Prism whistle-blower Edward Snowden persuaded other National Security Agency (NSA) colleagues to give him their login details and passwords, which he used to gain access to classified information that he later leaked to the media.
The news highlights how “human engineering” is often used to compromise systems, rather than raw hacking.
The report by Reuters, which cites unnamed sources, raises particular questions about security measures at the NSA, given that employees at the security service handed their login credentials to Snowden, who was a contractor rather than on the books at the organisation.
It’s thought that Snowden managed to persuade up to 25 of his colleagues at the NSA regional operations centre in Hawaii to give him access to documents that he subsequently shared in the biggest data leak in US history. Snowden told NSA staff that he required their usernames and passwords for systems administration.
Some of the employees who gave their login details to Snowden have been identified by the agency, questioned and removed from the assignments they were working on.
According to one expert, contractors might regularly be able to access such details as they are deemed to be trusted personnel.
“In the classified world, there is a sharp distinction between insiders and outsiders.
If you’ve been cleared and, especially if you’ve been polygraphed, you’re an insider and you are presumed to be trustworthy,” Steven Aftergood, a secrecy expert with the Federation of American Scientists, told Reuters.
“What agencies are having a hard time grappling with is the insider threat, the idea that the guy in the next cubicle may not be reliable,” he added.
Edward Snowden exposed US and UK government spying on internet traffic and phone calls earlier this year, with the organisations reportedly not just collecting data about who is contacting who, but also what they’re saying.
As more details have emerged, it’s been revealed that a wide variety of organisations have been compromised by the NSA, with Apple, Android and BlackBerry all victims of government snooping.
World leaders including the Mexican President and German Chancellor Angela Merkel have also seen their communications tapped by the US authorities.
Social engineering – the art of persuading “insiders” to part with confidential information that can be used in an attack – was popularised by 1990s hacker Kevin Mitnick.
He wrote about such activities in the book “The Art of Deception” and now consults on how organisations can combat the threat.