Snowden Used Social Engineering To Get Classified Documents

cold fjord sends this news from Reuters: "Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"

Re:Fire them

[TheCarp]

What org was it that wrote the SELinux extentions? Oh right the NSA.

I took an SELinux class a while back, it is not necessarily the case that this is true. Its true in all my environments, but, I have never seen any environment where SELinux was actually used.

The default policy on most distros the "Targeted" policy is pretty light weight. Its the horror movie equivalent of scream. Fully locked down SELinux is more like....faces of death.

It is entirely possible to have a system administrator who does NOT have that kind of access under the NSAs mandatory access control model. That doesn't mean they have it implemented that way, but, it is possible that they could, the tools exist; and they wrote them.

Re:Fire them

[eric_herm]

You can fully divide the admin task with selinux like having 1 admin who can disable selinux ( or rather "update the policy" ), and having another doing operational stuff ( like logging as root ). So technically, the first one can disable protection for the 2nd one, but cannot do much by itself. And with protected physical access, you can pretty much have a rather locked down system. Not protected against 2 rogue admins, of course, but being protected against 1 is already better than most systems.

And regarding environment where SELinux is used ( besides targeted ), you can take a look at the openshift service from RH, they do use it a lot to separate users. But you are right that for most people, using more than targeted policy is a bit overkill, since people do not care that much about security ( and when they do care enough to not disable selinux, firewall and everything that make stuff so hard ).

Re:Fire them

[s.petry]

I have never seen any environment where SELinux was actually used.

I worked in DOD for more than a decade, we used SE Linux from the time it was available. Before that, we used LAUS. If you don't use it or know people that do, why are you going to make false claims like "Fully locked down SELinux is more like....faces of death."? If you never used it, you obviously should not be making bogus claims. Fully locked down and properly configured SELinux is a nightmare for auditors, not admins.

It is entirely possible to have a system administrator who does NOT have that kind of access under the NSAs mandatory access control model. That doesn't mean they have it implemented that way, but, it is possible that they could, the tools exist; and they wrote them.

No offense, but your second sentence contradicts your first claim. Is it not more likely that where he was working they were not using a properly configured access control system? System being architecture, implementation, and auditing to ensure people don't break things.

Probably because I have lived the life, I can speak first hand to knowing that not all DOD places were the same. I happened to build and design the first classified networked systems off of a military base (yeah yeah, big whoop wanna fight about it?). My primary responsibility was building and designing these systems, writing tools for the auditors, and writing tools to ensure everything worked all the time. At the same time, I spoke often with agents that had other customers that did nothing, or, used good old fashioned someone watching a person at a single terminal and writing things down manually. (no SELinux, no tools, no automation).

By Snowden's own claims he had access to things he should not. That to me indicates that the contractor he was working for had no real security in place. Anything I can bypass by killing syslogd or removing history is not "real", sorry. SELinux is the answer, but it's time consuming to get right and takes a dedicated regular staff of good auditors and admins to maintain. If you cut corners to save money and lack the proper staff, of course people can do things you don't know about. If you are doing illegal things that your staff questions, you just fucked yourself no matter how much staff you have.

Re:Fire them

[cffrost]

We have not heard Snowden's version of events.

We haven't really heard anyone's version of any alleged events; RTFA — the sources for this piece are literally referred to as "sources."

If this is a propagandist's attempt at a smear-piece, it's bad one. If the claims in this article are true, it's a greater indictment against NSA's security policies than it is against anything Snowden has done. What I see is NSA's propaganda/media relations contractor grasping at straws here.