Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures

from the NSA,-where-the-'S'-stands-for-¯\_(ツ)_/¯ dept

In the immediate aftermath of an NSA contractor springing numerous leaks back in 2013, the NSA vowed this would never happen again. It has happened again and it hasn’t just been documents. It’s also been software exploits, which contributed to a worldwide plague of ransomware.

The NSA was going to make sure no one could just walk out of work with thousands of sensitive documents. It laid out a plan to exercise greater control over access and fail-safe procedures meant to keep free-spirited Snowdens in check. The NSA is the world’s most powerful surveillance agency. It is also a sizable bureaucracy. Over the past half-decade, the NSA has talked tough about tighter internal controls. But talk is cheap — at least labor-wise. Actual implementation takes dedication and commitment. The NSA just doesn’t have that in it, according to a recent Inspector General’s report.

The nation’s cyber spy agency is suffering from substantial cyber vulnerabilities, according to a first-of-its-kind unclassified audit overview from the agency’s inspector general released Wednesday.

Those vulnerabilities include computer system security plans that are inaccurate or incomplete, removable media that aren’t properly scanned for viruses, and an inadequate process for tracking the job duties of National Security Agency cyber defenders to ensure they’re qualified for the highest-level work they do, according to the overview.

The anti-Snowden efforts are a key failure on the NSA’s part. The NSA stated it would implement two-person access control to limit the amassing of sensitive documents/software. This would ensure that, if nothing else, the NSA could try to press conspiracy charges against leakers. That hasn’t happened. Towards the end of the Inspector General’s long list of NSA investigations and recommendations [PDF], the IG notes this key proposal — offered by Keith Alexander when he was still running the agency — has yet to be implemented. This damning note lies alongside the jarring fact the NSA does not scan removable media for viruses or malware. Considering its foremost place in the malware buyers market, it’s inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

Those two points — closely related to the NSA’s ongoing presence in daily news — are only a small part of the 699 open recommendations from the Inspector General the NSA has yet to fully address. It’s not a good look for any government agency, much less one that’s supposed to be at the forefront of technology and security.


Comments on “Inspector General Says NSA Still Hasn't Implemented Its Post-Snowden Internal Security Measures”

11 Comments
Anonymous Coward says:

Media scanning

This damning note lies alongside the jarring fact the NSA does not scan removable media for viruses or malware. Considering its foremost place in the malware buyers market, it’s inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

Uhh… scanning for malware is not the solution to this problem. Commercial scanners won’t detect the NSA’s malware unless the NSA gives copies in advance, which would defeat the purpose. A custom scanner would be a total waste of time: the time would be better spent fixing the bugs their malware exploits, even if they’re never going to send those fixes upstream. And they certainly shouldn’t be vulnerable to publicly known bugs.

The only vulnerable machines should be those used for testing their malware. Instead of scanning storage media, they need to be scanning their network for vulnerable devices.

Anonymous Coward says:

Re: Re: Media scanning

I think the idea there is to stop you from copying the file to a vulnerable system.

The scanning, though, can be worse than a waste of time: it can itself have vulnerabilities. This is particularly bad if the scanner runs with administrative privilege, and some used to (still do?). It’s the same root cause as we saw with a recent exploit on Linux, where some file manager would automatically spawn a Nintendo emulator (!) to create a thumbnail, and it was exploitable…. To scan every obscure file type, you’ve got to have a parser for each, thereby expanding your attack surface.

Anonymous Coward says:

Considering its foremost place in the malware buyers market, it’s inexcusable the NSA would act so carelessly with attack vectors it certainly utilizes.

As I’ve said before, the NSA is only concerned with attack potential of malware and exploits and doesn’t give a single hoot about fixing or defending our interests against them. Heck, I don’t even think they bother to look at the defensive side of the equation at all, other than as an obstacle to overcome.

I wouldn’t mind this if there was another agency specifically devoted to defending against such problems, but the NSA is supposed to be doing both. Perhaps it’s time to make such an agency.

Darkness Of Course (profile) says:

Who is leading the blind NSA?

What if, just bear with me, the new Snowdens are running part of the show?

Not all of it, but enough to slow up the systems necessary to stop the future Snowden from blowing the doors open, again.

Or it could be that ransomware has infiltrated the one server that has the plans to update the security.

Anonymous Coward says:

Re: Who is leading the blind NSA?

Well a lot of those measures are a pain in the ass and slow things down, and morale has been in the toilet as everyone thinks of them first and foremost as bad people and even the ‘nothing to hide’ crowd of toadies rightfully think they are incompetent given things like accidentally releasing a bunch of their malware on a completely unsecured server – just having their own servers hacked without several zero-days would be bad enough leaving it unsecured is literally completely inexcusable when even Amazon Cloud calls for crypto-key regulated direct server access.

They appear to be circling the drain as a shitty organization which has likely started to get shittier. Anyone with talent would have likely tried to go elsewhere while the reaction to saying you worked for the NSA reputation was “you must have been good at hacking” instead of “you must be an incompetent pervert without any morals”.
