Snowden Used Social Engineering To Get Classified Documents

cold fjord sends this news from Reuters: "Edward Snowden used login credentials and passwords provided unwittingly by colleagues ... to access some of the classified material he leaked. ... A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments. ... Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator. ... People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records. ... The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data. One provision of the bill would earmark a classified sum of money ... to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.'"

Snowden is a hero!

[For+a+Free+Internet]

Lifting a little corner of the veil over the monstrous crimes of imperialism! Only a workers revolution will put an end to imperialist barbarism!

Re:Snowden is a hero!

I agree comrade! Snowden deserves to be recognized as a Hero of the Soviet Union , but since those are no longer available a Hero of Russia will have to do. Perhaps the FSB nee KGB will someday announce his promotion! Glory to the workers of the Cheka for this achievement! We stand in solidarity with those that would smash capitalism and the bourgeois internet! Long live the dictatorship of the proletariat!

Re:Snowden is a hero!

Clearly, disliking an overreaching government that wants nothing but control over it's slaves makes you a socialist now. Because, you know, socialists are totally against those things. Either that or you've been listening to way too much US government propaganda lately and the irony is lost on you.

Re:Snowden is a hero!

[Camel+Pilot]

Is it just coincidence that there hasn't been any leaks embarrassing to the Chinese or Russians?

Re:Snowden is a hero!

[TrueRecord]

he worked for NSA

Snowden worked for the American people on a first-priority basis. He gave the information to the people and he gave it directly to the people through journalists and the free press. I think he was right and it was very brave to do it. Yes, he violated the rules but you know sometimes you have to break rules to be a decent citizen for your country. The rules are unconstitutional btw. The traitors are the NSA who stole the people's information, abused it and misused it.

Re:Snowden is a hero!

[ZigiSamblak]

Why must americans keep confusing socialism and communism? Most western countries including the United States have been moderately socialist for almost a century now and it has made us happier and more prosperous but it still is a scary word to many. Don't they teach any form of politics at school there?

Fire them

[sunderland56]

Anyone working in the security field who gives up their password is an idiot, and should be fired.

Re:Fire them

[varmfskii]

I totally agree. What kind of an idiot gives their passowrd to an administrator?

Re:Fire them

[Qzukk]

What kind of an idiot gives their passowrd to an administrator?

Not Terry Childs!

Re:Fire them

[Presto+Vivace]

We have not heard Snowden's version of events.

Re:Fire them

[TheCarp]

What org was it that wrote the SELinux extentions? Oh right the NSA.

I took an SELinux class a while back, it is not necessarily the case that this is true. Its true in all my environments, but, I have never seen any environment where SELinux was actually used.

The default policy on most distros the "Targeted" policy is pretty light weight. Its the horror movie equivalent of scream. Fully locked down SELinux is more like....faces of death.

It is entirely possible to have a system administrator who does NOT have that kind of access under the NSAs mandatory access control model. That doesn't mean they have it implemented that way, but, it is possible that they could, the tools exist; and they wrote them.

Re:Fire them

[g01d4]

An admin requesting your password raises flags, but it's possible many provided it because they didn't want to argue. That being said, you'd think at least one of the 20+ would have gone to their local security person as a follow up.

Re:Fire them

[somersault]

Yep. There is literally no other way of stopping this kind of secret government behaviour than kicking up a massive shitstorm before it gets too out of hand. Boohoo, the guy did something illegal while outing you for all your illegal and immoral bullshit. Everyone else in the world would give him a medal, but the government (apparently) think that pointing out that he stole some passwords will make us hate him?

Re:Fire them

[eric_herm]

You can fully divide the admin task with selinux like having 1 admin who can disable selinux ( or rather "update the policy" ), and having another doing operational stuff ( like logging as root ). So technically, the first one can disable protection for the 2nd one, but cannot do much by itself. And with protected physical access, you can pretty much have a rather locked down system. Not protected against 2 rogue admins, of course, but being protected against 1 is already better than most systems.

And regarding environment where SELinux is used ( besides targeted ), you can take a look at the openshift service from RH, they do use it a lot to separate users. But you are right that for most people, using more than targeted policy is a bit overkill, since people do not care that much about security ( and when they do care enough to not disable selinux, firewall and everything that make stuff so hard ).

