How Did Snowden Do It?

Experts piece together clues to paint possible scenarios for how the NSA contractor accessed, downloaded, and leaked secret agency documents on its spying operations

The full story of just how Edward Snowden, the now-infamous systems administrator, was able to grab highly classified documents from the secretive spy agency and expose its controversial spying practices might never become public, but some clues have emerged that provide a clearer picture of how the most epic insider leak in history could have transpired.

Snowden, a former Booz Allen contractor who was working as a low-level systems admin for the NSA at its Hawaii post, reportedly coerced several of his colleagues to provide him with their credentials, according to a report by Reuters late last week. He may have convinced up to 25 staffers at the NSA regional operations center there to hand over their usernames and passwords under the pretext that he needed them for his job, according to the report.

Meanwhile, Gen. Keith Alexander, director of the NSA, in June told the House Permanent Select Committee on Intelligence that Snowden had "fabricated digital keys" to gain access to information to which he wasn't authorized. U.S. government officials reportedly told NPR that Snowden's responsibilities included moving highly sensitive documents off of NSA's intranet site, and that the documents he leaked, including memos, PowerPoint presentations, reports, court orders, and opinions, had been stored in a file-sharing sector of the intranet. That provided Snowden the cover he needed to siphon the files, according to the report.

Now security firm Venafi says it has figured out how it all went down: Snowden fabricated SSH keys and self-signed digital certificates to access and ultimately steal the NSA documents. And the company -- which provides security for crypto keys and digital certs -- is challenging the NSA and Snowden to prove its conclusion wrong. Snowden succeeded in stealing the documents, according to Venafi, because the NSA was unable to detect Snowden's unauthorized access to, and ultimate exfiltration of, the information.

"He took his credentials with his CAC [Common Access Card] to get onto systems, and as a systems admin, he had certain levels of privilege. From that basic platform, he was able to fabricate SSH [Secure Shell] keys that allowed him to jump to another system," says Jeff Hudson, CEO of Venafi. "He got to other systems, got elevated privileges, targeted the data, and used self-signed certificates in combination with SSH keys he fabricated to exfiltrate the data out of the NSA."

Hudson says Venafi studied and analyzed all of the public revelations about the case, including Alexander's mention of fabricated keys, connected the dots based on its own insight into attacks exploiting digital keys at global corporations, and gathered peer review from outside industry experts before publishing its conclusion today.

"We cross-referenced this with all we know about fabricating keys in organizations, and it points to only one thing: fabricating SSH keys to jump to other systems. Then how did he exfiltrate the data? He used encryption. In his own interview, he said encryption is the best system when it's well-managed, and it's not breakable," Hudson says. "And because he had elevated privileges, he could actually cover his tracks."

SSH, a cryptographic protocol for remote access and connection using an encrypted communications channel, is a key tool for systems admins.

What about the revelation that Snowden got his co-workers' credentials? "That absolutely ties in with [our conclusion]," says Kevin Bocek, vice president of product marketing and threat intelligence for Venafi. "Insiders don't want to be discovered, and it does take some time to go ahead and research your target, find data, and vulnerabilities you want to leverage."

Bocek says when you log into someone else's account, you can also get his SSH key and can potentially access his certificates. "Many enterprises and the NSA have systems to changes passwords, but they don't change keys," he says.

So far, none of the Snowden leaks has offered any additional details on how he accessed the sensitive NSA documents, but using others' credentials, indeed, was a big jump he needed, experts say.

"I don't think just having access would be enough to get in everything he ended up getting into or that we know he got into. It's hard to speculate on that," or on what exactly Alexander meant by "fabricating" keys, says Jared Thorkelson, president of DLP Experts. "But any way you slice this, it's a failure to follow widely accepted best practices across the board. It's just a total breakdown."

Sharing among privileged and admin account holders is fairly commonplace. More than half of organizations surveyed earlier this year by CyberArk said their "approved" users share their admin and privileged account passwords.

Snowden's social-engineering of his colleagues to get their credentials played off of an environment of trust. "Employees want to please their co-workers, so if he said, 'Hey, I need your help because I've gotta get something done' ... there a trust that can be taken advantage of," says John Worrall, chief marketing officer at CyberArk. "What's troubling is there are a couple of basic tenets of security that you never want to screw around with, [including] you never share your credentials. The whole access control model is based on identity, and then the access model is useless and it blows up."

Worrall says between Snowden's own credentials and that of his co-workers, he may well have had plenty of power to get the documents he pilfered. "Just that alone is a big enough problem that may have allowed him to do what he did," he says.

Whether Snowden fabricated credentials isn't clear, Worrall says. "It depends on what access those other users had," he says. "You would also have the ability to manage the key vault encryption keys and things like that that would be a whole other level of access."

Next: Getting the NSA to come clean

Venafi, meanwhile, outlined in its report what we know about Snowden's work responsibilities and role: As a contractor, he would have a CAC card with its own crypto keys and digital certificates that authenticated him and provided him access to information he was allowed to reach. And as a systems admin, he would use SSH keys to authenticate to and manage systems he oversaw.

"Prior to working for the NSA, Snowden is known to have tested the limits of his administrator privileges to gain unauthorized access to classified information while at his CIA post in Geneva, Switzerland," Venafi said in its report. And Snowden was known to have thin-client, not full client, access to NSA's network.

Snowden likely used his own access to see what was out there and got into areas he wasn't authorized via other admin SSH keys, Venafi believes. "Using usernames and passwords from colleagues could afford him more opportunities to take keys or insert his own as trusted. Having 'root' or equivalent administrative status gave Snowden total access to all data," the report says. He downloaded the files via encrypted sessions that were authenticated with self-signed certificates, Venafi surmises.

"We know he had privileges because he was able to hide his tracks and edit the activity logs," Hudson says.

[The NSA leaks by a systems administrator have forced enterprises to rethink their risks of an insider leak and their privileged users' access. See 5 Steps To Stop A Snowden Scenario.]

"As a leading organization responsible for contributing to U.S. national and global cyberdefense, the NSA has a responsibility to disclose the truth behind the breach," Hudson says.

But it's unlikely the NSA will ever pony up publicly with the details on how Snowden was able to execute the embarrassing and massive insider attack.

"I don't think we'll ever get the truth out of the NSA, or an accurate portrayal from Snowden, either," DLP Experts' Thorkelson says. "I have to believe he has publishers just pounding on his door ... He's going to [eventually] have a financial motive."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights