REVEALED: The gizmo leaker Snowden used to smuggle out NSA files

You probably have one in your pocket

Whistleblower Edward Snowden apparently used a USB thumb-drive to smuggle out hundreds of top-secret documents before he blew the lid off the NSA's web-spying project PRISM. This is despite the Pentagon's clampdown on the gadgets.

Unnamed officials told the Los Angeles Times that they were well on the way to figuring out which sensitive files the ex-CIA technician obtained, and which servers he swiped them from. Snowden left Hawaii, where he was working for a defence contractor, with four laptops that “enabled him to gain access to some of the US government’s most highly-classified secrets”, The Guardian added.

Only a small proportion of this confidential information has made its way into the public domain: the tiny cache includes four slides of a 41-page top-secret presentation about PRISM, and the lowdown on another classified programme called Boundless Informant, which produces a worldwide "heat map" of data gathered by the NSA.

Computer usage at the National Security Agency is tightly controlled. But Snowden was a systems administrator employed by contractor Booz Allen Hamilton to maintain the spooks' network, and thus had sufficient privileges to use flash drives as part of his job.

The chairman of the US House of Representatives' select intelligence committee Mike Rogers (R-Michigan) said Snowden “attempted to go places that he was not authorised to go” on the NSA’s network and that a damage assessment was underway to determine whether any other data was lifted, The New York Times reported.

The Pentagon banned thumb drives after one was infected by the SillyFDC worm and plugged into a Windows-powered military computer, allowing the malware to spread across sensitive government networks in 2008. The ban was later rescinded.

However, the rules were once again tightened in December 2010 after American army intelligence analyst Bradley Manning used removable media to smuggle out confidential diplomatic and military reports: it is alleged he copied hundreds of thousands of files from SIPRNet, the US Department of Defense’s classified intranet, onto a writeable CD disguised as a disc of Lady Gaga music. Manning is on trial after denying his subsequent leaking of the data "aided the enemy", but pleaded guilty to ten charges of misusing and transmitting the information.

Restrictions were placed on portable storage technology across all the arms of the US military and intelligence community: Major General Richard Webber, commander of the US Air Force Network Operations, put out a memo ordering personnel to “immediately cease use of removable media on all systems, servers, and standalone machines residing on SIPRNET”.

But such blanket bans have been hard to maintain in practice. The NSA uses auditing software that records every keystroke and other computer activities, but Snowden evidently found a way around these watchdogs.

Staff wandering off with critical data is not just a problem for US military chiefs and spymasters: just a few months ago another sysadmin, this time working for a Swiss intelligence service, was implicated in a similar though far less high-profile database breach.

Chief exec of security tools firm Cyber-Ark Udi Mokady commented: “There is an important lesson to be learnt here on the vast power entrusted to employees and the potential damage that can ensue if these internal privileges are misused. Regardless of whether or not you agree with Snowden’s actions and his political motivations, organisations should not lose sight of the fundamental truth that he was exposed to this highly sensitive information via the internal privileged credentials that he was privy to.

"There’s almost an unfortunate sense of déjà vu here as well, as just six months previously, intelligence agencies in the US and UK were warned that secret information on counter-terrorism shared by foreign governments may have been compromised and stolen by a senior IT technician for Switzerland's intelligence service."

Eric Chiu, president of cloud control firm HyTrust, added: “Systems administrators in particular, although low level, typically have the highest access to systems and data, given they manage those systems. Without implementing adequate role-based access controls based on least-privileged access, companies and organisations are granting god-like access to their systems administrators. And cloud and virtual infrastructure make the insider problem worse since administrators can access any virtual machine to potentially copy and steal sensitive data or potentially destroy the virtual data centre in the push of a button.” ®
