"The damage, on a scale of 1 to 10, is a 12."
One better than Spinal Tap, innit?
Next on The Reg - Will Nigel Tufnel go for 13?
The US National Security Agency may have some of the most sophisticated cyber-surveillance programs in the world, but it was trivial for former NSA contractor Edward Snowden to walk off with sensitive data, sources say, owing to the agency's antiquated internal security. "The [Defense Department] and especially NSA are known for …
One better than Spinal Tap, innit?
Next on The Reg - Will Nigel Tufnel go for 13?
As Obama inadvertently pointed out, it's all about "our need to maintain the public trust"; which is almost completely unrelated to any immediate or potential danger to the citizens of the US, who these clowns are ostensibly elected to protect and support.
What he spilled the beans on was maybe 2-3 on a scale of 1-10.
The real stuff, the 10 on a scale of 1-10 is never put onto a computer, it's the stuff that is never recorded, never talked about and never minuted in the meetings.
Don't kid yourself that Snowden is that important, he is an embarrassment and and irritation but would never have had access to the real subterfuge that goes on in Government.
However their security (you know, the 'S' in NSA) incompetence on a scale of 1-10 is a 25
"The damage, on a scale of 1 to 10, is a 12."
OMG, THAT'S 120% DAMAGE OMG OMG OMG
Wrong. Just yesterday the Washington Post ran a story about amounts of money in the black budgets. They self-reported that they self-redacted from the raw files because of the damage it would cause to National Security. It pinpoints real weaknesses in intelligence gathering capabilities as well as where money has been spent on successes. All of this is classified for good reason. Now our adversaries have it. And loathe though you may be to admit it, for the most part our adversaries are your adversaries. They're just a little more focused on us because you aren't much of a threat to them at the moment. But if they can ever neutralize us, they'll be happy to go after you next.
Interesting though, that for all the head-banging and wailing from the governments, nobody seems to have fired for creating the mess ... somebody must have been in charge of Snowden, somebody must have been responsible for the system configuration and permissions?
"somebody must have been responsible"
For pissing off the BOFH? Indeed.
Is it too late for a "BOFH of the year" award?
Or too early?
>And loathe though you may be to admit it, for the most part our adversaries are your adversaries.
And loathe as I am to admit it the only country talking about committing an act of war in the next few days is my own (the US). The but they were all bad guys argument may work with the right in the American public but makes the rest of the world not think of us as the good guys. The right also says we don't need the rest of the world only because they don't understand history.
As a fureigner I enjoy the outrage of the American people when they learn that they are not, in fact, Special but are lumped into the same "probably terrorist"-bin as us Untermenschen!
The funniest thing about Snowden is that while everyone are wailing about what he "took", nobody is bothered about what he put in ... and data integrity and stuff.
Maybe that too will come when the NSA personnel file accidentially goes on the "no-fly" or "murder by SWAT"-list.
If Obama could get the Nobel Peace Prize a few minutes after donning the magic cape, then Snowden can surely get BOFH of the millenium right now.
Snowden blew the whistle on the dirty tricks our governments get up to and for that we should be grateful. It goes without saying that the activities of the state are directed at the people. Little do they care if there is a terrorist outrage, rather it gives them the excuse to watch everybody more closely.
We can only hope that more of this dirt on our governments is exposed.
I think the reason us Brits are not backing the US on this one is not that we don’t think we should intervene in theory, but we just don’t want to support either the rebels or the government, we see it as a bit like Afghanistan in the 1980s with hindsight, yeah the regime is bad, but we really don’t want another Taliban type government either, and you just know as soon as the West goes in Israel is going to get even more rockets landing on them, just because its Israel.
they have? I suppose a mix of all kinds..
I remember getting pissed off at NT and other windows versions for blocking access to files when I was an admin. I mean if I have rights to edit the files to give myself access just let me alter the #$@# file. On the same note I have never used ACLs on *nix, and always turn off SELinux. Would you believe it I've never been hacked in nearly 15 years?(other systems that I inherited have been compromised though the fault was never mine -- I suppose one hack I was responsible for I talked a friend into switching his FreeBSD box from telnet to SSH back in 2001 - about 9 months later he was hacked via ssh exploit). Shocking I know.. it's not that hard though. It helps a lot to not be a high value target to begin with!!
One of my friends a long time ago told me how Netware was even more strict, files could be locked down so admins could not read them(or edit acls etc), and there was a special backup user for the tape backups that had access to the files, then I suppose the tapes were encrypted or something so they couldn't be restored to another system and read that way.. I dunno.
