11/13/2013
12:42 PM

How Did Snowden Do It?

Experts piece together clues to paint possible scenarios for how the NSA contractor accessed, downloaded, and leaked secret agency documents on its spying operations

The full story of just how Edward Snowden, the now-infamous systems administrator, was able to grab highly classified documents from the secretive spy agency and expose its controversial spying practices might never become public, but some clues have emerged that provide a clearer picture of how the most epic insider leak in history could have transpired.

Snowden, a former Booz Allen contractor who was working as a low-level systems admin for the NSA at its Hawaii post, reportedly coerced several of his colleagues to provide him with their credentials, according to a report by Reuters late last week. He may have convinced up to 25 staffers at the NSA regional operations center there to hand over their usernames and passwords under the pretext that he needed them for his job, according to the report.

Meanwhile, Gen. Keith Alexander, director of the NSA, in June told the House Permanent Select Committee on Intelligence that Snowden had "fabricated digital keys" to gain access to information to which he wasn't authorized. U.S. government officials reportedly told NPR that Snowden's responsibilities included moving highly sensitive documents off of NSA's intranet site, and that the documents he leaked, including memos, PowerPoint presentations, reports, court orders, and opinions, had been stored in a file-sharing sector of the intranet. That provided Snowden the cover he needed to siphon the files, according to the report.

Now security firm Venafi says it has figured out how it all went down: Snowden fabricated SSH keys and self-signed digital certificates to access and ultimately steal the NSA documents. And the company -- which provides security for crypto keys and digital certs -- is challenging the NSA and Snowden to prove its conclusion wrong. Snowden succeeded in stealing the documents, according to Venafi, because the NSA was unable to detect Snowden's unauthorized access to, and ultimate exfiltration of, the information.

"He took his credentials with his CAC [Common Access Card] to get onto systems, and as a systems admin, he had certain levels of privilege. From that basic platform, he was able to fabricate SSH [Secure Shell] keys that allowed him to jump to another system," says Jeff Hudson, CEO of Venafi. "He got to other systems, got elevated privileges, targeted the data, and used self-signed certificates in combination with SSH keys he fabricated to exfiltrate the data out of the NSA."

Hudson says Venafi studied and analyzed all of the public revelations about the case, including Alexander's mention of fabricated keys, connected the dots based on its own insight into attacks exploiting digital keys at global corporations, and gathered peer review from outside industry experts before publishing its conclusion today.

"We cross-referenced this with all we know about fabricating keys in organizations, and it points to only one thing: fabricating SSH keys to jump to other systems. Then how did he exfiltrate the data? He used encryption. In his own interview, he said encryption is the best system when it's well-managed, and it's not breakable," Hudson says. "And because he had elevated privileges, he could actually cover his tracks."

SSH, a cryptographic protocol for remote access and connection using an encrypted communications channel, is a key tool for systems admins.

What about the revelation that Snowden got his co-workers' credentials? "That absolutely ties in with [our conclusion]," says Kevin Bocek, vice president of product marketing and threat intelligence for Venafi. "Insiders don't want to be discovered, and it does take some time to go ahead and research your target, find data, and vulnerabilities you want to leverage."

Bocek says when you log into someone else's account, you can also get his SSH key and can potentially access his certificates. "Many enterprises and the NSA have systems to change passwords, but they don't change keys," he says.
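The gap Bocek describes, passwords that rotate while SSH keys stay in place, is something a defender can check for by inventorying `authorized_keys` entries against a list of approved keys. The sketch below is an added example, not code from the article or from Venafi; the approved-key inventory, the 90-day rotation window, the function names, and the sample keys are all constructed assumptions.

```python
import base64, hashlib, shlex, struct
from datetime import date
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of public key type names

def fingerprint(blob):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) for each well-formed entry."""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # leading options may hold quoted spaces
            idx = next(i for i, t in enumerate(tokens) if t.startswith(KEY_PREFIXES))
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n].decode() != tokens[idx]:
                continue  # declared type disagrees with the encoded blob
        except (ValueError, IndexError, StopIteration, struct.error):
            continue  # malformed line: skipped here, worth logging in practice
        yield tokens[idx], fingerprint(blob), " ".join(tokens[idx + 2:])

def audit(text, approved, today, max_age_days=90):
    """approved maps fingerprint -> issue date (hypothetical inventory format)."""
    findings = []
    for _type, fp, comment in parse_authorized_keys(text):
        issued = approved.get(fp)
        if issued is None:
            findings.append(("UNAPPROVED", fp, comment))  # key nobody signed off on
        elif (today - issued).days > max_age_days:
            findings.append(("STALE", fp, comment))       # approved, never rotated
    return findings

def constructed_key(seed):
    """Constructed sample blob in ssh-ed25519 wire layout (not a real key)."""
    pub = hashlib.sha256(seed).digest()
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub

ALICE, BOB, ROGUE = (constructed_key(s) for s in (b"alice", b"bob", b"rogue"))
def b64(blob): return base64.b64encode(blob).decode()
SAMPLE = "\n".join([
    "# constructed authorized_keys content for this example",
    f"ssh-ed25519 {b64(ALICE)} alice@ops",
    f'from="10.0.0.5",command="/usr/bin/backup run" ssh-ed25519 {b64(BOB)} bob@ops',
    f"ssh-ed25519 {b64(ROGUE)} tmp"])
APPROVED = {fingerprint(ALICE): date(2013, 10, 1), fingerprint(BOB): date(2012, 1, 15)}
print(audit(SAMPLE, APPROVED, today=date(2013, 11, 13)))
```

On the sample data the audit reports one approved key that has outlived the rotation window and one key that appears in no inventory, the two conditions a password-only rotation policy never surfaces.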

So far, none of the Snowden leaks has offered any additional details on how he accessed the sensitive NSA documents, but using others' credentials, indeed, was a big jump he needed, experts say.

"I don't think just having access would be enough to get in everything he ended up getting into or that we know he got into. It's hard to speculate on that," or on what exactly Alexander meant by "fabricating" keys, says Jared Thorkelson, president of DLP Experts. "But any way you slice this, it's a failure to follow widely accepted best practices across the board. It's just a total breakdown."

Sharing among privileged and admin account holders is fairly commonplace. More than half of organizations surveyed earlier this year by CyberArk said their "approved" users share their admin and privileged account passwords.

Snowden's social engineering of his colleagues to get their credentials played off an environment of trust. "Employees want to please their co-workers, so if he said, 'Hey, I need your help because I've gotta get something done' ... there's a trust that can be taken advantage of," says John Worrall, chief marketing officer at CyberArk. "What's troubling is there are a couple of basic tenets of security that you never want to screw around with, [including] you never share your credentials. The whole access control model is based on identity, and then the access model is useless and it blows up."

Worrall says between Snowden's own credentials and those of his co-workers, he may well have had plenty of power to get the documents he pilfered. "Just that alone is a big enough problem that may have allowed him to do what he did," he says.

Whether Snowden fabricated credentials isn't clear, Worrall says. "It depends on what access those other users had," he says. "You would also have the ability to manage the key vault encryption keys and things like that that would be a whole other level of access."


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
math scandals,
User Rank: Apprentice
12/11/2013 | 2:49:40 AM
re: How Did Snowden Do It?
Watching hearings between NSA and Congress, saw Director of NSA either lie 3 times or was reciting a script. Reportedly, when first appointed told NSA "I don't know math, u figure it out". Heard Congress parrot stuff, i.e. have been doing "metadata long time". If u asked "what do u mean by metadata? What is it like / functions vs say 'metadata in a Word doc'?" Clueless.

If I asked Congress or NSA director if agency using DPI, what is that, what info does it reveal?, doubt either could answer in intelligible fashion. They need to pay competent security consultant for hearings. Consultant would ask right questions, know if NSA hedging, lying etc. Security could explain program in English.

Those PhD 'pure mathematicians' that code crack are so out there. Few know that math. Totally not math used by engineers, CPAs etc. Mad at how math taught in school, some try to write books to make it kool for us. Typically they lose one after symmetry of pine cones and Fibonacci numbers. LOL

Those code crackers get blamed for much global mischief. Has led to some strange "conspiracy notions" among supposed allies. Guess Congress needs to know bout them too.

Get EZ-some in NSA that don't like snooping. Went thru channels. 2 rumors early 1) they loaded drive for him, 2) CIA tip or both. Al Qaeda changed phone, email codes before al-Awlaki got droned, not after Snowden as director said. Some reg folks changed behavior tho.
Kevin Bocek,
User Rank: Apprentice
11/18/2013 | 8:43:54 AM
re: How Did Snowden Do It?
Self-signed certs are being used to exfiltrate data even when paper organization policy does not allow it. Security bulletin from Cisco provides example background http://tools.cisco.com/securit...
Kevin Bocek,
User Rank: Apprentice
11/18/2013 | 8:40:08 AM
re: How Did Snowden Do It?
Snowden's root access would have been limited to the systems he had access to. The 10,000+ pages of docs and other reports indicate he gained access to many more systems than he had admin privileges. SSH provides both the means for elevated privileges and also encryption to evade detection. Attackers have been known to take SSH keys or insert their own as trusted and gain access thereafter. Self-signed certs here are about exfiltrating data, not accessing. Mandiant, Cisco, and others have reported on increased use of self-signed certs. Admins (or attackers) can generate self-signed certs at will even if paper policy doesn't allow for it.
marioa315,
User Rank: Apprentice
11/14/2013 | 8:51:02 PM
re: How Did Snowden Do It?
Have to agree with Charlie on this one. I was asking myself all the same questions. Why would the NSA of all people allow self-signed certs? Why would he need others' credentials if he had root? And just because you can sign on as someone else does not mean that you suddenly have in your possession their cert for later use. If implemented properly, it should only be available for use while logged into that account. But then again, the NSA could have been set up poorly to begin with. I am just assuming that they had better sense than that.
CharlieW848,
User Rank: Apprentice
11/14/2013 | 7:55:53 PM
re: How Did Snowden Do It?
Whoever fed you this information is full of crap. But I guess if I was to point the finger at someone, I would come up with something very technical so everyone would believe it.

So, why would someone with root-level access need other credentials with user-level access to get to data? And... since when do govt systems (even at the lowest level) trust self-signed certificates? Ah... they don't, because if they did, there would be a major hole in the security of gov't networks.
rjones2818,
User Rank: Strategist
11/14/2013 | 7:55:48 PM
re: How Did Snowden Do It?
Hire the man! :)
Don Gray,
User Rank: Apprentice
11/13/2013 | 9:09:52 PM
re: How Did Snowden Do It?
And that boys and girls is why we advocate 24x7 log / alert monitoring using contextual enrichment!

The NSA obviously didn't:

- Perform monitoring on anything approaching a real-time basis
- Have the ability to tie user context into the security policies and controls
- Have Intranet "normal usage" thresholds in place

Detecting technically authorized yet out-of-defined-role access is nearly impossible without these capabilities available and the people and process to execute.