Re:Fire them

[s.petry]

I have never seen any environment where SELinux was actually used.

I worked in DOD for more than a decade, we used SE Linux from the time it was available. Before that, we used LAUS. If you don't use it or know people that do, why are you going to make false claims like "Fully locked down SELinux is more like....faces of death."? If you never used it, you obviously should not be making bogus claims. Fully locked down and properly configured SELinux is a nightmare for auditors, not admins.

It is entirely possible to have a system administrator who does NOT have that kind of access under the NSAs mandatory access control model. That doesn't mean they have it implemented that way, but, it is possible that they could, the tools exist; and they wrote them.

No offense, but your second sentence contradicts your first claim. Is it not more likely that where he was working they were not using a properly configured access control system? System being architecture, implementation, and auditing to ensure people don't break things.

Probably because I have lived the life, I can speak first hand to knowing that not all DOD places were the same. I happened to build and design the first classified networked systems off of a military base (yeah yeah, big whoop wanna fight about it?). My primary responsibility was building and designing these systems, writing tools for the auditors, and writing tools to ensure everything worked all the time. At the same time, I spoke often with agents that had other customers that did nothing, or, used good old fashioned someone watching a person at a single terminal and writing things down manually. (no SELinux, no tools, no automation).

By Snowden's own claims he had access to things he should not. That to me indicates that the contractor he was working for had no real security in place. Anything I can bypass by killing syslogd or removing history is not "real", sorry. SELinux is the answer, but it's time consuming to get right and takes a dedicated regular staff of good auditors and admins to maintain. If you cut corners to save money and lack the proper staff, of course people can do things you don't know about. If you are doing illegal things that your staff questions, you just fucked yourself no matter how much staff you have.

Re:Fire them

[DougOtto]

I do our new hire IT Security training and those are exactly the instructions I give.

Do not give anyone your password, for any reason.

If you feel your job is in jeopardy because of the person asking, comply with the request but immediately contact myself or HR

Re:Fire them

[marcello_dl]

> ... he stole some passwords ...

and he didn't even do that, he merely copied them. This intellectual property debate is going out of hand!

Re:Fire them

[cffrost]

We have not heard Snowden's version of events.

We haven't really heard anyone's version of any alleged events; RTFA — the sources for this piece are literally referred to as "sources."

If this is a propagandist's attempt at a smear-piece, it's bad one. If the claims in this article are true, it's a greater indictment against NSA's security policies than it is against anything Snowden has done. What I see is NSA's propaganda/media relations contractor grasping at straws here.

Re:Fire them

[Dunbal]

No, it's a failed character assassination attempt. It backfires, and proves just how stupid 20 odd NSA employees can be. The goal was obviously to try to taint Snowden to show that he "broke the law" to get the data he later released. What it ends up showing is how readily alleged "security officials" are willing to hand anyone the keys to the operation.

I'm sure Snowden is no saint, however his agenda was to either confirm what he suspected and/or let the "cat out of the bag" about flagrant abuse of power by government. Even if his method was wrong, it does not make governments' behavior any less wrong. And the fact that government is trying to use its power and influence to minimize, trivialize, ignore or otherwise deflect attention from the revelations (with NO intention to change their behavior) is far, far worse than Snowden asking someone for their password who should have known better than to give it to him in the first place.

Re:Fire them

[Uberbah]

Yep, but many of the ignorant Snowden supporters see anything that mentions his crimes as an attack.

Because it invariably is? Same with the blatant concern trolling over Manning, where authoritarian hacks spend all day bitching about the rules broken by Manning, but never make a peep over the lawbreaking revealed by Manning. So they had a great deal of Concern over the UCMJ, etc, but would never mention the contractors that traded child sex slaves to warlords to be raped, or infants shot in the head during home invasions in Iraq.

If you're not an authoritarian hack AND you have a functioning sense of proportion, you'd never get to Snowden because you'd be too busy talking about the mountains from the NSA (warrantless wiretapping, fusion centers, perjury before Congress, etc etc) to ever get to the whisteblower.

Re:Fire them

[AHuxley]

Yes thanks to Snowden the unconstitutional spying was exposed in the press.
The telco firms, OS developers, hardware designers, software coders, crypto experts, gov standards, trusted academics, computing press, internal legal teams, political oversight groups have all been exposed as tame, incompetent, junk, a joke or as willing collaborators.
Very few wanted to understand or talk about what was been done in terms of on going unconstitutional domestic spying.
Thanks to many whistleblowers and now Snowden the world can fix the junk US/UK crypto and software.

