Mark Hosenball and Warren Strobel report that Edward Snowden successfully socially engineered employees at the NSA into giving him their login credentials:
Former U.S. National Security Agency contractor Edward Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media, sources said.
A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments, said a source close to several U.S. government investigations into the damage caused by the leaks.
Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.
Read more on Reuters.
Okay, this gets my vote for both the insider breach of the year and the social engineering breach of the year, if anyone’s polling.
Reuters reports that sources tell them although the “government now believes it has a good idea of all the data to which Snowden could have accessed, investigators are not positive which and how much of that data Snowden actually downloaded.” If he was logged in as others, well yes, that would make this all even more difficult to determine.
There is a lot of (mis)information flying around on this story – and clearly some are aiming to take Snowden down a notch in the public eye. I wouldn’t give a lot of credence to anonymous sources.
Are you saying that Reuters’ sources on this particular story are providing misinformation? If so, what are your sources and what is the accurate info?
Regardless of the source of information on this story, social engineering is very much a concerning issue, especially when dealing with the employees who we work alongside day in and day out. A trusting face, and the “position of authority” can be very hard to resist to NOT give up a password. Social engineering is a great deal easier to do than most would think. Bad apple employees are a huge risk to companies who hire them.
I am not saying that Snowden did this or didn’t, but in his position of authority it is very probable. Being an IT specialist I have been able to do it, just to test people’s willingness to give up something very private. But, at the time when they needed my help and were vulnerable to suggestion, they will do almost anything.
I found the story credible, too. That doesn’t make it true, of course, but hopefully Reuters has reliable sources. And as you note, it raises important reminders…. employees may be on their guard against external phishing or SE attempts, but have their guard down with colleagues who may be either “going rogue” or planning to use the information for non-approved purposes.
Ok, Snowden may have not been an administrator, but IF he was all he would have to do is go into Active Directory and change their passwords, do what he wanted. Once he was done, he simply tries logging in several times with bogus passwords until the accounts lock. Then, contact the people and say hackers have been trying to access their accounts and they need to change their passwords.
These people seem clueless who the Admins were, or understand what an “admin” can do…It would have helped if the story writer had insight to the powers of an admin, or the potential victims’ knowledge of who is an admin and who is not.
None of the people questioned his need for their passwords? Commmmon, this is NSA, it seems unlikely that people with high level access are going to put their careers on the line to give some hobo their password. The data owners are brainwashed on password security and not to release that information to anyone. Period. All I can say is, if they did give up their keys to the kingdom so he could do more damage, then relieving them is a good thing, since a clearance and access to highly sensitive data to these people didn’t matter who sees it. They didn’t even know if the individual was cleared for those programs or not… Just the word of the hobo and all is ok ! geesus.
The NSA has been protecting the USA for a long time. Through different means, which I am not going to get into, I bet they have thwarted MANY attacks on USA soil. The paranoid need to stay paranoid and find another agency to chew on and let the specialists at NSA do their job, this time only better. Sweep it under the rug and move on. A news agency is taking advantage of a lull in the hobo Snowden’s activity and wants to see how many hits they can get if they revive an otherwise boring subject.