Edward Snowden has not publicly stated how he leveraged his privileged access to certain servers and top-secret information at the National Security Agency into a wider fishing expedition, netting classified secrets that he had no clearance to access. The NSA hasn’t provided much insight either.
This week, however, security researchers at certificate-management firm Venafi threw their collective hat into the ring, posting an analysis stating that Snowden likely used authentication keys to give his account privileged access to other servers in the network. Secure shell (SSH) keys are frequently used by system administrators to log into remote computers without a password, and Snowden likely gained access to others’ keys or to privileged accounts and inserted his own keys, the company said.
The most significant clue is General Keith Alexander’s testimony in which the NSA chief reportedly stated that Snowden “fabricated digital keys” to gain access to classified systems, Jeff Hudson, CEO of Venafi, told eWEEK.
“It all comes back to one thing: ‘He fabricated the SSH keys,'” he said. “What he did was he allowed himself access to other systems and in the process he elevated his privilege.”
A number of accounts have tried to piece together how Snowden managed to break out of the systems he was authorized to access and move onto other sensitive systems and data. The theories have ranged from weaknesses in the thin-client architecture used by the NSA to the insecure collection of troves of data as part of the agency’s sharing of information with other intelligence arms of the government.
Snowden had also convinced more than two dozen NSA employees to allow him to use their passwords, officials told Reuters.
Yet, along those security missteps, the ability to create SSH keys on servers to which he should not have had access, allowed Snowden to keep a persistent and stealthy presence on the servers, Hudson said.
“The NSA had no awareness of the keys and certificates in use, no ability to detect anomalies, and no ability to respond to an attack,” Hudson stated in the company’s analysis. “Because of these deficiencies, General Alexander believes strongly that the NSA must use automated machine intelligence to improve its ability to detect and respond to threats.”
Because many other companies and organizations may face similar threats from insider attacks, the NSA should offer some details of Snowden’s attack, Hudson said. While the analysis represented the company’s best hypothesis, he argued that the intelligence agency should come forward.
“If we’re wrong, we invite the NSA and Edward Snowden to correct us,” he said in the analysis. “NSA Director General Keith Alexander wants to promote information sharing, and now is the perfect opportunity.”