Snowden Spoofed Top Officials' Identity To Mine NSA Secrets 743
schnell writes "As government investigators continue to try to figure out just how much data whistleblower Edward Snowden had access to, MSNBC is reporting that Snowden used his sysadmin privileges to assume the user profiles of top NSA officials in order to gain access to the most sensitive files. His sysadmin privileges also enabled him to do something other NSA users can't — download classified files from NSAnet onto a thumb drive. 'Every day, they are learning how brilliant [Snowden] was,' said a former U.S. official with knowledge of the case. 'This is why you don't hire brilliant people for jobs like this. You hire smart people. Brilliant people get you in trouble.'"
Brilliant? (Score:5, Informative)
Surely someone at the NSA knows about multi-level security, SELinux, and the like. No one should have had root access. Having architected the system so poorly, it hardly took a genius to walk off with their secrets.
Re:Brilliant? (Score:4, Informative)
Best comment I have read in a long time.
For those who don't get it (although this is SD, so there shouldn't be), the NSA wrote SELinux.
Re:Snowden was never a "Whistleblower" (Score:3, Informative)
Quite a shrill shill. Crackpots and paranoids and conspiracy theorists knew the government was listening to everything all of us do all the time.
Now we all do. That's an achievement. Maybe not worthy of the mission impossible theme song, but an achievement nonetheless.
This message will self destruct in 5 seconds...
Re:"Brilliant"? Hardly (Score:4, Informative)
Not in any system I've ever seen.
The admin needs to be able to pretty much do everything on the system .. create stuff, delete stuff, raw access to whatever the data is stored in. That's kind of how you do the admin stuff in the first place.
I've been the admin on various systems over the years, and I've never seen a system where you don't have access to everything. That I only look at stuff when I'm supposed to, and even then strictly just enough to do what I need to means I take it seriously. And because I don't want the hassle of knowing more than I need to in order to do my job (and keep it).
I've also been in places where the admin did step outside of their role and poke into things out of curiosity or spite. Those can be fun to identify or fix.
You essentially have to trust your admins and choose carefully. But if you need someone to be able to fix or repair stuff, that requires full access in most cases.
I can almost guarantee you, your DBA, your Exchange Admin, and your sys admin can access pretty much everything on those systems. I'm not even sure what you'd need to have in order to have a system which allowed you to not trust the admin -- but it would have to be a significant departure from most everything we have now. And it would probably leave you a lot of situations in which the admin looks at you and says "bummer dude, but you guys locked me out, so I can't help you".
Re:Brilliant? (Score:5, Informative)
Perhaps if the right people make Snowden seem like a mad brilliant genius, the public will brush aside questions of how secure processes at the NSA are?
Re:Amended quote (Score:5, Informative)
Just goes to show what utter trash journalism has become. Invariably, if you have any knowledge of a subject you can't get over just how badly "journalists" get things wrong or intentionally leave out crucial details.
A sysadmin had root? Imagine that?
Re:so he did in fact break the law (Score:2, Informative)
They've done even more. The Pentagon has concluded that no harm has occurred as a result of the leaks.
https://en.wikipedia.org/wiki/Afghan_War_documents_leak#Informants_named
"On 11 August 2010, a spokesman for the Pentagon told the Washington Post that "We have yet to see any harm come to anyone in Afghanistan that we can directly tie to exposure in the WikiLeaks documents",[55] although the spokesman asserted "there is in all likelihood a lag between exposure of these documents and jeopardy in the field." On 17 August, the Associated Press reported that "so far there is no evidence that any Afghans named in the leaked documents as defectors or informants from the Taliban insurgency have been harmed in retaliation."[56]
In October, the Pentagon concluded that the leak "did not disclose any sensitive intelligence sources or methods", and that furthermore "there has not been a single case of Afghans needing protection or to be moved because of the leak."[57] Both Wikileaks and Greenwald pointed to this report as clear evidence that the danger caused by the leak had been vastly overstated.[58][59]"
Re:Amended quote (Score:4, Informative)
I think some are misrepresenting this as easy. (Score:3, Informative)
I think some are misrepresenting this as easy.
If Snowden did in fact impersonate identities to access the information, and the systems in question are correctly configured, then about the only way to do what he did is on the servers in question themselves.
A properly configured system uses authenticated channels into the server, and that authentication is by means of the accessing system doing a couple things which are difficult to forge, without modifying the attacking system and installing foreign software.
Specifically, the server is a member of an SA - Security Association - and the client machine joins the SA through an attestation process which uses a distributed security certificate. So far, so good. Now a connection is established to the server through a secure point to point link; AFP and SMB use such links, NFS does not (NFS uses remote attestation, which is a point of vulnerability).
A credential is associated on the client side of the link, and it's also associated with the server side of the link through an attestation process to being a particular member of the SA. This attestation goes over the secure link to the server, and the server verifies it with the SA. Because the verification process between the server and the SA is incapable of being intermediated by the client, you have to have all authentication factors in hand. This is why you can't "su uid", as you can in an NFS, environment in order to effectively assume an identity.
Since they are using at least two factor authentication - and these guys do at least that; they use CAC (Common Access Card) attestation using cryptographic smart cards - identity is very difficult to forge.
So you end up with a connection to the server, and a UUID and.or GUID in your credential associated with the connection on the server side, and then ACLs are enforced on server objects you attempt to access over the connection using the UUID/GUID to compare ACL ownership, rights grants, group membership for which ownership or rights grants exist on the object, and so on.
Thus the only way this could have been done is with administrator access *on a server*, not merely administrator access on the network or on a client node on the network ( assuming a lack of sophisticated software).
That said... administrator rights would have been enough. There's no impersonation requirement needed in order to establish access, so he would not have needed to impersonate anyone in order to get the information, and given the authentication and attestation barriers in place, it would have actually been more difficult to obtain the information via impersonation, rather than just being local to the server itself and grabbing it.
This kind of looks like a "pile on the charges" gambit to try and get him for other crimes that could be associated with the attack, had he been silly and done it the way they are claiming he did in the article.
Re:Amended quote (Score:5, Informative)
Mod this up. I know one large pharmaceutical company that requires dual logins (i.e. two sysadmins) to do anything out of the ordinary - and everything is logged. Why the f-ing NSA can't do this is beyond me.