Another Snowden Lesson: People Are the Weak Security Link

There's a story that Edward Snowden successfully socially engineered other NSA employees into giving him their passwords.

Posted on November 8, 2013 at 1:06 PM • 46 Comments

Comments

NobodySpecial • November 8, 2013 1:34 PM

The response of the standard Mk1 government bureaucrat to this problem will be:
1, passwords will now be a minimum of 100 characters and change weekly
2, users will be restricted to only a single document they are authorized to see. Any access to other documents will take 7 levels of management approval
3, Users will not be allowed to talk to another user about anything without written approval, minutes, 7 levels of approval and a lawyer present

The result will be a screeching halt of any actual spying by these agencies, while at the same time a massive increase in perceived 'work'.

Victory all around!

Figureitout • November 8, 2013 1:39 PM

Unbelievable. Can't even defend from SE attacks...

Now they have a "trusted administrator" w/ more "outside contractors" saying to click here, put this disk in and click run.

Tim Bradshaw • November 8, 2013 1:40 PM

I think this is more evidence for what is probably the NSA's biggest problem: competence.

We already know that they were not competent to prevent a fairly junior person having access to an enormous amount of sensitive data, and walking off with it, which does not say anything good about their internal security practices. Now we know that this person successfully used a really obvious social-engineering attack on other people in the organisation: you don't have to be very security-conscious to realise that letting someone have your password is a really bad idea.

And this isn't very surprising in fact. If you were a smart CS / maths person interested in working with large-scale computing and applications of maths then you probably have three serious career options: you could work for the NSA, an enormous government organisation full of crippling bureaucracy where you'll never be able to talk about what you do, and possibly run a not-insignificant risk of something nasty happening to you if you decide you don't like your job; you could work in finance where you stand a chance of getting very rich; or you could work for googlebook where you also have a chance of getting rich and can also work on lots of seriously cool stuff and snoop on people if you like that sort of thing. I know which of these options I would not take.

So it's probably safe to assume that the NSA is staffed by people who googlebook and the financial people didn't want. Some of them might be brilliant-but-fractious (the maths people in particular: I can say this because I'm a maths person some of the time), but most of them are probably just not that good, unfortunately: the kind of people who give other people their passwords.

And the whole NSA thing remains a huge distraction therefore: now we all think that they're the bad guys, when they're probably merely bad-guy wannabes: we should spend a lot more time worrying about the data and power that people who sell us advertising are accumulating.

jackson • November 8, 2013 1:49 PM

Why do you see this only as a human failure and not a fundamental problem with the "something you know" or "something you have" paradigm?

Man in Black • November 8, 2013 1:57 PM

Jackson is half right. The fact that the NSA never thought to pair these with a smart card, biometrics, or token is mind boggling. But, there was a very serious human failure on a cultural level. Snowden got several other people's passwords. Where I sit, we wouldn't give each other our passwords. What plausible reason could he have given for the need of those passwords, and why didn't anyone notice?

/Facepalm.

Bemused • November 8, 2013 2:04 PM

While it's undeniably the case that such SE should never work, the fact of the matter is that such SE does work and probably will always work. This is Bruce's point.

The commenters above should remember that they are technical people who know better; and are probably incorrect in assuming that the people Snowden attempted SE against were technical personnel (if I were him, I would have steered clear of technical targets). So instead of being so smug it would be more constructive (and in line with the point of the post) to beware that in your OWN organizations there are probably people with similar levels of access to information who would make similar mistakes.

Brian M. • November 8, 2013 2:07 PM

Snowden may have persuaded between 20 and 25 fellow workers...

"I'll give you a chocolate bar for your password."
"OK, that sounds great!"

The NSA audit crew must have done a diagram of who had access to the documents, and realized that Snowden wasn't actually on the list. Then they started asking...

Clue for the clueless: never give out your password, not even to your coworkers. It's just one of those very simple things. And I'm also shocked that there wasn't two-factor authentication in place. One place I worked at used that, and another had an obsessive certificate management program.

NobodySpecial • November 8, 2013 2:24 PM

@Man in Black - he was a sysadmin.
Your PC doesn't work, the sysadmin needs to fix it, he is standing next to you and asks you for your password.

A bunch of subcontractors are trying to make Server A work with database B and SAN C - they each need to be able to reset one of the other components.

If you work at the sort of place where you wouldn't give the admin the passwd in this circumstance - you probably work somewhere where nothing gets done.

Man in Black • November 8, 2013 3:05 PM

@NobodySpecial

When needed, I log in for the admin. I've worked at places where passwords were shared in such a manner, and got to help clean up the issues that ensued, especially the lack of accountability and the he said she said of shared passwords.

When I have dealt with a sysadmin, there's been no reason they've had to use my password. On the one occasion when it was easier for them to use it, policy was in place for me to change it as soon as the sysadmin was done using it, to explicitly prevent this kind of activity.

The big issue is the NSA is supposed to be the smartest, the best of the best in security in our government, and they got beat by efforts that could have been done by a script kiddie with a cell phone (pardon the hyperbole). Unbelievable.

Keith • November 8, 2013 3:06 PM

This is not a new lesson. If anyone didn't know it after Kevin Mitnick's infamous days, then it isn't a lesson that's going to ever sink in.

jackson • November 8, 2013 3:12 PM

@Bemused - no one is being smug. The remarks pertained to an assumption on which the post itself was predicated, not to anyone at the NSA. You're way off.

CallMeLateForSupper • November 8, 2013 4:40 PM

"The bill also requires that the Director of National Intelligence set up a system requiring intelligence contractors to quickly report to spy agencies on incidents in which data networks have been penetrated by unauthorized persons."

Seriously? What the *&@#! caliber of people are these contractors that they must be told to report unauthorized access?!

GiftHorse • November 8, 2013 4:46 PM

To quote Thomas Drake on this story: "Story pockmarked with attributes of disinformation as free form allegations - similar to what I experienced at hands of gov't."

Anon • November 8, 2013 4:59 PM

@Man in black

Does it really matter if you give your password to the sysadmin if the sysadmin can reset your password at any time to whatever he wants it to be?

Brandioch Conner • November 8, 2013 5:16 PM

Firstly, if this is true then he planned it for a long time.

Secondly, collecting passwords is very simple for a sysadmin. From a hardware-keystroke-logger-attached-to-the-keyboard to shoulder-surfing to resetting-the-password-a-day-before-it-expires.

Two-factor-authentication does not prevent all the attacks possible for a sysadmin. He can always include scripts on your computer that will run when you login.

The interesting thing, for me, is that the NSA has got to know about all these possibilities and know how to exploit them to get data off of "enemy" computers.

So, if this is true, why didn't the NSA have some means of detecting such attacks on its own systems?

Nick P • November 8, 2013 5:35 PM

@ Anon

"Does it really matter if you give your password to the sysadmin if the sysadmin can reset your password at any time to whatever he wants it to be?"

It does if he wants (a) the actual accesses to go unnoticed and (b) to gather info other than passwords that might be useful. A classic industrial espionage trick is just giving sincere interest, food and drink to a person with sensitive information to get them to talk. He supposedly got 20-25 people to hand over that information. I suspect he might have gotten more data about the systems they use on top of that.

Regardless, reason (a) is enough to want the password rather than a reset. There's also the angle of audit logs showing someone other than him did the access.
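The accountability problem raised above (a borrowed password makes the audit trail name the account owner rather than the person who used it) is something a defender can at least look for in authentication logs. The following is an added example, not code from the post or any commenter; the log format, the workstation and account names and the sample records are all constructed for illustration.

```python
"""Audit-log indicators of borrowed credentials (added example, not from the post).

Two defensive checks over an authentication log:
  1. an account logging in from a workstation normally used by someone else;
  2. one account holding sessions on two hosts at the same time.
The log format, host names, account names and sample records are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set, Tuple


class Record(NamedTuple):
    ts: datetime
    user: str
    host: str
    event: str  # "LOGIN" or "LOGOUT"


# Constructed sample log: "<ISO timestamp> <account> <workstation> <event>".
# alice normally uses WS-101 and carol WS-207; on the second day alice's
# account appears on carol's machine while alice is still logged in at WS-101.
SAMPLE_LOG = """\
2013-11-04T08:02:11 alice WS-101 LOGIN
2013-11-04T08:05:40 bob   WS-102 LOGIN
2013-11-04T08:06:12 carol WS-207 LOGIN
2013-11-04T17:01:03 alice WS-101 LOGOUT
2013-11-04T17:04:55 carol WS-207 LOGOUT
2013-11-04T17:10:00 bob   WS-102 LOGOUT
2013-11-05T08:00:45 alice WS-101 LOGIN
2013-11-05T08:03:12 bob   WS-102 LOGIN
2013-11-05T08:04:30 carol WS-207 LOGIN
2013-11-05T12:30:00 carol WS-207 LOGOUT
2013-11-05T13:20:30 alice WS-207 LOGIN
2013-11-05T13:45:02 alice WS-207 LOGOUT
2013-11-05T17:00:10 alice WS-101 LOGOUT
2013-11-05T17:02:00 bob   WS-102 LOGOUT
"""


def parse_log(text: str) -> List[Record]:
    """Parse the whitespace-separated log into Records sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, event = line.split()
        records.append(Record(datetime.fromisoformat(ts), user, host, event))
    return sorted(records, key=lambda r: r.ts)


def host_owners(records: List[Record]) -> Dict[str, str]:
    """Baseline: the account with the most logins on a host is treated as its owner.
    In practice the baseline would be built from an earlier, trusted window."""
    logins: Dict[str, Counter] = defaultdict(Counter)
    for r in records:
        if r.event == "LOGIN":
            logins[r.host][r.user] += 1
    return {host: c.most_common(1)[0][0] for host, c in logins.items()}


def find_foreign_host_logins(records: List[Record],
                             owners: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Logins where the account does not match the host's usual user."""
    hits = []
    for r in records:
        owner = owners.get(r.host)
        if r.event == "LOGIN" and owner is not None and owner != r.user:
            hits.append((r.ts.isoformat(), r.user, r.host, owner))
    return hits


def find_concurrent_sessions(records: List[Record]) -> List[Tuple[str, str, str, str]]:
    """A login on host B while the same account still has an open session on host A."""
    active: Dict[str, Set[str]] = defaultdict(set)  # account -> hosts with open sessions
    hits = []
    for r in records:
        if r.event == "LOGIN":
            for other in sorted(active[r.user]):
                hits.append((r.user, other, r.host, r.ts.isoformat()))
            active[r.user].add(r.host)
        elif r.event == "LOGOUT":
            active[r.user].discard(r.host)
    return hits


def analyse(text: str) -> Dict[str, list]:
    """Run both checks over a log and return the findings by kind."""
    records = parse_log(text)
    owners = host_owners(records)
    return {
        "foreign_host_logins": find_foreign_host_logins(records, owners),
        "concurrent_sessions": find_concurrent_sessions(records),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", *hit)
```

Neither check proves credential sharing on its own (a legitimately roaming user produces the same records), but either is a reason to ask the account owner whether the session was theirs.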

Andy • November 8, 2013 6:18 PM

To me this smells like a FUDdy smokescreen.

1. It changes him in public opinion. From a conscientious guy who took a chance to do what was right when he had the opportunity to a somewhat more sinister, plotting person with an agenda, thoughtlessly cheating and ruining other employees' careers to achieve it.

2. It changes the alleged negligence of NSA procedures or rather lack thereof (outside contractor can grab the family jewels and no one notices right away) towards human error, suggesting sufficient safety procedures were in place but circumvented by social engineering on the weakest, the human, link. Both make the NSA look less than stellar but some spin doctor may have concluded that one is not quite as bad as another.

I may be missing some crucial info, but the fact that it took them so long to come up with this info smells more like blame-shifting to me.

NobodySpecial • November 8, 2013 7:55 PM

@Man in Black - but remember this wasn't the NSA or any organisation with any sort of command structure.

It was an outsourced contract outfit who got the job because they had the lowest bid, whose employees know that to get the next contract they need to be cheaper next time and who frequently have to work with an ad-hoc arrangement of other contractors.

It's much harder to enforce high levels of security and accountability in these circumstances.

Figureitout • November 8, 2013 10:17 PM

the fact of that matter that such SE does work and probably will always work.
Bemused
--No, it only works on idiots. Anyone asking me for critical info is wasting their time; in fact you may catch my eye and that doesn't bode well for you. This is below script kiddy-level attacks. Or it could simply be info before pw's, leading to compromises of agents, methods, locations, material sourcing; in which case their capabilities are reduced.

Bottom line, I hope the NSA enjoys dealing w/ their trust issues. Welcome to the real world, bitches.

Nick P • November 9, 2013 12:10 AM

@ Wael

Oh man it's been so long since I've seen those I forgot about them entirely. Awesome. I particularly like the "bastard gives advice." Reminds me of several good ideas for job security back when IT was a mysterious thing rather than a large field. ;)

Bemused • November 9, 2013 7:33 AM

@figureitout: dismissing people who are vulnerable to a threat as "idiots" does not magically make the threat go away or any less real going into the future. Spearphishing attacks, only a slightly more sophisticated form of social engineering than what Snowden did, continue to be a major vector for malicious actors to establish an initial foothold into a network. There has to be some amount of trust in any system of individuals for that system to function; and I would argue that social engineering attacks, whether you consider them to be "below script kiddie" or not, will always work some of the time.

Herman • November 9, 2013 8:14 AM

You can have any of my old passwords and I can give you as many new ones as you want too, but then I don't work for the NSA.

Bemused • November 9, 2013 9:58 AM

This post and the comments it has generated illustrate a further interesting problem: the dangerous tendency of techies to view everything as a problem of tech, a trait that recalls Steven Weinberg's trenchant comparison of Wolfram's approach to "new science" as a "cheese farmer who thinks the moon is made of cheese."

One could argue that NSA's main problem is that it has focused too much on Big Tech as a remediation for general and specific cyber threats; whereas a more holistic approach that acknowledges the non-technical nature of certain problems would probably be more effective. There is also the tendency of government, motivated by the requirement to be perceived as doing "something, anything," to throw bodies and dollars at a problem without any real examination of whether a more surgical approach is warranted: certainly one can observe this tendency in many areas, not just NSA. Many dollars and bodies look great on paper and reports to Congress but don't always pay off in the long term. While bureaucratic self interest plays a part in this tendency one must also recognize that, as members of a democratic government, agencies have to be accountable for results: in some ways, this accountability perversely encourages the throw-all-the-stuff-at-things approach.

One thought to resolve this problem would be to allow NSA and other agencies to experiment with smaller scale solutions with some allowance made for failure along the way. Freedom to experiment and fail en route to a final, efficient solution would benefit everyone on the inside and outside, from the lowliest lackey to the mightiest manager.

Anony • November 9, 2013 12:48 PM

If one has "root" level access, one can just SU to whomever they wish...

Last I heard, these folks were not smart enough to use encrypted containers for documents.

In the current Cover Your Ass world of national security, where witchhunts are commonplace, and anyone can turn anyone else in for questioning at the drop of a hat, blaming Snowden seems a likely course of events.

So how many of these "Snowden had my password" folks were, like Snowden, simply acquiring their own external pile of documents?

I'm not buying this until Snowden admits it.

Stephen • November 9, 2013 3:18 PM

Just seems to me, as someone who has run a large LAN with over 35k users, that they did not have much security at the admin level. Still, he was a LAN admin; unless they are supervised, they OWN the network. So is the NSA too busy spying on everyone else and figured they did not need to practice their own security rules internally? Plus this was a contractor site, which had no oversight. Trust me, it's the way they want it. It's the revolving door to make more cash and no one asks many questions until the shot hits the fan...IMHO

PatG • November 9, 2013 5:24 PM

@Figureitout
Social engineering is not just about asking someone for their userid and password. There are more subtle ways of getting someone's password without them realising. I've worked with people who, like you, would not give out their credentials under any circumstances. Yet I have still been able to get their passwords. These were people who were well paid and well qualified to be advising organisations on IT security. The same type of people who would be reading this blog actually. Not because I wanted to actually use their credentials, but because it was a challenge.

Figureitout • November 9, 2013 7:30 PM

PatG
--I know, I've done it too. Get the little rush w/ access to places. Straight up lying and exploiting the psychology of the brain; it's wrong. Wasn't enough of a fun challenge for me anymore. Graduated to baiting and outing agents; too much cloak and dagger and they keep breaking into my home when everyone's gone. Besides, so many vulnerabilities just present themselves, too easy. I just like to see how things work too. But now I know not to talk to you lol.

Dirk Praet • November 9, 2013 7:30 PM

@ CallMeLateForSupper

What the *&@#! caliber of people are these contractors that they must be told to report unauthorized access?!

When you're working with people who assume that the person first signaling a silent fart is also the one who broke it, then the smart move would be to say nothing and look the other way.

If this story is true then all folks who gave their passwords to Snowden should be fired, full stop. You never give out your password, and especially in such a type of environment, one would assume that there are very clear security policies in place that everyone is or ought to be familiar with.

Ray Dillinger • November 10, 2013 2:45 AM

Okay, the 'sysadmin' angle does it most of the time. It's still pretty stupid for supposed pros though.

I had imagined he'd called people up and asked them to enter their password, then recorded the typing noises on the phone. Most keys on keyboards make noises which, even at the frequencies phones can pick up, are quite distinguishable; with the recording and a rather simple password guesser that takes it as input I bet you could get most passwords in thirty seconds or less.

Hm. I should actually do it, and then write a paper.

Ambrose Mnemopolous • November 10, 2013 6:13 PM

Well this is interesting... the Reuters article says,

"One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization."

I love how good reporters are at leaving out the proper names of legislative bills. I wonder if Feinstein is a co-sponsor (maybe the Terminator should run for Congress).

Stewart • November 10, 2013 6:25 PM

It's very simple. I work in the commercial area, SOX, PCI, HIPAA but not 'National Security'. We NEVER, EVER, give our personal passwords to ANYONE, not even our BOSS! It's a violation of the company policy if we do.

If we have to give someone 'temporary admin' access,
a) they need an account to login with so we have an audit trail
b) they need a documented reason, approved by their management and ours
c) it is for a temporary period only (1 hour, 1 day, etc - one week would be a problem)
d) they promise, in writing, not to use it for anything else
e) the passwords are changed IMMEDIATELY after their use.

There may be some other rules I am forgetting, but this is security 101 where I work and we are not the CIA/FBI/NSA/DOD or anyone with 'important data' (Yeah I know PCI/HIPAA is important), but you get my drift.

Dirk Praet • November 10, 2013 7:58 PM

@ Anony

If one has "root" level access, one can just SU to whomever they wish...

Not necessarily. Since Solaris 8, it is possible to make root a role through RBAC (role based access control), meaning you can't even log in as root except in single user mode. Whenever you want to do something requiring certain root privileges, you have to log in with an authorised userid and then assume the root role through su if that user is allowed to do so. My former Sun/Oracle colleague Darren Moffat has some excellent tutorials about restricting root's God powers. Just Google for it.

Guy In A Diner • November 10, 2013 8:19 PM

There is no reason to accept anything NSA says as truthful. They have absolutely no credibility whatsoever. Any evidence they present is tainted because they handled it. They are the criminals.

Clive Robinson • November 10, 2013 11:45 PM

@ Nick P,

    Reminds me of several good ideas for job security back when IT was a mysterious thing rather than a large field. ;)

Is that the "large field" at the top of a long forgotten track with vehicle access where some dark night a hole was mysteriously dug, had five bags of lime and a rolled up carpet dropped in it, shortly after the BOFH Boss authorised a change for an exception?

http://www.theregister.co.uk/2012/11/09/bofh_2012_episode_11/

Clive Robinson • November 11, 2013 12:25 AM

@ Dirk Praet,

    If this story is true then all folks who gave their passwords to Snowden should be fired, full stop. You never give out your password, and especially in such type of environment, one would assume that there are very clear security policies in place that everyone is or ought to be familiar with.

Whilst this should be true... we know from LoveInt that the most senior manager in the NSA turns a blind eye and works on the "don't get caught doing wrong..." paradigm that caused Ed Snowden to "blow the gaff" in the first place.

This anonymous revelation of easy SE of NSA staffers shows them to be of the mentality required to be a "bit part player" as a "wild west vigilante hanging party crowd member" from a 1950s B movie. And not of a sufficient caliber to make it into the "more beans" scene of Mel Brooks' "Blazing Saddles".

Now somebody has suggested this is a smoke screen to make Ed Snowden look less as a person, whilst that might be true, it should give rise to the "where's the chicken's head?" question that Congress and Co should be asking NSA senior management.

I just find the whole story unbelievable either way...

geohash • November 11, 2013 6:40 AM

Completely agree with Andy, it smells like public opinion manipulation.
I don't think only passwords are used to control access no matter how incompetent "no such" appeared to have been, some form of 2 factor must be in place. Besides, I don't think Ed Snowden would take the risk to social engineer other employees, for one the (social engineering attempt) incident could be reported, for another it is somewhat in muddier ethics terrain. But surely it makes him look evil in the eyes of the general public, "look he even caused poor coworkers to be assigned to other tasks or lose jobs".
Sure it looks like some of its employees are easy to social engineer and therefore unfit for working in such an environment, but in damage control mode one has no choice but to compromise.

Nick P • November 11, 2013 10:43 AM

@ Clive Robinson

Nice piece. :) Yes, exceptions are the rule in INFOSEC. Perhaps there should be a sub-field of INFOSEC dedicated to cataloging safe ways to handle common exceptions in many different areas of IT. As for software/systems, they should be designed to either make them darn near impossible to do or easy to do safely. The upcoming tagged, provenance-tracking, and/or functional language architectures might help a little with either.

Kurzleg • November 11, 2013 11:50 AM

@Figureitout "No, it only works on idiots."

Consider the possibility that most people at some point in their lives become emotionally vulnerable to one degree or another. Under such circumstances, someone like Snowden exploiting the vulnerability isn't all that surprising, and it has nothing to do with the competence or intelligence of the target. I'm not saying that this is what happened in the case of Snowden, but reducing the analysis to a matter of intelligence isn't particularly helpful.

Figureitout • November 11, 2013 10:08 PM

Kurzleg
--If you have emotionally vulnerable agents then that's a highly exploitable weakness. *ahem*, not that I would try to seek out such a thing in my studies...Think I didn't try to gain intel "sleeping around"?

And yeah, it is helpful. Reminds me that when my data gets sucked up, then can be made vulnerable by a frickin' SE attack, that they can't handle that capability anymore. SE attacks are not supposed to happen at the frickin' NSA.

Skeptical • November 12, 2013 5:55 PM

I'd view the report with some skepticism until there is further confirmation.

To my very amateur eyes, even assuming the report is true, there are two related but different problems here:

(1) Visual access to information he does not need to know;
(2) Ability to download, store, and transport information that need not be downloaded, stored, or transported.

Perhaps one of the experts here could help with my question:

Privileges associated with one need not be associated with the other, right? That is, my profile might allow me to view a file, but could also restrict me from downloading any files or even being able to utilize USB ports on the device onto which I've logged on.

And similarly, an administrator might need the ability to run certain programs from a portable drive (question: how often is that really the case?), but he should never need to download files in certain locations or with certain flags.

Are these common approaches? If so, I'm not sure the SE angle explains what Snowden managed to do. A stolen password would give him visual access, but the privileges associated with the stolen account would not necessarily give him download or portable media privileges.

I may be completely off here. From my very dim perspective, though, seemed like an interesting question.

Dirk Praet • November 12, 2013 8:55 PM

@ Skeptical

And similarly, an administrator might need the ability to run certain programs from a portable drive (question: how often is that really the case?)

Depends on the kind of administrator he is. Most (smart) desktop technicians I know carry a bootable flash drive containing an entire battery of operating systems and other tools they use for troubleshooting and fixing machines that don't come up. There's also quite some "portable" (Windows) software out these days that one can run from a flash drive without having to install it on the target machine and that saves its settings on that same drive.

From a physical security point of view, I can tell you from personal experience that trying to sneak in a cell phone or flash drive at certain military facilities - especially as a contractor - could get you into serious trouble, up to termination of your mission and revocation of your security clearance. I once witnessed a guy almost pissing himself being escorted off the premises by two huge black MPs when at the gate he emptied his pockets and a USB stick (which he forgot about) came out.

Practically, the only way to prevent data from leaking to flash drives is not only by OS and other access level controls but by gluing all USB ports. The moment a person - by whatever means - has acquired sufficient access privileges and is able to wipe the audit trail, it's game over. Compartmentalisation and company wide use of MLS for sensitive data and applications can also considerably up the ante. It would be totally cool if Snowden at some point could tell how exactly he did it, but I think it would reflect very badly on internal NSA security controls and practices.

akmenot • November 13, 2013 7:33 AM

In Re: "The response of the standard Mk1 government bureaucrat to this problem will be:
1, passwords will now be a minimum of 100 characters and change weekly
2, users will be restricted to only a single document they are authorized to see. Any access to other documents will take 7 levels of management approval
3, Users will not be allowed to talk to another user about anything without written approval, minutes, 7 levels of approval and a lawyer present"

There is a known answer to computer threats: turn 'em down. No Power No Sh*t.
