backtop


Print 24 comment(s) - last by marvdmartian.. on Nov 12 at 7:32 AM

Snowden then accessed and downloaded secret NSA documents with that information

A new detail about the U.S. National Security Agency (NSA) leaks has emerged: agency employees gave former NSA contractor Edward Snowden their login credentials. 

According to a new report from Reuters, Snowden conned between 20 to 25 NSA employees to give him their login credentials and passwords. Snowden did this while working as a computer systems administrator at the NSA regional operations center for a month in Hawaii last spring.

Snowden reportedly told the NSA employees that he needed their passwords in order to do his job. 

However, Snowden used their information to access classified documents that he wasn't supposed to see. He downloaded tens of thousands of secret NSA documents (as well as documents from its British counterpart, Government Communication Headquarters) as a result, and leaked them to the media. 


The report added that a "handful" of NSA employees who gave their passwords to Snowden were identified and removed from their assignments. It wasn't clear whether they were put on other assignments or fired. 

This new information regarding Snowden's use of NSA passwords was revealed when the U.S. Senate Intelligence Committee approved a bill that will strengthen security over U.S. intelligence data. The bill will push for the installation of new software that can identify and track attempts to access or download secret materials without authorization.

In addition, the bill will require intelligence contractors to immediately report to spy agencies on incidents in which data networks have been accessed by unauthorized personnel.

Last month, it was reported that the NSA didn't install the most up-to-date, anti-leak software at the Hawaii operations center before Snowden arrived there for work.

In August, reports said that the NSA admitted to touching 1.6 percent of total globe Web traffic. Its technique was to filter data after harvesting it, which led to over-collection on a major scale. 

Google Executive Chairman Eric Schmidt recently called the NSA's spying on data centers "outrageous" and that its strategies of pulling hundreds of millions of records to find a few hundred is "bad public policy" and even "illegal."

Source: Reuters



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

NSA security practices... hah!
By techxx on 11/8/2013 10:50:32 AM , Rating: 5
It's amazing that so many employees would violate such a simple security 101 rule - in such a top secret agency!




RE: NSA security practices... hah!
By TSS on 11/8/2013 11:19:02 AM , Rating: 5
They should play more video games. I don't know how many times i've seen the tip at the loading screen say "<company> employees will never ask for your password!".

That said though, it's not uncommon for system admins to ask or get passwords. I remember when i was just an intern at a school i worked at, there was a problem with the directors profile and i was sent to fix it. When i arrived, he had to go to a meeting so he didn't have time to stay there with me. Considering a few reboots where required, i asked his password and got it. Well i didn't even really ask for it i told him i had to log in a few times and he decided to just give it to me because he had to go to a meeting.

It's one of the reasons you only want people you trust (and are paid well) in a system administrator position. The superadmin can just reset or view the passwords in the active directory of anybody, and access all of the data, as well as delete logs so nobody would know. Ofcourse there will be levels of clearance, but how is ye old regular employee supposed to know who has what clearance as they usually don't deal with system admins unless something breaks down.

No the only way to really secure sensitive info that's not supposed to be accessed by system operators (or indeed anybody without clearance *at that time*) is to install monitoring software, connect it up to the security department, and show who downloads what document and when, including wether or not clearance has been given to do so through temporary acces accounts. Basically giving people only temporary, not permanent, access to certain files. And even then it's not 100% secure because if the guy giving the access goes rogue you're still going to have the same problem.

It's a hassle. But considering what went on at the NSA (and still is going on) you'd expect them to go through the trouble. Afterall, almost all hacking is done through social engineering, rather then some nerd sitting behind a PC looking through code, surviving only on mountain dew and pizza.


RE: NSA security practices... hah!
By nafhan on 11/8/2013 12:21:45 PM , Rating: 4
quote:
it's not uncommon for system admins to ask or get passwords
I can't speak to how common asking for passwords is industry wide, but I can say that's a very bad practice on top of being unnecessary and inconvenient. There are tools (i.e. su, runas) that allow a sysadmin to work as another user, if needed. I would never ask for a password, and will do what I can to make sure I don't ever have a users password in an unencrypted format (i.e. if I manually change a password, I set it to require a password change immediately).

"Superadmins"/root users will often have access to the encrypted password database, and with time a knowledgeable admin might be able to decrypt these passwords, but that's extremely different from having access to plaintext passwords.

The NSA should be segmenting and compartmentalizing their sysadmins, encrypting more stuff, and the employees with access to sensitive material apparently need a refresher course on basic security. All the monitoring tools and temporary access in the world won't help much while you've got admins with to much access and users who are willing to give away their login credentials.


RE: NSA security practices... hah!
By SAN-Man on 11/8/2013 4:32:41 PM , Rating: 3
All the years I have been a Sys Admin I have never asked someone for their password - not once. I started in 1995.


