September 22nd, 2003, 06:22 PM
Robert Hanssen's Espionage Activities
The DOJ web site has the executive summary of a 600+ page top secret report on Hanssen's espionage activities, including some of his computer exploits. The reaction of the FBI computer security and physical security "professionals" is pretty scary. Summary report is at
Some interesting tidbits include
Let's see now, I was only checking security, Boss.
Audit log reviews are a waste of time, right?
While in the NSTL Unit, Hanssen committed two serious and flagrant security breaches. First, he hacked into the FBI's computer system and accessed highly sensitive Soviet counterintelligence documents located on the hard drives of his colleagues and supervisors in the National Security Division. Hanssen grew nervous about what he had done and decided to report it to FBI management in the guise of revealing a flaw in the FBI's computer security. Hanssen's ruse succeeded, and no one questioned his breach of computer security......
Installing hardware is a challenge to all of us, right?
During Hanssen's detail to the State Department, the FBI provided him with a desktop computer that was connected to the FBI's ACS computer system. The ACS system gave Hanssen access to thousands of internal FBI classified documents for which he had no "need to know." To determine whether he was under investigation by the FBI, Hanssen also frequently searched the ACS system for references to his own name and address. In addition, he successfully mined the system for information concerning the FBI's most sensitive espionage investigations. While the ACS system had audit capability, Hanssen's improper searches went undetected because the FBI did not conduct audit trail reviews absent an allegation of wrongdoing.
The rest of it is interesting also, of course only our government would think a 21 page summary was short enough to be useful.
Hanssen's most egregious security breach at OFM - an attempt to install password breaker software on his FBI computer - was discovered by the FBI's computer specialists, who documented the incident and referred it to the FBI's Security Programs Manager. Hanssen told the Security Programs Manager that he had installed the hacking program in order to connect to a color printer, however, and he suffered no negative consequences as a result of this misconduct. As with Hanssen's other security violations, nothing about the matter was recorded in either his personnel or security file.
September 22nd, 2003, 06:49 PM
How, given all of the security in place (well, I guess they would actually have had to look at it), did they not catch this guy years ago? Too busy looking out to look in, I guess.
[Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above
September 22nd, 2003, 07:03 PM
Why Don't They Catch Them??
Let's count the ways
1. Managers don't listen to security, because all security professionals are zealots.
2. Managers don't want to let stuff like security get in the way of important things.
3. It's too much trouble to review reports from IDSs and other security devices.
4. All our employees are devoted to the company and would never ....
5. They'll never strike here.
6. All bad guys are at the CIA and none in the FBI.
It might be fun to think of other "reasons," but I have to go convince some managers that they should do something about providing adequate funding for security.
September 22nd, 2003, 08:13 PM
You're right, Gandalf, it's not easy convincing managers and co-workers (sometimes even one's own self) that the cube dawg you have beers with is a spy or hacker.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
September 23rd, 2003, 04:10 AM
I guess it is the old "bureau versus agency" squabble? We have it here, 5 versus 6? Let Burgess, Philby and Maclean get away with it for ages. As I recall James Jesus Angleton was aware that there was a problem, as was Dulles (spelling?), anyway, we all fall for it.
But I have to admit that I have been given authority that I should not... just to "get the job done"............It is a matter of trust?...I was trusted.....but should still not have been given the unsupervised authority.
Interesting post, thanks
September 23rd, 2003, 05:53 AM
Very classic stuff, from the sound of it. We get similar things, thank goodness the results aren't going to kill people. I found a faculty person's system filled with copyrighted software he was sharing out to the world, with MS key codes, he also had copyrighted games and was performing work for another organization on our systems.
Took it to the director of IT, who met with the faculty person. "Well, he didn't know what he was doing. He thought it was just a local share. He won't do it again."
This is our IT Director. The faculty person was teaching network OS, network design and a few other things along those lines.
I had to bring up the same issue because the faculty person again set up the share, this time involving one of our servers. That time, I took steps to ensure that the faculty person's privileges would be revoked until some action was taken. He tried the same story, but this time he had to tell a VP with the IT Director there.
I don't think the problem lies with us security geeks. I think it lies with the upper management. They are too busy giving lip service to security, playing politics and trying to be "sensitive" to the needs of their employees (all except us security geeks) to fully understand the impact of their actions, or lack thereof.
September 23rd, 2003, 08:05 PM
One of the worst cases I remember involved a government contractor employee who was deliberately sending classified data in e-mails to his friends because "everyone has a right to know this stuff." When he was caught by the local security people, they took away his computer and his security clearance. He turned out to be a friend of the cabinet official who ran the organization he contracted with. The cabinet official directed that the security people immediately restore his clearance, his computer privileges, and quit harassing him!! It was finally resolved, but he sent classified information over the internet for more than a year while it was sorted out among the managers.