Figuring out how Edward Snowden breached National Security Agency computers is sort of like solving a puzzle. Take public information, such as the congressional testimony of the NSA director and Snowden's own words, and match it with an understanding how organizations get hacked, and the pieces seem to fall into place.
See Also: Ransomware: The Look at Future Trends
Security software maker Venafi says it used that approach to conclude that Snowden fabricated secure shell keys and digital certificates to gain access to documents on NSA computers he had no right to access. Secure shell, or SSH, is a cryptographic network protocol used to secure a channel linking two computers over an insecure network.
If he had not used encryption, he absolutely would have been caught in his tracks right way.
Jeff Hudson, Venafi's CEO, challenges the NSA and Snowden to prove him wrong. An NSA spokeswoman declined to comment on Venafi's analysis, referring comments to the Department of Justice, which is conducting the investigation into the Snowden leaks. DoJ also declined to comment.
Venafi isn't the first organization to offer its take on how Snowden breached NSA computers, leaking stolen data to reveal secrets about NSA surveillance programs (see NSA E-Spying: Bad Governance). The news service Reuters reports that Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media. Reuters, citing a source, says Snowden may have persuaded about two dozen fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator.
Exploiting Systems Administrator's Privileges
But Venafi went further. Employing Lockheed Martin's Kill Chain model - which identifies patterns that link individual intrusions into broader campaigns - Venafi in its analysis surmises that Snowden employed existing systems administrator's security privileges to determine what information was available and where it was stored. Then, he gained unauthorized access to other administrative SSH keys and made it look as if he could be trusted and gain access to files and systems he wasn't authorized to see. "This is relatively easy to do if the organization has not protected and secured these technologies, the capabilities," Hudson says. "The NSA hadn't, and most global 2000 companies haven't."
NSA Director Gen. Keith Alexander told Congress that Snowden was able to fabricate digital keys because of the agency's failure to detect anomalies, according to Venafi's report. "Venafi's analysis of statements from Gen. Alexander in congressional testimony gives credence to the theory that Snowden generated credentials," says Richard Stiennon, a security analyst and author of the book Surviving Cyberwar.
Hudson, in an interview with Information Security Media Group, says Snowden exploited security technologies to move from one computer to another. "These systems gave him greater and greater privilege, and greater and greater access," Hudson says. "What he did was use the classic attack method: he surveilled the situation, he targeted the data he wanted; he got onto those systems; he exfiltrated the data."
With massive amounts of data, Snowden needed to transfer information among systems undetected, and he apparently did that by encrypting the data he pilfered, according to the analysis. The Venafi analysis quotes Snowden as saying: "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."
By encrypting the data, Hudson says, Snowden was able to keep the transfer of top-secret data hidden from the NSA. "If he had not used encryption," he contends, "he absolutely would have been caught in his tracks right way."
Hudson says Snowden also altered systems' log files to camouflage his malicious actions.
Of course, being in the business of selling software and services to secure cryptographic keys and digital certificates provides Venafi with a financial incentive to warn other organizations about the insider threat posed by the likes of Snowden. Still, cybersecurity concerns Venafi presents are worthy of consideration. Is Venafi objective in its analysis? You can be the judge of that. Let us know what you think by commenting in the space below.