Wednesday, July 26, 2006

FBI Hacker Gets Merciful Sentence - 6 Months of Home Detention

Via Softpedia News -

The FBI hacker Joseph Thomas Colon, accused of illegally accessing the bureau's secret network in 2004 using an FBI agent's password, has recently received a sentence that spared him jail time.

Although he was facing a potential four years behind bars for hacking the FBI's network while working at BAE Systems on the Trilogy project to upgrade the federal institution's aged IT infrastructure, Colon has successfully proven that his hack, while premeditated, did nothing to threaten national security. Based on this argument, U.S. District Judge Richard Leon sentenced Colon to only six months of home detention. In addition, the hacker will have to pay $20,000 in restitution to the Federal Bureau of Investigation.

Colon had pleaded guilty to four misdemeanor counts. All of them concerned premeditated access of governmental information while exceeding the authorization level. In doing so, Colon had sensitive data of no less than 38,000 FBI employees at his fingertips. In his defense, the accused stated numerous times that he actually meant to bring to the surface the systems' vulnerabilities while increasing network processes' performance and speed, as was his job, and not to hack into the system. "This is not a case of al-Qaeda people trying to sneak into the FBI system," stated Judge Richard J. Leon when he delivered his ruling.






This sounds pretty fair. The judge is right; this wasn't a terrorist attempting to damage America or anything. However, what Joseph did was illegal and beyond his scope of work, therefore he got in trouble.

From what I gather, he had access to the network and used a password brute-forcer on some entry point (LDAP, AD, etc.). The simple fact that he was able to do this proves two points that are well known in the computer security industry.
  • Internal network security is just as important as external network security.
  • Insider attacks are a real danger and normally are harder to detect.

This case just points out that the FBI, like most huge corporations in the world, is pretty vulnerable once an attacker is beyond the perimeter security.

I like to call it "M&M Security" - hard on the outside; soft in the middle.
