The National Security Agency (NSA) is the font of information security wisdom for the US defense and intelligence communities. But apparently, the NSA’s own network security is so weak that a single administrator was able to hijack the credentials of a number of NSA employees with high-level security clearances and use them to download data from the agency’s internal networks. That administrator was Edward Snowden.
Under Department of Defense (DOD) Directive 8500.2, the director of the NSA, Gen. Keith Alexander, is tasked with approving all the cryptographic hardware and software used by the DOD. The NSA also provides “information assurance” and information system security engineering services to DOD branches and agencies. And along with the National Institute of Standards and Technology, the NSA maintains the master guide for DOD information security systems: the Information Assurance Technical Framework (IATF).
But in what appears to be a case of “do as I say, not as I do,” the NSA’s internal IT security schemes allowed Snowden, a contractor sysadmin, to pull off a classic insider attack on the agency. An investigation by NBC found that Snowden had used the digital identities of several upper-level NSA officials to log into NSAnet, the agency’s intranet—giving him access to data far beyond the needs of a lowly system administrator.
My last post discussed how the internet would be broken if the NSA could any decrypt online communications. One of the things I said this would allow is the gathering of passwords and the ability to ‘look’ like someone else in order to access anything on the Web.Without leaving a trace.
Looks like that is exactly what Snowden did. He broke people’s passwords and then just went where he wanted to to get information. Any of it. Anywhere.
This paragraph is one of the most firghtening I have ever read:
In order to pull this off without raising alarms, Snowden would have needed access to the full credentials of the users whose identities he borrowed. He would have needed to somehow either gain access to the public key infrastructure (PKI) keys found in their user authentication or he would have needed to override multi-factor authentication to gain access to the systems. He also would have needed to avoid detection by audit logs in making those changes (or delete the record of changes after the fact). He managed to do all of these things, download the content, and get it past the NSA’s physical security.
He did to the NSA what the NSA might be able to do to any of us. Gain access to important information by pretending to be us, because they cracked security, and then do whatever, all without leaving a trace.