Security Bytes: Consultant cracks FBI database

SearchSecurity.com Staff

Consultant cracks FBI database
A computer consultant unlocked the FBI's classified database and accessed the passwords of 38,000 agency employees -- including that of FBI Director Robert S. Mueller III -- using hacking tools freely available on the Internet.

According to The Washington Post, in a series of four break-ins that occurred two years ago, the consultant accessed records relating to the Witness Protection Program and details on counterespionage activity. The details were revealed in documents filed in U.S. District Court in Washington. Because of the breach, the bureau had to temporarily shut down its network and spend thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused, the newspaper reported.

The consultant, Joseph Thomas Colon, isn't accused of trying to jeopardize national security, but prosecutors said Colon's "curiosity hacks" did expose sensitive information. Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system, The Washington Post reported. He said agents in the Springfield office approved his actions.

Google Reader flaw is fixed
Attackers could have launched cross-site scripting attacks and stolen sensitive data from end-users by exploiting a security hole in Google Reader.

But the search giant has fixed the problem with its Web content aggregation program.

According to a posting on the Ha.ckers.org blog, digital desperados could embed HTML scripts in Web postings or input fields on a Web site to exploit the problem.

"What are the implications of this attack for Google?" the blog posting asked. "Well, for starters, I can put a phishing site on Google. 'Sign up for Google World Beta.' I can steal cookies to log in as the user in question ... I can steal your phone number from the /sendtophone application ... get your address because maps.google.com is mirrored ... The list of potential vulnerabilities goes on and on. The vulnerabilities only grow as Google builds out [its] portal experience."

Wednesday, Google said it learned of the problem earlier in the day and moved quickly to fix it.

Three OpenOffice flaws addressed
OpenOffice.org 2.0.3 has been released to fix three flaws attackers could exploit to tamper with files.

"Although there are currently no known exploits, we urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor's patches accordingly," the OpenOffice Project said in an advisory. "Patches for users of OpenOffice.org 1.1.5 will be available shortly."

The first flaw may allow certain Java applets to break out of the "sandbox" and therefore have full access to system resources with the current user's privileges. The offending applets may be constructed to destroy or replace files, read or send private data and/or cause additional security issues.

The second flaw may make it possible to inject Basic code into documents, which is then executed when the document is loaded. The user will not be asked or notified, and the macro will have full access to system resources with the current user's privileges, the advisory said. As a result, the macro may delete or replace files, read or send private data and/or cause additional security issues.

Finally, a buffer overflow allows for a value to be written to an arbitrary location in memory. This may lead to command execution in the context of the current user, the OpenOffice Project said.

The flaws also affected Sun Microsystems Inc.'s StarOffice productivity software. Sun released patches late last week.