Sucks to Have Worked with Snowden...

[DexterIsADog]

...though his revelations of the intelligence gathering practices of the NSA are a gift that just keeps on giving.

Funny that the people he duped to obtain some of the information are being relieved of their jobs (though not their lives, presumably), but the people participating in the overreach won't suffer any consequences.

Re:Sucks to Have Worked with Snowden...

[MrEricSir]

Funny that the people he duped to obtain some of the information are being relieved of their jobs (though not their lives, presumably), but the people participating in the overreach won't suffer any consequences.

The real question is how many other times these same NSA morons were duped by our country's actual enemies. Only a fool would believe Snowden was the first to come across all of this information.

Re:Sucks to Have Worked with Snowden...

[gstoddart]

Funny that the people he duped to obtain some of the information are being relieved of their jobs

Not funny, but arguably well deserved.

If your job is to work with sensitive data which has extremely limited access, providing someone with your password is an epic lapse in judgement, or a downright lack of understanding of basic security protocol.

If the NSA doesn't have a training course which loudly tells you to never give your passwords to anyone, they're idiots. If you didn't listen to that training and do give your password, then you have no business safeguarding sensitive data.

but the people participating in the overreach won't suffer any consequences.

Two different things, really. In their minds, the surveillance was legal and authorized (which, from their perspective is probably technically true). But completely failing to adhere to security policy means that you can't really be trusted.

I should think if you fall for social engineering at the NSA, you've completed a huge faux pas and demonstrated you might be the weakest link.

Hell, most companies routinely do phishing tests and the like, and failing that will get you onto the remedial information security policy -- and repeated lapses might lose you your job. I get fake phishing emails from our security department all the time -- and everyone I report right back to them and get told "congratulations, you did what we hoped you would".

I work in the private sector, and I take security very seriously. I'm often the one making the most noise about security, to the point that I preface many things with "look, I know I say this a lot, but ...". How someone in the NSA could be so stupid as to do this boggles the mind.

More reason to oppose their data collection

[compro01]

Not only does the NSA have your data, probably any other organization interested in it is able to obtain it from them.

They will never learn

[WillRobinson]

There are no secrets.. They eventually get out.

What I am curious about, is with all this data they are sifting how come there is nobody from Washington in Jail? You know they are
mostly self serving scumbags.

What bothers me more about all this data, and is never mentioned, is that it is possible now for people who have access to all this
big data, to profit from it on the stock market very easily.

This is a training problem.

[Remus+Shepherd]

In other news, there are a lot of stupid employees at the NSA regional operations center in Hawaii.

If the NSA had trained its employees competently, they wouldn't be so naive as to give their login passwords to anyone, even an admin.

Not shocked

[TheCarp]

As someone who has been a sysadmin for years, I can say, unequivocally, I never ask people for their passwords. If I need access to your account, I can have it. If I really need to do an end to end test, I can probably do it by swapping out your password hash and then restoring it so I never need your password. If that can't be done, i will change it and then reset it so you have to change it again.

Yet... despite this... from time to time people just.... send me their passwords.

"Account X on machine Y with password Z can't login, can you check it?"

So no shock at all here.

Re:Not shocked

[timeOday]

What surprises me is that he felt safer asking than using some technical means (a logger) to achieve the same ends. They must have things somewhat buttoned down.

Re:Not shocked

This is the NSA we're talking about - the elite security professionals. They know better than to stick a post-it with their password onto their monitor.

They stick the post-it under their keyboard.

Perchance to dream

[Nov8tr]

Ahh Power is fleeting. It is but a illusion. And secrets are but a dream. Maybe if the NSA spent more time worrying about what they do than about what other people do they wouldn't be in the mess they are. They are so concerned about the toothpick in someone else's eye that they can't see the beam stuck in theirs.

Who would have suspected?

[nbauman]

Why shouldn't they trust him? He was polygraphed.

