Inside NSA's Efforts To Hunt Sysadmins 147

Posted by Soulskill
from the most-sedentary-sport dept.
An anonymous reader writes "The Snowden revelations continue, with The Intercept releasing an NSA document titled 'I hunt sys admins' (PDF on Cryptome). The document details NSA plans to break into systems administrators' computers in order to gain access to the networks they control. The Intercept has a detailed analysis of the leaked document. Quoting: 'The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. "Who better to target than the person that already has the ‘keys to the kingdom’?" one of the posts says.'"
  • by L4t3r4lu5 (1216702) on Friday March 21, 2014 @08:52AM (#46542267)
    This is why I insist that my official job title is "Soup Dispenser Technician, Second Class" on all official documents.
    • by Anonymous Coward on Friday March 21, 2014 @09:01AM (#46542307)

      If only you could pass those damned astro-navs....

    • Re: (Score:1, Offtopic)

      by jellomizer (103300)

      Sysadmins are also usually the easiest target to get in.
      standard password: 1amgod
      Being that they are required to fix problems 24/7 that means they have a "secret" back door on their network so they can get in.
      Once they are in they have a lot of access to the companies systems.

      We can go, well those guys are just dumb, however I am willing to bet most of you who are sysadmins have some little back door just in case.

      • by ravenlord_hun (2715033) on Friday March 21, 2014 @09:39AM (#46542627)
        Small-time admins maybe. If one works as part of a larger team, automation and documentation is king - any such backdoors would get anyone into trouble, quick.
        • Small-time admins maybe. If one works as part of a larger team, automation and documentation is king - any such backdoors would get anyone into trouble, quick.

          I guess you have a definition of "small time", but I am thinking of alleged Chinese theft of Google source code. The "backdoor" was IE and very clever phishing.

          • by Bigbutt (65939)

            Sysadmins can work in a big company and still be 'Small Time'. We're fairly small but automation and documentation lets 5 admins manage 1,200 systems.

            [John]

            • by Anonymous Coward
              Pfft. Automation and no documentation would allow 5 admins to support thousands more. Documentation doubles or triples workload.
        • by RabidReindeer (2625839) on Friday March 21, 2014 @10:33AM (#46543121)

          Small-time admins maybe. If one works as part of a larger team, automation and documentation is king - any such backdoors would get anyone into trouble, quick.

          R
          O
          T
          F
          L

          Worked in Fortune corporations. If I don't stop laughing soon, I'll pass out.

          • by Midnight_Falcon (2432802) on Friday March 21, 2014 @02:34PM (#46545537)
            As ineloquently as RabidReindeer may have put it, he's 100% spot on here. I've done security audits for big companies with large teams -- admins insert backdoors all over the place, then their buddies figure out they did it, and instead of being reprimanded they start using it too for convenience. Just because they have a big, publicly traded company doesn't mean the CIO/CISO cares about anything more than compliance on paper.
            • As ineloquently as RabidReindeer may have put it, he's 100% spot on here. I've done security audits for big companies with large teams -- admins insert backdoors all over the place, then their buddies figure out they did it, and instead of being reprimanded they start using it too for convenience. Just because they have a big, publicly traded company doesn't mean the CIO/CISO cares about anything more than compliance on paper.

              Actually, in many cases, the backdoors were created on demand from management because doing things securely was just too inconvenient for them. The old "Git 'er Dun!" principle.

              Or because the security administrator was in a bad mood the day something idiotic came in and didn't challenge it. I knew a lowly applications programmer who was keeping his own personal files in the product data set because of that.

        • by Lumpy (12016)

          are you crazy? that's exactly how they hacked the Gibson!

        • A typical NOT ME!! approach.

          The funny part is how many sys-admins think they are so good, until there is an independent security audit done.

          Now you shouldn't get insulted. There are a lot of good sysadmins... However many have gaps, and their ego gets in the way of making things more secure.

        • by doccus (2020662)

          Small-time admins maybe. If one works as part of a larger team, automation and documentation is king - any such backdoors would get anyone into trouble, quick.

          No.. The backdoors are simply more sophisticated, that's all..

        • by gbjbaanb (229885)

          true, all the admins I know are super-hot on locking down what you want to do, but always expect themselves to have full, uncontrolled, access to everything - including all the stuff that is 'not permitted' under some 'security' policy.

          I think of the last place no-one had youtube or facebook (fair enough TBH) except.. guess who did.

      • by Anonymous Coward

        In previous jobs, the closest thing to a "back door" is an SSH key. In fact, it has also been the front door, because some machines have any remote access blocked unless it is via SSH public key authentication. This makes the auditors happy, and it also gets rid of having to change passwords every 15-30 days. It also gets around the fact that three wrong passwords would mean a permanent lockout until an admin reset the account by hand (and documented the reset in JIRA.)

        In times past, a "secret" back d
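        The key-only front door the comment above describes (remote access refused unless it arrives with a public key), as an added example that is not from this thread or from any poster: a small POSIX sh/awk audit of an sshd_config. It reads only the global section, because sshd keeps the first value it sees for each keyword and everything after a Match header is conditional; the two sample configs are constructed for this example, not taken from any real host, and the "want 3 or fewer" MaxAuthTries threshold is this example's own choice.

```shell
#!/bin/sh
# Added example, not posted in this thread: audit an sshd_config for the
# "public key is the only front door" setup described above.
# sshd keeps the FIRST value it sees for each keyword, and every line after a
# "Match" header is conditional, so only the global section before the first
# Match is consulted here. Include directives are not followed (see note).

# sshd_effective FILE KEYWORD
#   prints the effective global value of KEYWORD (lowercased), or nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/=/, " ") }     # drop comments, allow "Key=value"
        tolower($1) == "match" { exit }        # global section ends at first Match
        tolower($1) == key && NF >= 2 { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
#   prints one line per finding; returns 0 only when every check passes
audit_sshd_config() {
    cfg=$1; rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    tries=$(sshd_effective "$cfg" MaxAuthTries)
    # sshd_config(5) defaults: PasswordAuthentication yes, PubkeyAuthentication yes, MaxAuthTries 6
    [ "${pw:-yes}" = "no" ] ||
        { echo "FAIL $cfg: PasswordAuthentication is '${pw:-yes (default)}', want no"; rc=1; }
    [ "${pk:-yes}" = "yes" ] ||
        { echo "FAIL $cfg: PubkeyAuthentication is '$pk', want yes"; rc=1; }
    [ "${tries:-6}" -le 3 ] 2>/dev/null ||
        { echo "FAIL $cfg: MaxAuthTries is '${tries:-6 (default)}', want 3 or fewer"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK   $cfg: password logins refused, public keys only"
    return "$rc"
}

# Constructed sample configs (not taken from any real host) so this runs offline.
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# Looks hardened at a glance, but the "no" only applies inside the Match block;
# the global default (PasswordAuthentication yes) still governs everyone else.
Port 22
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
EOF

# Demonstration when run directly: the first config fails, the second passes.
for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    audit_sshd_config "$cfg" || true
done
```

        The weak sample is the trap worth knowing: a PasswordAuthentication no that lives under a Match block hardens only the hosts that block matches, and a quick grep for the keyword would still report the file as clean. The script does not follow Include directives (OpenSSH 8.x reads /etc/ssh/sshd_config.d/*.conf that way), so on a live host treat it as a first pass and confirm with sshd -T, which prints the effective configuration after all includes and defaults are applied.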

    • Mine is Magical Mystical Overlord of Tubes
    • by Minwee (522556) <dcr@neverwhen.org> on Friday March 21, 2014 @10:35AM (#46543129) Homepage
      I'm sure you would have made it further than "Technician Second Class" if it hadn't been for that unfortunate incident with the gazpacho soup at Captain Hollister's table.
  • by Anonymous Coward

    Do not as I do, do as I say: I am the NSA!
    It's alright for me to bust into others' systems all day.
    What's that you say? I can do that too then, it's ok?
    The NSA says nay!
    Do not as I do, but as I say!

    • A limerick (Score:5, Funny)

      by Anonymous Coward on Friday March 21, 2014 @08:59AM (#46542297)
      There once was an NSA operative from Nantucket
      Whose ________ was so _______ he could ________.
      He said with a _________ as he wiped off his __________,
      "If my __________ was a _________ I would __________ it."
  • by MrDoh! (71235) on Friday March 21, 2014 @08:58AM (#46542293) Homepage Journal
    People need to be arrested for this. The people who ordered it done, wrote the reports, signed off on it, and anyone who did it. Ship some of them to various other countries for trials too, let everyone get into the action and let it be known to governments that this is not to be accepted.
    • by rmdingler (1955220) on Friday March 21, 2014 @09:10AM (#46542383)
      Agreed. I think the law enforcement officers that are charged with this task will arrive at the NSA when they finish arresting the bankers and brokers from the housing bubble derivatives scandal.
      • by Anonymous Coward

        They're arresting Barney Frank finally? About fucking time!

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      This is kinda their jobs. It's what they do. They're a SPY agency. They do spyish things.

    • by fuzzyfuzzyfungus (1223518) on Friday March 21, 2014 @09:16AM (#46542427) Journal
      Your mention of shipping people 'to various countries' gives me an idea...

      Since all the 'extraordinary rendition' bag, drag, and torture kids at the CIA are still running around in arrogant impunity, going so far as to just yoink inconvenient documents from the Senate Intelligence Committee (seriously, most of the members of that are appeasnik fuckwits who basically worship the clandestine services, so it must be really, really bad if the CIA is embarrassed in front of them. Also, if there are things the clandestine services do that even that part of the Senate isn't allowed to know about, can we really maintain the pretense that civilian government is actually in anything resembling control?) how about pitting two problems against one another?

      It'll be an exciting contest, like a reality TV show; but with higher stakes, rules as follows:

      The NSA will be the intelligence-spooks team: their job is to dig up as much dirt on the CIA as possible, by whatever l33t haxx0ring necessary, and try to have the CIA neutralized by political and/or public outrage, at least to the point of organizational collapse, to the point of wholesale hangings-from-the-lampposts for bonus points.

      The CIA will be the wet-ops creeps team: they will have to 'disappear' key NSA personnel to our worldwide network of extralegal torture dungeons fast enough to keep the lid on their dirty laundry, and try to drive the NSA to the point of institutional paralysis or collapse, with extra points awarded for any actually-true facts obtained during the 'enhanced interrogation' sessions.

      Gentlemen, to the starting line, and may you both lose!
    • by LookIntoTheFuture (3480731) on Friday March 21, 2014 @09:17AM (#46542441)

      People need to be arrested for this.

      Absolutely. It's astonishing that it hasn't happened already. Where's the line? What will it take to cross it? That is the scary part.

      • by Ben4jammin (1233084) on Friday March 21, 2014 @09:24AM (#46542481)

        Where's the line? What will it take to cross it?

        I think the issue is that there was a line, and it got crossed. Once you cross it once, it becomes easier to cross, because hey it wasn't so bad last time.

        Then, if you are put in relative isolation (enough for "group think" to take over) then it becomes easier still because you are validated for crossing it (dude we just saved lives by crossing the line...besides the "bad" guys are crossing it)

        And this continues until you really can't even remember why you crossed it the first time, but there is so much danger out there you don't have time to really contemplate it, either. Until one day you realize that you are looking in the mirror each morning at someone who has become a stranger.

        But by then it is too late...to challenge it now would precipitate an identity crisis that isn't nearly as much fun as seeing yourself as the hero of the world.

        • Re: (Score:3, Insightful)

          by drinkypoo (153816)

          But by then it is too late...to challenge it now would precipitate an identity crisis that isn't nearly as much fun as seeing yourself as the hero of the world.

          Congratulations, you just described the mode in which basically everyone operates. We all just tell ourselves we're being pragmatic as we sell out our futures. We don't live for today or tomorrow, but for an outcome that will never exist as long as we don't alter our behavior.

        • by ubrgeek (679399)
          More likely to challenge it now would precipitate a cut to the agency's annual budget.
      • by Zumbs (1241138)

        I love lines. I like the whooshing sound they make as they fly by.

        - NSA operative

    • This is more of a matter for the UN Security Council. The government of the USA has just declared war on all the sysadmins of the world. Note, I said the government of the US, and not the citizens.

      . . . oh, I forgot . . . the US government has a veto vote on the UN Security Council, so good luck with that . . .

      I wonder how that will affect business, like in, "I can't do business with you . . . we are in a state of war with you . . ."

      • by L4t3r4lu5 (1216702) on Friday March 21, 2014 @09:55AM (#46542801)
        How would the veto work if the UN voted out the USA?

        "I veto your voting us out!" "You can't do that, you've been voted out so you therefore have no veto." "But the vote is vetoed, so we weren't voted out!" "..." "..."
          • The vote has to pass before the US is out, and the vote doesn't pass if the US vetoes it. So the US isn't voted out.

          • by BobMcD (601576)

            It turns out there may be a way...

            http://en.wikipedia.org/wiki/U... [wikipedia.org]

            • A deadlocked security council can't block the general assembly's ability to issue "recommendations". The GA can't vote to do anything real under this provision.

              • by BobMcD (601576)

                Maybe you didn't click the link. Here's the salient part:

                It has been argued that with the adoption of the 'Uniting for Peace' resolution by the General Assembly, and given the interpretations of the Assembly's powers that became customary international law as a result, that the Security Council 'power of veto' problem could be surmounted.[34] By adopting A/RES/377 A, on 3 November 1950, over two-thirds of UN Member states declared that, according to the UN Charter, the permanent members of the UNSC cannot and should not prevent the UNGA from taking any and all action necessary to restore international peace and security, in cases where the UNSC has failed to exercise its 'primary responsibility' for maintaining peace. Such an interpretation sees the UNGA as being awarded 'final responsibility' - rather than 'secondary responsibility' - for matters of international peace and security, by the UN Charter. Various official and semi-official UN reports make explicit reference to the Uniting for Peace resolution as providing a mechanism for the UNGA to overrule any UNSC vetoes;

                So this is the approximate procedure:

                1) Introduce to the Security Council a resolution to restore "security" to the internet by barring the United States from hacking everybody.
                2) US vetoes.
                3) Introduce to the Security Council a resolution removing the US from the Security Council and barring the United States from hacking everybody, in order to restore "security" to the internet.
                4) US vetoes.
                5) Bring resolution from '3' to the General Assembly.
                6) Re

    • We are dealing with an extremely well funded, well staffed, and well equipped professional criminal organisation. Whatever its actual mandate is, the NSA has taken it upon itself to be the world's premier cyber-crime hacking group, accountable to no state, code, man, or law, and which regards the Internet and all computers on it -- foreign or domestic -- as fair game for fraud, intrusion and seizure. The organisation is out of control; without moral compass, budgetary restraint, or regulatory oversight.

      It is only a matter of time before individuals and managers within the NSA create actual links with the criminal fraternity and begin to engage in for-profit cyber-crime. Indeed, this has probably occurred already.

      And should the cyber-crime divisions inside the NSA ever make common cause with their criminal counterparts in the financial sector -- God help Western Civilisation. The closest parallel I can think of is the rise of the nobility-church-state alliance in the ancien régime and the subsequent ruination of France prior to the revolution.

  • by Anonymous Coward

    (police show up at house)

    "Wait...what are you doing! I was just making a joke online...I didn't mean it...please!"

    (shot in face, staged as suicide)

  • by FirstOne (193462) on Friday March 21, 2014 @09:23AM (#46542471) Homepage

    Once you break into an admin's computer, with his credentials, it's a two-way street.. One can plant evidence just as well as detect it..

    Now that this info is public knowledge, any accused should levy a defense that the NSA planted the evidence, since they have the ability and the court has no way of identifying planted information versus unapproved activity.

    Advice to NSA admins: I know it is a cushy job, but find another job NOT in the government. The NSA is on a witch-hunt; it's only a matter of time before they turn innocent bystanders into criminals.

    • by boristdog (133725)

      I had to point this out to our security dept several years back. They were scanning everyone's computer and user drive and building cases to fire people for anything they considered inappropriate. I told them that just because something is on someone's computer doesn't mean they put it there.

      They finally listened when I secretly buried an empty directory called "kiddie porn" in one of the security managers' user profiles. Root access is awesome. The witch hunts stopped soon after.

      • by 228e2 (934443)
        Cool Story Bro.

        So where do you work now???
      • by Minwee (522556)

        They finally listened when I secretly buried an empty directory called "kiddie porn" in one of the security managers' user profiles. Root access is awesome. The witch hunts stopped soon after.

        Which reminds me, how has your job hunt been going?

    • Advice to NSA admins: I know it is a cushy job, but find another job NOT in the government. The NSA is on a witch-hunt; it's only a matter of time before they turn innocent bystanders into criminals.

      Why would that help? A "former NSA admin" makes a convenient scapegoat. Come up with some employees who will strongly suggest that he was pushed out the door due to possible illegal activity and it's goat stew time

    • by Khashishi (775369)

      ...the court...

      Who said anything about a court being involved?

  • yawn. (Score:3, Insightful)

    by nblender (741424) on Friday March 21, 2014 @09:25AM (#46542493)

    I read through it. What I got was some full of himself mid-level network aware weenie who managed to get a job at NSA and get access to a vast trove of captured packet data trying to impress people with his vast knowledge of intarwebs protocols... I bet the smart people at NSA who are reading his lunatic ravings are wondering "who hired this asshole?"

  • When a spy agency has to spy on its own spies, it's not a spy agency anymore but a paranoiac employer.
    And it's also the end of any McCarthyism in the USA.

  • by king neckbeard (1801738) on Friday March 21, 2014 @09:46AM (#46542707)
    If they are compromising sysadmins without due process, then a sysadmin like Snowden compromising them is just deserts.
  • by Krazy Kanuck (1612777) on Friday March 21, 2014 @10:06AM (#46542877)
    Sadly the NSA isn't, and creating these back doors is just creating a honey pot for those who are. Stop compromising our networks in the name of "national security".
  • by Anonymous Coward on Friday March 21, 2014 @10:06AM (#46542879)

    As bad as such revelations are, what drives me nuts is all the apologists who crawl out of the woodwork every time one of these stories breaks. They have no end of justification for whatever the NSA or CIA does, anything from "I have nothing to hide" to "privacy is dead, stop bitching because the Good Guys are working to protect you".

    I predict the kind of practice in TFA is going to keep mushrooming until someone uses it as a political weapon and then gets caught. Only then will the jock-sniffing Congress do something substantive about this mess.

    If I were advising Hillary Clinton, I'd tell her to never touch another computer until her political career is over.

    • While some of the apologists you decry are probably real, it's a safe bet that most of them are sock puppets. There is a thriving market for 'media consulting firms' who take money to provide sock puppet services. I've personally identified quite a few working Slashdot. They already have 'full capture' of this service, and of most online social networks. They are most apt to turn up when someone posts a 'controversial' story, and otherwise try to keep a low profile.
  • It would be nice if we could sic the CFAA on the NSA. Unfortunately, they are immune from that law.
  • by nimbius (983462) on Friday March 21, 2014 @10:23AM (#46543035) Homepage
    But you merely adopted the shell. I was born in it, molded by it. I didn't see the GUI until I was already a man, by then it was nothing to me but BLINDING!
    The login prompts betray you, because they belong to me.

    So give it your best, young man. I and my greybeards are forged in this art. We know that behind your presentation, your boldface scrawlings and your bemused predatory preamble, we have coffee-ringed RFCs that have seen more fervent attempts than yours. Save yourself some grief and maybe curry our favour. Target our PHB instead.
  • My take on it. (Score:4, Informative)

    by Noryungi (70322) on Friday March 21, 2014 @10:47AM (#46543225) Homepage Journal

    If you are a sysadmin, and you have a Facebook page, LinkedIn account, social-media-whatever thingamajig or Slashdot account, the NSA may well come after you.

    Remember: this is written in plain sight and the NSA created a fake Slashdot account to get into Belgacom.

    I am a sysadmin. I have a Slashdot account. Maybe it is time for me to say so long, and thanks for all the fish. What Beta was not able to do, the NSA did.

    • by Nyder (754090)

      If you are a sysadmin, and you have a Facebook page, LinkedIn account, social-media-whatever thingamajig or Slashdot account, the NSA may well come after you.

      Remember: this is written in plain sight and the NSA created a fake Slashdot account to get into Belgacom.

      I am a sysadmin. I have a Slashdot account. Maybe it is time for me to say so long, and thanks for all the fish. What Beta was not able to do, the NSA did.

      Ya, and admitting you're a sysadmin probably doesn't help either.

  • It has already happened.
  • So they're basically running through LinkedIn and targeting anyone who says they're a SysAdmin, a VP, or anyone else who looks like they might have elevated privileges?

  • Do our bidding or we'll out your posts on /mlp/.

  • by Lumpy (12016) on Friday March 21, 2014 @12:23PM (#46544195) Homepage

    Wow they are amateurs now.

    Dear NSA, want to do your job right? Then start watching top networking companies for job openings and have your networking-expert agents apply for the jobs there. Nothing better than having your agent working on the inside.

    a "hit list" is stupid, you waste a LOT of time having to deal with them, but if Agent Davis is a network admin at VERIZON or AT&T then you make a single phone call to own the network.

    This tip is free, otherwise I am $4500 an hour, minimum of 10 hours charged for any more consulting; also you pay all travel costs and I only fly private or military jet. F16 trainer preferred.

  • So many attempted lawsuits against the USG over various spying revelations have been refused because the complainant has no "standing," i.e. legal proof that they have been damaged. I imagine that if the list of targets were to leak, that would give those individuals valid standing to sue. As someone who was the DBA at a US$6-7B/yr corporation for more than 7 years I sort of suspect my name is on their list. I will say one thing, there's no fucking way any NSA ratware got into systems under my control using

  • > are ROFL-easy [...] And pointing out for the lulz [...]

  • - separate normal surfing from your admin job
    - encrypt everything
    - consider bouncing connections via another server. Bonus if the final connection is via an intranet
    - consider using a VPN service, which routes many people over one IP
    - avoid facebook and webmail (are they talking about specific webmails?)

    for the selector stuff: install a cookie-killer like self-destructing-cookies (firefox) or tab-cookies (chromium).

  • does it; but when the government and it's many contractors do it, it's A-OK.
  • by PPH (736903)

    So now you, the company CIO, go back to work and wonder if your sysadmins might inadvertently infect your servers with a trojan. Or worse, they have already been turned by the NSA. So screw this running your own infrastructure in-house. Pull the plug and put everything in The Cloud. Where they promise you security. It's possible that this document was leaked purposefully, to sow some doubts in decision makers' minds with regard to their in-house admins.

    In reality, The Cloud makes things easier to crack. A
