Penetration testing: Hacking the FBI

One penetration tester was able to hack into the FBI's database in about six hours. Could something like that be the career for you?

There's something about penetration testing that is just so attractive. Can you imagine being paid to find embarrassing security holes? It's the ultimate puzzle with the ultimate "I'm smarter than you" grand prize.

And I just know that it would appeal to some of the people who read my blogs, as evidenced by the unmitigated glee they get when they can point out a typo. [Beginning of rant: For example, in a piece I posted in the IT Leadership blog, I typed an X instead of a Y in referring to the millennials. For that one mistaken letter, a few people indicted my research skills and totally disregarded the real point of the blog. Okay, rant over.]

Back to penetration testing.

Chris Goggans, senior security consultant at security firm PatchAdvisor Inc. in Alexandria, Virginia, has been a pen tester since 1991. You'd think he'd be hard to surprise with a network vulnerability, having been discovering them for all those years. But imagine how he felt when he was able to hack the FBI's database in about six hours. According to a piece in ComputerWorld by Sandra Gittlen,

During a routine network scan, Goggans discovered a series of unpatched vulnerabilities in the civilian government agency's Web server, as well as other parts of the enterprise.

He used a hole in the Web server to pull down usernames and passwords that were reused on a host of enterprise systems. In those systems, he found further account details that allowed him to get Windows domain administrator privileges -- a classic escalation-of-privileges attack.

Using this privileged access, he was able to gain full control of almost all Windows-based systems in the enterprise, including workstations used by the on-site police force. He noticed that several police workstations had a second networking card installed that used the SNA protocol to directly talk to an IBM mainframe.

By covertly installing remote control software on those workstations, he found programs on their desktops that automatically connected the workstations to the FBI's NCIC database. "That software, coupled with a keystroke capture program, would allow an attacker to grab the credentials needed to log into the FBI's National Crime Information Center database," he says.

Another consultant at a Big Four company was able to immediately gain full administration access to all of that organization's applications.

To read about this and more, see the rest of the ComputerWorld piece.

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

14 comments
Asperg

Sounds interesting. Long live America. Dr. Hans Asperger came out with the diagnosis of Asperger's syndrome. He diagnosed Hitler. Hitler was the lead aspie.

NotSoChiGuy

This comes as little surprise. In one of my courses for my grad program, we covered the case study for the FBI's VCF (virtual case file) project. The federal government would have been better off taking the hundreds of millions of dollars that went into the project and lighting them on fire. At least one tangible benefit (heat) would have been derived. Scope creep, management carousel, resources out of their areas of expertise, antiquated legacy systems that wouldn't be going offline, hubris...you couldn't conceive of a worse blend of factors going into a project. If there isn't already a team of 'white hats' within the government (or contracted by it), trying to access any and all federal systems with any sort of confidential information, there ought to be!

BALTHOR

They have spiders in their heads, snakes in their stomachs and no conscience. (You could delete one of their files if you renamed it "X".)

Inkling

Several of them, actually. The vulnerabilities they find are frightening.

Neon Samurai

Pentesting? You betcha. I only wish I'd known of such things as the CEH, CCSP, CSSIP back in my high school days, when "computers" was the total sum of specializations in IT. I just can't get used to the hat colour titles though. I cringe every time someone tells another technically literate person that they are a "White Hat Hacker" (redundant) versus a "Black Hat Hacker", which can simply be referred to as a criminal; no hackerdom title, nothing special. Now where is that list of Toronto-located security auditing consultancies...

Michael Kassner

I did not see in the article if the pen tester had permission to run the attacks. Also, if it was a white hat attack, I'm very surprised that he went active by installing RA programs. That is usually a no-no in contract pen testing.

Neon Samurai

Long, long ago on a contract far, far away.. I had a little time in the IT department on base. One of the more fun days was when the server admin came into the office and said he'd just had some odd things on the machine and would likely be on the phone with Ottawa for the next while. I think he got a hit every six months or so and, if you are breached, they know the system needs attention; if you are not breached and didn't call it in right away, they know the administrator needs some attention. The term "tiger team" comes from the US military's base security auditing teams. You can bet the teams number more than one or two SEAL units and are as capable with physical or digital challenges. Actually, that does bring a question to mind; was having a civilian contractor performing the audit to fulfill a requirement for third party auditing? Most businesses seem to require third party audits for insurance purposes. (now where is that list of Toronto based third parties..)

Michael Kassner

I see your point and it is extremely valid. Wrong is wrong. Thanks.

toni.bowers_b

The original piece the blog links to says he was hired by a civilian government agency.

Neon Samurai

Cheers, that was a great read and nice history reminder. The last computers that defaulted to BASIC were just disappearing when I was becoming more capable than just playing cartridges on the Adam. I'll have to keep that URL handy for the next time I get the "well what is a hacker then?" question, as the Wikipedia and jargon pages can be a bit heavy for a quick explanation. If you see something, say something. (and now, so long before the next quarterly comes out)

Neon Samurai

The comment was meant more in general rather than being directed at any particular writer, but thank you. I think it's an important distinction that the media, for its benefit, often avoids making, though I am trying to mellow from my past rants on the topic.

Neon Samurai

With it being an article mentioning the breach without an "evil hacker terrorist attacks FBI" title and no mention of his arrest, I assumed it was an approved pentest. That was my own guess though, as I hadn't considered the question until you mentioned it.