FTA:

"In the classified world, there is a sharp distinction between insiders and outsiders. If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy," said Steven Aftergood, a secrecy expert with the Federation of American Scientists.

http://www.reuters.com/article/2013/11/08/net-us-usa-security-snowden-idUSBRE9A703020131108

Can you say slush fund

[DarkOx]

One provision of the bill would earmark a classified sum of money

Nothing like unaccountable monies in unknown quantity; that'll show'em. The NSA will never make such mistakes again after getting such harsh treatment.

New Software?

[rsmith84]

So they plan to waste millions on a project that will "install new software designed to spot and track attempts to access or download secret materials without proper authorization."? If he gets the credentials from users authorized to access the information how will this work? Swing and miss!

Regardless of whether Snowden was right or wrong

[idontgno]

I can safely predict one thing:

If you're a systems type working at any US national security TLA*, your job is going to get a whole lot harder. Maybe your whole life, since you're going to be under massively more suspicion and scrutinly ALL THE TIME. And the tools you need to do your job (not just software tools, but interactions and communications with those you're supporting) will be harder to use, and much more restricted, and viewed with more suspicion.

NSA may just wind up cutting itself off at its technical knees in a rampage of self-inspection and the internal purges I suspect are underway right now.

*TLA: Three-Letter Agency. By odd coincidence, most organs of the U.S. intelligence apparatus seem to name themselves by three-word names, and therefore are colloquially named by three-letter initialisms.

And the rest of them....

[Lumpy]

He just read off of the post it note in their cubicle...

This Thing Reeks

[cffrost]

Excerpts from Reuters "article:"

(Reuters) - Former U.S. National Security Agency contractor Edward Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media, sources said.

Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.

While the U.S. government now believes it has a good idea of all the data to which Snowden could have accessed, investigators are not positive which and how much of that data Snowden actually downloaded, the sources said.

This garbage has the same quality sourcing as the hit-piece published by The New York Times and The New Yorker that spread unsubstantiated rumors claiming that Snowden had given classified documents (i.e., unpublished material) to Chinese and Russian officials.

Re:If the story is true

[ogdenk]

That point was about 6 months ago. On Slashdot, where there's a pretty vocal community who thinks Bluray ISOs of the latest Hollywood releases "want to be free,"

Not really. I just won't buy BluRay releases until the MPAA get their fingers out of my hardware and remove DRM. The pirates have the better product that I can use in ways that I want to use them rather than their "our way or the highway" approach that isn't even backed by law in a lot of ways, just draconian corporate policy. So as far as I'm concerned, studios that sign up with them are complicit idiots that deserve to burn right along with them.

So yeah, as far as I'm concerned I would love to sit and watch that whole industry burn. Through illegal means if necessary. I lost any sympathy I had for them about a decade ago.

any secret data reveal is presumed to be some kind of a public service.

Any secret data that involves the government targeting Americans as if they were criminals with no due process IS ABSO-F**KING-LUTELY a public service. His personal motives don't matter to me much. He's done a good thing by helping to throw a monkey wrench (or at least a small screwdriver) in the gears driving the New World Order.

Any blow against tyranny is a good one regardless of the initial motives. If they were worried about their "national secrets" maybe they should gather these secrets legitimately according to the laws of the United States of America without attempting to redefine the English language to justify their illegal, immoral acts against the people.

Snowden long ago exposed himself as just a guy interested in finding as much as he could find about government secrets, then indiscriminately dumping that information on the press.

If this was true, either way, who gives a shit? I don't care about Snowden the man. I don't care about his personality. I don't care if he's a douche. Regardless, it was something that needed to be done.

He's not whistleblower,

Maybe not intentionally, but he certainly is. And any chaos and instability he creates I view as a positive and necessary thing. Our government needs to be reigned in and taught exactly who they hell they work for and who owns them again.

I'm not mad that both the NSA and CIA dropped the ball. I'm glad they are incompetent. I'm glad they did it. Folks that incompetent that are willing to break the law (and rarely face consequences) shouldn't be in control of the biggest spy machine on the planet if they can't keep simple checks and balances and well...... follow the law. There never should have been so much *scope* to infiltrate to begin with.

I find it hilarious that folks want to crucify Snowden for breaking the law but think the NSA just needs to get better at it and adjust some procedures (which will be ignored anyway).

These people are uncaring, brutal tyrants that care nothing about your freedom or securing your rights. They are there to subvert them and therefore have no legitimate right to exist. Period.

