Sunday, November 10, 2013

Snowden Leaks - How he got the information in the first place



                Just when I thought I couldn’t think less of the NSA’s security, more news has come out regarding Edward Snowden’s leaks. This time it isn’t news about what Snowden took from their servers, but rather how he did so. One of the wonders of the security world is a technique called social engineering. Social engineering is a process where you either impersonate someone or otherwise convince someone to give up privileged information. Rather than hack into servers using unknown vulnerabilities, Snowden instead convinced people that he needed their passwords in order to do his job as a systems administrator. Once he had the passwords, it was probably easy for him to get ahold of classified information. If that wasn’t bad enough, even worse news is that the NSA facility was not running the newest version of anti-leak software, software that might have been able to catch Snowden in the act.
                Part of the NSA’s justification for having tons of information is that they can put it to good use for defensive purposes. They went on and on about how they safeguard the data and that only a few people have access to it. Unfortunately, it seems that such defensive measures are not all that effective. Who cares if only a few people are allowed to have access to the data if one of those few either hands over the information I want or in Snowden’s case hands over access to their account? What makes this worse is that Snowden was previously suspected of trying to get ahold of classified information in the past. ArsTechnica reports that in 2009 his CIA superiors sent him home from Geneva when they thought he was trying to break into classified computer files. So not only did the NSA screw up now, but they also ignored very important metaphorical red flags in the past.
                It is these kinds of mistakes that worry me. If this can happen at the NSA of all places then where else in the world is this occurring? The world is a pretty small place when the Internet comes into play, and my data could be stored almost anywhere. Do I have to start worrying about every single web service I use now and just hope that no one is crazy enough to just expose my information? I can not imagine being able to go about my daily life without encountering the Internet in some fashion. There is no way to just cut myself off and trust no one with any of the data. It is simply not possible. In the end, I am going to have to expose myself in some form and let a company like Google handle things, like email, for me. By doing so, I am going to have to trust that their security is up to date and that no single person both has access to my data and will fall for the same trick people at the NSA did. Thankfully I tend to keep most of my information on hand and keep my bank statements and other such files separate from everything else on my computer.
I think I am more surprised about how many people fell for it as opposed to the fact that someone gave up their password in the first place. Different reports account for as many as 20 different people handing over their account credentials. It is unknown what has happened to these people, but I have no doubt that they will be on thin ice so to speak for quite a while. That is, assuming they still have their jobs.


No comments:

Post a Comment