backtop


Print 24 comment(s) - last by marvdmartian.. on Nov 12 at 7:32 AM

Snowden then accessed and downloaded secret NSA documents with that information

A new detail about the U.S. National Security Agency (NSA) leaks has emerged: agency employees gave former NSA contractor Edward Snowden their login credentials. 

According to a new report from Reuters, Snowden conned between 20 to 25 NSA employees to give him their login credentials and passwords. Snowden did this while working as a computer systems administrator at the NSA regional operations center for a month in Hawaii last spring.

Snowden reportedly told the NSA employees that he needed their passwords in order to do his job. 

However, Snowden used their information to access classified documents that he wasn't supposed to see. He downloaded tens of thousands of secret NSA documents (as well as documents from its British counterpart, Government Communication Headquarters) as a result, and leaked them to the media. 


The report added that a "handful" of NSA employees who gave their passwords to Snowden were identified and removed from their assignments. It wasn't clear whether they were put on other assignments or fired. 

This new information regarding Snowden's use of NSA passwords was revealed when the U.S. Senate Intelligence Committee approved a bill that will strengthen security over U.S. intelligence data. The bill will push for the installation of new software that can identify and track attempts to access or download secret materials without authorization.

In addition, the bill will require intelligence contractors to immediately report to spy agencies on incidents in which data networks have been accessed by unauthorized personnel.

Last month, it was reported that the NSA didn't install the most up-to-date, anti-leak software at the Hawaii operations center before Snowden arrived there for work.

In August, reports said that the NSA admitted to touching 1.6 percent of total globe Web traffic. Its technique was to filter data after harvesting it, which led to over-collection on a major scale. 

Google Executive Chairman Eric Schmidt recently called the NSA's spying on data centers "outrageous" and that its strategies of pulling hundreds of millions of records to find a few hundred is "bad public policy" and even "illegal."

Source: Reuters



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: NSA security practices... hah!
By TSS on 11/8/2013 11:19:02 AM , Rating: 5
They should play more video games. I don't know how many times i've seen the tip at the loading screen say "<company> employees will never ask for your password!".

That said though, it's not uncommon for system admins to ask or get passwords. I remember when i was just an intern at a school i worked at, there was a problem with the directors profile and i was sent to fix it. When i arrived, he had to go to a meeting so he didn't have time to stay there with me. Considering a few reboots where required, i asked his password and got it. Well i didn't even really ask for it i told him i had to log in a few times and he decided to just give it to me because he had to go to a meeting.

It's one of the reasons you only want people you trust (and are paid well) in a system administrator position. The superadmin can just reset or view the passwords in the active directory of anybody, and access all of the data, as well as delete logs so nobody would know. Ofcourse there will be levels of clearance, but how is ye old regular employee supposed to know who has what clearance as they usually don't deal with system admins unless something breaks down.

No the only way to really secure sensitive info that's not supposed to be accessed by system operators (or indeed anybody without clearance *at that time*) is to install monitoring software, connect it up to the security department, and show who downloads what document and when, including wether or not clearance has been given to do so through temporary acces accounts. Basically giving people only temporary, not permanent, access to certain files. And even then it's not 100% secure because if the guy giving the access goes rogue you're still going to have the same problem.

It's a hassle. But considering what went on at the NSA (and still is going on) you'd expect them to go through the trouble. Afterall, almost all hacking is done through social engineering, rather then some nerd sitting behind a PC looking through code, surviving only on mountain dew and pizza.


RE: NSA security practices... hah!
By nafhan on 11/8/2013 12:21:45 PM , Rating: 4
quote:
it's not uncommon for system admins to ask or get passwords
I can't speak to how common asking for passwords is industry wide, but I can say that's a very bad practice on top of being unnecessary and inconvenient. There are tools (i.e. su, runas) that allow a sysadmin to work as another user, if needed. I would never ask for a password, and will do what I can to make sure I don't ever have a users password in an unencrypted format (i.e. if I manually change a password, I set it to require a password change immediately).

"Superadmins"/root users will often have access to the encrypted password database, and with time a knowledgeable admin might be able to decrypt these passwords, but that's extremely different from having access to plaintext passwords.

The NSA should be segmenting and compartmentalizing their sysadmins, encrypting more stuff, and the employees with access to sensitive material apparently need a refresher course on basic security. All the monitoring tools and temporary access in the world won't help much while you've got admins with to much access and users who are willing to give away their login credentials.


RE: NSA security practices... hah!
By SAN-Man on 11/8/2013 4:32:41 PM , Rating: 3
All the years I have been a Sys Admin I have never asked someone for their password - not once. I started in 1995.


RE: NSA security practices... hah!
By ritualm on 11/8/2013 5:02:15 PM , Rating: 2
quote:
Afterall, almost all hacking is done through social engineering, rather then some nerd sitting behind a PC looking through code, surviving only on mountain dew and pizza.

So true.

Leave a CD full of custom-built autorun malware and a USB thumb drive with the same contents in a parking lot. These days, many users don't have DVD drives on their computers anymore, so the big round discs get ignored as trash. USB drives can be reused. People would pick them up and plug them into their computers.

Without the hacker(s) needing to tell them what to do.

Humans are the weakest point in security, and physical access alone trumps every other security measure. Ironically, critical security lapses like these turn out to be the public's best weapons available for keeping tabs on governments and NSA...


RE: NSA security practices... hah!
By kattanna on 11/11/2013 12:02:07 PM , Rating: 2
quote:
Humans are the weakest point in security, and physical access alone trumps every other security measure


too true.

A company we took over had an admin who thought he was being super secure by making up those complicated random hashes for the wireless passwords, but then had no issue with standard employees printing them out in large type on a printer and taping the printed password on walls clearly visible to people walking by outside..

SIGH....



"I want people to see my movies in the best formats possible. For [Paramount] to deny people who have Blu-ray sucks!" -- Movie Director Michael Bay














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki