Skip to content
Naked Security Naked Security

NSA hasn’t closed security windows Snowden climbed through

One of three problems found in an audit: two-person access controls haven't been properly implemented at data centers and equipment rooms.

Whether you think he’s a principled patriot or a traitor to his country, you have to give him credit for something: thanks to the former contractor for the US National Security Agency (NSA) Edward Snowden, we learned a lot about secret spying programs.
Aside from the obvious – vast data collection programs that included PRISM, Tempura, Upstream, XKeyscore and the NSA’s powerful facial recognition program – we learned something crucial about the country’s elite spy agency: it had holes in its own data security big enough to let a contractor walk through with massive troves of sensitive data.
According to an audit from the NSA Inspector General’s office, as of March 2018, some of those holes were still open.
Of course, the audit, published for public consumption, contains only declassified information, and it doesn’t give details. Be that as it may, starting on page 29, the audit enumerates significant outstanding inspection recommendations regarding the NSA’s failure to secure the internet and the enterprise, as well as to address insider threats.
In a nutshell:

  1. The NSA’s system security plans are “often inaccurate and/or incomplete.”
  2. Two-person access controls haven’t been properly implemented at data centers and equipment rooms.
  3. Removable media isn’t being properly scanned for viruses.

Snowden didn’t get his trove of documents via malware, so no. 3 – allowing things like random USB drives to be plugged into network computers – isn’t relevant in his particular case. But it’s certainly relevant to all the places that have inflicted themselves with malware by plugging in stray sticks.
Naked Security has been banging away at this nail for years. Seven years ago, Sophos bought a stash of USB keys from a lost property auction as an experiment. 66% of them contained malware, and not a single one was encrypted.
That’s so 2011, you might think. But Sophos’s very own CISO, Ross McKerchar, said removable storage as a threat vector is still as fresh as a dangerous daisy:

Removable storage is a massive concern. While it’s a less common (but still real!) malware infection vector now, the biggest risk these days is data leakage.

So the NSA isn’t scanning removable storage, eh? Perhaps it should follow IBM’s lead: in May, it banned USB drives entirely.
If the idea of banning these convenient pocket storage gizmos is too daunting, the NSA – and any organization, for that matter, be it large or small – should at least be encrypting the devices.
As far as no. 1 goes – inaccurate or incomplete security plans – we know that Snowden worked in an agency outpost in Hawaii that hadn’t been upgraded with modern security measures.
In 2014, the New York Times reported that NSA officials insisted that if Snowden had been working from NSA headquarters, in Maryland, his activity would likely have been flagged by monitors designed to detect when a huge volume of data was being accessed and downloaded.

One senior intelligence official told the Times that investigators had surmised that Snowden used cheap, widely available web crawler software designed to automatically search, index and back up a website in order to scrape data out of NSA systems while he went about his day job.
There were more details available in a damning report that came out last year: the August 2016 DOD Inspector General’s report on the National Security Agency’s (NSA) implementation of the “Secure-the-Net” initiative.
The “Secure-the-Net” (STN) initiative was launched post-Snowden and included 40 specific recommendations “focused on insider threats to NSA systems, data, and infrastructure”. Seven of those recommendations were designed to “secure network access, protect against insider threats and provide increased oversight of the personnel with privileged access”.
The seven STN initiatives were:

  • Develop and document a new system administration model.
  • Assess the number of system administrators across the enterprise.
  • Implement two-person access control over data centers and machine rooms.
  • Implement two-stage authentication control for system administration.
  • Reduce the number of persons with Privileged Access.
  • Reduce the number of authorized data transfer agents (those authorized to use removable media).
  • Oversee privileged user activities.

It’s not that the NSA didn’t attempt to implement all that, the report found: rather, it did a half-assed job at it.
For example:

[The] NSA did not effectively implement the three privileged access related STN initiatives… because it did not develop an STN strategy that detailed a structured framework and methodology to implement the initiatives and measure completeness.

With respect to two-factor authentication (2FA), the NSA implemented it for system admins, but not for those with privileged access. As we well know, Snowden bypassed the then-present privileged access controls and conned his colleagues into giving him their credentials – which he then went on to use to expand his access.
As we noted at the time of the 2016 report – which was acquired by the Times through a Freedom of Information Act (FOIA) – 2FA would have required the owner of the credentials to have been participatory in Snowden’s use of their credentials. In other words, the NSA managed to leave open the very window that Snowden climbed through to harvest the data he stole.
Furthermore, the report chastised the NSA for not having a clue about how many individuals had privileged access in 2014, nor in 2016, and nor could the NSA document how the purge/pruning had been carried out. That meant the inspection team couldn’t find out exactly how many people had privileged access.
Edward Snowden isn’t the only fury that’s flown through the NSA’s open windows. In November, we learned that a group calling itself the Shadow Brokers has since 2016 been dumping exploits and tools collected, hoarded and used by the NSA hacking group Tailored Access Operations (TAO). The Shadow Brokers put the TAO tools up for auction a mere week before the DOD Inspector General’s damning report.
Preventing insider threats is an ongoing problem, as demonstrated by the arrest of NSA contractor Reality Winner in 2016. Winner managed to take a highly classified document assessing and discussing the Russian military intelligence entity’s (the GRU’s) hand in meddling in the US election and used her privileged access to print it out. Then, she mailed it to a media outlet. Once the NSA saw the document, the agency quickly determined who had access and printed the document, and who’d been in contact with a media outlet.
What they couldn’t figure out: why Winner had privileged access to information about which she had no “need to know”.
There’s definitely been progress made at the NSA. But has there been enough progress to stop another Edward Snowden? The most recent audit suggests the answer is no.
By the sounds of it, the holes Snowden walked through are still big and gaping – somebody else could well walk right through them.


Lets hope those holes continue – at least as long as the group is performing criminal activity at the detriment of society. So that at least once and a while we can have a glimpse of how corrupt and malicious our government is, by those true patriots who sacrifice their own freedom to inform us.


There should never be “removable media” in classified areas. #3 “Removable media isn’t being properly scanned for viruses.” is not the problem. You don’t need malware to copy files onto USB drives. 32GB drives are available.
Back during the Iraq war, out guys bought USB drives at local markets – with operational data.


Agree, he wasn’t some elite hack that coded his way into the system. He just copied a ton of data to a USB that was readily available to most if not all employees internally to perform there jobs and walked out with it. Oh and the IG is not gonna make a agency do anything really, you need to have the GAO come in and audit them. Then, they will move there asses to change things FAST.


the one hack he did (if it counts as a hack) is Social Engineering, he tricked other people into giving up their passwords, which let him access data his credentials didn’t have access to.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!