NSA had NFI about opsec: 2016 audit found laughably bad security

Second-rate opsec remained pervasive at the United States' National Security Agency, according to an August 2016 review now released under Freedom of Information laws. It's almost surprising that the agency was able to cuff Reality Winner, let alone prevent a wholesale Snowden-style leak. The Department of Defense Inspector …

  1. Anonymous Coward

    Surely this can't be right? I was only watching one of those moving picture thingys the other day and you had to be a top hacker to gain access and once you did you had five minutes before agents knocked down your door and arrested you.

    1. Palpy

      RE: moving picture thingies.

      Oh, I think the Bourne Documentary series showed conclusively how a single operative, with suitable skills and hidden memories, can eat a spy service's lunch without breaking a sweat. (I am working on developing such skills, and currently I am able to (usually) open a jam jar. I must sometimes resort to my wife to determine which direction to twist, however.)

      Security aside, it seems a recent study estimated how long any conspiracy could remain secret, given the number of people involved in the conspiracy. It appears that if more than about 2500 people are in on the plot, then it will probably be revealed in 5 years or less. While it seems logical that better selection and indoctrination of those to be privy to the conspiracy would help, that may be a fallacy: no selection process can delve deeply enough to predict changes of heart, evolving ethical awareness, and so forth. So given enough participants, a Chelsea Manning, an Edward Snowden, or a Reality Winner might be inevitable.

  2. Anonymous Coward

    Can't wait till ISIS recruits infiltrate the NSA....

    Would have thought it unthinkable.. But this comedy of errors, it's the stuff of 'Burn After Reading' etc. So many holes, so many outside contractors..

    1. Doctor Syntax Silver badge

      Re: Can't wait till ISIS recruits infiltrate the NSA....

      They haven't?

      1. John Jennings

        Re: Can't wait till ISIS recruits infiltrate the NSA....

        Probably outsourced the support desk to Afghanistan.

        1. Anonymous Coward

          Re: Can't wait till ISIS recruits infiltrate the NSA....

          Probably got a few sympathisers in there already. Plus a few bribeables.

          1. Anonymous Coward

            Re: Can't wait till ISIS recruits infiltrate the NSA....

            Probably got a few sympathisers in there already. Plus a few bribeables.

            Nah. All you need is a couple of misguided activists. Cheaper too.

            To be honest, I do NOT like leaks (no, really, secrecy has its place IMHO) but given that agencies behave like they have something to hide it appears that is the only way by which they will maybe be forced to become a tad more accountable. I assume that won't happen in my lifetime, though.

          2. Tom Paine

            Re: Can't wait till ISIS recruits infiltrate the NSA....

            what about the rest of the M.I.C.E.?

  3. frank ly

    2 sweet FA

    "... the rollout of 2FA to “all high-risk users” was ..."

    Is that because the users were at risk due to where they worked or were themselves a risk and so the 2FA could be centrally killed if needed?

    1. Amos1

      Re: 2 sweet FA

      Neither. The use of 2FA would reveal them to be NSA operatives because real companies and real people don't use it. Therefore the use of 2FA would be what put them in a high-risk position because it would "out" them.

    2. Anonymous Coward

      Re: 2 sweet FA

      Everyone already has a second factor - the CAC card - so rolling this out shouldn't be that difficult. I'm shocked it wasn't already in place at the NSA, to be honest. It has been pretty standard in the corporate world - first for VPN access and lately for everything - for some time now.

      While 2FA is a necessity to implement here, how is this going to resolve issues like Snowden or Winner? It wouldn't have prevented either instance. Snowden could have been prevented by requiring "two in a box" for admin access, but that would increase cost a lot. Manning's dump could have been prevented by limiting the amount of classified data someone can download without special approval.

      Not sure there's any way to prevent leaking a small amount of information like Winner. You can ban printing of classified information by most people (making it harder for regular work to get done) but determined leakers could take photos of the screen. Well, unless they require you to surrender all phones at the door when entering, and make you walk through a metal detector to ensure you don't have one concealed on you.
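The "limit how much classified data someone can download without special approval" control mentioned in the comment above can be approximated with a very small volume check over download audit records. The following is an added example written for this thread, not code from The Register, the DoD IG report or any commenter; the record format (timestamp, user, action, classification, size in KB, approval ticket or "-"), the user names, the approval ticket ids and the 5000 KB threshold are all constructed for illustration and do not correspond to any real agency format or policy.

```python
"""Added example: per-user volume check over constructed download audit
records, flagging classified downloads that exceed a threshold without an
approval ticket. Record format and data are hypothetical."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Classification levels that count toward the unapproved-volume total (assumed set).
CLASSIFIED_LEVELS = {"CONFIDENTIAL", "SECRET", "TOPSECRET"}

# Constructed threshold: more than this many KB of classified downloads with no
# approval ticket in the window raises an alert.
THRESHOLD_KB = 5000

# Constructed audit lines: ts user action level size_kb approval_ticket_or_dash
# (the last line is deliberately malformed to show the parser skipping it).
SAMPLE_AUDIT = """\
2016-08-01T09:02:11Z alice DOWNLOAD SECRET 120 -
2016-08-01T09:05:42Z alice DOWNLOAD SECRET 340 -
2016-08-01T10:11:03Z bob DOWNLOAD UNCLASSIFIED 9000 -
2016-08-01T10:15:19Z carol DOWNLOAD TOPSECRET 2048 -
2016-08-01T10:16:00Z carol DOWNLOAD TOPSECRET 4096 -
2016-08-01T10:20:30Z carol DOWNLOAD TOPSECRET 3000 -
2016-08-01T11:00:00Z dave DOWNLOAD SECRET 8000 APPR-0042
2016-08-01T11:30:00Z dave DOWNLOAD SECRET 3000 APPR-0042
2016-08-01T12:00:00Z erin PRINT SECRET 50 -
2016-08-01T12:30:00Z truncated record
"""


@dataclass(frozen=True)
class AuditEvent:
    ts: str
    user: str
    action: str
    level: str
    size_kb: int
    approval: str | None  # approval ticket id, or None when the field is "-"


def parse_audit(text: str) -> list[AuditEvent]:
    """Parse the hypothetical six-field audit format; malformed lines are skipped."""
    events: list[AuditEvent] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue  # do not let one bad record abort the whole check
        ts, user, action, level, size, approval = fields
        events.append(AuditEvent(ts, user, action.upper(), level.upper(),
                                 int(size), None if approval == "-" else approval))
    return events


def unapproved_classified_volume(events: list[AuditEvent]) -> dict[str, int]:
    """Sum classified DOWNLOAD sizes per user, ignoring events that carry an approval ticket."""
    totals: defaultdict[str, int] = defaultdict(int)
    for e in events:
        if e.action != "DOWNLOAD" or e.level not in CLASSIFIED_LEVELS or e.approval:
            continue
        totals[e.user] += e.size_kb
    return dict(totals)


def find_violations(events: list[AuditEvent], threshold_kb: int) -> list[tuple[str, int]]:
    """Return (user, KB) pairs over the threshold, largest first."""
    totals = unapproved_classified_volume(events)
    return sorted(((u, v) for u, v in totals.items() if v > threshold_kb),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    evs = parse_audit(SAMPLE_AUDIT)
    for user, kb in find_violations(evs, THRESHOLD_KB):
        print(f"ALERT: {user} downloaded {kb} KB of classified material without an approval ticket")
```

On the sample data only carol trips the threshold (9144 KB unapproved); dave's larger total is covered by a ticket, bob's download is unclassified and erin's PRINT event is a different action. A real deployment would key the window by time rather than by whole file, and would log the approved totals too, since an approval ticket changes who is accountable rather than whether the volume is worth noticing.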

      1. tom dial Silver badge

        Re: 2 sweet FA

        The CAC, as far as I know, was universally used in DoD by 2009 or earlier. For PCs. My agency had a number of non-PC machines in locked or otherwise access controlled rooms that were not equipped for 2FA either with smartcard readers or the requisite software. I suspect that in the major DISA data centers that also was true, especially for the likes of zSeries and Unisys mainframes. I certainly wouldn't argue that it was a good thing, but it would have taken more than a minor effort to implement across the number and variety of machines I suspect are present on NSA premises.

        One more comment on the finding about reduction in the number of administrators with privileged access: one of the actions taken reportedly was to do administration in pairs. That would have run seriously against an absolute reduction in privileged access personnel since it would increase the labor required for administration by a factor of at least two.

        1. Robert Helpmann??
          Childcatcher

          Re: 2 sweet FA

          While 2FA may be non-trivial to implement on all systems, it may be implemented on the systems needed to reach those that don't have it. To my mind, the lack of physical security on servers is more damning than the fact that 2FA had not been fully deployed or implemented.

      2. Tom Paine
        WTF?

        Re: 2 sweet FA

        It has been pretty standard in the corporate world - first for VPN access and lately for everything - for some time now.

        O RLY?

        In the last five years I've worked for a US-based multinational (c.50k employees), a London fintech startup (c.120), a huge US bank (250k users), and now a large trading firm (5000 users). None have used 2FA for anything but VPN access, and two of them didn't even use it for that. I've literally never seen or heard of 2FA for desktop auth, though I gather it exists in verticals like the NHS and maybe some banking functions.

  4. Doctor Syntax Silver badge

    And yet one of its jobs, as with GCHQ here, is to help secure national IT infrastructure. Is this a case of the cobbler's children or is it equally poor at its assigned task? And if NSA is that bad what of GCHQ?

    I suppose they're both too busy spying on us.

    1. Tom Paine

      Cobblers

      ...cobbler's children go barefoot, that is. I've worked for a couple of well-known "security" companies where internal opsec was /atrocious/.

      GCHQ are evidently a bit better at keeping their inner doings out of the public prints, but my understanding (FWIW - no I've never worked for them) is that things are, well, nothing like as bad as this NSA report.

  5. John Smith 19 Gold badge
    Gimp

    "agency had too many users with admin privileges,"

    TL;DR Several 1000 BOFHs have tools that can break into your network at will but (trust us) "we will not misuse this privilege."

    Good to know.

  6. Kane
    Black Helicopters

    Hmmm

    Something about this smells...off. If the report had been written by an independent third party (highly unlikely), I might have bought into it. If you (the gubmint) were forced into writing a report about NSA's opsec, wouldn't you throw in some misinformation to make it a) look like you're incapable of locking down your own systems securely and b) provide an opportunity for would-be foreign actors/"rogue" contractors to attempt to access those systems? You would then be able to build a "profile" of possible attack vectors.

    Yes, I know Snowden mentioned before that he was not alone in having escalated privileges in being able to access the information that he did, and that this seemed to be the norm for the sub-contractors that worked for the NSA. Or it was the norm for the NSA to have the type of documentation that was leaked, stored in systems that could be accessed so easily. But still, something doesn't sit right, and I find it hard to believe that adequately securing their own systems was entirely outside their area of competence.

    After all, if you were running a super-duper-secret spy agency, wouldn't you want to spread as much misinformation as possible? Even if it was through legitimate channels, like the Department of Defense?

    I know I would.

    Alternatively, (and the slightly less suspicious bastard/paranoid idea) it could simply have been an appeasement report for the superiors that have been shouting behind the scenes about "how could this happen", and never got released due to the incoming change of government at the time. Only due to the FOI request does it come into the light.

    But I prefer my paranoid version.

    1. Anonymous Coward
      Meh

      Re: Hmmm

      "Many journalists have fallen for the conspiracy theory of government. I do assure you that they would produce more accurate work if they adhered to the cock-up theory."

      Bernard Ingham

      1. Tom Paine

        Re: Hmmm

        You can tell that, all things being equal, in general cock-up beats conspiracy as an explanation from the fact that every so often someone(s) DOES try to conspire -- and they cock it up. Cf events unfolding over the Atlantic. (The Brexit angle hasn't really started to unravel yet, but it's in the post I assure you.)

    2. Mephistro

      Re: Hmmm (@ Kane)

      Or it could be just a case of -perceived- cost reduction. Keeping good security is very expensive* in terms of time needed to fix or prevent issues. My guess is that several PHBs at the NSA decided that it was more important to spy on more "potential terrorists"** than to keep good internal security.

      *: until you factor in the costs of NOT keeping good security.

      **: Translation ==> "human beings"

    3. Alistair
      Windows

      Re: Hmmm

      @Kane:

      Never attribute to malice that which can be sufficiently explained by stupidity.

      I mean, as far as I'm concerned, all that "Dark Energy" in the universe is just the stupidity showing up on the scans.

  7. Anonymous Coward

    when deep state letter agencies have a million operatives(*)

    then that's not what I call good security/secrecy. A million people keeping a secret!?

    (*) and most of their personal data was slurped by another deep state, in the 21+ million names 2015 OPM heist...

  8. FlamingDeath Silver badge

    What's the law on that?

    These are people that treat the law like it's something they don't have to obey, and we are surprised by this IT security cluster****?

    It's the tip of the iceberg

  9. Anonymous Coward

    yet once again

    we hear more concern and more coverage of the "how" and "why" to drown out the "what"s.

    Who cares about the "boring" details, when we can play partisan political games and point fingers, while totally ignoring the CONTENT.

    If government has to fail at security so the PEOPLE can learn what is REALLY going on, then perhaps less rants about bad security and more about BAD GOVERNMENT are needed.

    Or perhaps, maybe revisiting the idea that Government "needs" to keep and gather all this info about the People who its supposed to SERVE?

    The leaks themselves, and their content, are the SYMPTOM. the "smoke where there's fire". But arguing about the content of the smoke, and then ignoring that for discussing better and more efficient wind patterns and giant forest covering chimneys, instead of working to put out the fire, benefit the arsonists, not the forest.

    1. Tom Paine

      Re: yet once again

      downvoting because there's really no NEED to SHOUT. We're British; we can detect nuance and emphasis without needing to be hit over the head with a mallet.

  10. jason.bourne
    Linux

    This can't be real

    This can't be the same NSA that created SELinux. It has taken me years to get even parts of my org to use SELinux due to the complexity. I won't even contemplate suggesting MLS policies and removing the unconfined users, because I know it will be too hard. Only the NSA can manage such complicated security controls, right?

    1. Throatwarbler Mangrove Silver badge
      Holmes

      Re: This can't be real

      "This can't be the same NSA that created SELinux. It has taken me years to get even parts of my org to use SELinux due to the complexity."

      Why do you think they created it that way?

    2. tom dial Silver badge

      Re: This can't be real

      DoD data centers have been dealing with mandatory access control on mainframes (RACF, Top Secret, ACF-2) for at least thirty years. It was not easy to implement, and in the large data centers its maintenance supports a security administration staff of a dozen or two. An administrator once told me he had looked into a MAC system for the 3B2 system he managed and decided that since it was being used only for unclassified batch jobs and accessed by only a small number of people, it was far more effort to implement than it was worth and would take up far too much of his time to administer.

  11. Private Citizen.AU

    Photocopy security caught Reality Winner

    My reading of the Reality Winner case was that she was traced because she printed the report on a photocopier with microdot security identification, and that allowed them to trace back from the printer logs.

    Computer security on that case was well and truly after the fact.

    1. Tom Paine
      FAIL

      Re: Photocopy security caught Reality Winner

      She was caught because The Canary Intercept -- Glenn Greenwald's new front org -- gave up their source with mindblowing incompetence, by forwarding a scan of the /original leaked document/ to the spooks for comment. Complete with sub-visible DLP markings. Morons, or evil? Your call.
