Snowden Likely Used SSH Keys to Access Classified NSA Data: Venafi | eWeek

Snowden Likely Used SSH Keys to Access Classified NSA Data: Venafi

Snowden Likely Used SSH Keys to Access Classified NSA Data: Venafi
Écrit par
Robert Lemos
Robert Lemos
Nov 20, 2013
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Edward Snowden has not publicly stated how he leveraged his privileged access to certain servers and top-secret information at the National Security Agency into a wider fishing expedition, netting classified secrets that he had no clearance to access. The NSA hasn’t provided much insight either.

This week, however, security researchers at certificate-management firm Venafi threw their collective hat into the ring, posting an analysis stating that Snowden likely used authentication keys to give his account privileged access to other servers in the network. Secure shell (SSH) keys are frequently used by system administrators to log into remote computers without a password, and Snowden likely gained access to others’ keys or to privileged accounts and inserted his own keys, the company said.

The most significant clue is General Keith Alexander’s testimony in which the NSA chief reportedly stated that Snowden “fabricated digital keys” to gain access to classified systems, Jeff Hudson, CEO of Venafi, told eWEEK.

“It all comes back to one thing: ‘He fabricated the SSH keys,'” he said. “What he did was he allowed himself access to other systems and in the process he elevated his privilege.”

A number of accounts have tried to piece together how Snowden managed to break out of the systems he was authorized to access and move onto other sensitive systems and data. The theories have ranged from weaknesses in the thin-client architecture used by the NSA to the insecure collection of troves of data as part of the agency’s sharing of information with other intelligence arms of the government.

Snowden had also convinced more than two dozen NSA employees to allow him to use their passwords, officials told Reuters.

Yet, along those security missteps, the ability to create SSH keys on servers to which he should not have had access, allowed Snowden to keep a persistent and stealthy presence on the servers, Hudson said.

“The NSA had no awareness of the keys and certificates in use, no ability to detect anomalies, and no ability to respond to an attack,” Hudson stated in the company’s analysis. “Because of these deficiencies, General Alexander believes strongly that the NSA must use automated machine intelligence to improve its ability to detect and respond to threats.”

Because many other companies and organizations may face similar threats from insider attacks, the NSA should offer some details of Snowden’s attack, Hudson said. While the analysis represented the company’s best hypothesis, he argued that the intelligence agency should come forward.

“If we’re wrong, we invite the NSA and Edward Snowden to correct us,” he said in the analysis. “NSA Director General Keith Alexander wants to promote information sharing, and now is the perfect opportunity.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.