Friday, February 14, 2014

For better access, Edward Snowden snagged his supervisor's password: Memo

Wikimedia Commons photo EdwardSnowden.jpg
Former NSA contractor and whistleblower Edward Snowden used one of the oldest and easiest to circumvent vulnerabilities known when accessing NSA documents: a human being. NBC reported that Snowden managed to convince a civilian NSA employee -- who recently resigned after being stripped of his security clearance -- to allow him to use the latter's log-in credentials to access classified information.

NBC said it obtained an agency memo on the issue. The memo, dated Feb. 10, was sent to congressional intelligence and judiciary committees earlier this week. While the memo is unclassified, it is labeled “for official use only.” The memo is the first official report on the investigation into exactly how Snowden managed to make off with a cache of classified documents that were then leaked to a number of media sources.

In addition to the above employee, an active duty member of the U.S. military and a contractor were “implicated” in actions that may have aided Snowden, the memo said. The pair has have been barred from accessing NSA facilities while their status is being reviewed.

Don't think that the civilian employee did not simply wrote his password on a piece of paper and hand it to Snowden. Instead, the memo said that at Snowden's request, the employee, who is not identified by name but was reportedly Snowden's supervisor, entered his password onto Snowden’s computer terminal. What the employee did not know is that:
Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information.

Despite the fact that Snowden used technological trickery to capture the password, by sharing his personal “public key infrastructure” certificate with Snowden, the employee “failed to comply with security obligations,” the memo said. As a consequence, the employee’s security clearance was revoked in November and the NSA notified the Justice Department that he recently resigned.

The memo does not detail the actions of the U.S. military member and the other contractor.

The memo conflicts with an earlier statement by Snowden which said that he did not steal passwords or trick any co-workers into revealing theirs.

In response to a request for comment, Jesselyn Radack, who is a U.S.-based legal adviser to Snowden, said,
Edward Snowden stands by his denial on Jan. 23. NSA has a documented history of scapegoating innocent employees for its own failures, ... manufacturing evidence against them and misleading Congress.
The memo can be viewed here, in PDF form.

No comments: