Just when I thought I couldn’t think less of the NSA’s security, more news has come
out regarding Edward Snowden’s leaks. This time it isn’t news about what
Snowden took from their servers, but rather how he did so. One of the wonders
of the security world is a technique called social engineering. Social
engineering is a process where you either impersonate someone or otherwise
convince someone to give up privileged information. Rather than hack into
servers using unknown vulnerabilities, Snowden instead convinced people that he
needed their passwords in order to do his job as a systems administrator. Once
he had the passwords, it was probably easy for him to get ahold of classified
information. If that wasn’t bad enough, even worse news is that the NSA
facility was not running the newest version of anti-leak software, software that
might have been able to catch Snowden in the act.

Part of the NSA’s justification for having tons of information is that they can put it
to good use for defensive purposes. They went on and on about how they
safeguard the data and that only a few people have access to it. Unfortunately,
it seems that such defensive measures are not all that effective. Who cares if
only a few people are allowed to have access to the data if one of those few
either hands over the information I want or, in Snowden’s case, hands over access
to their account? What makes this worse is that Snowden was previously suspected
of trying to get ahold of classified information. Ars Technica
reports that in 2009 his CIA superiors sent him home from Geneva when they thought
he was trying to break into classified computer files. So not only did the NSA
screw up now, but they also ignored very important metaphorical red flags in
the past.

It is these kinds of mistakes that worry me. If this can happen at the NSA of all
places then where else in the world is this occurring? The world is a pretty small
place when the Internet comes into play, and my data could be stored almost
anywhere. Do I have to start worrying about every single web service I use now
and just hope that no one is crazy enough to just expose my information? I cannot
imagine being able to go about my daily life without encountering the
Internet in some fashion. There is no way to just cut myself off and trust no
one with any of the data. It is simply not possible. In the end, I am going to
have to expose myself in some form and let a company like Google handle things,
like email, for me. By doing so, I am going to have to trust that their
security is up to date and that no single person both has access to my data and
will fall for the same trick people at the NSA did. Thankfully I tend to keep
most of my information on hand and keep my bank statements and other such files
separate from everything else on my computer.

I think I am more surprised about
how many people fell for it as opposed to the fact that someone gave up their
password in the first place. Different reports account for as many as 20
different people handing over their account credentials. It is unknown what has
happened to these people, but I have no doubt that they will be on thin ice, so
to speak, for quite a while. That is, assuming they still have their jobs.