I never want to work for such an institution. It just makes the job more frustrating. Myself I don't care about the data, I have no interest in stealing it, there's no value there for me personally. I've never had an interest to open "salaries.xls" or whatever, I don't care what is in there. I don't know why I just don't. It's not that I am secretly trying to be honest and not take it - I really don't care. I'll store it on the storage, back it up, whatever. The only time I may open it is if someone asks or if it's causing a problem for some reason.
Fortunately I haven't dealt with internal IT in more than a decade so that hasn't been my problem for a long time. Now the data I have dealt with since generally is more valuable(customer data), but again I really have no interest in stealing it. The only data I have interest in is the stuff I make myself (scripts etc). Some companies like to try to lay claim to such things (none I have worked for have ever tried/cared - they benefit greatly as not having to start from scratch each time dramatically accelerates results).
I am surprised that the NSA stuff was not more locked down, the means Snowden used to access it seems pretty basic (not "brilliant" like one commenter from another article on slashdot).
If I were in Snowden's position(at the time he took the data) I'm not sure what I would do.. hard to imagine ever being in that situation to begin with I can't ever imagine ever ever working for a big institution of any kind for any price. I suspect I wouldn't take the data, because I wouldn't care enough to look to see what is there to begin with.
Though I do commend him for doing what he did I think it was wonderful.
You'd think that the NSA would have a system of compartmentalization, but I guess not.
Oh well, the citizens of the world are better off as a result. At least now we are getting a decent idea of what the NSA is technologically and ethically capable of....
I agree with you on that. I don't care what's in the users data. For me it's data that just needs to be maintained there and that's that.
I did once find "Executive Salaries.xls", left on the Xerox machine at a former company. I made a few copies and left them on peoples' desks.
It was fun watching the ensuing sh*tstorm. They never traced it back to me.
When I worked at Martlesam Heath there was a whole floor dedicated to .... well who knows?
Actually it was easy to find out when they used our line printer for their top secret security manual.
Security is easy to implement - you just shoot all the managers who want everything done now rather than securely. Fortunately that's all of them.
I remember getting pissed off at NT and other windows versions for blocking access to files when I was an admin.
That's why one of the first principles of information security is "don't grant elevated privileges to people who don't care about security".
Of course, another one is "don't give employees of contractors elevated privileges on your sensitive systems". And even before that, "don't use discretionary access controls for compartmentalized data".
The NSA has compartmentalized data. Using any sort of DAC mechanism - rather than MACs or other formal enforcement approach - is irreparably broken from the start. Storing compartmentalized data on systems that rely on DACs is irreparably broken. Storing it on systems that have the concept of "unlimited privilege" sysadmins is irreparably broken.
It's the same old story. For economic reasons (procurement costs and user acceptance) the NSA is using completely unsuitable systems for its data. Snowden is a symptom, not a cause. Closing this barn door won't help regardless of where the horse is, because the barn is only notional - just an agreement among the sysadmins to play nice.
...positive vetting over there.
I have to agree with you. The rubbish vetting of contractors and staff along with allowing a near 'open door' policy to data security appears 'unwise'.
We have seen some of what what one Snowden has done, how many other odd ball things have happened and are still happening? Can any of the data be trusted? The released or unreleased data are all now suspect
How much of the data collection activity has been screwed up and tainted by those who have not yet been found or perhaps more importantly ensure they are not found out doing what they are doing?.
It is fine for all those 'we should have no secrets' types to wave their flags, though perhaps not so wonderful when you or yours get blown up or gunned down because no one could look.
How many fully legitimate investigations been blown off course because a rogue employee with the key to the magic kingdom, decided to protect a 'friend' or even worse implicate an innocent party? That innocent party could be anyone anywhere.
Data abuse is a multi-way highway, travelled by many dirty feet.
The NSA is removing the 'A' key from keyboards to prevent people logging in as administrator.
Couldn't one who is quite skilled, without even being brilliant, just enter control codes or such to replace the missing "A" key from the keyboard? Or, add to the system, a file containing the necessary executable/binary, and with escalated privileges, traverse, hop, skip, and jump along and do login?
You're probably right. Someone with the right skill set probably could overcome the lack of an 'A' key. The only way to prevent this would be for government to hire drooling thickwits for most roles.
Although it kind of looks like they're well on their way to implementing such a policy if Snowden's boss really granted him unlimited access. Maybe all those 'A' keys will be safe after all.
