
$960M and the FBI's Art of Branding Insecurity

July 06, 2006
In previous posts, "Are cyber criminals or bureaucrats the industry's top performer?" and "Insiders - insights, trends and possible solutions", I emphasized how bureaucracy results in major insecurities, and provided further info on various issues related to insiders and risk management solutions -- ones the FBI is obviously far from implementing given the access control issues they have in place. It seems like two years ago, a Consultant Breached FBI's Computers:

"A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III. The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused."

How did he do it? With access to hashes and a 90-day password expiration period, he had all the time in the world, apart from the fact that, according to the article, an FBI agent even gave him his password.

Passwords are a hot topic, and so are the insecurities posed by them. Moreover, spending nearly $1B on a non-existent case system while dealing with access control issues is rather unserious for an institution thought to be serious -- have you guys considered an open source alternative? You wouldn't come across lots of developers with top-secret clearances applying for the top, but obviously a top-secret clearance cannot prevent insider behavior either.

BBC under the Intelligence Shadow

July 03, 2006
Nothing is impossible; the impossible just takes a little while. Practices relatively typical of the ex-USSR, namely controlling the media and profiling the journalists, including the readers, seem to have been going on in London during the same period as well. According to the Sunday Telegraph, the BBC let intelligence agents vet staff:

"Confidential papers obtained by the Sunday Telegraph reveal that the British Broadcasting Corp. allowed intelligence agents to investigate the backgrounds and political affiliations of thousands of its employees, including newsreaders, reporters and continuity announcers. The files, which shed light on the BBC's hitherto secret links with the counter-espionage service known as MI5, show that at one stage it was responsible for vetting 6,300 BBC posts -- almost a third of the total work force. The procedure was phased out in the late 1980s. The files also show that the corporation maintained a list of "subversive organizations" and that evidence of certain kinds of political activity could be a bar to appointment or promotion."

If you can spell the name of the party while sleeping, and have subscribed to its periodical propaganda, only then do you have the chance to unleash your career potential. I guess what they were worried about was an undercover Red reporter taking advantage of live events and directly broadcasting a subversive message -- remember when a guy invaded Truman's world in "The Truman Show", and tried to warn the little kid he's on TV all the time? The interesting part is how even the spouses of applicants were subject to scrutiny.

There you go with the freedom of the press. I guess China must have had something in mind when blocking access to the BBC's web site.