As of August 29, 2016, Not All High Risk Users at NSA Had Two-Factor Authentication

For the last several weeks, all of DC has been wailing that Russia hacked the election, in part because John Podesta didn’t have two-factor authentication on his Gmail account.

So it should scare all of you shitless that, as of August 29, 2016, not all high risk users at NSA had 2FA.

That revelation comes 35 pages into the 38 page HPSCI report on Edward Snowden. It describes how an IG Report finished on August 29 found that NSA still had not closed the Privileged Access-Related holes in the NSA’s network.

That’s not the only gaping hole: apparently even server racks in data centers were not secure.

And note that date: August 29? Congress would have heard about these glaring problems just two weeks after the first Shadow Brokers leak, and days after Hal Martin got arrested with terabytes of NSA data in his backyard shed.

I think I can understand why James Clapper and Ash Carter want to fire Mike Rogers.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

9 replies
  1. jerryy says:

    I will catch some grief over this, but a lot of 2FA schemes are meh, vastly overrated for what you get.

    As a general idea, you sign in with a username and password and then if things are not right, the ‘prize asset’ sends a code to a device (usually a phone via SMS text message — though that is only now starting to be phased out and replaced with a slightly stronger secure app on that device.) None of that was secure in reality — especially the SMS messaging — those are sent as plain text to the device.

    None of these prove you are you, only that the person using the device has the device. Shiny. Security in these areas has not advanced beyond the point used by Edna in ‘The Incredibles’.

    • George says:

      True it’s not perfect, but SMS-flavored 2FA still provides better security for people who are targets for nuisance hackers but not necessarily nation-state adversaries.

      • jerryy says:

        It is more for people who have a hard time remembering their password yet do not have it programmed into their phone’s email app. 2FA bypasses all of the built-in security by being a side-door into the castle.

        Nuisance hackers long ago figured out how to eavesdrop on text messaging.

  2. earlofhuntingdon says:

    “apparently even server racks in data centers were not secure.”

    If there were a prize for the pot calling the kettle black, the NSA would take first. This is gross negligence for basic corporate security, let alone for an organization with NSA’s mission and resources.

  3. martin says:

    Meanwhile,

    http://arstechnica.com/security/2016/12/this-low-cost-device-may-be-the-worlds-best-hope-against-account-takeovers/


    Of course, if you don’t have anything to hide,.. you are a proton fleeting across the vastness of space without a care in the universe. Unfortunately, there’s already a statute that will make you criminally liable for proving that which is unprovable in a court of law… to exist. Aaron Swartz and Edward Snowden are living proof

  4. scory says:

    All Federal agencies, civilian, defense, and intelligence, have been required to implement identification including an encrypted key since Homeland Security Presidential Directive 12 was issued. Depending on the level of sensitivity, many agencies choose to use the encrypted key as one of the factors. While it’s not terribly hard to implement, it is difficult to ensure all systems, and all contractors, are implementing it properly.

    Does it surprise me that the intelligence community is woefully negligent in implementing even rudimentary MFA on their systems? Not at all.

  5. earlofhuntingdon says:

    Well, being required to do something and doing it aren’t the same thing, are they? Ask any teenager. Or any money launderer, or any bankster. The framing has the imagery of the corporate apology industry.
