Surely this can't be right? I was only watching one of those moving picture thingys the other day and you had to be a top hacker to gain access and once you did you had five minutes before agents knocked down your door and arrested you.
NSA had NFI about opsec: 2016 audit found laughably bad security
Second-rate opsec remained pervasive at the United States' National Security Agency, according to an August 2016 review now released under Freedom of Information laws. It's almost surprising that the agency was able to cuff Reality Winner, let alone prevent a wholesale Snowden-style leak. The Department of Defense Inspector …
COMMENTS
Tuesday 20th June 2017 17:14 GMT Palpy
RE: moving picture thingies.
Oh, I think the Bourne Documentary series showed conclusively how a single operative, with suitable skills and hidden memories, can eat a spy service's lunch without breaking a sweat. (I am working on developing such skills, and currently I am able to (usually) open a jam jar. I must sometimes resort to my wife to determine which direction to twist, however.)
Security aside, it seems a recent study estimated how long any conspiracy could remain secret, given the number of people involved in the conspiracy. It appears that if more than about 2500 people are in on the plot, then it will probably be revealed in 5 years or less. While it seems logical that better selection and indoctrination of those to be privy to the conspiracy would help, that may be a fallacy: no selection process can delve deeply enough to predict changes of heart, evolving ethical awareness, and so forth. So given enough participants, a Chelsea Manning, an Edward Snowden, or a Reality Winner might be inevitable.
Tuesday 20th June 2017 13:48 GMT Anonymous Coward
Re: Can't wait till ISIS recruits infiltrate the NSA....
Probably got a few sympathisers in there already. Plus a few bribeables.
Nah. All you need is a couple of misguided activists. Cheaper too.
To be honest, I do NOT like leaks (no, really, secrecy has its place IMHO) but given that agencies behave like they have something to hide it appears that is the only way by which they will maybe be forced to become a tad more accountable. I assume that won't happen in my lifetime, though.
Tuesday 20th June 2017 16:25 GMT Anonymous Coward
Re: 2 sweet FA
Everyone already has a second factor - the CAC card - so rolling this out shouldn't be that difficult. I'm shocked it wasn't already in place at the NSA, to be honest. It has been pretty standard in the corporate world - first for VPN access and lately for everything - for some time now.
While 2FA is a necessity to implement here, how is this going to resolve issues like Snowden or Winner? It wouldn't have prevented either instance. Snowden could have been prevented by requiring "two in a box" for admin access, but that would increase cost a lot. Manning's dump could have been prevented by limiting the amount of classified data someone can download without special approval.
Not sure there's any way to prevent leaking a small amount of information like Winner. You can ban printing of classified information by most people (making it harder for regular work to get done) but determined leakers could take photos of the screen. Well, unless they require you to surrender all phones at the door when entering, and make you walk through a metal detector to ensure you don't have one concealed on you.
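An added example, not from the thread or from any agency system: the download cap the comment above suggests ("limiting the amount of classified data someone can download without special approval"), written as detection logic over constructed audit log lines. The log format, the thresholds and the APPROVAL records are all assumptions.

```python
"""Flag accounts whose download volume or count exceeds a cap within a window,
unless a special-approval record exists for that window. Added example with an
assumed log format; all sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)      # assumed review window
MAX_BYTES = 50 * 1024 * 1024      # assumed cap: 50 MiB per user per window
MAX_FILES = 200                   # assumed cap: 200 downloads per window

# Constructed sample lines:
#   "<ISO time> <user> DOWNLOAD <bytes>"      one file pulled from the repository
#   "<ISO time> <user> APPROVAL <approver>"   special approval lifting the cap
SAMPLE_LOG = """\
2017-06-20T08:00:00 alice DOWNLOAD 1048576
2017-06-20T08:05:00 bob DOWNLOAD 20971520
2017-06-20T09:10:00 bob DOWNLOAD 20971520
2017-06-20T09:30:00 carol APPROVAL supervisor1
2017-06-20T09:31:00 carol DOWNLOAD 62914560
2017-06-20T10:00:00 bob DOWNLOAD 20971520
2017-06-21T11:00:00 alice DOWNLOAD 2097152
"""

def parse(log_text):
    """Yield (timestamp, user, kind, rest) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, rest = line.split(" ", 3)
        yield datetime.fromisoformat(ts), user, kind, rest

def find_bulk_downloads(log_text):
    """Return {user: (total_bytes, file_count)} for the first window in which a
    user breaches either cap without an approval recorded near that window."""
    approvals = defaultdict(list)   # user -> [approval timestamps]
    downloads = defaultdict(list)   # user -> [(timestamp, bytes)]
    for ts, user, kind, rest in parse(log_text):
        if kind == "APPROVAL":
            approvals[user].append(ts)
        else:
            downloads[user].append((ts, int(rest)))
    flagged = {}
    for user, items in downloads.items():
        items.sort()
        for i, (start, _) in enumerate(items):        # sliding window per download
            in_window = [(t, b) for t, b in items[i:] if t - start <= WINDOW]
            total, count = sum(b for _, b in in_window), len(in_window)
            approved = any(start - WINDOW <= a <= start + WINDOW for a in approvals[user])
            if (total > MAX_BYTES or count > MAX_FILES) and not approved:
                flagged[user] = (total, count)
                break
    return flagged
```

On the constructed log, bob (60 MiB in one day, no approval) is flagged, carol is not because an approval precedes her download, and alice stays under the cap.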
Wednesday 21st June 2017 00:08 GMT tom dial
Re: 2 sweet FA
The CAC, as far as I know, was universally used in DoD by 2009 or earlier. For PCs. My agency had a number of non-PC machines in locked or otherwise access controlled rooms that were not equipped for 2FA either with smartcard readers or the requisite software. I suspect that in the major DISA data centers that also was true, especially for the likes of zSeries and Unisys mainframes. I certainly wouldn't argue that it was a good thing, but it would have taken more than a minor effort to implement across the number and variety of machines I suspect are present on NSA premises.
One more comment on the finding about reduction in the number of administrators with privileged access: one of the actions taken reportedly was to do administration in pairs. That would have run seriously against an absolute reduction in privileged access personnel since it would increase the labor required for administration by a factor of at least two.
Tuesday 4th July 2017 15:12 GMT Tom Paine
Re: 2 sweet FA
It has been pretty standard in the corporate world - first for VPN access and lately for everything - for some time now.
O RLY?
In the last five years I've worked for a US-based multinational (c.50k employees), a London fintech startup (c.120), a huge US bank (250k users), and now a large trading firm (5000 users). None have used 2fa for anything but VPN access, and two of them didn't even use it for that. I've literally never seen or heard of 2fa for desktop auth, though I gather it exists in verticals like the NHS and maybe some banking functions.
Tuesday 4th July 2017 15:14 GMT Tom Paine
Cobblers
...cobbler's children go barefoot, that is. I've worked for a couple of well-known "security" companies where internal opsec was /atrocious/.
GCHQ are evidently a bit better at keeping their inner doings out of the public prints, but my understanding (FWIW - no I've never worked for them) is that things are, well, nothing like as bad as this NSA report.
Tuesday 20th June 2017 09:26 GMT Kane
Hmmm
Something about this smells...off. If the report had been written by an independent third party (highly unlikely), I might have bought into it. If you (the gubmint) were forced into writing a report about NSA's opsec, wouldn't you throw in some misinformation to make it a) look like you're incapable of locking down your own systems securely and b) provide an opportunity for would-be foreign actors/"rogue" contractors to attempt to access those systems? You would then be able to build a "profile" of possible attack vectors.
Yes, I know Snowden mentioned before that he was not alone in having escalated privileges in being able to access the information that he did, and that this seemed to be the norm for the sub-contractors that worked for the NSA. Or it was the norm for the NSA to have the type of documentation that was leaked, stored in systems that could be accessed so easily. But still, something doesn't sit right, and I find it hard to believe that adequately securing their own systems was entirely outside their area of competence.
After all, if you were running a super-duper-secret spy agency, wouldn't you want to spread as much misinformation as possible? Even if it was through legitimate channels, like the Department of Defense?
I know I would.
Alternatively, (and the slightly less suspicious bastard/paranoid idea) it could simply have been an appeasement report for the superiors that have been shouting behind the scenes about "how could this happen", and never got released due to the incoming change of government at the time. Only due to the FOI request does it come into the light.
But I prefer my paranoid version.
Tuesday 4th July 2017 15:16 GMT Tom Paine
Re: Hmmm
You can tell that, all things being equal, in general cock-up beats conspiracy as an explanation from the fact that every so often someone(s) DOES try to conspire -- and they cock it up. Cf events unfolding over the Atlantic. (The Brexit angle hasn't really started to unravel yet, but it's in the post I assure you.)
Tuesday 20th June 2017 12:02 GMT Mephistro
Re: Hmmm (@ Kane)
Or it could be just a case of -perceived- costs reduction. Keeping good security is very expensive* in terms of time needed to fix or prevent issues. My guess is that several PHBs at the NSA decided that it was more important to spy on more "potential terrorists"** than to keep good internal security.
*: until you factor in the costs of NOT keeping good security.
**: Translation ==> "human beings"
Tuesday 20th June 2017 16:15 GMT Anonymous Coward
yet once again
we hear more concern and more coverage of the "how" and "why" to drown out the "what"s.
Who cares about the "boring" details, when we can play partisan political games and point fingers, while totally ignoring the CONTENT.
If government has to fail at security so the PEOPLE can learn what is REALLY going on, then perhaps less rants about bad security and more about BAD GOVERNMENT are needed.
Or perhaps, maybe revisiting the idea that Government "needs" to keep and gather all this info about the People who it's supposed to SERVE?
The leaks themselves, and their content, are the SYMPTOM. The "smoke where there's fire". But arguing about the content of the smoke, and then ignoring that for discussing better and more efficient wind patterns and giant forest covering chimneys, instead of working to put out the fire, benefits the arsonists, not the forest.
Tuesday 20th June 2017 16:40 GMT jason.bourne
This can't be real
This can't be the same NSA that created SELinux. It has taken me years to get even parts of my org to use SELinux due to the complexity. I won't even contemplate suggesting MLS policies and removing the unconfined users, because I know it will be too hard. Only the NSA can manage such complicated security controls, right?
Wednesday 21st June 2017 00:22 GMT tom dial
Re: This can't be real
DoD data centers have been dealing with mandatory access control on mainframes (RACF, Top Secret, ACF-2) for at least thirty years. It was not easy to implement, and in the large data centers its maintenance supports a security administration staff of a dozen or two. An administrator once told me he had looked into a MAC system for the 3B2 system he managed and decided that since it was being used only for unclassified batch jobs and accessed by only a small number of people, it was far more effort to implement than it was worth and would take up far too much of his time to administer.
Friday 23rd June 2017 01:52 GMT Private Citizen.AU
Photocopy security caught Reality Winner
My reading of the Reality Winner case was that she was traced because she printed the report on a photocopier with microdot security identification, and that allowed them to trace back from the printer logs.
Computer security on that case was well and truly after the fact.
Tuesday 4th July 2017 15:20 GMT Tom Paine
Re: Photocopy security caught Reality Winner
She was caught because The Intercept -- Glenn Greenwald's new front org -- gave up their source with mindblowing incompetence, by forwarding a scan of the /original leaked document/ to the spooks for comment. Complete with sub-visible DLP markings. Morons, or evil? Your call.