How Snowden Breached the NSA from the Inside

13 November 2013

There have been many suggestions on how Edward Snowden managed to steal so many top secret documents from the NSA; but the NSA has kept quiet. Now new research claims to know how it was done, and challenges the NSA to deny it.

In fact, suggests Venafi, Snowden used a methodology that is widely used by cybercriminals and effectively used by the NSA itself in its Stuxnet attack on Iran: attacking the keys and certificates that provide trust. Back in July, Forrester Research produced a report (itself commissioned by Venafi) titled Attacks On Trust: The Cybercriminal's New Weapon. It says, "Yet, your average enterprise is unlikely to have an incident response plan for an attack on keys and certificates."

This is the crux of the attack: as an administrator Snowden was able to fabricate digital certificates and cryptographic keys; but the NSA had no ability to detect the forgeries. "The NSA had no awareness of the keys and certificates in use, no ability to detect anomalies, and no ability to respond to an attack," writes Venafi CEO Jeff Hudson.

Snowden, suggests Venafi, followed the classic steps described by Lockheed Martin in the paper titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. But Snowden didn't need to employ all of the steps: 'delivery' wasn't necessary because he was already inside the network. What was left was reconnaissance, intrusion and exfiltration.

Using the SSH keys issued to him as an administrator, he was able to locate, although not access, the files he wanted to steal, and to work out how to obtain them. Venafi suggests that this process also gave him access to other SSH keys that he would use later.

The next step was to gain access to the classified servers while simultaneously covering his tracks: the intrusion stage. For this he used stolen SSH credentials, probably obtained during the reconnaissance stage, to both get in and subsequently leave a secure backdoor on those target systems ready for stage 2.

For exfiltration Snowden transferred the data over encrypted channels to his own external file share, using self-signed certificates that he had created himself. As far as the NSA was concerned, these signed transmissions were safe and authorized, and they were allowed to pass unquestioned. Since security systems cannot inspect encrypted data without the keys to decrypt it, there was no way to recognize and prevent the exfiltration.

This is the basic problem: key and certificate populations are rarely known and monitored for anomalous behavior by the companies concerned. And this is the weakness Snowden knew and exploited.
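The weakness the article describes, in the SSH key reconnaissance and intrusion stages and in the closing point about unmonitored key populations, is the absence of an inventory to compare against. The following is an added example, not code from the article, from Venafi or from the NSA: it parses OpenSSH `authorized_keys` entries, computes the same SHA256 fingerprint format that `ssh-keygen -l` prints, and flags any key that is not on an approved inventory or whose declared type does not match the key blob. The key material and the approved list are constructed inline so the script runs offline; the inventory, file contents and user names are assumptions for illustration.

```python
"""Audit OpenSSH authorized_keys entries against an approved key inventory."""
import base64
import hashlib
import struct
from dataclasses import dataclass

KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
)


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Build the (base64-decoded) key blob of an ssh-ed25519 public key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def blob_key_type(blob: bytes) -> str:
    """Read the key type embedded at the start of every OpenSSH key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace")


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


@dataclass
class AuthorizedKey:
    declared_type: str
    embedded_type: str
    fingerprint: str
    comment: str
    line_no: int


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """Parse authorized_keys text into AuthorizedKey records, skipping blanks/comments."""
    keys = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An entry may begin with an options field; the key type is the first
        # field that is a recognised type name. Quoted options containing
        # spaces are not handled by this simple whitespace split.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        try:
            blob = base64.b64decode(fields[idx + 1], validate=True)
        except ValueError:
            continue  # not valid base64: skip rather than crash the audit
        comment = " ".join(fields[idx + 2:])
        keys.append(AuthorizedKey(fields[idx], blob_key_type(blob),
                                  fingerprint(blob), comment, line_no))
    return keys


def audit(keys: list[AuthorizedKey], approved: dict[str, str]) -> list[str]:
    """Return one finding per key that is unknown to the inventory or malformed."""
    findings = []
    for k in keys:
        if k.declared_type != k.embedded_type:
            findings.append(f"line {k.line_no}: declared {k.declared_type} "
                            f"but blob is {k.embedded_type}")
        if k.fingerprint not in approved:
            findings.append(f"line {k.line_no}: unapproved key {k.fingerprint} "
                            f"({k.comment or 'no comment'})")
    return findings


# Constructed sample data (hypothetical users, made-up 32-byte key material).
ALICE = ed25519_blob(bytes(range(32)))
BOB = ed25519_blob(bytes(range(32, 64)))
ROGUE = ed25519_blob(b"\xaa" * 32)


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys file for the example",
    f"ssh-ed25519 {_b64(ALICE)} alice@admin-ws",
    f'no-pty,command="/usr/bin/rsync" ssh-ed25519 {_b64(BOB)} bob@backup',
    f"ssh-ed25519 {_b64(ROGUE)} unknown@laptop",
    f"ssh-rsa {_b64(ROGUE)} mislabelled",
])

# Assumed inventory: fingerprint -> owner, as a key-management system would record it.
APPROVED_KEYS = {fingerprint(ALICE): "alice@admin-ws", fingerprint(BOB): "bob@backup"}


def run_audit(text: str = SAMPLE_AUTHORIZED_KEYS, approved: dict[str, str] = None) -> list[str]:
    return audit(parse_authorized_keys(text), APPROVED_KEYS if approved is None else approved)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

Run against a real host, the same logic would read each user's `~/.ssh/authorized_keys` and diff the fingerprints against the inventory; a key that appears on a server but nowhere in the inventory is exactly the anomaly the article says the NSA could not see.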

Venafi is challenging the NSA to prove its analysis wrong. "If we're wrong," writes Hudson, "we invite the NSA and Edward Snowden to correct us. NSA Director General Keith Alexander wants to promote information sharing, and now is the perfect opportunity."

But this is more than an academic exercise. The Forrester study shows just how many companies are vulnerable to attacks against their own keys and certificates. "As a leading organization responsible for contributing to US national and global cyber defense, the NSA has a responsibility to disclose the truth behind the breach," says Hudson. "Until the agency openly admits what happened along with all of the steps it's taken to correct the problem, all organizations that rely on keys and certificates to ensure trust will remain vulnerable to this attack vector."


