Would you like an eat to bite?
At the time of writing I'm not sure if Edward Snowden is still sitting in a Moscow transfer lounge or settling in to his 'luxury apartment' in a barrio in Venezuela.
Regardless of where he is, I've become relatively blasé when it comes to hearing about yet another security breach, or of stories that Big Brother is watching us. It's almost like a traffic policeman going to the press and saying that speeding fines are a money-making racket; as if the average person in the street is going to be surprised.
Of course the rather predictable shock and protests from certain EU governments that the US government was eavesdropping is really a case of the pot calling the kettle black. For those old enough to remember last century, the French government admitted to being actively involved in extensive international spying to try and give French companies an advantage in the international market.
So when the French president Francois Hollande said allegations that the US bugged European embassies could threaten a huge planned EU-US trade deal, and that there could be no negotiations without guarantees that spying would stop immediately, he seemed to conveniently forget that the French government has been doing this for years. Maybe he just didn't like the idea of a level playing field.
In fact one of the earliest examples of industrial espionage goes back to the beginning of the 18th century with the French stealing porcelain manufacturing methods from the Chinese. What goes around comes around, as they say. During the early 1990s, France was described as one of the most aggressive perpetrators of industrial espionage, and it seems like the Americans and the French have been having a ding-dong battle for years.
It's not just these two countries that have either been suspected, or even caught red-handed – they're all pretty much at it. In fact the Chinese government must be enjoying this period of relative tranquillity since they're usually blamed for everything.
So spying is not really news, and neither is yet another 'insider' abusing privileged access to steal confidential data from IT systems. According to NSA director Keith Alexander, Snowden reportedly “fabricated digital keys that gave him access to areas way above his clearance as a low-level contractor and systems administrator”.
Now I'm sorry, but anyone stupid enough to decide that an airport was the place to settle down cannot be that clever. Or maybe he thought that having seen the Tom Hanks movie 'The Terminal', he'd have a Catherine Zeta-Jones moment and try the chat-up line “Would you like an eat to bite?” Who knows, but anyone who has the slightest understanding of digital keys will know that you don't simply fabricate them.
By now you would think that every organisation, whether governmental or private sector, would have realised that protecting passwords and keys is an absolute essential. Additionally, technology that monitors the activity of systems administrators has been around for years.
The problem frequently starts with the failure of organisations to know where the accounts are throughout the infrastructure. For example, all of your Windows systems have service accounts, scheduler task accounts, COM+ accounts, IIS6 Metabase accounts, IIS7 accounts, etc. It's not simply the administrator accounts. A typical example of how easy it can be to circumvent policies is what happens when IT support departments are pressed to solve a problem.
Take, for example, a situation where a user is unable to gain administrative access to their systems. The workaround is to call the IT helpdesk, who will have a solution. Very often IT will have set up an account that allows administrator access to every machine and once this is given to the user, unless it is immediately changed, the user has unlimited access.
More disturbing is the question of who the IT admin is. However, the same organisation will most likely have spent a fortune on perimeter security, will block loads of malicious websites and will constantly remind its staff of the dangers of malware.
What this shows is the massive risk that organisations are faced with if they do not control access to privileged accounts. In the case in point, not only should the IT helpdesk have required an audited approval process to gain access to the backdoor password, but once accessed it should have immediately been changed.
Without properly managed and secure control of the credential that gives privileged access, everything underneath becomes vulnerable. As in the example of the NSA, it would appear that badly managed passwords and keys gave Snowden the access he needed to discover SSL keys, SSH keys, symmetric keys and other passwords.
Having good processes for your SSL, SSH and symmetric keys is all well and good, but ultimately flawed if you don't control your privileged accounts.
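To make the account-discovery problem described above concrete, here is an added example (not from the original article or from any vendor's product) that inventories which non-built-in accounts a single Windows machine relies on. It assumes an elevated PowerShell 5.1+ session and covers services, scheduled tasks, IIS application pools and the local Administrators group; COM+ and IIS6 Metabase identities are not covered.

```powershell
# Added example: list every non-built-in account this machine depends on,
# grouped by account, so shared or forgotten privileged accounts stand out.
# Run from an elevated session.

# Built-in identities to ignore (matching is case-insensitive).
$builtin = '^(NT AUTHORITY\\|NT SERVICE\\|BUILTIN\\|LocalSystem$|SYSTEM$|LOCAL SERVICE$|NETWORK SERVICE$)'

$found = @()

# Windows services: StartName is the logon account of the service.
$found += Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Item = $_.Name; Account = $_.StartName }
    }

# Scheduled tasks: Principal.UserId is the run-as account (empty for group principals).
$found += Get-ScheduledTask |
    Where-Object { $_.Principal.UserId } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'ScheduledTask'; Item = $_.TaskPath + $_.TaskName; Account = $_.Principal.UserId }
    }

# IIS 7+ application pools running as a named user (only if IIS tooling is installed).
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    $found += Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'SpecificUser' } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'IISAppPool'; Item = $_.Name; Account = $_.processModel.userName }
        }
}

# Members of the local Administrators group, addressed by well-known SID
# so the query also works on non-English Windows installations.
$found += Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object {
        [pscustomobject]@{ Source = 'LocalAdmin'; Item = 'Administrators'; Account = $_.Name }
    }

# One row per account, with everything that depends on it.
$found |
    Where-Object { $_.Account -notmatch $builtin } |
    Group-Object -Property Account |
    Sort-Object -Property Count -Descending |
    Select-Object Name, Count,
        @{ Name = 'UsedBy'; Expression = { ($_.Group | ForEach-Object { "$($_.Source):$($_.Item)" }) -join '; ' } }
```

An account that turns up in the output of every machine is the kind of shared administrator credential the helpdesk scenario above describes.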
Finally, my advice to Snowden would be to watch another Tom Hanks movie called 'Cast Away' since that may be his safest bet as far as a good location goes, and perhaps President Hollande may want to check the origins of the word espionage.
Calum MacLeod is vice president EMEA at Lieberman Software