If the NSA saw someone overcoming the lack of the 'a" key problem then they would probably take the next step up and remove the mouse so that the user could not click on the "Ok" button.
No need for big skills - I found myself on a PC whose keyboard was lacking a letter once, then I simply copied it from another text (Ctrl-C) and pasted it (Ctrl-V) every time it was needed...
Start-> Run->OSK->Ok (or just go through the start menu if you haven't a keyboard at all)
Press "A" on the Virtual Keyboard.
Right bloody skillset indeed!
This "drooling thickwit for most government roles" policy was started several years back and is being rolled out in a top-down fashion. I'm afraid I can't say anything else at this time.
Or hold down Alt and type '65' or '97' on the numerical keypad (assuming you're running MS-Windows form NT onwards).
The NS did it lre dy to my workst tion
De ry me, time for me co t
I know someone at university in the late 90's who managed to get a cursor left ASCII code into thier password this way on the basis that if anyone key logged him it would overwrite the previous character and he'd still be secure.
Almost as nice as the guy who wrote a postcript fractal generator which locked a printer for about 8 hours when sent.
But then how could they enter their Password1 ?
On direct orders from President Obm.
And in tomorrow's news, following new leaks, they are also removing the Alt key and numeric keypad.
Start-> Run->OSK->Ok (or just go through the start menu if you haven't a keyboard at all)
But where is the Start button on the login screen? It's still easy enough to work around - it was clearly intended as tongue in cheek after all. However, suggesting one method that doesn't work is plain retarded.
I'm sorry, I have to call b*llsh*t on this.
Any database system worth its salt relies on db specific credentials, simply being root (or any user for that matter) should be absolutely insufficient to access anything in a secured database. One would hope that such a place as the three letter agencies would require authentication against the database application before providing anything classified.
I find it beyond belief that such agencies would work in any other way. In which case, Snowdon actually *had* the appropriate levels of access to the data and we're trying to be sold something to cover that up.
I don't know, they can't even search their own emails:
"Any database system worth its salt relies on db specific credentials"
You mean, like sharepoint?
I think that's your answer right there.
I don't get the credentials, or lack thereof. If the data's encrypted on the system/server, a sysadmin can fiddle to their hearts content. They could move stuff with a memory stick, but unless they could decrypt it, they couldn't leak it. It's harder to manage, but surely a lot more secure?
With root access it is possible to totally bypass the security on any database by using disk block access to the underlying data files. (Or an easier method - make the backup procedure make a copy of the database somewhere else on the disk - set that up as an instance and give yourself full access to the copy.)
In older Oracle databases (I only worked on versions 5,6,7), it was easy as a system administrator to get access to the Oracle SYS and SYSTEM accounts or to set up an OPS$ account. Once you have access then adding an account (or modifying an existing one) with the READ ALL TABLES privilege (and any specific extra tokens needed to access a specific table) is trivial. Again with Oracle, one of the standard procedures that would be done from time to time is a full database export. The export file is ASCII text with no internal protection - if data is stored unencrypted in a database then it is unencrypted text in the export file. Note also that as a system administrator it is usually easy to define or modify where exception reports are sent so if accessing a table raises a flag then the flag can be made ineffective.
Remember - all databases have a backdoor built in to recover from the case where the admin password has been lost - with Oracle it was SQLDBA (at least in versions 5,6,7). With SQLDBA it was possible to change the password for any user or to add a new user with any desired privilege.
It would have been ironic if Snowden had used the supposed NSA backdoor into WIndows to break into the NSA's own computers to steal NSA documents. Since he was a sysadmin, it wasn't necessary, but it would have been a bit of sweet justice and lots of LOLs if he had...
The way I read the article that is how it was separated. He had complete access to copy the data files. To access the data he was using other people's database IDs. What isn't clear to me is whether or not he was granted permission to create/reset database IDs. Frankly, it wouldn't surprise me if they had.
Government IT security is a sad state of affairs. They seem mostly concerned about whether or not the check marks are in the correct boxes on the forms, not the extent to which good practices are being followed. Or even if the alleged good practices truly are good practices. They'll force you to change each of your ten passwords once every 30 days (different rule sets for each) but won't lock down USB ports for stick drives or forget to buy cable locks for laptops. One place I was at wouldn't let you email the fully dotted quad of a non-routable ip address but were fine with you emailing a MAC address.
My personal experience as both a Unix admin and a DBA tells me that you are wrong. Here's the thing. That database as to run as a system user, generally one with reduced privileges.
For example, let's say the Unix username the database runs under is "oracle".
