The blog of Xeno, a slightly mad scientist
… News about the NSA and FBI’s surveillance programs doesn’t just have privacy advocates wringing their hands in consternation; IT security analysts have raised the critical question as to how a 29-year-old government contractor was able to surreptitiously abscond with sensitive classified documents, share them with two media outlets, and escape the country unmolested.
It turns out Edward Snowden didn’t need to employ any clever hacking tricks to carry out the data heist. He didn’t have to lower himself into a secured server room via the air ducts, deftly avoiding infrared beams, to snag a disc containing the files. He simply plugged in a USB thumb drive, snagged the files off a server, and smuggled the device out of the NSA office in Hawaii, an unnamed investigator told the Los Angeles Times.
This bit of trivia should concern any IT admin worth his or her salt, because USBs have long been the bane of security professionals: They provide a perfect mechanism for malicious insiders to make off with sensitive data, and they are a tool for infecting target networks with all manner of nasty malware. (Any USB device poses a potential security threat, even an innocent-looking mouse.)
Ironically, the NSA is aware of the threat to the point that it has instituted a ban on thumb drives. The problem: “There are always exceptions” to the ban, a former NSA official told the Los Angeles Times. “There are people [particularly network admins] who need to use a thumb drive, and they have special permission. But when you use one, people always look at you funny.”
Remember, we’re talking about the NSA here, an agency charged with protecting sensitive information — more so than many of us realized. Yet not only did the NSA enable a third-party contractor to access and copy classified files to his own personal, portable storage device, but his actions didn’t trigger any automated alerts….
As I was saying, they collect credit card numbers and transactions, so how do I know that my number wasn’t leaked to organized crime for a price by an underpaid NSA member? Sure, fraud detection catches it and I don’t have to pay for the items, but I do have to pay with my time and it’s a pain in the ass. The police never tell me how criminals get my number in the first place. I still have my card and my bank wasn’t hacked. Most places I use my card, it goes into an electronic system and the cashiers can’t even see the number after the transaction. Am I wrong about that part?