Monday, August 26, 2013

NSA: The Not Secure Agency

An EPJ reader, who is a " professional penetration tester," emails on the bungling NSA:
The U.S. government's efforts to determine which highly classified materials leaker Edward Snowden took from the National Security Agency have been frustrated by Snowden's sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have showed what information Snowden viewed or downloaded...."

(http://www.cbsnews.com/8301-201_162-57600000/edward-snowdens-digital-maneuvers-still-stumping-u.s-government/)

It's not a "sophisticated" bypass, the NSA didn't protect databases from Database and Systems Administrators.
Here's a blog article by a database security product vendor's research group about this widely known problem from January of last year. Even then, the information in the blog article was long in the tooth.

http://www.teamshatter.com/topics/general/team-shatter-exclusive/database-logging-basics-for-the-secure-dba/
This implies that everything the NSA has said about the careful auditing they do to prevent unauthorized access by employees and contractors is a joke - it's not possible when you don't take these basic precautions.