
NSA chief leaks info on data sharing tech: It's SharePoint

The NSA has admitted that the organization's use of Microsoft SharePoint allowed an unnamed sysadmin to leak information. In what can be perceived as either a ringing endorsement of SharePoint's "collaborative power", or a depressing admission that, yes, spooks use the same infuriating software as we do, NSA chief General Keith …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

Americans can be counted on to do the right thing - after exhausting every other possibility.

Sadly I'm not there yet.

Keith Alexander.

9
0
Bronze badge
Facepalm

Geek anthropology 101: geeks interfere constructively...

"...measures the NSA is introducing to make sure that sysadmins cannot leak information to the public, such as working in pairs a..."

I think that might backfire. Most lone sysadmins wouldn't have the gumption to pull a "Snowden". But a pair might egg each other on. You can imagine the conversation: "This is really heinous stuff these spooks are up to." "Yeah, man, totally heinous." "Do you think maybe we should tell some one?" "What, leak it?" "Yeah, leak it." "Totally, let's leak it." *high fives*

Trusting one dumbass sysadmin is bad; trusting your sharepoint server to Bill & Ted is a whole afterlife more trouble.

9
0
Silver badge

"on the SharePoint servers that NSA Hawaii needed,"

They really deserve their hardship pay !

0
0
Silver badge
Coat

I thought they weren't supposed to use Hawaii ?

2
0
Anonymous Coward

Sharepoint isn't the only thing they use

There's also an information sharing system called A-Space which the analysts and some collectors use to collaborate. It's compartmented, of course, and all distribution is limited based on cryptonym and distribution caveats (NOFORN, SI, etc.), but it is rated to handle up to TOP SECRET information and is located on the JWICS as well as the NIPRnet and SIPRnet. NSAnet (also on JWICS) gets used occasionally for the same purposes too, but other agencies (even some parts of the Service Cryptological Elements and CSS) have no access to NSAnet, whereas they do have access to A-Space.

Given that nothing Snowden (who I'm assuming is the "unnamed systems administrator" General Alexander was speaking of) has released carries a Top Secret* classification, when a great deal of the meat of the program undoubtedly is, he probably grabbed it from the Sharepoint network location at NSA Hawaii, and I've never heard of a Network Security Officer being able to connect Sharepoint or Lotus to JWICS.

*-Snowden claimed that he has it but refuses to release it. Given his distinct lack of scruples and willingness to break the law to suit his ideals, I don't think that's what stopped him. He probably just didn't possess a TS-SCI/SAP clearance, which he'd need for JWICS access. I might possess one, and in theory it's a real bitch to initially get and very difficult to maintain. The Single Scope Background Investigation is the easy part; the excruciatingly hard credit check (they know if you've ever been late on a bill, anywhere at any time, if you've ever bounced a check, even if you've ever replaced a debit card, all kinds of crazy shit), plus the Lifestyle and Counterintelligence Scope Polygraph examinations, are the harder parts, and they tend to keep the numbers working in Strategic (or Level Above Corps in Army parlance) Intelligence collection and analysis pretty small and the number of people working at a lower level generally much higher.

1
14
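The post above describes access being limited by classification level, compartment (SI) and dissemination caveat (NOFORN). The following is an added example, not code from the original thread or from any real system such as A-Space or JWICS: it models that kind of decision as a classification lattice with a "no read up" check and a caveat rule. The level names, the compartment and caveat strings, the `nationality` attribute used for NOFORN, and the sample subjects and items are all constructed for the demonstration and are a simplified textbook model, not the real rules.

```python
"""Lattice-based (Bell-LaPadula style) read/write checks with compartments and caveats."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Ordered hierarchy: a higher index dominates a lower one (assumed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()  # e.g. {"SI"} for SIGINT material
    caveats: FrozenSet[str] = frozenset()       # dissemination controls, e.g. {"NOFORN"}

    def __post_init__(self) -> None:
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level {self.level!r}")


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label          # level plus the compartments the person is read into
    nationality: str = "US"   # constructed attribute consumed by the NOFORN rule


def dominates(a: Label, b: Label) -> bool:
    """True when label a is at least as restrictive as b on every axis:
    higher-or-equal level AND a superset of b's compartments."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def may_read(subject: Subject, obj: Label) -> bool:
    """Simple-security property ("no read up") plus caveat handling.
    A clearance that does not dominate the object's label is refused outright;
    NOFORN additionally refuses non-US subjects regardless of clearance."""
    if not dominates(subject.clearance, obj):
        return False
    if "NOFORN" in obj.caveats and subject.nationality != "US":
        return False
    return True


def may_write(subject: Subject, obj: Label) -> bool:
    """*-property ("no write down"): the target label must dominate the
    subject's clearance, so TS material cannot be copied into a SECRET item."""
    return dominates(obj, subject.clearance)


def visible_items(subject: Subject, items: Dict[str, Label]) -> List[str]:
    """Titles the subject is allowed to read, in the catalogue's order."""
    return [title for title, label in items.items() if may_read(subject, label)]


# Constructed sample data for the demonstration.
SAMPLE_ITEMS: Dict[str, Label] = {
    "collection report": Label("TOP SECRET", frozenset({"SI"}), frozenset({"NOFORN"})),
    "shared briefing": Label("SECRET"),
    "press clippings": Label("UNCLASSIFIED"),
}
ANALYST = Subject("analyst", Label("TOP SECRET", frozenset({"SI"})))
LIAISON = Subject("liaison", Label("TOP SECRET", frozenset({"SI"})), nationality="UK")
SYSADMIN = Subject("sysadmin", Label("SECRET"))

if __name__ == "__main__":
    for who in (ANALYST, LIAISON, SYSADMIN):
        print(f"{who.name:8s} may read: {visible_items(who, SAMPLE_ITEMS)}")
```

The check is only as good as the platform that enforces it: the model decides what a *user* may see, while a host administrator with access to the underlying database or file store never goes through `may_read` at all, which is the point several posters below make about sysadmins.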
Anonymous Coward

Re: Sharepoint isn't the only thing they use

An NSA apologist whining about 'lack of scruples' and 'willingness to break the law'. Hilarious

14
1
Bronze badge

Re: Sharepoint isn't the only thing they use

Is not the question of whether NSA broke laws more a matter for the US Court system to decide than Anonymous Coward commentators on a tech news website?

Downvoted for arrogance and tone.

3
17
Silver badge

Re: Sharepoint isn't the only thing they use

"Is not the question of whether NSA broke laws more a matter for the US Court system to decide than Anonymous Coward commentators on a tech news website?"

Yes it bloody well is. So tell me Mr Smartarse, why isn't this happening?

14
0
Silver badge
FAIL

Re: Sharepoint isn't the only thing they use

"Downvoted for arrogance and tone."

What a coincidence. Have a downvote.

8
0
Silver badge
Facepalm

Re: Sharepoint isn't the only thing they use

> There's also an information sharing system called A-Space etc. etc.

More acronyms and kewl buzz than Calvin can come up in an afternoon of dwelling in the house of club GROSS ("Get Rid of Slimy Girls").

You guys really need to have the keys taken away.

0
0
Anonymous Coward

Re: Sharepoint isn't the only thing they use

"Given his distinct lack of scruples and willingness to break the law to suit his ideals, "

The same sort of thing was said about:

The suffragettes

Those against the slave trade

Black civil rights protesters

Anti-Apartheid protesters

The French Revolution

Gandhi

Forest Dwellers of Borneo

Syrians

Egyptians

Iranians

Jordanians

and on and on and on and on and on.......

8
0
Silver badge

Re: Sharepoint isn't the only thing they use

Forest Dwellers of Borneo

Probably the best band I ever heard.

0
0
Silver badge

Doesn't Matter

It doesn't matter what system they're using, not securing the system is a serious failure. This guy is just a failure all the way around.

1
1
Silver badge
Black Helicopters

With all due respect..

"The NSA has admitted that the organization's use of Microsoft SharePoint allowed an unnamed sysadmin to leak information."

Bullshit.

It's not the use of SharePoint which allowed this sysadmin access; it's the idiot administrator who gave him access in the first place.

What is this anyway; an attack on Microsoft to try and restore their reputation a bit? ("You see; even the NSA doesn't like Microsoft. Surely the NSA would like Microsoft if they had just rolled over?").

Obviously the black helicopter.

12
5

Re: With all due respect..

Absolutely. It's not the use of SharePoint, it's the fact that he had access to the data. He could've been using a snow shovel to move the data - that's irrelevant.

Always assume that a sysadmin can - legitimately or otherwise - bypass any technical security in the system. Then assess and manage the risks accordingly.

9
1
Anonymous Coward

Re: With all due respect..

It's the fact that he had access to the data.

Perhaps it's that the data showed illegal activity and he let *that* be known.

6
0

Re: With all due respect..

Actually sharepoint seems to distribute permissions much like a Santa in a Xmas parade. The hardest/best SA efforts to secure it are brought low when inexplicable hidden sticky permissions suddenly - and without logging - grant temporary admin permissions to clueless content contributors.

I bet foreign intelligence operations had admin permissions to that host before the NSA senior managers could even smugly browse their first report.

Forget Snowden...the idiots who bought Sharepoint for the NSA and the Microsoft sales weasels who lied through their teeth about the actual auditable security level of their product should be charged for aiding and abetting the enemy. Snowden at least was on the side of the public at large, while those weasels were operating purely for the sake of their greed or laziness.

12
2
Anonymous Coward

Re: With all due respect..

"Actually sharepoint seems to distribute permissions much like a Santa in a Xmas parade. The hardest/best SA efforts to secure it are brought low when inexplicable hidden sticky permissions suddenly - and without logging - grant temporary admin permissions to clueless content contributors."

SharePoint permissions are straightforward and easily managed. It would never 'grant temporary admin permissions' - either you gave them admin or you didn't. Logging is also up to you to enable / disable.

i.e. this is purely a lack of basic competency on your behalf...

2
2
Bronze badge

"As you may know, sysadmins need removable media to do their job," Alexander said

That is utter bullshit, over 10 years of managing a datacenter and I've never needed removable media. I have a network boot server that is just loaded with the DaRT toolkit, WinPE and a bootable OpenBSD install. Anything that can be done with removable media can easily be done with network-based utilities.

9
3
Anonymous Coward

Re: "As you may know, sysadmins need removable media to do their job," Alexander said

Yes, because I'd plug my Top Secret server into the internet too! Maybe they could use Dropbox...?

2
3
Boffin

Re: "As you may know, sysadmins need removable media to do their job," Alexander said

@AC: You need ability to insert usb drives into machines before you setup the whole infrastructure. Once you have basic infrastructure in place, then you put Secret or Top Secret data in the network.

Then you'd need to do it again only in the case of total network meltdown.

2
1
Bronze badge
Mushroom

Re: "As you may know, sysadmins need removable media to do their job," Alexander said

Presumably NSA servers would have BitLocker enabled anyway, so removable media / physical access wouldn't make any difference without the correct security privileges....

0
1
Anonymous Coward

Re: "As you may know, sysadmins need removable media to do their job," Alexander said

"Anything that can be done with removable media can easily be done with network-based utilities."

Except when the network card is broken. Or disconnected. Or misconfigured. Or Boot from LAN is disabled, etc. etc.

3
3
Anonymous Coward

Re: "As you may know, sysadmins need removable media to do their job," Alexander said

Why would ANY of those situations require that you carry confidential information of the sort Snowden released on a USB stick? At MOST it'd be a boot image or maybe some drivers. Once the network connection is up, the confidential data can be put back onto the server over EITHER a locked-tighter-than-a-gnat's-ass network connection or, if time is a factor and your internet connection's just not quick enough (or you suspect your LAN is compromised), by a trained and trusted team of specialists carrying a spare HDD or two in a magnesium-and-flashpaper case - drives that can be copied onto the computer locally and then dumped in the 'to be thermited' bin for immediate secure disposal.

3
0

Re: "As you may know, sysadmins need removable media to do their job," Alexander said

Obviously you don't do very much.

Removable media is the only way to secure MS from network attacks.

Removable media is used whenever there is more data than what will fit on disk...

2
1
Anonymous Coward

Re: "As you may know, sysadmins need removable media to do their job," Alexander said

"Removable media is the only way to secure MS from network attacks"

Erm - so what would something that has far more vulnerabilities - like Linux for instance - need then?

0
4
Bronze badge

Re: "As you may know, sysadmins need removable media to do their job," Alexander said

"Except when the network card is broken. Or disconnected. Or misconfigured. Or Boot from LAN is disabled, etc. etc."

In any of those situations, all you'd need is a screwdriver, the keyboard or a network cable.

0
0

"given the BuckShot Yankee penetration in 2008"

Well played indeed Sir. Hip! Hip!

1
0
Gold badge
Joke

SharePoint gets lots of new free penetration testing.

Now it's known at least one server has some goodies worth stealing.

But seriously.

Removable media support on NSA servers as standard?

What does this organization do again?

4
1
eLD

Unpopular opinion

I feel like I'm bucking the general trend here of the comments and about to be shot down. However, I actually agree with the NSA chap that the decision to use SharePoint was an extremely large reason for administrators being able to leak information.

I know nothing about SharePoint administration, so I am expecting to be shot down in flames, but here are just a few basic thoughts on how I might design a security focused collaboration tool. I'd probably ensure that all the content was stored and served up encrypted. There would obviously be no need for someone with root on the machines serving content to be able to see the unencrypted content for backup or permission related issues. I'd probably delegate the actual job of decrypting the content that was being served up for particular user tokens to separate servers with more restricted access that only managed decryption and re-encryption of "resource {token} stored on source {token} being requested by {token}", to separate out and simplify the authentication job and limit the attack surface of what actually matters if it is compromised. I'd also probably split up key storage into a number of different and disjoint fiefdoms under different control and use the academic research on byzantine generals problems to ensure that it required a majority of systems (and people) to be compromised before information was leaked beyond the intended targets.

The point I'm trying to make is that the design of a secure system for the NSA would seem to be very different to (my imagination of) a simple microsoft collaboration tool. It seems they were remiss in going for the easy option and not putting the possibility of spies at the heart of their IT policy. And thank god for that, now we know what we always suspected. :)

5
2
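The post above sketches splitting key storage across disjoint fiefdoms so that a majority of them must be compromised before anything leaks. The standard building block for that is a threshold secret-sharing scheme. The following is an added example, not code from the original post and not how SharePoint stores anything: it implements Shamir's secret sharing over a prime field, so that a content key split among `n` key servers can be rebuilt from any `k` shares and from no fewer. The prime `P`, the key size, and the share counts are assumptions chosen for the demonstration.

```python
"""Shamir threshold secret sharing: any k of n shares rebuild the key, k-1 reveal nothing useful."""
import secrets
from itertools import combinations
from typing import Callable, List, Tuple

# 2**127 - 1 is a Mersenne prime; secrets are integers in [0, P). (assumed field size)
P = (1 << 127) - 1

Share = Tuple[int, int]  # (x, f(x)) with x != 0


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of a polynomial with coefficients coeffs[0..k-1] over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, n: int, k: int,
                 rng: Callable[[int], int] = secrets.randbelow) -> List[Share]:
    """Split `secret` into n shares; any k of them reconstruct it.
    The secret is the constant term of a random degree-(k-1) polynomial;
    share i is the point (i, f(i)). Fewer than k points leave the constant
    term uniformly undetermined, which is what makes the threshold real."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [rng(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over GF(P). With >= k distinct shares
    this is the original constant term; with fewer it is an unrelated value."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # Modular inverse via Fermat, since P is prime.
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def majority_threshold(n: int) -> int:
    """Smallest k that is a strict majority of n fiefdoms."""
    return n // 2 + 1


def every_quorum_recovers(secret: int, n: int, k: int) -> bool:
    """Check the scheme's promise exhaustively for small n: every k-subset
    of shares yields the secret."""
    shares = split_secret(secret, n, k)
    return all(recover_secret(list(subset)) == secret
               for subset in combinations(shares, k))


if __name__ == "__main__":
    key = secrets.randbelow(P)             # stand-in for a content-encryption key
    n = 5
    k = majority_threshold(n)              # 3 of 5 key servers must cooperate
    shares = split_secret(key, n, k)
    print("quorum rebuilds key:", recover_secret(shares[:k]) == key)
    print("minority rebuilds key:", recover_secret(shares[:k - 1]) == key)
```

Each key server holds one `(x, y)` pair and never the key; the decryption front end collects a quorum of shares per request and discards the rebuilt key afterwards. Note what this does and does not buy: it stops any single compromised server or operator from reading content at rest, but the point where a quorum is assembled and the plaintext is produced is still a single place to protect.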
Anonymous Coward

Re: Unpopular opinion

Windows / SharePoint supports full delegation of access rights (unlike with Linux). So you can indeed give 'root' access without being the user able to access confidential data.

0
3
Anonymous Coward

Epic fail NSA!

The problem doesn't really come from any technology people use. It's all about awareness and security management applied to the system. I've recently done a penetration test on an internal SharePoint environment for an international airport and seen there are lots of issues and threats the SharePoint administration team were making themselves. For example, the password is easily predictable. There is no password complexity policy at all on that environment. Another example is the use of an all-in-one account for all things (services, server, whatever). They didn't apply the latest security updates for the SharePoint system. Well bum! They absolutely failed at SharePoint security.

I have to agree with what someone above said: "Not securing the system is a serious failure". Do have a plan for hardening SharePoint using an industry-accepted standard such as PCI DSS, penetration testing monthly, or so on. Don't rely much on the technology; looking into the human factors is worth spending some time on.

-T.s

3
0
Silver badge

Re: Epic fail NSA!

"The problem isn't really come from any technology people use. That's all about awareness and security management applied to the system."

The (flawed) assumption is that people with access to the systems have authorisation to do so.

This same flawed assumption is seen in BGP4 - which has been locked down a lot in the last 20 years - and in the world's phone number routing system (which has not, and is subject to repeated hijackings even today). If you think bank coverups of security botchups are common, you haven't seen anything.

2
0

"A huge break in trust and confidence"

Indeed. Fortunately there was this chap with enviable integrity to blow the whistle on it.

32
0

Re: "A huge break in trust and confidence"

Secret laws, secret courts, and secret budgets equal tyranny. We need to charge and lock up the people that have taken our freedoms.

12
0
Anonymous Coward

Complete crap.

So are they saying that NSA Hawaii isn't linked to the rest of the NSA? That's the only reason you'd need to have Bill and Ted copy content to a USB stick. I can't copy any content to a USB stick in my workplace, which isn't the NSA, that's for sure. Don't want your content copied? Then wrap some IRM round it, turn off the USB ports, and any USB sticks given out are taken back and scanned for suspect content. Oh, if it is on your network you can move content between farms by publishing or even migrating content; plenty of tools to do that.

And Bill and Ted still can't copy it to a USB stick.

Don't blame the software cos you don't secure your content properly. Don't blame apps cos you never read security for dummies.

Finally clue is in the name it's called sharepoint for a reason.

9
0
Gold badge

Seems there are several problems...

Seems to me there are several problems...

Well, problem 0) Good thing the NSA is so lax with security so people got definitive evidence of their illegal and unconstitutional spying programs, instead of hints of their existence with people saying those who believed these hints needed a tin foil hat. Of course, most people still do not have the proper level of outrage here in the US, which is damned unfortunate.

1) Yes, Sharepoint itself is a problem. It is extraordinarily hard to secure, and make sure it stays secure, compared to, well, any sane system. It's easy for Microsoft apologists to just say the admins hadn't set it up and admin'ed it right (which is true), but see AlgoRythm's post for insights into the kind of pain an organization brings itself by introducing Sharepoint in a high security environment. Don't get me wrong, any system could have been set up too laxly and permitted leaks like this.

2) No, admins don't need removable devices to do their work. These systems should have had USB stick support disabled as far as I can tell. If there's some exceptional case, then the stick should be issued on site, and the admin shadowed until they relinquish the stick (which would then be erased and ready for the next temporary use.)

3) Of course, this lax security makes a good case for NSA's illegal and unconstitutional spying programs to be shut down... even if you're one of these weirdos who thinks NSA should be trusted to do whatever they want with no oversight whatsoever, to me this demonstrates that even if they have the best of intentions they are still not trustworthy enough to hold onto my private information.

6
1
Anonymous Coward

Re: Seems there are several problems...

"It is extraordinarily hard to secure, and make sure it stays secure, compared to, well, any sane system"

It's actually very easy, flexible and powerful to set permissions in Sharepoint. Just because you walked up to it without any training and expected to be able to do everything without RTFM doesn't make the product the failure here...

2
2
Thumb Down

Re: Seems there are several problems...

Please, AC. It has nothing to do with following the instructions in the manual. Also "very easy, flexible and powerful" has nothing to do with "secure".

If you were so confident in what you say, you would not be a Coward, too.

1
1
Anonymous Coward

Re: Seems there are several problems...

@Henry: Your post would have a lot more credibility if you didn't use expressions such as "Microsoft Apologist". It detracts from any message you are trying to get over with everyone except the most anti-microsoft, who were already there before you in any case.

I use FOSS every day at home and work, I also use COTS from pretty much all major manufacturers. I saw the expression "Microsoft Apologist" and skipped to the reply button.

1
1
Anonymous Coward

Another Ballmer ballsup!

Imagine if NSA gave their whole data center to M$soft! Xi Jinping sends his thanks and will stop by in Seattle with the cash.

2
1
Silver badge

Contracting Core Competencies

I hate buzz words, but in this case 'core competency' is very applicable. By definition the NSA gathers and keeps secrets, that is their job. The management of the systems, and their secrets, should never have been contracted out. That should have been handled by internal staff with proven loyalties, not handed off to what are, in effect, mercenaries.

I'm not knocking contractors as a whole, I did my time too, but when you don't have the internal staff to manage what you've created something has gone terribly wrong.

Something not discussed much in the whole NSA/Snowden mess is the catastrophic management failures inside the agency. If the core service they provide is so out of kilter I can only imagine how bad the unaccountable financial clusterfuck must be.

8
0
Silver badge
WTF?

If Snowden was wrong about NSA operations ...

why is the NSA reviewing its collection and storage of data and adopting the EU plan of common carriers doing the storage?

Wonder what other Constitution breaches are under review?

Snowden deserves a Nobel award for this, at least he is more deserving than Obama.

6
0
Flame

Amazing amount of BS

Reading the comments, it seems only two commenters have any actual knowledge of what goes on at the NSA program. The remainder speak from their vast store of ignorance and ill will. Then there are the persons of such vastly superior intellect that they are able to interpret "unconstitutional and illegal" behavior better than SCOTUS and the FISA courts. And don't forget those whose response to others with whom they do not agree is always the infamous ad hominem attack.

I seem to remember that the telephone company collects your phone call metadata and uses it to send you a bill. Some ISPs monitor your internet usage and send you a bill. NSA collects phone number, phone called, length of call. Stores it. At this point, it is No-Name data, less than your telephone companies gather. Some other authorized agency decides they need your data, so they look in the PUBLIC telephone directory or get the address online, get the FISA court to authorize the release of data from NSA, and NSA complies with the court order. Linking a name to the metadata is done under court order, as is further processing.

It would be physically impossible to actually listen to and record every telephone call and every internet message of everyone. How many zettabytes of storage would that require? How many people would be required to listen in to all conversations? Try to think logically for a change.

As for Snowden, he has admitted he deliberately wormed his way into NSA in order to find evidence of things he did not like. That is almost the definition of a mole spy. He undoubtedly considers himself to be a righteous crusader. I consider him guilty of Treason.

As Senator Moynihan said, you are entitled to your own opinion but not to your own facts.

1
13


Silver badge
FAIL

Re: Amazing amount of BS

You, on the other hand, seem to be entitled to your own facts and your own brand of ad hominem tactics. Congratulations! I guess...

5
0

Re: Amazing amount of BS

I've got two issues with your point of view and one issue with your "facts".

Fact first. Any agency that needs info from NSA, or the NSA requesting info from its own servers, does not need to go through FISA more than once. This is because FISA has been granting over-wide "warrants". In the UK courts you are supposed to make a new request for surveillance type information for each "case" or "person of interest". FISA seems to have accepted "all info pertinent to the search for terrorists" as a valid request. No real limitations to this.

I agree that no one is looking through all the data. I very much doubt that my phone calls/internet searches/email are being read by anything more than the equivalent of Google's spiders. However, the fact that they can (and probably are) looking at all of the phone calls and internet searches and related information that they can get their hands on for some people worries me. This is because I don't want the NSA to be looking for blackmail-able material on UK judges, journalists, politicians, company managers etc. Oh, and their families (if I can't blackmail the PM, can I blackmail his cousin/nephew etc).

TL;DR Just because my info is not of interest doesn't mean that the info they are looking at isn't actively detrimental to my life/sources of info/access to justice.

1
0


Silver badge
Holmes

Well, see, it has the word "share" in it, doesn't it?

You are paid, how much, General Keith?

1
0

The real letdown here...

...is that our Matrix/Minority Report-style tech fantasies are brought down by the crushing realisation that twelve years after 2001 the spooks are using the same annoying point-and-click shite inflicted on the rest of us.

I haven't felt this demoralised since that woeful "THIS IS A UNIX SYSTEM" 3D file explorer in Jurassic Park.

Green screens, 3D gesture recognition or GTFO.

2
0