RE: NSA security practices... hah!
By ritualm on 11/8/2013 5:02:15 PM , Rating: 2
quote:
Afterall, almost all hacking is done through social engineering, rather then some nerd sitting behind a PC looking through code, surviving only on mountain dew and pizza.

So true.

Leave a CD full of custom-built autorun malware and a USB thumb drive with the same contents in a parking lot. These days, many users don't have DVD drives on their computers anymore, so the big round discs get ignored as trash. USB drives can be reused. People would pick them up and plug them into their computers.

Without the hacker(s) needing to tell them what to do.

Humans are the weakest point in security, and physical access alone trumps every other security measure. Ironically, critical security lapses like these turn out to be the public's best weapons available for keeping tabs on governments and NSA...


RE: NSA security practices... hah!
By kattanna on 11/11/2013 12:02:07 PM , Rating: 2
quote:
Humans are the weakest point in security, and physical access alone trumps every other security measure


too true.

A company we took over had an admin who thought he was being super secure by making up those complicated random hashes for the wireless passwords, but then had no issue with standard employees printing them out in large type on a printer and taping the printed password on walls clearly visible to people walking by outside..

SIGH....



RE: NSA security practices... hah!
By Mitch101 on 11/8/2013 12:32:12 PM , Rating: 3
Lets also do the math and help them out because it sounds like they need it.

20 to 25 NSA employees gave him their login credentials and passwords.

A "handful" of NSA employees who gave their passwords to Snowden were identified and removed from their assignments.

That leaves 15-20 Idiots still working for the NSA.


RE: NSA security practices... hah!
By drycrust3 on 11/8/2013 2:25:12 PM , Rating: 2
quote:
It's amazing that so many employees would violate such a simple security 101 rule - in such a top secret agency!

That is a bit unfair. Without the say so of the Systems Administrator they have no access to any computer system, so they can't do their job, or they have no email, or, if they forgot which password was to be used on which system and it logged them out, then it could be a while (like several days) before they could get to try again. Some of them may have had problems getting employment, or be in trouble because they weren't snooping on every one, and would be nervous that if they didn't comply with an official request then they could loose their job or be "demoted" ... which is exactly what happened to them because they did follow what they believed was an official request.
Yes, I know Snowden was acting outside of his authority, but they wouldn't know this, even if they didn't trust him they still would have believed he was acting on an official request from a higher authority and that they had to comply ... like the Systems Administrator that demanded my treasured Microsoft Word 4 hard cover hand book when we were shifting offices, promised to return it, and never did.
As an aside, I do feel this is a sad indictment on what Snowden has done ... I guess I shouldn't be surprised, but it does give his halo a more of a greyish tint than the shiny white it previously was. I do hope they don't overlook this when the movie comes out.


RE: NSA security practices... hah!
By nafhan on 11/8/2013 3:06:20 PM , Rating: 2
quote:
That is a bit unfair.
Nope. It's completely fair. These people are charged with the safekeeping of top secret documents and they're giving out their passwords (`- almost certainly in violation of policy.
quote:
I do feel this is a sad indictment on what Snowden has done
Why? He exploited an insecure system, which we already knew. This is just specifics. If you feel like what Snowden did was right, then these people whose passwords he snagged were doing something wrong by not similarly exposing the illegal activities of the NSA.


RE: NSA security practices... hah!
By BifurcatedBoat on 11/8/2013 3:36:09 PM , Rating: 2
It's easy to say that now, but if you are not that familiar with the technology, and you have the administrator convincing you that he needs your credentials in order to solve a problem - maybe one that he created himself for the sole purpose of getting your credentials - and he seems personable, and the reason sounds legitimate, you might think, "OK, whatever, just do what you need to do so I can get back to work."

If everybody followed protocol on everything, all the time, working conditions in most places would be nearly unbearable, and almost nothing would actually get done.


By Reclaimer77 on 11/9/2013 9:35:15 AM , Rating: 2
quote:
If everybody followed protocol on everything, all the time, working conditions in most places would be nearly unbearable, and almost nothing would actually get done .


Which in the case of the NSA, might not be such a bad thing.


By Reclaimer77 on 11/8/2013 4:52:16 PM , Rating: 2
There's nothing "amazing" about it. Government bureaucracy basically breeds incompetent individuals.


By ones & zeros on 11/12/2013 1:02:26 AM , Rating: 2
What are friends for?


By marvdmartian on 11/12/2013 7:32:51 AM , Rating: 2
Probably the higher ups, who blew off doing their CBT's (computer based training) that would have told them NOT to do it.


"I mean, if you wanna break down someone's door, why don't you start with AT&T, for God sakes? They make your amazing phone unusable as a phone!" -- Jon Stewart on Apple and the iPhone














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki