Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Government Privacy Security United States News

Snowden Used Social Engineering To Get Classified Documents 276

cold fjord sends this news from Reuters: "Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"
This discussion has been archived. No new comments can be posted.

Snowden Used Social Engineering To Get Classified Documents

Comments Filter:
  • Snowden is a hero! (Score:3, Insightful)

    by For a Free Internet ( 1594621 ) on Friday November 08, 2013 @12:24PM (#45369667)

    Lifting a little corner of the veil over the monstrous crimes of imperialism! Only a workers revolution will put an end to imperialist barbarism!

    • by Anonymous Coward on Friday November 08, 2013 @12:34PM (#45369813)

      I agree comrade! Snowden deserves to be recognized as a Hero of the Soviet Union [wikipedia.org], but since those are no longer available a Hero of Russia [wikipedia.org] will have to do. Perhaps the FSB [wikipedia.org] nee KGB will someday announce his promotion! Glory to the workers of the Cheka for this achievement! We stand in solidarity with those that would smash capitalism and the bourgeois internet! Long live the dictatorship of the proletariat!

      • by Anonymous Coward on Friday November 08, 2013 @02:04PM (#45370975)

        Clearly, disliking an overreaching government that wants nothing but control over it's slaves makes you a socialist now. Because, you know, socialists are totally against those things. Either that or you've been listening to way too much US government propaganda lately and the irony is lost on you.

        • Why must americans keep confusing socialism and communism? Most western countries including the United States have been moderately socialist for almost a century now and it has made us happier and more prosperous but it still is a scary word to many. Don't they teach any form of politics at school there?
      • Is it just coincidence that there hasn't been any leaks embarrassing to the Chinese or Russians?

  • Fire them (Score:5, Insightful)

    by sunderland56 ( 621843 ) on Friday November 08, 2013 @12:24PM (#45369673)

    Anyone working in the security field who gives up their password is an idiot, and should be fired.

    • I totally agree. What kind of an idiot gives their passowrd to an administrator?
      • by Qzukk ( 229616 ) on Friday November 08, 2013 @12:30PM (#45369761) Journal

        What kind of an idiot gives their passowrd to an administrator?

        Not Terry Childs!

      • by mt1955 ( 698912 )

        I totally agree. What kind of an idiot gives their passowrd to an administrator?

        Victims of the BOFH [ntk.net]

      • What kind of an idiot gives their passowrd to an administrator?

        An authoritarian - someone who breaks laws, rules and regulations if a perceived authority figure tells them to.

        Now, what kind of person is someone hiding NSAs dirty laundry likely to be?

      • by jez9999 ( 618189 )

        Never mind giving their password to an admin, you'd be amazed how many systems I've worked with through the years where the password is simply stored in plaintext. "So we can read users' passwords?", I ask. "Yes. So what? It's useful to remind them over the phone if they forget it."

        These devs also don't quite seem to understand why I store password hashes instead of plaintext passwords...

      • Not me. An administrator doesn't NEED my password to take possession of every file I own. He doesn't need my approval, permission, or anything at all - he can just TAKE possession of everything. That holds true for Linux, Windows, any Unix-like - and I suppose it holds true for any other operating system as well. Admin or root is god, the alpha and the omega, the be-all and end-all. Why should the administrator ever ASK me for a password? It's far more likely that Admin or root will tell ME what my ne

    • We have not heard Snowden's version of events.
      • Re:Fire them (Score:4, Informative)

        by cffrost ( 885375 ) on Friday November 08, 2013 @01:35PM (#45370661) Homepage

        We have not heard Snowden's version of events.

        We haven't really heard anyone's version of any alleged events; RTFA — the sources for this piece are literally referred to as "sources."

        If this is a propagandist's attempt at a smear-piece, it's bad one. If the claims in this article are true, it's a greater indictment against NSA's security policies than it is against anything Snowden has done. What I see is NSA's propaganda/media relations contractor grasping at straws here.

    • Re:Fire them (Score:4, Interesting)

      by g01d4 ( 888748 ) on Friday November 08, 2013 @12:51PM (#45370025)
      An admin requesting your password raises flags, but it's possible many provided it because they didn't want to argue. That being said, you'd think at least one of the 20+ would have gone to their local security person as a follow up.
      • yeah i woudl have been in our security officers office raising 7 kinds of hell.
      • I do our new hire IT Security training and those are exactly the instructions I give.

        Do not give anyone your password, for any reason.

        If you feel your job is in jeopardy because of the person asking, comply with the request but immediately contact myself or HR

        • by cdrudge ( 68377 )

          How did doing that turn out for Terry Childs again?

        • by jafac ( 1449 )

          This is the content of every single (mandatory) security training I've been required to take, over the years. It just seems unbelievable to me, that various government agencies spend so much money in this training, and developing strong security practices, that the NSA, of all agencies, would not be following these procedures.

    • And these people had ts security clearance - looks like a basic IQ test might be better than a polygraph and requiring at least a security+ certification to even get an interview.

      Some one senior at both the NSA and Booz Allen needs to be fired over this if you did this at any uk bank you woudl get canned on the spot certainly the CEO and Chairman of the contractor needs to fall on their sword.
    • by Strawser ( 22927 )

      Anyone working in the security field who gives up their password is an idiot, and should be fired.

      There should have been extremely clear training on that. This is the fault of the people who were managing the staff. If it were one, maybe even two people, sure. But when 25 people don't know that you're not supposed to give your creds to anyone, including an admin, that's bad management.

    • Agree completely. This is pretty amazingly incompetent. I'm beginning to think that the major danger to the NSA collecting all the data they do is that they can't be trusted to follow the most basic security practices, so completely fail to secure the data.
  • by DexterIsADog ( 2954149 ) on Friday November 08, 2013 @12:25PM (#45369685)
    ...though his revelations of the intelligence gathering practices of the NSA are a gift that just keeps on giving.

    Funny that the people he duped to obtain some of the information are being relieved of their jobs (though not their lives, presumably), but the people participating in the overreach won't suffer any consequences.
    • by MrEricSir ( 398214 ) on Friday November 08, 2013 @01:01PM (#45370153) Homepage

      Funny that the people he duped to obtain some of the information are being relieved of their jobs (though not their lives, presumably), but the people participating in the overreach won't suffer any consequences.

      The real question is how many other times these same NSA morons were duped by our country's actual enemies. Only a fool would believe Snowden was the first to come across all of this information.

    • by gstoddart ( 321705 ) on Friday November 08, 2013 @01:08PM (#45370267) Homepage

      Funny that the people he duped to obtain some of the information are being relieved of their jobs

      Not funny, but arguably well deserved.

      If your job is to work with sensitive data which has extremely limited access, providing someone with your password is an epic lapse in judgement, or a downright lack of understanding of basic security protocol.

      If the NSA doesn't have a training course which loudly tells you to never give your passwords to anyone, they're idiots. If you didn't listen to that training and do give your password, then you have no business safeguarding sensitive data.

      but the people participating in the overreach won't suffer any consequences.

      Two different things, really. In their minds, the surveillance was legal and authorized (which, from their perspective is probably technically true). But completely failing to adhere to security policy means that you can't really be trusted.

      I should think if you fall for social engineering at the NSA, you've completed a huge faux pas and demonstrated you might be the weakest link.

      Hell, most companies routinely do phishing tests and the like, and failing that will get you onto the remedial information security policy -- and repeated lapses might lose you your job. I get fake phishing emails from our security department all the time -- and everyone I report right back to them and get told "congratulations, you did what we hoped you would".

      I work in the private sector, and I take security very seriously. I'm often the one making the most noise about security, to the point that I preface many things with "look, I know I say this a lot, but ...". How someone in the NSA could be so stupid as to do this boggles the mind.

  • by compro01 ( 777531 ) on Friday November 08, 2013 @12:26PM (#45369687)

    Not only does the NSA have your data, probably any other organization interested in it is able to obtain it from them.

  • How is a sum of money classified in a budget? "Hey, out of our $30,000,000 budget for projects A, B, and C, we spent $10,000,000 on A, $5,000,000 on B, and a classified amount on item C."
    • It's more like we had $30,000,000 for a number of classified projects, of which we broke it down into X1 through Xn.

    • there are undisclosed sums in bills out of Congress all the time when it comes to security. the way it works is, there is a backroom deal between the chairman and the agency, and Treasury is told there is authorization for $???,???,???.?? for account XYZ.

      committee chairmen are in on a ton of secrets, and go along with a bunch more on the order of "I need this sum (flashes paper quickly and back in the pocket) on authorization of the President for national security purposes." the rest of the committee trust

    • by Hatta ( 162192 )

      $500 hammers.

  • by WillRobinson ( 159226 ) on Friday November 08, 2013 @12:30PM (#45369755) Journal

    There are no secrets.. They eventually get out.

    What I am curious about, is with all this data they are sifting how come there is nobody from Washington in Jail? You know they are
    mostly self serving scumbags.

    What bothers me more about all this data, and is never mentioned, is that it is possible now for people who have access to all this
    big data, to profit from it on the stock market very easily.

  • ....the guy who installs your logging software has a good chance of subverting it.

  • by Remus Shepherd ( 32833 ) <remus@panix.com> on Friday November 08, 2013 @12:31PM (#45369769) Homepage

    In other news, there are a lot of stupid employees at the NSA regional operations center in Hawaii.

    If the NSA had trained its employees competently, they wouldn't be so naive as to give their login passwords to anyone, even an admin.

    • by Dan667 ( 564390 )
      if the nsa did not have such overreaching programs to spy on people they shouldn't be then they would also have a lot less problems. Instead of curtaining nsa programs they will just plow on do some hand waving that everything is ok.
    • In other news, there are a lot of stupid employees at every office for every company everywhere.

      Everybody can be fooled, and in a "secure" environment where everybody has gone through a vetting process already, it's actually easier. Imagine you work on the latest top-secret missile project. While out grocery shopping one day, someone comes up and starts asking you detailed questions about work. Of course, that will raise a few flags. Now suppose you're sitting at your desk at work, and a coworker from down

    • by fermion ( 181285 )
      A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments.

      No, it is a consequences problems. Snowden has been charged with espionage, which can put a capital punishment situation on the table. If these guys aided and abetted, they should be charged as an accessory, not moved to a new assignment. If the NSA were interested in security, and not just optics, this is what they would do.

      All too often officials are just interested i

    • by jafac ( 1449 )

      SERIOUSLY: If the NSA wants to relocate me to Hawaii and pay me 6-figures, I am totally down with that, and I *promise* not to share my creds with anyone!

  • Not shocked (Score:5, Insightful)

    by TheCarp ( 96830 ) <sjc@@@carpanet...net> on Friday November 08, 2013 @12:31PM (#45369777) Homepage

    As someone who has been a sysadmin for years, I can say, unequivocally, I never ask people for their passwords. If I need access to your account, I can have it. If I really need to do an end to end test, I can probably do it by swapping out your password hash and then restoring it so I never need your password. If that can't be done, i will change it and then reset it so you have to change it again.

    Yet... despite this... from time to time people just.... send me their passwords.

    "Account X on machine Y with password Z can't login, can you check it?"

    So no shock at all here.

    • by Idbar ( 1034346 )

      What? You mean you haven't gotten to a desktop computer with the password written on a post-it affixed to the monitor? I think you're among the lucky ones!

      • Re: (Score:2, Funny)

        by Anonymous Coward

        This is the NSA we're talking about - the elite security professionals. They know better than to stick a post-it with their password onto their monitor.

        They stick the post-it under their keyboard.

      • by TheCarp ( 96830 )

        sure I have, but not since I was doing desktop support.

        Actually my favorite wasn't those. It was the post-it notes where someone had my direct phone line on it. They were not supposed to be calling me directly but the tech I replaced had been pretty loose with it.... a few times I waited till the user wasn't looking and then shoved the post-it with my number on it in my pocket :)

        Of course, back then, the user password was a 5 character upper case alphanumeric string, generated by an internal system, which c

    • What surprises me is that he felt safer asking than using some technical means (a logger) to achieve the same ends. They must have things somewhat buttoned down.
    • by Xest ( 935314 )

      The problem is that puerile see it as an IT thing. They don't see any aspect of IT security as part of their job so they just don't care. They just figure if they give you all the information then it's your problem to deal with and they can forget about it.

