
Snowden then accessed and downloaded secret NSA documents with that information

A new detail about the U.S. National Security Agency (NSA) leaks has emerged: agency employees gave former NSA contractor Edward Snowden their login credentials. 

According to a new report from Reuters, Snowden conned between 20 and 25 NSA employees into giving him their login credentials and passwords. Snowden did this while working for a month last spring as a computer systems administrator at the NSA regional operations center in Hawaii.

Snowden reportedly told the NSA employees that he needed their passwords in order to do his job. 

However, Snowden used their information to access classified documents that he wasn't supposed to see. He downloaded tens of thousands of secret NSA documents (as well as documents from its British counterpart, Government Communications Headquarters) as a result, and leaked them to the media.


The report added that a "handful" of NSA employees who gave their passwords to Snowden were identified and removed from their assignments. It wasn't clear whether they were put on other assignments or fired. 

This new information regarding Snowden's use of NSA passwords was revealed when the U.S. Senate Intelligence Committee approved a bill that will strengthen security over U.S. intelligence data. The bill will push for the installation of new software that can identify and track attempts to access or download secret materials without authorization.

In addition, the bill will require intelligence contractors to immediately report to spy agencies on incidents in which data networks have been accessed by unauthorized personnel.

Last month, it was reported that the NSA didn't install the most up-to-date anti-leak software at the Hawaii operations center before Snowden arrived there for work.

In August, reports said that the NSA admitted to touching 1.6 percent of total global Web traffic. Its technique was to filter data after harvesting it, which led to over-collection on a major scale.

Google Executive Chairman Eric Schmidt recently called the NSA's spying on data centers "outrageous" and said that its strategy of pulling hundreds of millions of records to find a few hundred is "bad public policy" and even "illegal."

Source: Reuters




NSA security practices... hah!
By techxx on 11/8/2013 10:50:32 AM , Rating: 5
It's amazing that so many employees would violate such a simple security 101 rule - in such a top secret agency!




RE: NSA security practices... hah!
By TSS on 11/8/2013 11:19:02 AM , Rating: 5
They should play more video games. I don't know how many times I've seen the tip at the loading screen say "<company> employees will never ask for your password!".

That said though, it's not uncommon for system admins to ask or get passwords. I remember when I was just an intern at a school I worked at, there was a problem with the director's profile and I was sent to fix it. When I arrived, he had to go to a meeting so he didn't have time to stay there with me. Considering a few reboots were required, I asked his password and got it. Well, I didn't even really ask for it; I told him I had to log in a few times and he decided to just give it to me because he had to go to a meeting.

It's one of the reasons you only want people you trust (and are paid well) in a system administrator position. The superadmin can just reset or view the passwords in the active directory of anybody, and access all of the data, as well as delete logs so nobody would know. Of course there will be levels of clearance, but how is ye old regular employee supposed to know who has what clearance, as they usually don't deal with system admins unless something breaks down?

No, the only way to really secure sensitive info that's not supposed to be accessed by system operators (or indeed anybody without clearance *at that time*) is to install monitoring software, connect it up to the security department, and show who downloads what document and when, including whether or not clearance has been given to do so through temporary access accounts. Basically giving people only temporary, not permanent, access to certain files. And even then it's not 100% secure because if the guy giving the access goes rogue you're still going to have the same problem.

It's a hassle. But considering what went on at the NSA (and still is going on) you'd expect them to go through the trouble. After all, almost all hacking is done through social engineering, rather than some nerd sitting behind a PC looking through code, surviving only on mountain dew and pizza.


RE: NSA security practices... hah!
By nafhan on 11/8/2013 12:21:45 PM , Rating: 4
quote:
it's not uncommon for system admins to ask or get passwords
I can't speak to how common asking for passwords is industry wide, but I can say that's a very bad practice on top of being unnecessary and inconvenient. There are tools (i.e. su, runas) that allow a sysadmin to work as another user, if needed. I would never ask for a password, and will do what I can to make sure I don't ever have a user's password in an unencrypted format (i.e. if I manually change a password, I set it to require a password change immediately).

"Superadmins"/root users will often have access to the encrypted password database, and with time a knowledgeable admin might be able to decrypt these passwords, but that's extremely different from having access to plaintext passwords.

The NSA should be segmenting and compartmentalizing their sysadmins, encrypting more stuff, and the employees with access to sensitive material apparently need a refresher course on basic security. All the monitoring tools and temporary access in the world won't help much while you've got admins with too much access and users who are willing to give away their login credentials.


