Consultant Breached FBI's Computers

A breach of FBI databases is the latest in a string of setbacks for Director Robert S. Mueller's campaign to upgrade the agency's technical capabilities.
A breach of FBI databases is the latest in a string of setbacks for Director Robert S. Mueller's campaign to upgrade the agency's technical capabilities. (By Chris Kleponis -- Bloomberg)
By Eric M. Weiss
Washington Post Staff Writer
Thursday, July 6, 2006

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.

The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program and details on counterespionage activity, according to documents filed in U.S. District Court in Washington. As a direct result, the bureau said it was forced to temporarily shut down its network and commit thousands of man-hours and millions of dollars to ensure no sensitive information was lost or misused.

The government does not allege that the consultant, Joseph Thomas Colon, intended to harm national security. But prosecutors said Colon's "curiosity hacks" nonetheless exposed sensitive information.

Colon, 28, an employee of BAE Systems who was assigned to the FBI field office in Springfield, Ill., said in court filings that he used the passwords and other information to bypass bureaucratic obstacles and better help the FBI install its new computer system. And he said agents in the Springfield office approved his actions.

The incident is only the latest in a long string of foul-ups, delays and embarrassments that have plagued the FBI as it tries to update its computer systems to better share tips and information. Its computer technology is frequently identified as one of the key obstacles to the bureau's attempt to sharpen its focus on intelligence and terrorism.

An FBI spokesman declined to discuss the specifics of the Colon case. But the spokesman, Paul E. Bresson, said the FBI has recently implemented a "comprehensive and proactive security program'' that includes layered access controls and threat and vulnerability assessments. Beginning last year, all FBI employees and contractors have had to undergo annual information security awareness training.

Colon pleaded guilty in March to four counts of intentionally accessing a computer while exceeding authorized access and obtaining information from any department of the United States. He could face up to 18 months in prison, according to the government's sentencing guidelines. He has lost his job with BAE Systems, and his top-secret clearance has also been revoked.

In court filings, the government also said Colon exceeded his authorized access during a stint in the Navy.

While documents in the case have not been sealed in federal court, the government and Colon entered into a confidentiality agreement, which is standard in cases involving secret or top-secret access, according to a government representative. Colon was scheduled for sentencing yesterday, but it was postponed until next week.

His attorney, Richard Winelander, declined to comment.

According to Colon's plea, he entered the system using the identity of an FBI special agent and used two computer hacking programs found on the Internet to get into one of the nation's most secret databases.

Colon used a program downloaded from the Internet to extract "hashes" -- user names, encrypted passwords and other information -- from the FBI's database. Then he used another program to "crack" the passwords by using dictionary-word comparisons, lists of common passwords and character substitutions to figure out the plain-text passwords. Both programs are widely available for free on the Internet.

CONTINUED     1        >

© 2006 The Washington Post Company