      Until companies start enforcing and having meaningful penalties enforced upon them for such misdemeanors I don't see this changing.

      Give a verbal warning, followed by a written warning followed by the sack. I'd wager 99% of employees never reach the sack a

  • "would earmark a classified sum of money" .... again this classified BS - what do they have to hide? The crap tax-$$'s burnt on all this pipe dream?

    This whole pandora box gets never cleaned out. Needs the method how the gordian knot was solved...
  • If you'd like to know what really happened, post your slashdot username and password in a reply, and I'll let you in on the secret...

    • My Slashdot username is Sarten-X.

      My password is Glernhab75.

      That's not actually the password for my Slashdot account, but your instructions weren't clear enough on that matter.

  • Ahh Power is fleeting. It is but a illusion. And secrets are but a dream. Maybe if the NSA spent more time worrying about what they do than about what other people do they wouldn't be in the mess they are. They are so concerned about the toothpick in someone else's eye that they can't see the beam stuck in theirs.
  • by nbauman ( 624611 ) on Friday November 08, 2013 @12:45PM (#45369963) Homepage Journal

    Why shouldn't they trust him? He was polygraphed.

    FTA:

    "In the classified world, there is a sharp distinction between insiders and outsiders. If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy," said Steven Aftergood, a secrecy expert with the Federation of American Scientists.

    http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108 [reuters.com]

    • by bledri ( 1283728 )
      He was polygraphed? That's nothing. I was Etch A Sketched!
    • by rk ( 6314 )

      Which is stupid, because polygraphs are pretty much theater and have very little scientific support. Even in someone untrained in beating them, they are far from perfect. If you know a few countermeasures they are worse than useless. Anyone who bases their measure of trustworthiness on the polygraph has not a single clue what trustworthiness is, and frankly deserve to get burned time and time again for it until they get a clue.

    • by jafac ( 1449 )

      "cleared" == background, criminal, and credit-history check.

      So, if you don't have any credit problems, if you don't have a criminal history, AND if they interview your friends and family, and they don't say you're a lying cheating scumbag, then you're golden.

  • Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator

    If people working with Top Secret/Classified information are so easily manipulated, you more or less have to conclude they had very few policies and controls in place.

    This super-duper secret surveillance plan clearly wasn't relying on anything other than good manners to secu

    • This super-duper secret surveillance plan clearly wasn't relying on anything other than good manners to secure the information, and likely it was ripe for being abused by just about anybody there.

      That's not a bug. It's a feature. It allows the agency to ignore its already-flimsy privacy protections, at any time, for any reason.

  • I'm getting really sick of this shit over and over....

    We've finally concluded that Snowden is no hero, by some a traitor, for others a dupe...and we're over it...

    The media fucked up reporting this **from day 1**

    We knew this in **2006** NSA has massive database of Americans' phone calls [usatoday.com]

    yet there was no public outcry...

    then the big one...PATRIOT ACT

    full text of the Patriot Act has been reported on and available to anyone with an internet connection or library card since 2001...

    I'm sick of Snowden's puppet mas

  • And there's some reason to believe that there isn't--then Snowden purposely used social engineering to fool colleagues into giving him their passwords. Do the ends justify the means? He's exposed the NSA's domestic spying, but now the wave's continuing onward and we're getting our normal espionage practices exposed. Are we allowed to ask if doing so does indeed put us more at the mercy of Russia, China, their actors, and Al Qaeda? At what point does this process stop? At what point does the good that was do
    • Do the ends justify the means?

      When the means is social engineering? Yes. Edward Snowden isn't even a hot chick, how many NSA employee's have handed out their credentials to even less 'trustworthy' people?

      • That is a very good point. I suppose I would be interested to know exactly how easy it would be to social-engineer the NSA from within, plus if it's been done before.
    • by DarkOx ( 621550 )

      We are no where near the point where this does any real harm. At worst its revealed some services and tools are not so safe to some minor criminal enterprises who probably already could have guessed.