RE: NSA security practices... hah!
By SAN-Man on 11/8/2013 4:32:41 PM , Rating: 3
All the years I have been a Sys Admin I have never asked someone for their password - not once. I started in 1995.


RE: NSA security practices... hah!
By ritualm on 11/8/2013 5:02:15 PM , Rating: 2
quote:
After all, almost all hacking is done through social engineering, rather than some nerd sitting behind a PC looking through code, surviving only on mountain dew and pizza.

So true.

Leave a CD full of custom-built autorun malware and a USB thumb drive with the same contents in a parking lot. These days, many users don't have DVD drives on their computers anymore, so the big round discs get ignored as trash. USB drives can be reused. People would pick them up and plug them into their computers.

Without the hacker(s) needing to tell them what to do.

Humans are the weakest point in security, and physical access alone trumps every other security measure. Ironically, critical security lapses like these turn out to be the public's best weapons available for keeping tabs on governments and NSA...


RE: NSA security practices... hah!
By kattanna on 11/11/2013 12:02:07 PM , Rating: 2
quote:
Humans are the weakest point in security, and physical access alone trumps every other security measure


too true.

A company we took over had an admin who thought he was being super secure by making up those complicated random hashes for the wireless passwords, but then had no issue with standard employees printing them out in large type on a printer and taping the printed password on walls clearly visible to people walking by outside.

SIGH....



RE: NSA security practices... hah!
By Mitch101 on 11/8/2013 12:32:12 PM , Rating: 3
Let's also do the math and help them out because it sounds like they need it.

20 to 25 NSA employees gave him their login credentials and passwords.

A "handful" of NSA employees who gave their passwords to Snowden were identified and removed from their assignments.

That leaves 15-20 Idiots still working for the NSA.


RE: NSA security practices... hah!
By drycrust3 on 11/8/2013 2:25:12 PM , Rating: 2
quote:
It's amazing that so many employees would violate such a simple security 101 rule - in such a top secret agency!

That is a bit unfair. Without the say-so of the Systems Administrator they have no access to any computer system, so they can't do their job, or they have no email, or, if they forgot which password was to be used on which system and it logged them out, then it could be a while (like several days) before they could get to try again. Some of them may have had problems getting employment, or be in trouble because they weren't snooping on everyone, and would be nervous that if they didn't comply with an official request then they could lose their job or be "demoted" ... which is exactly what happened to them because they did follow what they believed was an official request.
Yes, I know Snowden was acting outside of his authority, but they wouldn't know this, even if they didn't trust him they still would have believed he was acting on an official request from a higher authority and that they had to comply ... like the Systems Administrator that demanded my treasured Microsoft Word 4 hard cover hand book when we were shifting offices, promised to return it, and never did.
As an aside, I do feel this is a sad indictment on what Snowden has done ... I guess I shouldn't be surprised, but it does give his halo more of a greyish tint than the shiny white it previously was. I do hope they don't overlook this when the movie comes out.


RE: NSA security practices... hah!
By nafhan on 11/8/2013 3:06:20 PM , Rating: 2
quote:
That is a bit unfair.
Nope. It's completely fair. These people are charged with the safekeeping of top secret documents and they're giving out their passwords - almost certainly in violation of policy.
quote:
I do feel this is a sad indictment on what Snowden has done
Why? He exploited an insecure system, which we already knew. This is just specifics. If you feel like what Snowden did was right, then these people whose passwords he snagged were doing something wrong by not similarly exposing the illegal activities of the NSA.


RE: NSA security practices... hah!
By BifurcatedBoat on 11/8/2013 3:36:09 PM , Rating: 2
It's easy to say that now, but if you are not that familiar with the technology, and you have the administrator convincing you that he needs your credentials in order to solve a problem - maybe one that he created himself for the sole purpose of getting your credentials - and he seems personable, and the reason sounds legitimate, you might think, "OK, whatever, just do what you need to do so I can get back to work."

If everybody followed protocol on everything, all the time, working conditions in most places would be nearly unbearable, and almost nothing would actually get done.


By Reclaimer77 on 11/9/2013 9:35:15 AM , Rating: 2
quote:
If everybody followed protocol on everything, all the time, working conditions in most places would be nearly unbearable, and almost nothing would actually get done.


