Inside NSA's Efforts To Hunt Sysadmins

← Back to Stories (view on slashdot.org)

Inside NSA's Efforts To Hunt Sysadmins

Posted by Soulskill on Friday March 21, 2014 @12:47AM from the most-sedentary-sport dept.

An anonymous reader writes "The Snowden revelations continue, with The Intercept releasing an NSA document titled 'I hunt sys admins' (PDF on Cryptome). The document details NSA plans to break into systems administrators' computers in order to gain access to the networks they control. The Intercept has a detailed analysis of the leaked document. Quoting: 'The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. "Who better to target than the person that already has the ‘keys to the kingdom’?" one of the posts says.'"

40 of 147 comments (clear)

Min score:

Reason:

Sort:

Hide in plain sight by L4t3r4lu5 · 2014-03-21 00:52 · Score: 5, Funny

This is why I insist that my official job title is "Soup Dispenser Technician, Second Class" on all official documents.

--
Finally had enough. Come see us over at https://soylentnews.org/
1. Re:Hide in plain sight by Anonymous Coward · 2014-03-21 01:01 · Score: 5, Funny
  
  If only you could pass those damned astro-navs....
2. Re:Hide in plain sight by ravenlord_hun · 2014-03-21 01:39 · Score: 4, Insightful
  
  Small-time admins maybe. If one works as part of a larger team, automation and documentation is king - any such backdoors would get anyone into trouble, quick.
3. Re:Hide in plain sight by RabidReindeer · 2014-03-21 02:33 · Score: 4, Informative
  
  Small-time admins maybe. If one works as part of a larger team, automation and documentation is king - any such backdoors would get anyone into trouble, quick.
  R
  O
  T
  F
  L
  Worked in Fortune corporations. If I don't stop laughing soon, I'll pass out.
4. Re:Hide in plain sight by Minwee · 2014-03-21 02:35 · Score: 4, Funny
  
  I'm sure you would have made it further than "Technician Second Class" if it hadn't been for that unfortunate incident with the gazpacho soup at Captain Hollister's table.
5. Re:Hide in plain sight by Anonymous Coward · 2014-03-21 03:13 · Score: 2
  
  In previous jobs, the closest thing to a "back door" is a SSH key. In fact, it has been also the front door too, because some machines have any remote access blocked unless it is via SSH public key authentication. This makes the auditors happy, and it also gets rid of having to change passwords every 15-30 days. It also gets around the fact that three wrong passwords would mean a permanent lockout until an admin reset the account by hand (and documented the reset in JIRA.)
  In times past, a "secret" back door has been usable. However, with audits, political infighting, separate departments of IT, and the pressure of a sysadmin to constantly justify their existence or be replaced by a H-1B who will work for 1/10 the salary, there might be a known account, but that's it. In fact, most admins document the case of -no- backdoors for CYA reasons.
  Most audit tools will easily find backdoors. Part of basic Windows admin training is to search AD for user accounts with rights they shouldn't have. Similar on the UNIX side with Solaris role auditing. A back door likely will be found eventually and there will be Hell to pay for it.
  Finally, a smaller company, this might be doable. A larger company has so many people that a sysadmin might have a backdoor, but the network guys with the IDS/IPS will pick up its use when a SSH tunnel gets formed to a machine on the outside.
6. Re:Hide in plain sight by Midnight_Falcon · 2014-03-21 06:34 · Score: 3, Informative
  
  As ineloquently as RabidReindeer may have put it, he's 100% spot on here. I've done security audits for big companies with large teams -- admins insert backdoors al over the place, then their buddies figure out they did it, and instead of being reprimanded they start using it too for convenience. Just because they have a big, publically-traded company doesn't mean the CIO/CISO cares about anything more than compliance on paper.
7. Re:Hide in plain sight by RabidReindeer · 2014-03-21 07:04 · Score: 2
  
