Monday, August 26, 2013

NSA: The Not Secure Agency

An EPJ reader, who is a "professional penetration tester," emails on the bungling NSA:
"The U.S. government's efforts to determine which highly classified materials leaker Edward Snowden took from the National Security Agency have been frustrated by Snowden's sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have showed what information Snowden viewed or downloaded...."

(http://www.cbsnews.com/8301-201_162-57600000/edward-snowdens-digital-maneuvers-still-stumping-u.s-government/)

It's not a "sophisticated" bypass; the NSA didn't protect databases from Database and Systems Administrators.
Here's a blog article by a database security product vendor's research group about this widely known problem from January of last year. Even then, the information in the blog article was long in the tooth.

http://www.teamshatter.com/topics/general/team-shatter-exclusive/database-logging-basics-for-the-secure-dba/
This implies that everything the NSA has said about the careful auditing they do to prevent unauthorized access by employees and contractors is a joke - it's not possible when you don't take these basic precautions.

4 comments:

  1. Am I the only one who thinks Snowden sounds a little too good to be true? A contractor reading the most sensitive documents in NSA's archive. Why didn't they use encryption like Snowden himself has done? I believe he had help.

  2. So now not only can the state blackmail you, you got employees with any type of motivation to destroy you. Whether they be personal grudges, selling information to the highest bidder, etc.

  3. Do NOT believe the hype in the movies and TV shows; all those slick UIs and feds catching hackers in seconds with flashy graphics and technology that you only touch in your dreams. I'm a highly respected (and well paid) information security consultant, currently working in the Fortune 100 space. I'm also a former Information Security Manager working for a large defense contractor with the DoD as my 'customer' and the NSA as my 'auditor' for 3 very large Top Secret programs. The DoD and virtually every other Federal agency routinely fail (miserably) their yearly security benchmarks/audits with F grades. Their security is much less than you would see in a large tech company, such as Microsoft or Apple, and even far less than a large Wall Street trading house. You will still find decades-old Operating Systems that are terribly insecure and only secured by having armed guards at the door. The typical pay for their security staff is FAR lower than true market value (my pay doubled going to work in the Fortune 50 space, not counting stock or bonuses), and their training and skillset are lacking. The PhD geniuses at the NSA are few and far between, and Snowden the dropout outclasses most of the government's best and brightest. Almost daily I would have to explain security 101 basics to NSA analysts that were in over their heads on various topics. I would have been thrilled to have someone as bright as Snowden (moral leanings aside) to manage. You don't have to look far to see evidence of their desperation to come to grips with their skills gap, in that they frequently troll every hacker convention world-wide looking for talent. Think about that for a second; the GOVERNMENT looks for HACKERS to HIRE to PROTECT us from HACKERS. Most of these folks have a very tenuous grip on morals that prevent them from using their skills criminally for personal gain, and the government is so desperate to know everything, that they will gladly accept the blackhats and techno-crooks of the underworld to do their bidding.

    The true crime is NOT Edward Snowden or Bradley Manning. It is an absurdly huge bureaucratic and inept state that cannot get the very basics of security correct at any given time and they are tasked with our safety and privacy. Everyone knows Chelsea Manning walked out with MILLIONS of pieces of intel, yet virtually NO ONE has bothered to ask WHY a low-level military analyst, who was recently reprimanded, was allowed to keep broad access to information he had NO business having access to? Where were all the bells and whistles when one analyst was dumping and copying thousands of documents? Why was a CD/DVD burner even allowed in a TS environment? The same goes with Snowden. This is like leaving the bank vault open with shiny gold bars in plain sight of every burglar in a 100-mile radius and throwing the book at them if the temptation is simply too much to bear. They had a complete lack of security controls that could have prevented such incidents. Now they have no choice but to destroy those that have embarrassed them and put their sheer ineptitude on display on the world stage.

    I'm ashamed of my country's behavior as a citizen... I'm far more embarrassed by them as a professional.

  4. Amazing post, anonymous. Do you have any links to other sources that back up any parts of the story? I completely believe you, but if we were to make this case to non-believers, could you point us in the right direction? Hope the NSA isn't zeroing in on you now....