Which in the case of the NSA, might not be such a bad thing.


By Reclaimer77 on 11/8/2013 4:52:16 PM , Rating: 2
There's nothing "amazing" about it. Government bureaucracy basically breeds incompetent individuals.


By ones & zeros on 11/12/2013 1:02:26 AM , Rating: 2
What are friends for?


By marvdmartian on 11/12/2013 7:32:51 AM , Rating: 2
Probably the higher ups, who blew off doing their CBT's (computer based training) that would have told them NOT to do it.


The demonizing continues
By roykahn on 11/8/2013 3:31:40 PM , Rating: 2
In related news:

Sir John Sawers, head of MI6, claimed Snowden’s leaks have caused damage. "The leaks from Snowden have been very damaging. They’ve put our operations at risk. It’s clear that our adversaries are rubbing their hands with glee. Al-Qaeda is lapping it up."

Translation: "If our spying efforts aren't kept secret, the terrorists win". He's almost saying that Snowden was aiding terrorists.

Leaking information about spying programs = harmful.
Secretly spying on millions of innocent people = necessary.

It seems like those doing the spying don't like the taste of their own medicine. Please sir, can I classify my own communications as 'top secret'.




RE: The demonizing continues
By superstition on 11/8/2013 4:08:45 PM , Rating: 2
They also claimed that Glenn Greenwald's partner is a terrorist and spy because he was working for the Guardian and had a copy of the Snowden documents.

quote:
"For all the lecturing it doles out to the world about press freedoms, the UK offers virtually none...They are absolutely and explicitly equating terrorism with journalism," Greenwald said.


Watch Pauline Neville-Jones, a technology "expert" make a fool of herself trying to toe the government's sensationalist line: (31:50 in) http://www.youtube.com/watch?v=WkGDTnsOkxM


RE: The demonizing continues
By Reclaimer77 on 11/10/2013 6:28:04 PM , Rating: 2
UK citizens have no true freedoms because they are all expressly granted by the state. And that which is bequeathed by the state can be rescinded just as easily and arbitrarily.


Oh the irony...
By Apone on 11/8/2013 12:43:25 PM , Rating: 2
quote:
Last month, it was reported that the NSA didn't install the most up-to-date, anti-leak software at the Hawaii operations center before Snowden arrived there for work.


I guess the agency is definitely putting the "Security" in National Security Agency. Maybe they're redefining the concept?

Once again, your tax dollars hard at work folks....




RE: Oh the irony...
By Reclaimer77 on 11/10/2013 10:06:56 PM , Rating: 2
We're seeing Government incompetence across the board.

Maybe now us Conservatives and Libertarians don't sound so crazy after all? And that Government shouldn't be the answer to everything.

If people take away anything from this NSA fiasco and the Healthcare.gov disaster, I sincerely hope it's to open their eyes to the fact that a big Government isn't the end-all-be-all.


I call bull!##!
By tayb on 11/8/2013 4:03:58 PM , Rating: 2
"He bullied people into handing over their passwords" sounds a hell of a lot better than "Our security procedures were grossly inadequate and our employees were incompetent."




RE: I call bull!##!
By SAN-Man on 11/8/2013 4:34:48 PM , Rating: 2
Pretty much. He's easy to point the finger at. Smart people know the difference though. Whether the NSA is at fault or Fast Eddie is at fault, the bottom line is the NSA is at fault because it's their responsibility.


Lots of comments by sys admins
By Johnny5canuck on 11/10/2013 8:35:34 AM , Rating: 2
There are lots of comments here by sys admins who obviously know better. Rather than just point the finger at the 20-25 users who unknowingly gave up their password to an IT admin, how about their IT training? I suspect they've received inadequate IT security training, so I'd point some fingers at management and possibly IT management as well.




RE: Lots of comments by sys admins
By ritualm on 11/10/2013 2:19:47 PM , Rating: 2
You're dealing with two big issues:
1. Security 101 - "never give out your passwords to anyone" not practiced by people that routinely handle sensitive information
2. Government - if you receive an order from your superiors, you are expected to do it, and any resistance from yours truly gets treated as disobedience - punishments can range from written reprimands all the way to criminal court.


NSA got phished!
By milktea on 11/8/2013 12:41:16 PM , Rating: 2
Cannot believe the most secretive organization got phished by their own. Lack of training or just too much alcohol? :)




Copyright 2014 DailyTech LLC.