  As ineloquently as RabidReindeer may have put it, he's 100% spot on here. I've done security audits for big companies with large teams -- admins insert backdoors al over the place, then their buddies figure out they did it, and instead of being reprimanded they start using it too for convenience. Just because they have a big, publically-traded company doesn't mean the CIO/CISO cares about anything more than compliance on paper.
  Actually, in many cases, the backdoors were created on demand from management because doing things securely was too just inconvenient for them. The old "Git 'er Dun!" principle.
  Or because the security administrator was in a bad mood the day something idiotic came in and didn't challenge it. I knew a lowly applications programmer who was keeping his own personal files in the product data set because of that.
8. Re:Hide in plain sight by jellomizer · 2014-03-21 07:19 · Score: 2
  
  A typical NOT ME!! approach.
  The funny part is how many sys-admins think they are so good, until there is an independent security audit done.
  Now you shouldn't get insulted. There are a lot of good sysadmins... However many have gaps, and their ego gets in the way of making things more secure.
  
  --
  If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This has gone beyond madness by MrDoh! · 2014-03-21 00:58 · Score: 5, Insightful

People need to be arrested for this. The people who ordered it done, wrote the reports, signed off on it, and anyone who did it. Ship some of them to various other countries for trials too, let everyone get into the action and let it be known to governments that this is not to be accepted.

--
Waiting for an amusing sig.
1. Re:This has gone beyond madness by rmdingler · 2014-03-21 01:10 · Score: 5, Insightful
  
  Agreed. I think the law enforcement officers that are charged with this task will arrive at the NSA when they finish arresting the bankers and brokers from the housing bubble derivatives scandal.
  
  --
  Happiness in intelligent people is the rarest thing I know.
  Ernest Hemingway
2. Re:This has gone beyond madness by Anonymous Coward · 2014-03-21 01:11 · Score: 2, Interesting
  
  This is kinda their jobs. It's what they do. They're a SPY agency. They do spyish things.
3. Re:This has gone beyond madness by fuzzyfuzzyfungus · 2014-03-21 01:16 · Score: 5, Funny
  
  Your mention of shipping people 'to various countries' gives me an idea...
  
  Since all the 'extraordinary rendition' bag, drag, and torture kids at the CIA are still running around in arrogant impunity, going so far as to just yoink inconvenient documents from the Senate Intelligence Committee(seriously, most of the members of that are appeasnik fuckwits who basically worship the clandestine services, so it must be really, really bad if the CIA is embarrassed in front of them. Also, if there are things the clandestine services do that even that part of the senate isn't allowed to know about, can we really maintain the pretense that civilian government is actually in anything resembling control?) how about pitting two problems against one another?
  
  It'll be an exciting contest, like a reality TV show; but with higher stakes, rules as follows:
  
  The NSA will be the intelligence-spooks team: their job is to dig up as much dirt on the CIA as possible, by whatever l33t haxx0ring necessary, and try to have the CIA neutralized by political and/or public outrage, at least to the point of organizational collapse, to the point of wholesale hangings-from-the-lampposts for bonus points.
  
  The CIA will be the wet-ops creeps team: they will have to 'disappear' key NSA personnel to our worldwide network of extralegal torture dungeons fast enough to keep the lid on their dirty laundry, and try to drive the NSA to the point of institutional paralysis or collapse, with extra points awarded for any actually-true facts obtained during the 'enhanced interrogation' sessions.
  
  Gentlemen, to the starting line, and may you both lose!
4. Re:This has gone beyond madness by LookIntoTheFuture · 2014-03-21 01:17 · Score: 3, Insightful
  
  People need to be arrested for this.
  Absolutely. It's astonishing that it hasn't happened already. Where's the line? What will it take to cross it? That is the scary part.
  
  --
  Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
5. Re:This has gone beyond madness by Ben4jammin · 2014-03-21 01:24 · Score: 4, Insightful
  
  Where's the line? What will it take to cross it?
  I think the issue is that there was a line, and it got crossed. Once you cross it once, it becomes easier to cross, because hey it wasn't so bad last time.
  
  Then, if you are put in relative isolation (enough for "group think" to take over) then it becomes easier still because you are validated for crossing it (dude we just saved lives by crossing the line...besides the "bad" guys are crossing it)
  
  And this continues until you really can't even remember why you crossed it the first time, but there is so much danger out there you don't have time to really contemplate it, either. Until one day you realize that you are looking in the mirror each morning at someone who has become a stranger.
  
  But by then it is too late...to challenge it now would precipitate an identity crises that isn't nearly as much fun as seeing yourself as the hero of the world.
6. Re:This has gone beyond madness by ObsessiveMathsFreak · 2014-03-21 01:39 · Score: 5, Interesting
  
  We are dealing with an extremely well funded, well staffed, and well equipped professional criminal organisation. Whatever it's actual mandate is, the NSA has taken it upon itself to be the worlds premiere cyber-crime hacking group, accountable to no state, code, man, or law, and who regard the Internet and all computers on it-- foreign or domestic-- as fair game for fraud, intrusion and seizure. The organisation is out of control; without moral compass, budgetary restraint, or regulatory oversight.
  It is only a matter of time before individuals and managers within the NSA create actual links with the criminal fraternity and begin to engage in for-profit cyber-crime. Indeed, this has probably occured already.
  And should the cyber-crime divisions inside the NSA ever make common cause with their criminal counterparts in the financial sector -- God help Western Civilisation. The closest parallel I can think of is the rise of the nobility-church-state alliance in the ancien regiem and the subsequent ruination of France prior to the revolution.
  
  --
  May the Maths Be with you!
7. Re:This has gone beyond madness by NatasRevol · 2014-03-21 01:43 · Score: 3, Interesting
  
  Actually, they're a security agency. It's even in their name.
  Not that hacking into every sysadmins computer would give anyone security, but that's another matter.
  
  --
  There are two types of people in the world: Those who crave closure
8. Re:This has gone beyond madness by NatasRevol · 2014-03-21 01:45 · Score: 2
  
  Intelligence agents trying to collect intelligence illegally ?
  FTFY
  
  --
  There are two types of people in the world: Those who crave closure
9. Re:This has gone beyond madness by king+neckbeard · 2014-03-21 01:50 · Score: 2
  
  That's like saying it's a cop's job to shoot people.
  
  --
  This is my signature. There are many like it, but this one is mine.
10. Re:This has gone beyond madness by L4t3r4lu5 · 2014-03-21 01:55 · Score: 3, Funny
  
  How would the veto work if the UN voted out the USA?
  
  "I veto your voting us out!" "You can't do that, you've been voted out so you therefore have no veto." "But the vote is vetoed, so we weren't voted out!" "..." "..."
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
11. Re:This has gone beyond madness by Minwee · 2014-03-21 02:39 · Score: 3, Funny
  
  "OK, Private, you know the enemy uses US civilians as human shields, and that's when we use the .50 caliber to make sure the bullet goes through the US civilian in order to get the terrist hiding behind him!"
  "But I don't see anyone hiding behind any of those civilians!"
  "They can be tricky. Start shootin' anyway."
12. Re:This has gone beyond madness by drinkypoo · 2014-03-21 02:58 · Score: 2, Insightful
  
  But by then it is too late...to challenge it now would precipitate an identity crises that isn't nearly as much fun as seeing yourself as the hero of the world.
  Congratulations, you just described the mode in which basically everyone operates. We all just tell ourselves we're being pragmatic as we sell out our futures. We don't live for today or tomorrow, but for an outcome that will never exist as long as we don't alter our behavior.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
13. Re:This has gone beyond madness by BobMcD · 2014-03-21 09:07 · Score: 2
  
  Maybe you didn't click the link. Here's the salient part:
  
