Whistleblower Edward Snowden apparently used a USB thumb-drive to smuggle out hundreds of top-secret documents before he blew the lid off the NSA's web-spying project PRISM. This is despite the Pentagon's clampdown on the gadgets.
Unnamed officials told the Los Angeles Times that they were well on the way to figuring out which sensitive files the ex-CIA technician obtained, and which servers he swiped them from. Snowden left Hawaii, where he was working for a defence contractor, with four laptops that “enabled him to gain access to some of the US government’s most highly-classified secrets”, The Guardian added.
Only a small proportion of this confidential information has made its way into the public domain: the tiny cache includes four slides of a 41-page top-secret presentation about PRISM, and the low down on another classified programme called Boundless Informant, which produces a worldwide "heat map" of data gathered by the NSA.
Computer usage at the National Security Agency is tightly controlled. But Snowden was a systems administrator employed by contractor Booz Allan Hamilton to maintain the spooks' network, and thus had sufficient privileges to use flash drives as part of his job.
The chairman of the US House of Representative's select intelligence committee Mike Rogers (R-Michigan) said Snowden “attempted to go places that he was not authorised to go” on the NSA’s network and that a damage assessment was underway to determine whether any other data was lifted, The New York Times reported.
The Pentagon banned thumb drives after one was infected by the SillyFDC worm and plugged into a Windows-powered military computer, allowing the malware to spread across sensitive government networks in 2008. The ban was later rescinded.
However, the rules were once again tightened in December 2010 after American army intelligence analyst Bradley Manning used removable media to smuggle out confidential diplomatic and military reports: it is alleged he copied hundreds of thousands of files from SIPRNet, the US Department of Defense’s classified intranet, onto a writeable CD disguised as a disc of Lady Gaga music. Manning is on trial after denying his subsequent leaking of the data "aided the enemy", but pleaded guilty to ten charges of misusing and transmitting the information.
Restrictions were placed on portable storage technology across all the arms of the US military and intelligence community: Major General Richard Webber, commander of the US Air Force Network Operations, put out a memo ordering personnel to “immediately cease use of removable media on all systems, servers, and standalone machines residing on SIPRNET”.
But such blanket bans have been hard to maintain in practice. The NSA uses auditing software that records every keystroke and other computer activities, but Snowden evidently found a way around these watchdogs.
Staff wandering off with critical data is not just a problem for US military chiefs and spymasters: just a few months ago another sysadmin, this time working for a Swiss intelligence service, was implicated in a similar though far less high-profile database breach.
Chief exec of security tools firm Cyber-Ark Udi Mokady commented: “There is an important lesson to be learnt here on the vast power entrusted to employees and the potential damage that can ensue if these internal privileges are misused. Regardless of whether or not you agree with Snowden’s actions and his political motivations, organisations should not lose sight of the fundamental truth that he was exposed to this highly sensitive information via the internal privileged credentials that he was privy to.
"There’s almost an unfortunate sense of déjà vu here as well, as just six months previously, intelligence agencies in the US and UK were warned that secret information on counter-terrorism shared by foreign governments may have been compromised and stolen by a senior IT technician for Switzerland's intelligence service."
Eric Chiu, president of cloud control firm HyTrust, added: “Systems administrators in particular, although low level, typically have the highest access to systems and data, given they manage those systems. Without implementing adequate role-based access controls based on least-privileged access, companies and organisations are granting god-like access to their systems administrators. And cloud and virtual infrastructure make the insider problem worse since administrators can access any virtual machine to potentially copy and steal sensitive data or potentially destroy the virtual data centre in the push of a button.” ®