Davey Winder's Blog

How to hack the FBI

By Davey Winder in Editorial

Posted in networks, Data Protection, Blog, Security on May 31, 2008 at 11:57 am


It appears that a professional penetration tester with some 17 years' experience in the job has managed to hack his way from an unnamed civilian government agency network right into the heart of a not-at-all-civilian FBI crime database in less than six hours from start to finish.

The report reveals how the security consultant at PatchAdvisor was able to uncover unpatched vulnerabilities within the government agency web server and network during a routine and otherwise harmless scan. This kick-started a chain of events that began with grabbing logins that were being reused on a number of enterprise systems, which then became open to inspection and in turn revealed unsecured account details that gave the pen tester Windows domain admin privileges. As anyone who has the slightest experience on either side of the hacking fence will recognise, this has become a classic case of an escalation-of-privileges exploit.

So it should come as no surprise that it led to the ability to access a police workstation on-site, nor that in turn this led to the pen tester being able to install monitoring software upon it to discover applications connecting to the FBI National Crime Information Center database. If he had so wished, and it seems he did not, then the next step would have been installing a keylogger to grab the logins required to access it.

I guess the moral of this tale comes down to the obvious and oft-repeated mantra: no matter how solid the security further up the food chain (in this case that FBI database), if the small fish are allowed to swim freely around at the bottom of the tank then eventually some shark is going to come along and gobble up everything. Patch management coupled with sensible firewalling of that police network could surely have prevented what has become an embarrassing and, in the face of the ongoing war on terror, potentially serious security slip-up.

Comments

Comment by Gary Gemmell - June 3, 2008 on 10:11 am

Even worse is publicising it - giving the terrorists even more grist for the mill.
I can see in this day and age why companies would rather not publicise their security failures.

For an agency like this there is no excuse. Mind you, the UK government are doing quite well in this field too - only a couple of million national insurance numbers, names, addresses etc. have been compromised, oh, and not to mention the failure of the new NHS system - what a joke. My question is: where do they get all these overpaid consultants, and what do they actually do apart from sit all day pontificating?

We only seem to learn when there is a big disaster à la TK Maxx, then shore up the defences, much like the flooding in England!

It's not as if patch management or securing a firewall is a hard job either!

Comment by battery - June 13, 2008 on 7:34 am

[…] Read the rest of this great post here […]
