In previous posts "Are cyber criminals or bureaucrats the industry's top performer?" and "Insiders - insights, trends and possible solutions" I emphasized how bureaucracy results in major insecurities, and provided further information on various issues related to insiders and risk management solutions -- ones the FBI is obviously far from implementing given the access control issues they have in place. It seems that two years ago, a Consultant Breached FBI's Computers:
"A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused."
How did he do it? With access to the hashes and a 90-day password expiration period, he had all the time in the world, apart from the fact that, according to the article, an FBI agent even gave him his password.
Passwords are a hot topic, and so are the insecurities posed by them. Moreover, spending nearly $1B on a non-existent case system while dealing with access control issues is rather unserious for what is thought to be a serious institution -- have you guys considered an open source alternative? You wouldn't come across lots of developers with top-secret clearances applying for the top, but obviously a top-secret clearance cannot prevent insider behavior either.
Thursday, July 06, 2006
$960M and the FBI's Art of Branding Insecurity
Tags: Data Breach, Data Leak, FBI, Information Security, Insider, Insider Monitoring, Insider Threat, Personal Data, Security