As with Manning Leak, Snowden Leak Reveals DOD Doesn’t Protect Security

MSNBC has an update to the continuing saga of “Omigod the NSA has inadequate security.” It explains why the “thin client” system the NSA had (one source calls it 2003 technology) made it so easy for Edward Snowden to take what he wanted.

In a “thin client” system, each remote computer is essentially a glorified monitor, with most of the computing power in the central server. The individual computers tend to be assigned to specific individuals, and access for most users can be limited to specific types of files based on a user profile.

But Snowden was not most users.

[snip]

As a system administrator, Snowden was allowed to look at any file he wanted, and his actions were largely unaudited. “At certain levels, you are the audit,” said an intelligence official.

He was also able to access NSAnet, the agency’s intranet, without leaving any signature, said a person briefed on the postmortem of Snowden’s theft. He was essentially a “ghost user,” said the source, making it difficult to trace when he signed on or what files he accessed.

If he wanted, he would even have been able to pose as any other user with access to NSAnet, said the source.

The story goes on to note that being in Hawaii would have allowed Snowden to access Fort Meade’s computers well after most users were gone.

I’m particularly interested in the assertion that Snowden could pose as any other user with access to NSAnet.

Any other user. Presumably, that includes at least Cybercommander Keith Alexander’s aides.

In a world in which the NSA is increasingly an offensive organization, certain figures within NSA would be engaged in some very interesting communications and compartments, I’d imagine.

Ah well. The US won’t learn. They’ll continue to neglect these holes until someone publicly demonstrates their negligence, all the while leaving them open for whatever paid agents of foreign governments choose to exploit them.

16 replies
  1. der says:

    Blah, blah, blah, blah. I’m wondering when we’ll see a “t” and a “y” book ending that “he”. Just out of HS, young and stupid, my first summer job was on a carpentry crew. My buddy and I would roll our eyes and mock the head carpenter behind his back when he would go off on some lengthy explanation of – “this dovetail goes into this …”(us): “ballschwank, which hooks to the rheostat connected to the thing-a-ma-jig” hah, hah, hah. We were maroons, clueless ones, teen years. Do they honestly think the country only cares about Miley Cyrus?

    Yes.

    MARK LEIBOVICH: When you look at the disconnect between Washington and the rest of the country, which people talk about. I mean, there’s a shorthand, “Well, Washington is out of touch,” right? People don’t fully know what that is made of. I mean, I think you see intuitively on TV or when you visit Washington, that people don’t talk and deal with people the way most Americans talk and deal with each other.

    I mean, there’s a language of obsequiousness, a language of selling, a language of spin. But most– but look– it is a wealth culture. These are people who are doing very, very well. It’s true in the demographics, it’s true in the sensibility.

    …Outside of Washington you have a truer sense of the outrage. You have a sense of an education. You have a sense of, “Oh my goodness. I’ve known Washington has been something I’ve been disappointed in. But I didn’t know it looked like this. I didn’t know it had come to all of this just this– incredible contempt for what they are supposed to be there for.” Contempt for what their constituents are, i.e., us.
    http://billmoyers.com/episode/full-show-mark-leibovich-on-americas-gilded-capital/

  2. Saul Tannenbaum says:

    Let’s deconstruct this a bit.

    There’s nothing inherently wrong with a “thin client” system. It has primary advantages of being easy to manage and difficult to attack. You don’t have to worry about malware or rogue software.

    The description of what being a system administrator allowed Snowden to do seems in line with a standard sysadmin role on a Unix-based system. The 2003 era technology description comes from this all or nothing based privilege system. You either have all privileges or you have user privileges. Once you have all privileges, you can do anything: turn auditing on and off, or, yes, impersonate another user. That’s a concept any Unix system administrator would be familiar with. If you have a user for whom something isn’t working, a standard troubleshooting technique would be to “become” them and see if it works for you. The security advantage in a more routine environment is that they wouldn’t have to disclose their password.

    But the NSA isn’t a routine environment. The problems of an all-or-nothing privilege environment are obvious to anyone worrying about security. A good privilege management system is much more finely grained. You have the privilege to look at all files but not turn off auditing, for example.

    This, also, puts a new perspective on “fire 90% of the sysadmins”. Perhaps that means “take away sysadmin privileges from 90% of the people who have it” which seems prudent in the same way that closing the barn door after the cow has wandered out seems prudent.

    It’s also interesting to compare Snowden and Manning. Manning wasn’t a sysadmin, he was just a user and had tremendous access routinely. The implication is that Snowden had to be a sysadmin to do what he did. That actually reflects *better* security than in the Manning case. But it’s also what people refer to as “crunchy outer shell, soft gooey interior” security. The barrier is there – you had to be a sysadmin – but once you passed that barrier, all bets were off.

    Like I said in another comment here a few weeks ago, I have some sympathy for the NSA here. It’s really, really hard to make a change to a privilege model that’s likely deeply embedded in the institutional culture. It’s highly disruptive, and when you have a legitimate counter argument – “Disrupt this system and people might die!” – inertia tends to win out. It takes a disaster like Snowden to change the incentives.

    I’m betting there are senior information security people and sysadmins in the NSA who have been muttering “we told you so” since this started. Snowden is the inevitable outcome of this kind of security model, something that wouldn’t have been lost on anyone who understood this.

  3. JTMinIA says:

    It is completely possible that Snowden could “pose” as any other (non-admin) user. I can do that on the system we have here at work. All that means, really, in 10-years-plus-old technology, is that log-ins are tied to the account and not the hardware of the computer being used. The system I run could be set up to check the hard-coded ID of the network card, as well as the account (and verify that they match), but so many people use multiple computers and/or share computers that we don’t bother. If the NSA’s system was account-only-based, then it’s simple for an admin to “pose” as anyone else.

  4. JTMinIA says:

    Oops. Posts crossed.

    I agree with Saul that the problem isn’t the use of a thin client system; in fact, that’s preferred. The problem is with how much effort is being put into authentication. Account-only systems are too easy to fool. You need dongles and/or hardware checks, too.

  5. Saul Tannenbaum says:

    @JTMinIA: I have to believe that the NSA uses strong two factor authentication (at least) and that it wasn’t authentication that was the problem. Snowden didn’t log in as Keith Alexander.

    Once Snowden logged in as Snowden (with dongles, one time passwords, biometrics, whatever), he was tagged as a sysadmin. How he did what he did next depends a lot on specific choices that the NSA made, but on a stock Unix system (like my MacBook), becoming someone else is as simple as:

    Pop up a terminal window
    sudo -s
    type root password
    su keitha

    and then I’m doing things as if I’m keith a. It’s a good working assumption that, for the NSA, there’s something a bit more complex than “type root password”, but the reason you give someone sysadmin privileges is so that they can become “root”, the Unix designation for the account that has privileges to do anything.

    The irony here is that, in the Linux world, the folks who contributed mandatory access controls to Linux were …. the NSA. See this for their description of the root access problem and how they fixed it:
    http://www.nsa.gov/research/selinux/faqs.shtml#I2

  6. What Constitution? says:

    Certainly there are holes to be punched in “security” philosophy of the NSA architecture, and certainly there must be some people on the inside muttering “I told you so” over Snowden, and certainly there will be people whose reaction is “fire the humans” and go for a Forbin Project.

    Dylan had it right: “To live outside the law you must be honest.” I’m not referring to Snowden, I’m referring to the effort to create, oversee and secrete an unconstitutional system of spying on the populace. The presumption that this can be done and that nobody will develop the conscience to disclose it is the principal hubris of the current situation. The structure of the system itself is not honest and the disclosure of the system’s fundamental inconsistency with the established principles of US society guaranteed its eventual disclosure. It’s why Snowden is to be thanked, and it’s why Obama’s perception of “mission” as being “restore trust” rather than “assess viability” is wholly misguided.

  7. Bill Michtom says:

    @Saul Tannenbaum: When I was a systems programmer for a large corporation (with IBM mainframes), we had security levels designated A-H (if memory serves), with increasing levels of privilege.

  8. lefty665 says:

    @Saul Tannenbaum: Nice post!

    Sorta why we call them systems administrators isn’t it? Generally SAs are really bright techies who can make systems stand up and talk to them. It is a pretty independent culture, “You employ me to keep this pile of iron you call a system running, so get out of my way”.

    “I’m betting there are senior information security people and sysadmins in the NSA who have been muttering “we told you so” since this started.” You can frame that, maybe they are being listened to now.

    Wonder what was going on in HI that a newbie like Snowden could root around unsupervised. Any bets his ex-boss is now cleaning johns someplace like Diego Garcia?

  9. Stephen says:

    “I’m particularly interested in the assertion that Snowden could pose as any other user with access to NSAnet.”

    I used to be a sysadmin myself. While I do not know anything about the NSA’s computing system, posing as another user is quite possible at an operating system level under UNIX and Linux systems, at least at a command prompt–as distinct from a GUI–level, provided you have access to the root account.

    The root account is what’s called the superuser account. Once you log on to it using the “su” command you can then use the “su” command to log on to any other account. Now normally when you use “su” you need to enter the username and password for the account you wish to log on to. However, because of the way the “root” account works all you need is the username when you use “su” as the root user. You are NOT prompted for a password!

    Just how far such access could be taken would depend on the NSA’s own systems. For example, whether it would give someone like Snowden access to NSA databases, since these would (probably) have their own authentication system, and that would (presumably!) be independent of the OS ones.

    “Any other user. Presumably, that includes at least Cybercommander Keith Alexander’s aides.”

    Or Alexander himself. As the head of the NSA he would almost certainly have an NSA account of his own.

    One further point. In all computing systems usernames and passwords are stored in a file. Anyone with root level access would have no problem copying that file to (say) a thumb drive then walking out the door to a computer with a password cracking tool on it. Given the sheer number of users the NSA would have with access to its systems, there would almost certainly be some who would use comparatively weak passwords, and therefore ones which a good cracking tool would have no problem decoding.

    In fact, the NSA itself probably uses (and maybe developed) such tools itself, tools which could potentially be turned against the NSA’s own password files–and that isn’t counting the various encryption breaking tools it would doubtless have at its disposal, which might also be turned against the encrypted passwords in a password file, whether on the NSA’s own computing systems or (if they could somehow be ported offsite and installed elsewhere) used on one’s own home computer.

  10. jerryy says:

    For a different point of view, I am going to suggest that we need to lessen these types of security a bit, not tighten it.

    Look at what the Manning and Snowden revelations have shown as a whole. That groups of people out of our cultures, supposedly sharing our values can be talked into using their talents to treat us as a people as an enemy, that the laws we use as rules for our society are only applicable on those currently deemed less worthy.

    We need more Snowdens and Mannings (and the others who have been leaking info but whose names are not right now in spotlights). The only destruction of security these leaks have caused is that our public knows the government’s powers have been misused against them.

    Changing the sudoer’s list so that the sys admins have fewer abilities will not make our national security more secure, as long as the folks running the show can be persuaded to use their powers against the societies they live in.

  11. Saul Tannenbaum says:

    @jerryy: I’ve written sudo configuration files so I understand what it can and cannot do. I’ve written sudo config files. But it doesn’t sound like the NSA had sudo or anything else that gave any sort of granularity to privilege assignment.
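    To make concrete the difference Saul draws between an all-or-nothing privilege model and the granularity sudo can express (comments 2 and 11), here is an added audit script, not part of the original post or any commenter’s code. It parses a simplified sudoers subset (user host=(runas) tags: commands), flags accounts holding unrestricted root, and answers “can this account disable auditing?”; the policy it reads is constructed for illustration and the grammar it handles (no aliases, globs or “!” exclusions) is an assumption.

```python
import re
from dataclasses import dataclass

# Matches "user host = (runas) tags: cmd1, cmd2"; runas and tags are optional.
RULE_RE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # strips NOPASSWD:, SETENV:, ...


@dataclass
class Rule:
    user: str
    host: str
    runas: str       # first runas user only ("ALL" or an account name)
    commands: list   # command paths, "ALL" meaning unrestricted


def parse_sudoers(text):
    """Parse user specifications; Defaults and alias lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, blanks
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, spec = m.groups()
        cmds = [TAG_RE.sub("", c.strip()) for c in spec.split(",")]
        rules.append(Rule(user, host, (runas or "root").split(":")[0], cmds))
    return rules


def can_run(rules, user, command):
    """True if some rule lets `user` run `command` (path plus arguments).

    A bare path in the rule permits any arguments; a path with arguments
    must match exactly. Simplified: globs and '!' exclusions are ignored.
    """
    for r in rules:
        if r.user != user:
            continue
        for c in r.commands:
            if c == "ALL" or c == command or c == command.split()[0]:
                return True
    return False


def all_or_nothing_users(rules):
    """Accounts holding unrestricted root: the 'you are the audit' model."""
    return sorted({r.user for r in rules
                   if "ALL" in r.commands and r.runas in ("ALL", "root")})


# Constructed sample policy (not any real organisation's configuration).
SAMPLE_SUDOERS = """
Defaults    logfile=/var/log/sudo.log
# all-or-nothing: full root, so auditing can be switched off at will
opsadmin    ALL=(ALL:ALL) ALL
# fine-grained: may read any file and rotate logs, but cannot touch auditd
auditor     ALL=(root) /usr/bin/cat, /usr/bin/less, /usr/sbin/logrotate
helpdesk    ALL=(root) NOPASSWD: /usr/bin/passwd
"""
```

Running `all_or_nothing_users(parse_sudoers(SAMPLE_SUDOERS))` names only `opsadmin`, while `can_run` shows `auditor` can read `/var/log/auth.log` but not run `/sbin/auditctl -e 0`.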

  12. earlofhuntingdon says:

    Using 2003 technology? What a hoot. At the rate in which IT norms change, that’s like flying a 707 across the Pacific, with three stops en route to Beijing. I’m pretty sure Beijing, Tokyo, Delhi and Moscow, to name a few, use more recently upgraded IT defenses. But perhaps they haven’t outsourced as much of their security and intel needs as the US and its corporations (to companies at least as beholden to their host governments as US corporations are to theirs).

  13. Mindrayge says:

    I am not buying the tale being spun to NBC. There are many products out there by various contractors that are much more secure than anything this article portrays. Yet for some reason the article tries to give the impression that with an ordinary PC and a “thin client” Snowden could go traipsing everywhere. That is, there are no other means across the entire NSANET – including the InsiderThreat programs and EINSTEIN – to have identified the kinds of activity alleged to have occurred.

    Just a cursory look into systems like TVE and TNE from General Dynamics (among large entities) or Securutor Systems (amongst smaller ones) shows that both network and storage of files, web sites, databases, etc. all operate in different levels of security classifications and access. That is, not all System Administrators would have access to any and all systems, servers, applications, databases, network paths, or entire networks. There are other vendors with products certified and on the Unified Cross Domain Management Office’s (UCDMO) Cross Domain Baseline list.

    It doesn’t explain how Snowden managed to come up with FISA Court documents that allegedly only existed in two places. Nor does it explain how it is that every document he managed to get was unencrypted. It doesn’t explain how he determined what files were on what server in order to take them.

    It claims that he could impersonate other users but doesn’t explain how he could have avoided the monitoring systems that would know he had done so let alone detect that a given user was active on more than one system. And even there, it would have required Snowden to know which accounts had access to what systems, files, etc.

    In the last two paragraphs what I am saying is that unless Snowden knew in advance which servers held which files and what user accounts were necessary to get to them in advance then he would have been on a fishing expedition. Snowden clearly would have had work assignments and he would have to complete those lest people became suspicious of his activities – or fired him because he couldn’t complete his assignments. The more activity he would have undertaken to take the documents that he did the greater the chance he would be discovered.

    Remember he still had to get whatever he collected out of the facility he was at and very likely get it out of his possession or hide it – physically or electronically just in case someone did get suspicious.

    The assertion that he could rummage around in Fort Meade because most people have gone home for dinner is quite frankly bullshit. Fort Meade is a 24/7/365 operation.

    Left unexplained is how Snowden managed to get out of the country considering, under Executive Order 12333 Section 2.3:

    2.3 Collection of Information. Agencies within the Intelligence Community are authorized to collect, retain or disseminate information concerning United States persons only in accordance with procedures established by the head of the agency concerned and approved by the Attorney General, consistent with the authorities provided by Part 1 of this Order. Those procedures shall permit collection, retention and dissemination of the following types of information:

    (e): Information needed to protect foreign intelligence or counterintelligence sources or methods from unauthorized disclosure.

    Collection within the United States shall be undertaken by the FBI except that other agencies of the Intelligence Community may also collect such information concerning present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting;

    And under section 2.4:

    2.4 Collection Techniques. Agencies within the Intelligence Community shall use the least intrusive collection techniques feasible within the United States or directed against United States persons abroad. Agencies are not authorized to use such techniques as electronic surveillance, unconsented physical search, mail surveillance, physical surveillance, or monitoring devices unless they are in accordance with procedures established by the head of the agency concerned and approved by the Attorney General. Such procedures shall protect constitutional and other legal rights and limit use of such information to lawful governmental purposes. These procedures shall not authorize:

    (c) Physical surveillance of a United States person in the United States by agencies other than the FBI, except for:
    (1) Physical surveillance of present or former employees, present or former intelligence agency contractors or their present or former employees, or applicants for any such employment or contracting; and
    (2) Physical surveillance of a military person employed by a nonintelligence element of a military service.

    It is entirely possible that the government chose not to monitor what Snowden was doing in his communications and travels. Nothing says they had to do surveillance on him. But considering that Insider Threat and its precursors were already being ramped up after the Manning episode it is rather curious that Snowden’s movements were unknown to them.

  14. Snarki, child of Loki says:

    “Ah well. The US won’t learn. They’ll continue to neglect these holes until someone publicly demonstrates their negligence, all the while leaving them open for whatever paid agents of foreign governments choose to exploit them.”

    With an added dollop of “shoot the messenger”, just to motivate improvement from within (not).

Comments are closed.