Steve Holstad's "the bright lights"

"Just because your voice reaches halfway around the world doesn't mean you are wiser than when it reached only to the end of the bar." - Edward R. Murrow

FBI security issues....and no strong passwords, yikes.

This is a pretty amazing story breaking today, and one that raises some SERIOUS questions about consulting, the FBI security policies, and much more.  A consultant working with the FBI's project "Trilogy" downloaded the hashed userkey/password list from the FBI, and ran online cracking programs to match the encrypted passwords to common dictionary words.  Here are some points that truly amaze me:

1) An FBI agent gave him his userkey/pw to gain access to the system

2) Many (most?) of the 38,000 passwords were matched to common words, and thereby revealed.  This includes FBI director Robert Mueller's, which allowed the consultant to view all digital content the FBI has stored.

3) This consultant is charged with 4 counts of this offense...but the concern to me isn't the consultant, it's the FBI not enforcing strong password requirements, which would have prevented this type of dictionary cracking.

4) Because of 90-day password expiration policies, this occurred 3 more times.  At what point would the agent think 'hey, this is getting a little weird'?

5) I don't think that this consultant had any plans of doing something harmful, but it serves as a solid reminder to all of us to use test environments & accounts, NOT PRODUCTION accounts!  Fighting through bureaucratic procedures can be tedious, but mistakes happen, and you can be burned badly by the backlash.
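What the policy in point 3 looks like in code, as an added example that is not part of the original post or of any FBI system: a password check that rejects dictionary words even after the digit-suffix and leet mutations crackers try by rule, plus storage with a per-user salt and an iterated hash so a leaked list cannot be matched against one precomputed table. The word list, minimum length and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed mini word list; a real policy would load a full dictionary
# plus a breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "football", "trilogy"}

# Substitutions that cracking "rules" try automatically; undoing them means
# "p4ssw0rd" is still recognised as the dictionary word "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Strip a trailing digit/symbol suffix, lower-case, undo leet spelling."""
    base = re.sub(r"[^A-Za-z]+$", "", pw)
    return base.lower().translate(LEET)


def check_password(pw: str, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if normalize(pw) in DICTIONARY:
        problems.append("dictionary word (possibly with leet/suffix mutation)")
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


def store_password(pw: str, iterations: int = 200_000) -> dict:
    """Keep a random per-user salt and an iterated hash, never a plain hash,
    so every entry in a leaked list has to be attacked separately."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(pw: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])
```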

Original: http://seattletimes.nwsource.com/html/nationworld/2003107651_fbi06.html

Slashdot: http://it.slashdot.org/article.pl?sid=06/07/06/1431256&from=rss
