Thursday, July 06, 2006
Comments on the FBI case
You have probably already read how a consultant working for the FBI compromised 38,000 FBI passwords.
The technical details are not very interesting. Joe Stewart, a senior researcher at the security firm LURHQ, said "It was pretty run-of-the-mill stuff five years ago". Actually, over ten years ago. I know of a high-profile case like this from 1994 and it wasn't a new thing then.
This was possible because of two inexcusable blunders by the FBI:
- They were still running obsolete operating systems that lack protections available since around 1990.
- They didn't automatically check passwords for quality. For this attack to work, they must have been using passwords so obvious that a computer program could guess them.
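To make the second point concrete, here is an added example of what "run-of-the-mill" password guessing looks like, and of the quality check that would have stopped it. This is not code from the original post and not the tool used in the actual case; the word list, the shadow-style records, the salted SHA-256 hash and the mangling rules are all constructed for illustration.

```python
"""Added example: an offline dictionary attack on constructed password hashes,
and a quality check that rejects any password the attack would recover.
All data here is made up; nothing is taken from the FBI case."""
import hashlib
import os

# Constructed stand-in for a cracking dictionary.  A real run would load a
# full word list plus previously leaked passwords (assumption about tooling).
WORDLIST = ["password", "letmein", "quantico", "fbi", "welcome", "summer", "dragon"]

# Mangling rules crackers already applied in the mid-1990s.
SUFFIXES = ("", "1", "123", "2006", "!")


def guesses(wordlist):
    """Expand each dictionary word into the variants a cracker would try."""
    out = []
    for word in wordlist:
        bases = (word, word.capitalize(), word.upper(),
                 word.replace("o", "0").replace("a", "@"))
        for base in bases:
            for suffix in SUFFIXES:
                out.append(base + suffix)
    return list(dict.fromkeys(out))  # deduplicate, keep order


def hash_password(password, salt):
    """Salted SHA-256 stands in for the system's password hash (assumption)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(user, password):
    """Build a shadow-style record (user, salt, digest) for the sample data."""
    salt = os.urandom(8)
    return (user, salt, hash_password(password, salt))


# Constructed sample "shadow file".  Only salts and digests are what an
# attacker sees; the plaintexts appear here solely to build the fixture.
SAMPLE_SHADOW = [
    make_entry("agent1", "quantico1"),
    make_entry("agent2", "Letmein2006"),
    make_entry("agent3", "Dragon"),
    make_entry("admin", "p@ssw0rd"),
    make_entry("agent4", "xK9#vT2q!mZ4"),
]


def crack(shadow, wordlist):
    """Offline dictionary attack: hash every guess under each account's salt
    and report the accounts whose digest matches."""
    found = {}
    candidates = guesses(wordlist)
    for user, salt, digest in shadow:
        for guess in candidates:
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found


def is_guessable(password, wordlist, min_length=10):
    """Quality check to run at password-change time: reject anything the
    attacker's generator above would produce, and anything too short."""
    return len(password) < min_length or password in set(guesses(wordlist))


if __name__ == "__main__":
    cracked = crack(SAMPLE_SHADOW, WORDLIST)
    for user, _, _ in SAMPLE_SHADOW:
        status = "CRACKED: " + cracked[user] if user in cracked else "survived"
        print(f"{user:8} {status}")
```

The design point is that the checker and the cracker share the same guess generator: a password is acceptable only if the cheapest attack against it fails. Four of the five constructed accounts fall to a few hundred guesses each, which is the kind of result that lets a single consultant walk away with tens of thousands of passwords.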
One report says he got access to the files of the Witness Protection Program. Fortunately he wasn't malicious. What about the next intruder? How much would organized crime pay for that information?