      Beyond that NOTHING Snowden has revealed has done anything but confirm things people had been hearing murmured rumors about and speculating on for some time. I know people who worked at the telco and were well aware of various people around who were feds, they could guess what they were up to based on which bu

  • by DarkOx ( 621550 ) on Friday November 08, 2013 @01:02PM (#45370171) Journal

    One provision of the bill would earmark a classified sum of money

    Nothing like unaccountable monies in unknown quantity; that'll show'em. The NSA will never make such mistakes again after getting such harsh treatment.

  • So they plan to waste millions on a project that will "install new software designed to spot and track attempts to access or download secret materials without proper authorization."? If he gets the credentials from users authorized to access the information how will this work? Swing and miss!
  • I can safely predict one thing:

    If you're a systems type working at any US national security TLA*, your job is going to get a whole lot harder. Maybe your whole life, since you're going to be under massively more suspicion and scrutinly ALL THE TIME. And the tools you need to do your job (not just software tools, but interactions and communications with those you're supporting) will be harder to use, and much more restricted, and viewed with more suspicion.

    NSA may just wind up cutting itself off at its technical knees in a rampage of self-inspection and the internal purges I suspect are underway right now.

    *TLA: Three-Letter Agency. By odd coincidence, most organs of the U.S. intelligence apparatus seem to name themselves by three-word names, and therefore are colloquially named by three-letter initialisms.

  • Are those who gave him the passwords going to be charged with treason?
  • by Lumpy ( 12016 ) on Friday November 08, 2013 @01:11PM (#45370307) Homepage

    He just read off of the post it note in their cubicle...

  • This Thing Reeks (Score:5, Interesting)

    by cffrost ( 885375 ) on Friday November 08, 2013 @01:11PM (#45370313) Homepage

    Excerpts from Reuters "article:"

    (Reuters) - Former U.S. National Security Agency contractor Edward Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media, sources said.

    Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.

    While the U.S. government now believes it has a good idea of all the data to which Snowden could have accessed, investigators are not positive which and how much of that data Snowden actually downloaded, the sources said.

    This garbage has the same quality sourcing as the hit-piece published by The New York Times and The New Yorker that spread unsubstantiated rumors claiming that Snowden had given classified documents (i.e., unpublished material) to Chinese and Russian officials.

  • Who says he duped anyone? I do some sysadmin work and I've probably had just as many people over the past year send in support tickets like:
    "HEPL!! My computers broke and I can't make it work! The red thingy is blinking! Numbers are due out tomorrow!!! My logins XXXXX and pass is ???? Employee # 123456 Please call me asap! @ 555-5555"
    etc... etc... etc...
    Next ticket is "You broke it even worse! Now my accounts locked!!!"
    to which I reply "Yes, corporate security will be contacting you shortly about that. In t

  • Not only is the NSA breaking the law, they also consist of idiots who ought to know better about social engineering and the likes ... Does anybody need more proof that the NSA should be shut down?

  • " One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"

    Ok, so they will spy on those who spy on Internet users. But who will spy on them, in turn?

  • Is this story true? I have no reason to believe this at all. Admins don't need users passwords. Admins "own" the systems that they work on and can become any user they want to be without passwords.

    The NSA lies. If we are to believe anything that comes out of that agency they better have hard evidence verified by the third source if one exists. This is a claim, nothing else.

  • by Geste ( 527302 ) on Friday November 08, 2013 @05:12PM (#45372969)

    Who has been telling the truth since June? Snowden.

    I am amazed that so many are taking this sniff-test-doubtful story at face value and debating whether the engineered sysadmins should be fired or shot.

    Ain't it funny how these "sources" might layer on a bit of devious sociopathy, to try to make Snowden fit the role of criminal wrecker?

    Among the principals (NSA, GHCQ, executive branch, most politicians, Snowden) it is pretty much only Snowden's testimony and participation that hasn't been full to the gills with half-truths, contradictions, lies and attempts at character assassination.

    Oh and how devious:

    "People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records."

    Read: "You ought to believe that Snowden did more than totally embarrass us, but he is so devious that you'll ave to take that on faith!"

    "Sources said". Blech

    NO CLEMENCY FOR FEINSTEIN

After all is said and done, a hell of a lot more is said than done.

Working...