As a system administrator, I have access to the Unix "root" account. I actually need it to do my job. This user, by definition, as the right to become other users. This is necessary for the OS and it's security features to work right, so can't be easily disabled. So I just switch user to "oracle" then start the CLI for my database. Voila, access to pretty much everything stored in it.
Same goes for files stored in file servers (you appear to think it's all in one uber application. Word and excel documents probably get used a lot more) because hey, it's his JOB to make sure the files are OK and not going to vanish due to a failing hard drive.
>One place I was at wouldn't let you email the fully dotted quad of a non-routable ip address but were fine with you emailing a MAC address.
I bet you'd blow their mind if you told them you could convert a IP to decimal format.
Crafty people always have a way of getting around dumb policies.
So we know MS took in millions for their dealings with the NSA, but I wonder if that is biting them in the ass now? Even though Snowden's boss appears to have greatly contributed to the problem, itsure doesn't look good for SharePoint.
If I still sold software I'd be dreading every phone call and email from prospective SharePoint clients who wanted to know why the system was so insecure that a low level admin could snag documents from his superiors. Customers don't want to hear technical details; they get fixated on the end result. The end result here is the system allowed a serious (12!) security breach and that's all the customer will hear.
Serves MS right for dealing with the devil, selling their countrymen out and using my tax dollars to do it. I know they probably didn't have a choice but to cooperate, but I can still be pissed that they did.
Except that you're mixing reporting superiors with technical superiors. As a System Admin, Snowden was at the top of the technical chain.
What has happened with government IT work is the technical work has been separated from the management responsibilities and the technical work is contracted out. That way when the manager makes a frelled decision they can fire the contractors without a complicated exit process.
What's really needed is the computer equivalent of the two person rule for banks handling money. And I hear even that is typically expanded to a three person rule with one of the three never touching the cash.
"The NSA is reportedly only now piecing together the exact steps Snowden took to infiltrate its systems, including identifying specific users whose accounts he used to access documents. But there's no clear paper trail – investigators are said to be looking for red-flag discrepancies, such as accounts that were accessed while their owners were on vacation.
Once he began collecting documents, Snowden was surely also emboldened by the fact that, as a contractor working for Booz Allen Hamilton in Hawaii, he never once needed to set foot in NSA headquarters. Instead, he could access the files he wanted from a computer terminal some 5,000 miles away."
How about also looking for multiple and concurrently-used logins? Someone could be on vacation and legitimately be accessing a file under orders (not to work for more than 20 minutes, but to open a file and relate or communicate some critical number or name or term, then log off and resume vacation)?
How about if the Snarget (SnowdenTarget) is in a protracte meeting that surely is likely to involved being logged on to access training, reporting, or other reports? That person might legitimately be granted by IT to have 3 or 4 concurrent logins, crossing various zones, regions, buildings, and so on, either under one login name, or a login name but with different passwords, or different login names (to obscure WHICH employee is accessing files when a security breach cannot be allowed to show how much deep access a director has, say) and diffferent passwords.
Now, if the Snarget is in that meeting, and no alarms/tripwires are in effect, and if Snowden or a Snow-a-Like knows this and exploits it, it might be hard to prove who was doing what -- well, until enough auditors go over all the logins and parse them via a database. The database query might be as simple as (in lay language, not structured query language):
-- Get access info on the files known to be compromised
-- find the intermediate and presumed origin (travel path) of credentials/tokens/logins used to get to the files
-- find the servers that passed on/forwarded these credentials
-- display the time zones, normal working hours, and workstation locations for the user accounts involved
-- display the HR records showing valid work hours of the user accounts involved
-- display the Payroll records of the user accounts involved (to find terms, actuals, and non-hidden "consultants" and informants, etc
-- display the IT credentials/rights/escalated privileges histories
-- find banking and one-time payee records of user accounts for active and termed accounts
-- correlate all and look for anomalies for unions/sets related to NSA and NSA-contractors and NSA-approved "special login entities" (stools, triple agents, and similars)
-- correlate all with IT repair jobs and locate which data scrubs of sensitivce hardware have two or three-person control/integrity/wipe/destruction verification
-- interview/debrief all involved user accounts and nearby workspace colleagues for "intel" not in a database, about James Snond (Snowden/Bond)
My guess on why they are having a hard time tracking Snowden in the audits... All the system admins were doing similar profile sharing/switching just to get the system to work. It's really easy to track an anomaly traverse a system, but when when the anomalous behavior is standard procedure they may never be able to figure out exactly what happened.