NSA Employees Routinely Undermined 'Non-Attributable' Web Access With Personal Web Use

from the ONE-OF-US dept

Another large batch of Snowden docs have been released by The Intercept. The new documents are part of the site's "SID (Signals Intelligence Directorate) Today" collection, a sort of interoffice newsletter featuring discussions of intelligence-gathering efforts the agency has engaged in, as well as more mundane office business.

The one discussed in this Intercept post details some careless opsec by Intelligence Community (IC) employees. Like anyone in any office anywhere, IC employees use their office computers to send personal email, shop online, and fritter away the downtime with some web surfing.

That's where they're running into problems. This SID Today document [PDF] deals with the IC's personal use of company computers -- namely, the "attribution" problem that develops when outside websites are accessed using IP addresses that can be traced back to the NSA and other IC components.

The IC uses a system called AIRGAP to provide internet access for IC employees while supposedly still preventing outsiders from tracing IP addresses back to sensitive locations. Set up in 1998 by "one of the world's largest internet providers," the system was supposed to provide non-attributable access to the outside internet world.

Unfortunately, as is detailed by the SID Today doc, the execution of AIRGAP was lacking.

One early concern about the firewall was that it funneled all internet traffic through a single IP address, meaning that if any activity on the address was revealed to be associated with U.S. spies, a broad swath of other activity could then be attributed to other U.S. spies. More IP addresses were subsequently added, but “occasionally we find that the ISP reverts to one address, or does not effectively rotate those assigned,” Speight wrote.

Speight added that the “greater security concern” was the very intelligence agents the system was designed to protect. “Despite rules and warnings to the contrary, all too frequently users will use AIRGAP for registering on web sites or for services, logging into other sites and services and even ordering personal items from on-line vendors,” Speight wrote in a classified passage. “By doing so, these users reveal information about themselves and, potentially, other users on the network. So much for ‘non-attribution.'”

It's the sort of simple carelessness that's almost unavoidable in large organizations. The NSA's effort to distance itself from its employees' internet use was thwarted by the ISP's funnel and IC employee sloppiness. As The Intercept points out, this mirrors some of the brainlessness exhibited by Russian hackers, who used a system designed to obscure their origin, but constantly undermined that protection by using the same system to log in to personal social media accounts.

The difference between the two is AIRGAP was just there to open a portal out of the IC's closed system. The Russian's system was designed to obscure the source of attacks. But the personal use of the IC's firewall/AIRGAP is still a violation of internal policy, as the document points out.

Rather than work towards preventing the unpreventable (personal web use), the IC set up another system -- OUTPARKS -- which provided more than 200 random IP addresses, all of which would be registered to an ISP, rather than the IC itself. Confusingly, the new system -- put in place in 2005 -- is also referred to as AIRGAP, primarily because IC employees are creatures of habit and referred to OUTPARKS as AIRGAP despite it being an entirely new, NSA-owned operation.

Ultimately, the document shows NSA employees are just like the rest of us: periodically bored and prone to using work computers for personal reasons.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 20 Sep 2017 @ 12:19pm

    >Like anyone in any office anywhere, IC employees use their office computers to send personal email, shop online, and fritter away the downtime with some web surfing.

    Nope. Not me. :-p

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 20 Sep 2017 @ 1:35pm

    entertaining..

    AS IF..
    a smart person would do this type of thing..
    And not route data thru a portal suggesting it WAS the other IP..
    Love Caller ID, thinking that YOU have the info on WHO is on the other end of the phone..

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Sep 2017 @ 2:36pm

    And no one employed with the NSA has ever downloaded a Britney Spears song or have they?

    reply to this | link to this | view in chronology ]

  • identicon
    Mike W., 20 Sep 2017 @ 3:27pm

    non-attributable

    I worked for a company which gave us email and internet access but told us not to use it for non-company business. I must have been the only person who strictly followed policy. For 20 years I did not access any web sites or send any non-company business emails but I saw everyone around me goofing off.

    If I owned the company or was in charge of a TLA, I would tell every employee that if I found even one exception to the rule, they would lose their job, all company contributions to their retirement, and be prosecuted.

    Another company I worked for redirected all web requests to the corporate policy page and asked you to get the URL approved by your supervisor.

    reply to this | link to this | view in chronology ]

    • identicon
      Cowardly Lion, 21 Sep 2017 @ 9:42am

      Re: non-attributable

      I'm sorry, but you sound like a Luddite. The Internet is one of mankind's greatest inventions, and of enormous benefit to individuals, employees and employers alike.

      Frankly I'd rather sandpaper my nipples off than work for any company or TLA you owned.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Sep 2017 @ 3:45pm

    Most people at three letter acronym agencies would be immediately fired with cause for violating the security policies. Maybe these people are low level types with minimal clearance?

    reply to this | link to this | view in chronology ]

    • identicon
      Cowardly Lion, 21 Sep 2017 @ 9:28am

      Not necessarily...

      I can't speak for the NSA, but similar organisations segregate their networks by function. For example; production, development, restricted, public, and so on. Certainly the NSA will have an over-arching security policy for it's employees, but their networks will be enforcing their own local policies applicable to their function.

      The general principle is the more secure the data, the more stringent the policies and access controls. You might for example allow USB access and screenshots on internet facing machines, but on secure networks you'd want controls in place.

      reply to this | link to this | view in chronology ]

  • icon
    Ehud Gavron (profile), 20 Sep 2017 @ 4:13pm

    IC "security" is ... stupid... or incompetent?

    Real hackers don't route their traffic through "20 IP addresses" or even 200 or even 2000. They use an anonymizing system such as TOR.

    A hacker as "shortsighted" so as to use a pool of 200 addresses from which to launch attacks would be laughed out of any room at DEFCON. How even worse that our vaunted intelligence services are stupider than that.

    There's some comparison in the article (twice) to Russian Hackers obfuscating their IP addresses. The point is missed that Russian hackers DID obfuscate their IP addresses. The US IC people were stupid. Or incompetent.

    E

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 20 Sep 2017 @ 6:02pm

      Re: IC "security" is ... stupid... or incompetent?

      See also "Who uses Tor?":

      Law enforcement officers use Tor

      Online surveillance: Tor allows officials to surf questionable web sites and services without leaving tell-tale tracks. If the system administrator of an illegal gambling site, for example, were to see multiple connections from government or law enforcement IP addresses in usage logs, investigations may be hampered.

      ...

      Militaries use Tor

      Field agents: It is not difficult for insurgents to monitor Internet traffic and discover all the hotels and other locations from which people are connecting to known military servers. Military field agents deployed away from home use Tor to mask the sites they are visiting, protecting military interests and operations, as well as protecting themselves from physical harm.

      It's important that "normal" people use it too. If everyone on Tor is a government agent, server/network operators who see Tor traffic might not care which agency it is.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 21 Sep 2017 @ 5:42am

      Re: IC "security" is ... stupid... or incompetent?

      The point isn't to be secure in the conventional sense. These are information requests sent to and from the open, public Internet. They're insecure by nature.

      The original AIRGAP is a system that acknowledges that any TLA-owned IP address will eventually be identified, and seeks to obscure, rather than secure, by routing all information through it.

      A query goes out that interacts with a location in Russia. If that can be associated with a "contacting friends" address, then the activity was to contact a US spy in Russia. If it can be associated with an "observing our enemies" address then that information is similarly revealed.

      Funnel everything through a single contact point though and you lose all context for the interest. You can't see whether the TLA was contacting a friend or foe.

      OUTPARKS takes that data decontextualisation and spreads it out over a wider range of addresses that are then more difficult to discover.

      You might see my message out through IP address A on Monday and infer one thing but on Tuesday I'm communicating through IP address B, which you don't know about and therefore miss.

      It's a good, sensible system.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Sep 2017 @ 6:59am

      Re: IC "security" is ... stupid... or incompetent?

      This setup isn't even for hacking. It's for far more mundane things, like setting up a .ru email address, or connecting to the websites of state-owned agencies (Gazprom, for example). Law enforcement agencies often have these as well.

      In the DarkMarket case, Master Splynter, the undercover FBI agent who ended up as an admin on a server for carders, almost got exposed when the IP address he used was traced back to a law enforcement agency. He managed to recover his credibility, but almost lost the entire case for that. He was not hacking, he was just undercover as a hacker.

      https://en.wikipedia.org/wiki/DarkMarket provides some basic info, but doesn't specifically mention that incident.

      reply to this | link to this | view in chronology ]

  • icon
    stderric (profile), 20 Sep 2017 @ 5:58pm

    Just more evidence that it's perfectly safe to forgo robust oversight and let these trustworthy, button-down 'SIGINT Hacker Geniuses' dig through the the minute details of our personal lives in order to protect our freedoms from the threat of terrorism.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 21 Sep 2017 @ 6:05am

    and these people vote?

    Who's watching the guards?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.