NSA Employees Routinely Undermined 'Non-Attributable' Web Access With Personal Web Use

from the ONE-OF-US dept

Another large batch of Snowden docs have been released by The Intercept. The new documents are part of the site's "SID (Signals Intelligence Directorate) Today" collection, a sort of interoffice newsletter featuring discussions of intelligence-gathering efforts the agency has engaged in, as well as more mundane office business.

The one discussed in this Intercept post details some careless opsec by Intelligence Community (IC) employees. Like anyone in any office anywhere, IC employees use their office computers to send personal email, shop online, and fritter away the downtime with some web surfing.

That's where they're running into problems. This SID Today document [PDF] deals with the IC's personal use of company computers -- namely, the "attribution" problem that develops when outside websites are accessed using IP addresses that can be traced back to the NSA and other IC components.

The IC uses a system called AIRGAP to provide internet access for IC employees while supposedly still preventing outsiders from tracing IP addresses back to sensitive locations. Set up in 1998 by "one of the world's largest internet providers," the system was supposed to provide non-attributable access to the outside internet world.

Unfortunately, as is detailed by the SID Today doc, the execution of AIRGAP was lacking.

One early concern about the firewall was that it funneled all internet traffic through a single IP address, meaning that if any activity on the address was revealed to be associated with U.S. spies, a broad swath of other activity could then be attributed to other U.S. spies. More IP addresses were subsequently added, but “occasionally we find that the ISP reverts to one address, or does not effectively rotate those assigned,” Speight wrote.

Speight added that the “greater security concern” was the very intelligence agents the system was designed to protect. “Despite rules and warnings to the contrary, all too frequently users will use AIRGAP for registering on web sites or for services, logging into other sites and services and even ordering personal items from on-line vendors,” Speight wrote in a classified passage. “By doing so, these users reveal information about themselves and, potentially, other users on the network. So much for ‘non-attribution.'”

It's the sort of simple carelessness that's almost unavoidable in large organizations. The NSA's effort to distance itself from its employees' internet use was thwarted by the ISP's funnel and IC employee sloppiness. As The Intercept points out, this mirrors some of the brainlessness exhibited by Russian hackers, who used a system designed to obscure their origin, but constantly undermined that protection by using the same system to log in to personal social media accounts.

The difference between the two is AIRGAP was just there to open a portal out of the IC's closed system. The Russian's system was designed to obscure the source of attacks. But the personal use of the IC's firewall/AIRGAP is still a violation of internal policy, as the document points out.

Rather than work towards preventing the unpreventable (personal web use), the IC set up another system -- OUTPARKS -- which provided more than 200 random IP addresses, all of which would be registered to an ISP, rather than the IC itself. Confusingly, the new system -- put in place in 2005 -- is also referred to as AIRGAP, primarily because IC employees are creatures of habit and referred to OUTPARKS as AIRGAP despite it being an entirely new, NSA-owned operation.

Ultimately, the document shows NSA employees are just like the rest of us: periodically bored and prone to using work computers for personal reasons.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: covering tracks, mistakes, nsa, security

Reader Comments

Subscribe: RSS

View by: Time | Thread

  1. identicon
    Cowardly Lion, 21 Sep 2017 @ 9:28am

    Not necessarily...

    I can't speak for the NSA, but similar organisations segregate their networks by function. For example; production, development, restricted, public, and so on. Certainly the NSA will have an over-arching security policy for it's employees, but their networks will be enforcing their own local policies applicable to their function.

    The general principle is the more secure the data, the more stringent the policies and access controls. You might for example allow USB access and screenshots on internet facing machines, but on secure networks you'd want controls in place.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here

Subscribe to the Techdirt Daily newsletter

Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it

Email This

This feature is only available to registered users. Register or sign in to use it.