
Snowden then accessed and downloaded secret NSA documents with that information

A new detail about the U.S. National Security Agency (NSA) leaks has emerged: agency employees gave former NSA contractor Edward Snowden their login credentials. 

According to a new report from Reuters, Snowden conned between 20 and 25 NSA employees into giving him their login credentials and passwords. Snowden did this while working as a computer systems administrator at the NSA regional operations center in Hawaii for a month last spring.

Snowden reportedly told the NSA employees that he needed their passwords in order to do his job. 

However, Snowden used their information to access classified documents that he wasn't supposed to see. As a result, he downloaded tens of thousands of secret NSA documents (as well as documents from its British counterpart, Government Communications Headquarters) and leaked them to the media.


The report added that a "handful" of NSA employees who gave their passwords to Snowden were identified and removed from their assignments. It wasn't clear whether they were put on other assignments or fired. 

This new information regarding Snowden's use of NSA passwords was revealed when the U.S. Senate Intelligence Committee approved a bill that will strengthen security over U.S. intelligence data. The bill will push for the installation of new software that can identify and track attempts to access or download secret materials without authorization.

In addition, the bill will require intelligence contractors to immediately report to spy agencies on incidents in which data networks have been accessed by unauthorized personnel.

Last month, it was reported that the NSA didn't install the most up-to-date anti-leak software at the Hawaii operations center before Snowden arrived there for work.

In August, reports said that the NSA admitted to touching 1.6 percent of total global Web traffic. Its technique was to filter data after harvesting it, which led to over-collection on a major scale.

Google Executive Chairman Eric Schmidt recently called the NSA's spying on data centers "outrageous" and said that its strategy of pulling hundreds of millions of records to find a few hundred is "bad public policy" and even "illegal."

Source: Reuters



Comments

RE: NSA security practices... hah!
By nafhan on 11/8/2013 12:21:45 PM , Rating: 4
quote:
it's not uncommon for system admins to ask or get passwords
I can't speak to how common asking for passwords is industry-wide, but I can say that's a very bad practice on top of being unnecessary and inconvenient. There are tools (i.e. su, runas) that allow a sysadmin to work as another user, if needed. I would never ask for a password, and will do what I can to make sure I don't ever have a user's password in an unencrypted format (i.e. if I manually change a password, I set it to require a password change immediately).

"Superadmins"/root users will often have access to the encrypted password database, and with time a knowledgeable admin might be able to decrypt these passwords, but that's extremely different from having access to plaintext passwords.

The NSA should be segmenting and compartmentalizing their sysadmins, encrypting more stuff, and the employees with access to sensitive material apparently need a refresher course on basic security. All the monitoring tools and temporary access in the world won't help much while you've got admins with too much access and users who are willing to give away their login credentials.


RE: NSA security practices... hah!
By SAN-Man on 11/8/2013 4:32:41 PM , Rating: 3
All the years I have been a Sys Admin I have never asked someone for their password - not once. I started in 1995.

Copyright 2014 DailyTech LLC.