What the Snowden affair taught us…the Super User problem

By Anand Kotti

With use of computer networks and information systems comes security risks. The risks range from unauthorized access, to lost, stolen and cyber-attack on sensitive data. In the recent past, there has been an increase in security breach by insiders, threatening to leak the information confidential to US federal authorities, which caught us completely off guard.

 Edward Snowden

Offense: Theft of government property, unauthorized communication of national defense information and willful communication of classified intelligence to an unauthorized person.

 Bradley Edward Manning

Offense: Violating the espionage Act stealing government property in violation of computer fraud and abuse act.

 How do we stop these insiders from disclosing the sensitive confidential information pertaining to the government?

Before we go into the details on ”how”, let’s go into the background details about who these individuals are and how they did it.

Edward Snowden: Edward Joseph Snowden was born on June 21, 1983 in Elizabeth City, North Carolina and grew up in Wilmington, North Carolina. His father, Lonnie Snowden, a resident of Pennsylvania, was an officer in the United States Coast Guard and his mother, a resident of Baltimore, Maryland, is a clerk in a federal court in Maryland. He attended Anne Arundel Community College, University of Liverpool. He was first recruited to the United States Army reserve May 7, 2004. Everything sounded and looked perfect for the world and for Snowden.

He made his way to the CIA and national security agency NSA, after discharging from the United States Army Reserve. His disagreement with government policies started here in NSA. In the epicenter of the disagreement for Snowden is a program called PRISM.  This is a program run by the United States National Security Agency. The program was designed to gather and analyze the information of both US citizens and foreign nationals at a dramatically larger scale. According to Snowden, the acts of government through the program PRISM were “Dangerous” and “Criminal”, as it targeted the common man who is not suspected of any wrongdoing or terrorist act.

In 2013, Snowden joined Booz Allen Hamilton as System Administrator with a pay cut.  Booz Allen Hamilton is a technology consulting firm, mostly catering its services to the federal government. The background checks on his resume revealed some discrepancies, but considering his work history and skills, Booz Allen Hamilton Ignored the discrepancies and hired him.

Snowden was placed inside the NSA at the Kunia Regional SIGINT operation center in Hawaii in May 2013. According to NBC News, as a system administrator, Snowden is able to assume the electronic identities of top NSA officials in order to gain unauthorized access. Each user profile on NSAnet intranet includes a layer of security clearance that determines what files the user can access. Usually these files are sandboxed on the server and cannot be moved or copied. However, as a system administrator, he was able to download an estimated 20,000 national security documents from NSA’s intranet to his thumb drives.

He then contacted Glenn Greenwald of The Guardian to divulge his information.

What happened?

Clearly there are several security lapses here:

  • A breakdown in the background checks
  • A lapse in managing privileges of system administrators. Granted a system admin often needs elevated system level privileges, but why was he able to easily assume other user identities?
  • In addition, why should a system administrator be allowed to download and move files? Shouldn’t system privilege and data privilege be separate?
  • Why isn’t access to critical data monitored or logged? If Snowden did not divulge his secrets, would his malicious activities be caught?
  • Last, why aren’t files that are copied from NSA systems remain protected outside of the NSA network? Wouldn’t it be nice if we could turn off access to the files that Snowden downloaded after the fact?

If the NSA can be breached by a system admin what does it mean for other organizations?

According to a survey done by the Ponenmon Institute in 2013, 37% of data breaches are caused by malicious attacks (such as Snowden’s) and, perhaps even more worrisome, 35% are caused by human negligence.  If our employees are going to either maliciously or inadvertently divulge or compromise our sensitive data, what can we do about it?

4 thoughts on “What the Snowden affair taught us…the Super User problem

  1. Peternoyg

    Thanks for sharing this great article. In any organization there always has been a weak spot either thru the system or manpower itself. Immediate mitigation is as almost impossible when it happens but the a hole can always be patched before it happens. Nevertheless, there is only 99.99% way to secure systems, that 0.01% is so much to debate about.

  2. […] blog What the Snowden affair taught us questioned, “Why should a system administrator be allowed t... nextlabs.wordpress.com/2013/12/18/would-data-level-controls-have-stopped-snowden
  3. ek.koh

    Peternoyg is right. There is no 100% security. All we can try to do is make it hard for perpetrators. Ideally we try to pro-actively prevent breaches, if not, we should at least try to create enough audit trail to detect breaches when it happens.

  4. […] a login credential that in fact grants him rights to sensitive data? Accounts vary, but in the blog ... nextlabs.wordpress.com/2014/01/23/can-we-turn-off-snowdens-access-after-the-fact

Leave a Reply

Your email address will not be published. Required fields are marked *