Second-rate opsec remained pervasive at the United States' National Security Agency, according to an August 2016 review now released under Freedom of Information laws.
It's almost surprising that the agency was able to cuff Reality Winner, let alone prevent a wholesale Snowden-style leak. The Department of Defense Inspector General report, first obtained by the New York Times, finds everything from unsecured servers to a lack of two-factor authentication.
The formerly classified review (PDF) was instigated after Snowden exfiltrated his million-and-a-half files between August 2012 and May 2013.
"NSA did not have guidance concerning key management and did not consistently secure server racks and other sensitive equipment in the data centers and machine rooms" under its "Secure-the-net" initiative, the report says.
Data centre access is supposed to be governed by two-person access controls, the report notes, and the rollout of 2FA to "all high-risk users" was incomplete at the time of writing.
The agency had too many users with admin privileges, the report continues; those users were insufficiently monitored, and the NSA had not cut the number of agents authorised to carry out data transfers.
Giving the NSA more funding could probably fix it.
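The two findings that matter most to an identity engineer are the incomplete two-person access controls and the incomplete 2FA rollout for high-risk users. Below is an added example (not code from the IG report, from The Register, or from any NSA system) of how a dual-authorization gate for a sensitive operation such as a rack unlock or a bulk data transfer is built so that it fails closed: two distinct approvers from an approved roster, neither of them the requester, each authenticated with 2FA, each approval bound to the specific request, time-limited, and HMAC-signed so a stale or forged approval cannot be replayed. The roster, the ten-minute window, the per-approver keys and the request names are constructed for the example.

```python
"""Two-person authorization gate for a sensitive operation.

Added example: the approver roster, per-approver keys, 10-minute window
and request identifiers are constructed assumptions, not taken from the
IG report or from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

APPROVAL_WINDOW = timedelta(minutes=10)            # assumption: approvals expire
AUTHORIZED_APPROVERS = {"alice", "bob", "carol"}   # constructed roster

# Constructed per-approver secrets standing in for hardware-token keys.
# 'dave' holds a key but is deliberately NOT on the approver roster.
APPROVER_KEYS = {
    "alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol", "dave": b"k-dave",
}


@dataclass(frozen=True)
class Approval:
    request_id: str      # the exact request this approval authorizes
    approver: str
    mfa_verified: bool   # approver's session passed a second factor
    issued_at: datetime
    signature: str       # HMAC-SHA256 over request_id|approver|issued_at


def _mac(key: bytes, request_id: str, approver: str, issued_at: datetime) -> str:
    msg = f"{request_id}|{approver}|{issued_at.isoformat()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_approval(approver: str, request_id: str, issued_at: datetime,
                  mfa_verified: bool = True) -> Approval:
    """Produce an approval the way an approver's token would."""
    sig = _mac(APPROVER_KEYS[approver], request_id, approver, issued_at)
    return Approval(request_id, approver, mfa_verified, issued_at, sig)


def authorize(request_id: str, requester: str, approvals, now: datetime):
    """Return (granted, reason). Any single defect denies the request."""
    valid_approvers = set()
    for a in approvals:
        if a.request_id != request_id:
            return False, f"approval bound to different request: {a.request_id}"
        if a.approver not in AUTHORIZED_APPROVERS:
            return False, f"{a.approver} is not an authorized approver"
        if a.approver == requester:
            return False, "requester cannot approve own request"
        if not a.mfa_verified:
            return False, f"{a.approver} did not authenticate with 2FA"
        if not (now - APPROVAL_WINDOW <= a.issued_at <= now):
            return False, f"approval from {a.approver} outside window"
        expected = _mac(APPROVER_KEYS[a.approver], request_id, a.approver, a.issued_at)
        if not hmac.compare_digest(expected, a.signature):
            return False, f"bad signature from {a.approver}"
        valid_approvers.add(a.approver)   # a set, so one person twice counts once
    if len(valid_approvers) < 2:
        return False, f"need two distinct approvers, got {len(valid_approvers)}"
    return True, "granted"


def run_scenarios():
    """Exercise the gate against the failure modes the audit findings imply."""
    now = datetime(2017, 6, 20, 12, 0, tzinfo=timezone.utc)
    rid = "rack-17-unlock"

    def fresh(who, **kw):
        return sign_approval(who, rid, now - timedelta(minutes=2), **kw)

    return {
        "two_distinct": authorize(rid, "dave", [fresh("alice"), fresh("bob")], now),
        "same_person_twice": authorize(rid, "dave", [fresh("alice"), fresh("alice")], now),
        "self_approval": authorize(rid, "alice", [fresh("alice"), fresh("bob")], now),
        "no_2fa": authorize(rid, "dave", [fresh("alice", mfa_verified=False), fresh("bob")], now),
        "stale": authorize(rid, "dave",
                           [fresh("alice"), sign_approval("bob", rid, now - timedelta(hours=1))], now),
        "not_on_roster": authorize(rid, "erin", [fresh("alice"), fresh("dave")], now),
        "wrong_request": authorize(rid, "dave",
                                   [fresh("alice"), sign_approval("bob", "rack-18-unlock", now)], now),
        "forged": authorize(rid, "dave",
                            [fresh("alice"), Approval(rid, "bob", True, now, "00" * 32)], now),
    }


if __name__ == "__main__":
    for name, (granted, reason) in run_scenarios().items():
        print(f"{name:18} {'GRANT' if granted else 'DENY ':5} {reason}")
```

The point of binding each approval to the request id and a short window is that approvals cannot be stockpiled or reused for a different transfer; the set of distinct approvers is what makes the control two-person rather than two-click. In a real deployment the HMAC key would live in the approver's token or HSM and the roster would come from the identity provider, not a dict.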
Related Stories
A former National Security Agency employee who worked at Tailored Access Operations has pleaded guilty to willful retention of national defense information, the same charge Harold T. Martin III faces:
A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.
Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence. Prosecutors agreed not to seek more than eight years, however, and Mr. Pho's attorney, Robert C. Bonsib, will be free to ask for a more lenient sentence. He remains free while awaiting sentencing on April 6.
Mr. Pho had been charged in secret, though some news reports had given a limited description of the case. Officials unsealed the charges on Friday, resolving the long-running mystery of the defendant's identity.
Mr. Pho, who worked as a software developer for the N.S.A., was born in Vietnam but is a naturalized United States citizen. Prosecutors withheld from the public many details of his government work and of the criminal case against him, which is linked to a continuing investigation of Russian hacking.
Related: "The Shadow Brokers" Claim to Have Hacked NSA
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
NSA Had NFI About Opsec: 2016 Audit Found Laughably Bad Security
Reality Winner NSA Leak Details Revealed by Court Transcript
(Score: 2) by JoeMerchant on Tuesday June 20 2017, @07:07PM (1 child)
Presumably, these NSA types do stuff with the data on their servers, so keeping that information accessible is also important to enabling them to perform their job functions.
Of course, it can be made incrementally more secure by making the data incrementally less accessible... 2FA shouldn't be an onerous thing, but really reducing the number of admins and enforcing 2 person access controls will make more work for the existing (presumably not expanding) headcount...
🌻🌻 [google.com]
(Score: 0) by Anonymous Coward on Wednesday June 21 2017, @06:03AM
They have SELinux, and supposedly a Windows equivalent available for all their M$ systems....
So why wasn't this in use on servers across their network?
How much of this is NSA personnel's fault and how much of it is subcontractors? There should be documentation to make it clear who was doing what to all these systems, and this should have a *LOT* of scrutiny placed on it. If it was contractors responsible for these insecure servers, then it might be time to permanently expel the current contractor companies and all their executive level staff, with any lower level personnel who might subcontract under a new company put on probation with their work verified, audited, and documented by ACTUAL NSA personnel until such time as they can be considered trustworthy again (If not for some possible institutional knowledge I would just say ban *ALL* subcontractors, and bring everything back in-house. Subcontracting your intelligence activities at *ANY* level of government is a HORRIBLE HORRIBLE idea. The sole reason to do so is plausible deniability by using intelligence assets which cannot be directly tied to your government.)
(Score: -1, Troll) by Anonymous Coward on Tuesday June 20 2017, @07:15PM (9 children)
When a business does poorly, it goes bankrupt.
When a government does poorly, it demands more money.
Then again, what did you expect from a monopoly, especially one that is violently imposed?
(Score: 2) by arslan on Tuesday June 20 2017, @10:43PM (1 child)
It demands more money and more of your liberty and privacy. The latter bit is worse I think.
(Score: 0) by Anonymous Coward on Tuesday June 20 2017, @11:10PM
In many ways, taking your money is taking your liberty.
(Score: 0) by Anonymous Coward on Wednesday June 21 2017, @12:42AM (6 children)
Right. If I were the ruler of a country at war, and it was losing battles to an aggressor, obviously my generals are going to demand more money to be able to recruit more soldiers, get better weaponry, and do all the other things necessary to wage the war to victory. If I denied that money to the army, I'd soon lose the war, and my country would be conquered. The main difference between a government and a business is that a government is instituted to provide services for its citizens, like you know, providing military defence from aggressors. Removing money from government means less such services, and setting them up to fail. Not that I'd mind for the NSA itself to fail, because I don't believe the service they provide is useful or even necessary to the citizenry.
(Score: 0) by Anonymous Coward on Wednesday June 21 2017, @02:23AM (4 children)
You say "a government is instituted to provide services for its citizens" and then note about the NSA "I don't believe the service they provide is useful or even necessary to the citizenry."
You imply that it's good and proper to force people to fund the military, yet you note that you want to fund the military—no force is necessary.
If this government thing is squandering resources on useless or unnecessary services, or failing to protect you from foreign onslaught, then maybe you should be funding a different organization—why would you die to uphold this one particular organization that is so badly failing you?
The only difference between a business and a government is that you, personally, have this strange almost religious devotion to the government; you almost define its actions to be correct. Well, guess what? It's not magical; it's just another organization.
(Score: 0) by Anonymous Coward on Wednesday June 21 2017, @03:26AM (1 child)
Oh good, it sounds like in this ideal world, my ambition to become a charismatic leader who rallies armies to plunder the resources of the "undeserving" would be perfectly fine.
It should especially work to my advantage that all I have to do is conquer contract enforcers one at a time and enslave their clients before it's too late and the rest of the contract enforcers try to form a confederacy of sorts to fight my armies.
(Score: 0) by Anonymous Coward on Wednesday June 21 2017, @03:58AM
I said nothing about contract enforcers!
We have to get past your own delusions before we can even start talking about mine...
(Score: 2) by FatPhil on Wednesday June 21 2017, @12:48PM (1 child)
That's not a contradiction, that's an observation that it's an imperfect implementation. I say a school exists to provide useful lessons to children but some of the teachers are crap. I say a restaurant exists to provide tasty food, but some of the dishes suck. These are not contradictions.
> You imply that it's good and proper to force people to fund the military, yet you note that you want to fund the military—no force is necessary.
That's not a contradiction either. It's good and proper to force rail providers to run their trains on time, yet I note that rail providers want to run their trains on time with no force necessary. Not a contradiction.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday June 21 2017, @11:50PM
The implication is that a government will do well by its citizens, but then that point is contradicted. In actuality, you cannot be sure, which makes suspect the whole idea of granting this one particular organization such a magical role.
The implication is that it's necessary to force people to fund a particular organization in order to ensure their defense, but the OP says he'd gladly fund an organization that is defending him—there's no reason that a government must be that organization.
(Score: 2) by kaszz on Wednesday June 21 2017, @04:23AM
They are providing military defense from their citizens. They have more rewarding projects than defending the country.
(Score: 3, Insightful) by frojack on Tuesday June 20 2017, @08:26PM
Reality Winner was a pretty stupid person. Yellow dots have been a thing for well over 10 years.
The intel she stole wasn't worth the effort; it was all Russian info, and contained nothing that was not clearly within the Congressionally mandated mission of the NSA. It was only classified because it revealed sources, not because the content was official US secrets.
I half suspect she was a pawn used by someone else to achieve a short lived political talking point.
Snowden was much smarter.
I doubt he would be hindered by any of the changes recommended in this Review, because, after all, he was authorized to utilize all of those 1.5 million files that he exfiltrated, if not by eyes on each of them, then simply by use of automated search and retrieval tools.
No, you are mistaken. I've always had this sig.
(Score: 2) by linkdude64 on Tuesday June 20 2017, @09:15PM (3 children)
I'm sure a convenient and reliable custom 2FA system could be designed and implemented by them, say with key fobs or something, but they would design it with a backdoor wider than a barn and defeat the purpose.
(Score: 2) by butthurt on Tuesday June 20 2017, @10:53PM (2 children)
I didn't read the article. Why would the NSA tolerate a back-door in its internal systems? Out of mere force of habit?
(Score: 0) by Anonymous Coward on Tuesday June 20 2017, @11:15PM
We all leave the backdoor open (or a spare key under a rock) for when we need it.
(Score: 2) by TheRaven on Wednesday June 21 2017, @08:38AM
sudo mod me up
(Score: 2, Insightful) by redneckmother on Tuesday June 20 2017, @10:33PM (1 child)
"Giving the NSA more funding could probably fix it."
You forgot the <sarcasm> tag.
Mas cerveza por favor.
(Score: 2) by Phoenix666 on Wednesday June 21 2017, @12:56PM
I did. I relied on the strength of my composition to convey that. Most people caught the meaning though.
Washington DC delenda est.
(Score: 0) by Anonymous Coward on Wednesday June 21 2017, @12:03PM
Let's give these people that can't secure their own data or the data of the other government agencies the keys to everyone's data, that's the ticket, and by that I mean all the open tickets for ransomware that have been caused by them.
Spies that were meant to spy on the USSR, and that are now primarily used to compromise the "free" world, have no legitimate purpose.