Former billionaire crypto mogul Sam Bankman-Fried sentenced to 25 years for stealing $8 billion from customers of bankrupt FTX
Icon through the years Solar eclipse guide 😎 Previous US disasters Play to win 🏀
TECH
Seattle

CyberTruth: Closer look at Snowden's NSA caper

Byron Acohido
USA TODAY

SEATTLE – Edward Snowden wrote himself into history books by pilfering some 50,000 pages of classified intelligence from the National Security Agency.

That was last May, and there has been little public discussion about how he did it. Until now.

Researchers at security firm Venafi are making a bold claim that they've deduced the basic steps Snowden must have taken to abscond with sensitive data protected by state-of-the-art network security systems.

To go undetected while copying and transferring a massive trove of NSA documents, Snowden had to have manipulated a couple of technologies most people have never heard of: Secure Shell (SSH) cryptographic keys and digital certificates, asserts Jeff Hudson, Venafi's CEO.

Venafi's analysis has not been acknowledged by the NSA. However, the strengths — and glaring weaknesses — of SSH technology is well understood in the cybersecurity community.

SSH keys and certificates make up the basic method of establishing secure communications between two computers. Together, they authenticate the users of the two computers about to exchange data. They also prevent a third party from intercepting information as it is being transferred. This technology underpins all sensitive Web transactions, including card payments, e-mailing and file transfers.

However, cybercriminals, particularly nation-state spies, have become adept at stealing and/or counterfeiting SSH keys and certificates. By using stolen or forged keys and certificates, the bad guys are able to impersonate a legitimate user, as well as cloak data as they steal it.

"Keys and certificates help identify and establish trust between systems electronically," says Hudson. "Unfortunately, criminals now understand how fragile our ability to control trust has become."

Venafi researchers scrutinized interviews with Snowden, investigative reports and public statements by the NSA's chief, Gen. Keith Alexander. They concluded that Snowden used tried-and-true cyberspying tactics, including fabricating SSH keys and certificates.

"The fabrication of SSH keys or self-signed digital certificates are well-known cybercriminal methods," Hudson says.

Snowden was working out of Hawaii as a low-level NSA systems administrator when he pulled his escapade. He may have used an even more elementary tactic, obtaining SSH keys and certificates from others.

According to a Reuters report, Snowden persuaded some 25 NSA staffers to hand over their user names and passwords under the ruse that he needed them for his job.

Edward Snowden in exile on the Moscow River in Moscow, Russia. Nov. 1, 2013

A plausible scenario, according to Venafi researcher Gavin Hill, is that Snowden used his co-workers' logons to gain first-level access to certain systems he was not officially authorized to use. It then would have been easy for him to embed forged SSH keys on those systems. By coming back later -- and using the forged SSH keys to gain access -- Snowden automatically elevated his rights to go deeper.

The NSA does not rely solely on SSH keys and certificates to lock down data. Like other large organizations that handle valuable data, the agency makes use of cutting-edge systems designed to prevent data loss, monitor file storage and continually analyze network traffic for anomalous patterns.

At the moment, Wall Street is showering capital on cybersecurity companies such as FireEye, Barracuda Networks, Imperva, Proofpoint and Palo Alto Networks, that supply the latest innovations in defending corporate networks.

But all these latest protections become less effective against an intruder in possession of a forged or stolen SSH key or digital certificate, since all digital keys and certificates are automatically trusted.

"Edward Snowden researched these gaps, understood them and used them to his advantage in breaching the NSA," says Hudson.

Venafi, which provides software to manage and protect SSH keys and digital certificates, is calling for the NSA to disclose more details of how Snowden conducted his attack.

"We need to know what happened so that we can keep it from happening in thousands of the globe's most sensitive and economically significant organizations," Hudson says.

Featured Weekly Ad