Re:If the story is true

[DarkOx]

We are no where near the point where this does any real harm. At worst its revealed some services and tools are not so safe to some minor criminal enterprises who probably already could have guessed.

Beyond that NOTHING Snowden has revealed has done anything but confirm things people had been hearing murmured rumors about and speculating on for some time. I know people who worked at the telco and were well aware of various people around who were feds, they could guess what they were up to based on which buildings/floors they visited etc, they just did not know the details.

I find it almost impossible to think anyone with an espionage capability even a couple rungs down from ours did not know most of this or did not already assume it was so and take counter measures. If Snoden could get this stuff them certainly someone with similar back ground ( US citizen by blood, good looking home grown corn fed guy/gal ) and a willingness to accept a sack of Russian or Chinese money could too and probably has.

The real surprise is the Germans claim to have not know Merkels phone was monitored, but even that now looks like a false flag, in that they were basically helping us do it. Its more likely it showed up in the Snowden documents and Merkel thought hey this would be a good way to make Obama, who at least was politically popular here and keeps disputing my fiscal policy, look bad.

Re:If the story is true

[xbytor]

***He'll continue to be cheered on by a certain demographic of IT guys who idolize hacker culture because of *scope* of his infiltration, and not the benefit he's provided the country.***

As a former IT guy/hacker/geek I cheer the results of what Snowden has provided and will provide (the scope is incidental). It makes the world a better place. It does not matter to me how he acquired the information that is being revealed. I draw the line at torture, but it is apparent, so far, that he did not water-board anybody while he was living in Hawaii.

Is this story true?

[lasermike026]

Is this story true? I have no reason to believe this at all. Admins don't need users passwords. Admins "own" the systems that they work on and can become any user they want to be without passwords.

The NSA lies. If we are to believe anything that comes out of that agency they better have hard evidence verified by the third source if one exists. This is a claim, nothing else.

C'mon people! Who has been telling the truth?

[Geste]

Who has been telling the truth since June? Snowden.

I am amazed that so many are taking this sniff-test-doubtful story at face value and debating whether the engineered sysadmins should be fired or shot.

Ain't it funny how these "sources" might layer on a bit of devious sociopathy, to try to make Snowden fit the role of criminal wrecker?

Among the principals (NSA, GHCQ, executive branch, most politicians, Snowden) it is pretty much only Snowden's testimony and participation that hasn't been full to the gills with half-truths, contradictions, lies and attempts at character assassination.

Oh and how devious:

"People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records."

Read: "You ought to believe that Snowden did more than totally embarrass us, but he is so devious that you'll ave to take that on faith!"

"Sources said". Blech

NO CLEMENCY FOR FEINSTEIN

Re:What else do you expect from cold fjord?

[AHuxley]

Yes its all out in NSA speaking points http://www.zerohedge.com/news/2013-10-31/document-reveals-official-nsa-talking-points-use-911-attacks-sound-bite
From been pro USA, bringing up 911, lawful acts, a count of the number of issues 'detected', the media makes it all so hard, the US gov needs the telco/OS/crypto/academic community...

Edward Snowden versus totalitarianism

[Taco+Cowboy]

The question regarding whether Edward Snowden is a hero, or not, requires more time for the world to judge.

However one thing is clear - Edward Snowden, and what he has done so far, with his expose of the dirty secrets of the so-called "democratic countries", shows that the guy does believe in the ideal of democracy.

Contrast this to those untold millions of power-craving freaks who have helped NSA/GCHQ (amongst others) putting up massive surveillance systems to spy on their own people in supposedly democratic countries, Edward Snowden shines.

When compared to the enormous spook complex , Edward Snowden stands out like a tiny, lonely beacon.

However tiny that beacon is, what Edward Snowden has accomplished, for the freedom of the world, should not be forgotten.

The submitter of TFA, Mr. Cold Fjord, has been very actively astroturfing Slashdot by launching all kinds of accusations towards Edward Snowden, from all angles.

We must be awared that, had it not because of Edward Snowden, we wouldn't have known so much of the despotic schemes perpetrated by those democratic governments .

In conclusion, even if Edward Snowden is not (yet declared) a hero, I still owe my sincerest thank to him !

Re:Edward Snowden versus totalitarianism

[cold+fjord]

Fjord seems rather fond of denouncing totalitarianism so it's to be expected.

FTFY