  It has been argued that with the adoption of the 'Uniting for Peace' resolution by the General Assembly, and given the interpretations of the Assembly's powers that became customary international law as a result, that the Security Council 'power of veto' problem could be surmounted.[34] By adopting A/RES/377 A, on 3 November 1950, over two-thirds of UN Member states declared that, according to the UN Charter, the permanent members of the UNSC cannot and should not prevent the UNGA from taking any and all action necessary to restore international peace and security, in cases where the UNSC has failed to exercise its 'primary responsibility' for maintaining peace. Such an interpretation sees the UNGA as being awarded 'final responsibility' - rather than 'secondary responsibility' - for matters of international peace and security, by the UN Charter. Various official and semi-official UN reports make explicit reference to the Uniting for Peace resolution as providing a mechanism for the UNGA to overrule any UNSC vetoes;
  So this is the approximate procedure:
  1) Introduce to the Security Council a resolution to restore "security" to the internet by barring the United States from hacking everybody.
  2) US vetoes.
  3) Introduce to the Security Council a resolution removing the US from the Security Council and barring the United States from hacking everybody, in order to restore "security" to the internet.
  4) US vetoes.
  5) Bring resolution from '3' to the General Assembly.
  6) Resolution passes, because the GA is empowered to prevent war.
A limerick by Anonymous Coward · 2014-03-21 00:59 · Score: 5, Funny

There once was an NSA operative from Nantuckett
Whose ________ was so _______ he could ________.
He said with a _________ as he wiped off his __________,
"If my __________ was a _________ I would __________ it."
Once compromised, it's a two way street.. by FirstOne · 2014-03-21 01:23 · Score: 5, Interesting

Once you break into a admin's computer, with his credentials, it's a two way street.. One can plant evidence just as well as detect it..
Now that this info is public knowledge, any accused should levy a defense that the NSA planted the evidence, since they have the ability and the court has no way of identifying planted information verses unapproved activity.
Advice to NSA admins, I know it is a cushy job, but find another job NOT in the government, the NSA is on a witch-hunt it's only a matter of time before they turn innocent bystanders into criminals.
1. Re:Once compromised, it's a two way street.. by boristdog · 2014-03-21 01:31 · Score: 2
  
  I had to point this out to our security dept several years back. They were scanning everyone's computer and user drive and building cases to fire people for anything they considered inappropriate. I told them that just because something is on someone's computer doesn't mean they put it there.
  They finally listened when I secretly buried an empty directory called "kiddie porn" on one of the security managers user profile. Root access is awesome. The witch hunts stopped soon after.
2. Re:Once compromised, it's a two way street.. by drinkypoo · 2014-03-21 03:00 · Score: 3, Insightful
  
  Advice to NSA admins, I know it is a cushy job, but find another job NOT in the government, the NSA is on a witch-hunt it's only a matter of time before they turn innocent bystanders into criminals.
  Why would that help? A "former NSA admin" makes a convenient scapegoat. Come up with some employees who will strongly suggest that he was pushed out the door due to possible illegal activity and it's goat stew time
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:Perhaps it is rather time..... by interkin3tic · 2014-03-21 01:23 · Score: 4, Funny

Good idea, I'll post a message to the facebook group for assassins for hire, and we'll... hmm... who could be at the door THIS early?
yawn. by nblender · 2014-03-21 01:25 · Score: 2, Insightful

I read through it. What I got was some full of himself mid-level network aware weenie who managed to get a job at NSA and get access to a vast trove of captured packet data trying to impress people with his vast knowledge of intarwebs protocols... I bet the smart people at NSA who are reading his lunatic ravings are wondering "who hired this asshole?"
Smert Shpionam! by davecb · 2014-03-21 01:34 · Score: 2

The traditional fate of spies is death, so arrange to catch one and rendition him to Russia.

--
davecb@spamcop.net
1. Re:Smert Shpionam! by davecb · 2014-03-21 04:15 · Score: 4, Insightful
  
  Only slightly tongue-in-cheek, I fear the US is in the middle of a civil war they haven't noticed yet...
  
