Friday, July 14, 2006

Government Treats Computer Hacker With Kid Gloves

A computer consultant working in an FBI field office in Springfield, Illinois managed to hack into the FBI's classified secret database which contained information about the federal witness protection program and counterintelligent activities among other things. And if that wasn't bad enough, he also gained access to hundreds of FBI employee user names and passwords, including that of FBI Director Robert Mueller. His sentence: six months home detention and $20,000 in restitution. The State Journal-Register reports:

A former Springfield man accused of hacking into computers at the local FBI field office was sentenced in federal court in Washington Thursday to six months of home detention and ordered to pay $20,000 in restitution to the agency.

Joseph T. Colon, 28, a computer consultant who did some work in the Springfield field office in 2004, was accused of using software he downloaded from the Internet to access the FBI's classified secret database. The database contains, among other things, information about the witness protection program and counterintelligence activities.

Federal prosecutors said Colon gained access to hundreds of user names and encrypted passwords, including that of FBI Director Robert Mueller.

They did not think Colon was trying to compromise national security or use the information for financial gain. Still, they said in court papers, the FBI was forced to take significant steps to make sure there was no harm from Colon’s actions.

He pleaded guilty to four misdemeanor counts of intentionally exceeding his authorized computer access. Federal prosecutors had recommended a year in prison and $42,500 in restitution, while Colon’s attorney asked for a year’s probation.

His sentence includes three years’ probation following his release from house arrest. Colon, who is married with three children, moved from Springfield to Maryland about 10 months ago, according to his attorney. He formerly lived in the 8100 block of Tack Lane on the south side of Lake Springfield.

At the time of the crimes, Colon was an information technology specialist for BAE Systems, a contractor employed by the FBI to help the agency convert to a new classified computer networking system that was part of the now-abandoned Trilogy project.

According to court documents, Colon and the Springfield FBI’s information technology department felt the transition work was being bogged down by bureaucratic delays from the FBI’s Washington field office for “such routine and mundane tasks as setting up workstations, printers, user accounts and to move individual computers from one operating system to another.” Each step of the work required a “ticket,” which could take from one to three days to obtain.

An agent in the Springfield FBI information technology department gave Colon a password to allow him access to the agency’s secret internal computer network where usernames and passwords were kept in special files, according to a court document filed by Colon’s attorney.

Now granted the guy was initially granted access his supervisor should never have given him to the internal computer network, but he clearly abused the limited privilege he was granted. This guy is not even a government employee and look at the sensitive information he was easily able to access and the value of that information in the wrong hands. Incidentally, his employer, BAE, is a British-owned company.

1 comment:

Jerry Nelson said...

In court filings Colin claimed that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its then-new but now failed Trilogy computer system. Colon was frustrated over "bureaucratic" obstacles, such as obtaining a written authorization from the FBI's Washington headquarters for "routine" matters such as adding a printer or moving a new computer onto the system. Colon used the hacked user names and passwords to bypass the authorization process and speed up the work. Because FBI employees are required to change their passwords every 90 days, Colon hacked into the system on three later occasions to update his password list.

Colon's lawyers said FBI officials in the Springfield office approved of what he was doing, and that one agent even gave Colon his own password, enabling him to get to the encrypted database in March 2004.

The Trilogy system Colon was workng on is a celebrated failure in the annals of information technology. Before being abandoned in 2005 after $535 million in Federal expenditures, Trilogy achieved some successful hardware upgrades, bringing thousands of new PCs to bureau workers and agents. But the project's goal, the creation of a software system called the Virtual Case File — was abandoned last year.

The FBI announced in March that it would spend an additional $425 million in an attempt to finish the job. The new system would be called "Sentinel." Will we pass the 1-billion dollar mark? Stay tuned.

Reviewing the failure of the originall Virtual Case File (VCF) system in a devastating 81-page audit last year, Glenn A. Fine, the U.S. Department of Justice's inspector general, described eight factors that contributed to the VCF's failure. Among them: poorly defined and slowly evolving design requirements; overly ambitious schedules; and the lack of a plan to guide hardware purchases, network deployments, and software development for the bureau. Now we can add to the inspector general Fine's list: maddening bureaucratic obstacles thrown in the path of anyone hired to add even a new printer.

Fine concluded that four years after terrorists crashed jetliners into the World Trade Center and the Pentagon, the FBI, which had been criticized for not "connecting the dots" in time to prevent the attacks, still did not have the software necessary to connect any new dots that might come along. And won't for years to come.

"The archaic Automated Case Support system which some agents have avoided using is cumbersome, inefficient, and limited in its capabilities, and does not manage, link, research, analyze, and share information as effectively or timely as needed," Fine wrote. "[T]he continued delays in developing the VCF affect the FBI's ability to carry out its critical missions."

The incident is the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems. Better computer technology might have enabled agents to more closely link men who later turned out to be involved in the Sept. 11 attacks, according to government reviews.

Forget Republican or Dem -- just vote for competance. If you can find it.