBI employees are required to change their passwords
every 90
days, Colon hacked into the system on three later occasions
to update
his password list.
The FBI's struggle to modernize its computer system has
been a
recurring headache for Mueller and has generated
considerable
criticism from lawmakers.
Better computer technology might have enabled agents to more
closely
link men who later turned out to be involved in the Sept.
11, 2001,
attacks, according to intelligence reviews conducted after
the
terrorist strikes.
The FBI's Trilogy program cost more than $535 million but
failed to
produce a usable case-management system for agents because
of cost
overruns and technical problems, according to the Government
Accountability Office.
While Trilogy led to successful hardware upgrades and
thousands of new
PCs for bureau workers and agents, the final phase -- a
software
system called the Virtual Case File -- was abandoned last
year. The
FBI announced in March that it would spend an additional
$425 million
in an attempt to finish the job. The new system would be
called
"Sentinel."
© 2006 The Washington Post Company
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com
|