  --
  davecb@spamcop.net
Turnabout is fair play, isn't it? by king+neckbeard · 2014-03-21 01:46 · Score: 3, Interesting

If they are compromising sysadmins without due process, then a sysadmin like Snowden compromising them is just desserts.

--
This is my signature. There are many like it, but this one is mine.
Smartest guy in the room by Krazy+Kanuck · 2014-03-21 02:06 · Score: 3, Insightful

Sadly the NSA isn't, and creating these back doors is just creating a honey pot for those who are. Stop compromising our networks in the name of "national security".
The apologists will darken the skies by Anonymous Coward · 2014-03-21 02:06 · Score: 5, Insightful

As bad as such revelations are, what drives me nuts is all the apologists who crawl out of the woodwork every time one of these stories breaks. They have no end of justification for whatever the NSA or CIA does, anything from "I have nothing to hide" to "privacy is dead, stop bitching because the Good Guys are working t protect you".
I predict the kind of practice in TFA is going to keep mushrooming until someone uses it as a political weapon and then gets caught. Only then will the jock-sniffing Congress do something substantive about this mess.
If I were advising Hillary Clinton, I'd tell her to never touch another computer until her political career is over.
CFAA by neghvar1 · 2014-03-21 02:12 · Score: 2

It would be nice if we could sick the CFAA on the NSA. Unofrtunately, they are immune from that law.
oh, you think sigint is your ally. by nimbius · 2014-03-21 02:23 · Score: 5, Funny

But you merely adopted the shell. I was born in it, molded by it. I didn't see the GUI until I was already a man, by then it was nothing to me but BLINDING!
The login prompts betray you, because they belong to me.

so give it your best, young man. I and my greybeards are forged in this art. We know that behind your presentation, your boldface scrawlings and your bemused predatory preamble that we have coffee ringed RFC's that have seen more fervent attempts than yours. Save yourself some grief and maybe curry our favour. target our PHB instead.

--
Good people go to bed earlier.
My take on it. by Noryungi · 2014-03-21 02:47 · Score: 3, Informative

If you are a sysadmin, and you have a Facebook page, LinkedIn account, social-media-whatever thingmagajig or Slashdot account, the NSA may well come after you.
Remember: this is written in plain sight and the NSA created fake Slashdot account to get into Belgacom.
I am a sysadmin. I have a Slashdot account. Maybe it is time for me to say so long, and thanks for all the fish. What Beta was not able to do, the NSA did.

--
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
1. Re:My take on it. by Nyder · 2014-03-21 03:36 · Score: 2
  
  If you are a sysadmin, and you have a Facebook page, LinkedIn account, social-media-whatever thingmagajig or Slashdot account, the NSA may well come after you.
  Remember: this is written in plain sight and the NSA created fake Slashdot account to get into Belgacom.
  I am a sysadmin. I have a Slashdot account. Maybe it is time for me to say so long, and thanks for all the fish. What Beta was not able to do, the NSA did.
  Ya, and admitting your a sysadmin probably doesn't help either.
  
  --
  Be seeing you...
I love the irony of this... by bwcbwc · 2014-03-21 03:25 · Score: 3, Insightful

While NSA was hunting sysadmins, they were being pwned by...a sysadmin!
Yet another example of how NSA is too focused on offensive network capabilities (breaking into target systems) and doesn't pay enough attention to defense (strong crypto, open security models, etc.)

--
We are the 198 proof..
Really Stupid NSA... by Lumpy · 2014-03-21 04:23 · Score: 2

Wow they are amateurs now.
Dear NSA, want to do your job right? then start watching top networking companies for job openings and have your Networking expert agents apply for the jobs there. Nothing better than having your agent working on the inside.
a "hit list" is stupid, you waste a LOT of time having to deal with them, but if Agent Davis is a network admin at VERIZON or AT&T then you make a single phone call to own the network.
This tip is free, otherwise I am $4500 an hour minimum of 10 hour charge for any more consulting, als you pay all travel costs and I only fly private or military jet. F16 trainer preferred.

--
Do not look at laser with remaining good eye.