NSA whistleblower likely had easy access to classified data

Even low-level systems admins like Snowden often get very high-level privileges for normal IT tasks, security experts say

A defiant Edward Snowden resurfaced in Hong Kong today vowing to fight any U.S. efforts to extradite him on charges that he leaked classified documents describing two secret government data collection programs.

In comments to the South China Morning Post published on Wednesday, Snowden maintained that he did not flee to Hong Kong to avoid facing the consequences for his actions.

Instead, he wants to use Hong Kong as a refuge to expose the "criminality" of U.S. government domestic spying programs, Snowden said.

"I have had many opportunities to flee Hong Kong, but I would rather stay and fight the US government in the courts, because I have faith in HK's rule of law," Snowden told the Hong Kong newspaper.

According to the Post, Snowden leaked documents purporting to show that the NSA has been hacking into computers in Hong Kong and mainland China since at least 2009. He contended that the attacks targeted Chinese officials, businesses and students in China and Hong Kong, the paper noted.

Snowden's comments came as questions continue to swirl about how he managed to get his hands on top secret National Security Agency documents while employed as a relatively low-level IT contract worker for the spy agency.

Snowden's actions, hailed as heroic by some and traitorous by others, have sparked an intense national debate on privacy and domestic surveillance.

Snowden was employed by government contractor Booz Allen Hamilton until earlier this week when he was fired. During his three months at the company, he worked with a team in Hawaii as a $122,000 a year IT administrator contracted to the NSA.

In that brief time, Snowden says he accessed top-secret NSA documents that he later leaked to reporters in the U.K. and the U.S. While it remains unclear how he accessed the data, several security experts say it's not surprising that he could.

The odds are high that Snowden had access to classified documents as part of his job, said Sid Probstein, chief technology officer at security vendor Attivio. "It may seem shocking that someone with only a few months' tenure could gain access to sensitive information, but that is exactly what happens in the enterprise, all the time," Probstein said.

Newly hired system administrators in major corporations often receive passwords and other information that provides access to very sensitive data, such as CEO emails, customer data and merger and acquisition documents.

"In fact, this might happen long before they reach the three month mark. Most admins likely have this information within a few days of starting work," Probstein said.

Network and systems administrators often need access to such data to perform their jobs, said Jody Brazil, president and chief technology officer at FireMon, a provider of security management projects.

Though systems administrators often rank low on organizational charts, they get extremely elevated privileges from an IT context, Brazil said.

In order to maintain and manage enterprise systems, administrators need a very high level of access, he said. Even mundane tasks like password resets and system backups require a certain level of privileged access, he said.

Abusing such privileges to gain unauthorized access to systems and data is almost trivial for admins who don't care about leaving a trail behind them, he said.

"This is not just ignorance or poor management," Brazil said. "Systems administrators are given the keys to the kingdom and entrusted not to do harm with it."

There are technologies and processes that allow companies to exercise a degree of control over administrators, he said. For example, enterprises can compartmentalize data and networks to ensure that administrators are restricted to specific silos.

Similarly, there are security tools that allow administrators to back up data files without getting access to the data, Brazil said. Many companies encrypt data in sensitive systems and store the decryption keys separately as a control against administrator abuse, he said.

Even so, adding such measures can often complicate relatively mundane administrative tasks, so many companies choose not to implement them, Brazil added.

"The insider is the greatest threat to government and owners of critical infrastructure," said Robert Rodriguez, a former Secret Service special agent and founder of the Security Innovation Network.

"Once you have an employee who is trusted and has access to files and computers, it really depends on how rogue the employee wants to be," he said. "Once you are inside a building or an organization it becomes a lot easier to perform actions that are outside of policy."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.
