By Eric M. Weiss
Washington Post
July 6, 2006
SourceWASHINGTON — A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert Mueller.
The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection program and details on counter-espionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.
The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon's "curiosity hacks" nonetheless exposed sensitive information.
Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions.
The incident is the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau's attempt to sharpen its focus on intelligence and terrorism.
FBI spokesman Paul Bresson declined to discuss the specifics of the Colon case. But he said the FBI has recently implemented a "comprehensive" security program.
Pleaded guilty
Colon pleaded guilty in March to four counts of intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States. He could face up to 18 months in prison when sentenced next week. He has lost his job with BAE Systems, and his top-secret clearance has been revoked.
His attorney, Richard Winelander, declined to comment.
According to Colon's plea, he entered the system using the identity of a FBI special agent and used two computer hacking programs found on the Internet to get into one of the nation's most secret databases.
Colon used a program downloaded from the Internet to extract "hashes" — user names, encrypted passwords and other information — from the FBI's database. Then he used another program to crack the passwords by using dictionary word comparisons, lists of common passwords and character substitutions to figure out the plain text passwords.
What Colon did was hardly cutting edge, said Joe Stewart, a senior researcher with Chicago-based security company LURHQ. "It was pretty run-of-the-mill stuff five years ago," Stewart said.
Asked if he was surprised that a secure FBI system could be entered so easily, Stewart said, "I'd like to say, 'Sure' — but I'm not really. They are dealing with the same types of problems that corporations are dealing with."
Obstacles
Colon's lawyer said in a court filing that his client was hired to work on the FBI's "Trilogy" computer system but became frustrated over "bureaucratic" obstacles, such as obtaining a written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system. He said Colon used the hacked user names and passwords to bypass the authorization process and speed up the work.
Colon's lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list.
The FBI's struggle to modernize its computer system has been a recurring headache for Mueller and has earned it considerable criticism from lawmakers.
Better computer technology might have enabled agents to more closely link men who later turned out to be involved in the Sept. 11 attacks, according to intelligence reviews conducted after the terrorist strikes.
The FBI's Trilogy program cost more than $535 million but failed to produce a usable case-management system for agents because of cost overruns and technical problems, according to the Government Accountability Office.
While Trilogy led to successful hardware upgrades and thousands of new PCs for bureau workers and agents, the final phase — a software system called the Virtual Case File — was abandoned last year. The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel."
Copyright © 2006 The Seattle Times Company