NSA Secrets Stolen; Edward Snowden 2.0?
As the name implies, this is based on my analysis of another NSA contractor stealing secrets, similarly to Edward Snowden. I have no insider information and my analysis hinges on what I have read from various news outlets and my own perspective of the events. While I make every effort to be thorough and hit every aspect, there are times that I inadvertently omit things or skip them due to scope, time, length or applicability. Email any questions you have about this or any other topic to [email protected]
This seems to be a relatively busy week for those of us who follow information security. First we have the Yahoo revelations, then Kim Kardashian (OSINT), and now a second act of Edward Snowden (albeit not believed to be related) via an NSA contractor stealing secrets. The irony is that the contractor, Harold Thomas Martin III, aka HTM3, like Snowden, also worked for Booz Allen Hamilton (BAH). The New York Times was the first to report that Martin was secretly arrested by the FBI in August because “he stole and disclosed highly classified computer codes developed to hack into the networks of foreign governments, according to several senior law enforcement and intelligence officials.” The New York Post reports that he was “charged with theft of government property and unauthorized removal and retention of classified materials by a government employee or contractor.”
My initial thought was “WOW!” How could this happen AGAIN??! The FBI executed a search warrant on his home, storage shed(s), vehicles, and property and found material in print and digital form that was classified “TOP SECRET” or carried a similar classification and/or compartment markings (Document Cloud [Affidavit], 2016).
I would prefer to gather my thoughts around his motive, which hasn’t been publicly stated (or at least not on any platform I have seen). I would treat it differently if he were selling the materials than if he were publicly releasing programs that are classified not out of national security or a threat to human life, but to hide things from the public. Aldrich Ames isn’t the same as Edward Snowden because of intent and context.
I’m surprised that NSA did not detect this in near real time and prevent it themselves. The fact that he walked out with digital media and physical copies of classified material is deplorable. Could he be associated with the Shadow Brokers? Edward Snowden seems to think so.
This is huge. Did the FBI secretly arrest the person behind the reports NSA sat on huge flaws in US products? https://t.co/otgOwB5efm
— Edward Snowden (@Snowden) October 5, 2016
After my initial reaction, my next thought process was immediately the Shadow Brokers leaks. I commented to friends that they are apparently not as 1337 (hacker slang for elite or ‘leet’) as we once thought. I also opined that NSA might not be as sloppy as we thought in the wake of the zero day leaks. During a Twitter exchange, the grugq quite reasonably asked if HTM3 was in TAO, the Tailored Access Operations: NSA’s offensive hacking team.
HTM3 stole intelligence product or raw intercepts. Which is a bit weird, since those compartments shouldn't(?) include TAO operators pic.twitter.com/MtzgYCSErT
— the grugq (@thegrugq) October 5, 2016
While the data does not square up precisely, there is a little cross correlation with the timeline.
— movrcx (@movrcx) October 5, 2016
It may be safe to assume that he may know something about the zero days leaked earlier in 2016. If he’s the source, then Shadow Brokers lose a lot of credibility. I always thought that the notion of NSA leaving the exploits on a server on the public internet (compromised or not) seemed amateur, especially for them. Perhaps HTM3 was using them for personal gain and he was sloppy. Again, we can almost be certain that we’ll never know.
Conclusion and preventative measures
In conclusion, I am not sure this could have been truly prevented. I think there are measures like Data Loss Prevention (DLP) and other mitigating factors such as disabling USB devices wholly (with an exception for keyboards and mice, which can still be circumvented via a USB Rubber Ducky, a keystroke-injection device that presents itself to the host as a keyboard) that could have been employed. While I am not sure User Behavior Analytics as we know it now is mature enough to detect this, I would also think that NSA is one of a handful of organizations that would be on the cutting edge of detecting anomalous behavior, especially in the wake of Edward Snowden’s leaks. They have the talent, the processing power, and the necessity to have advanced insider threat detection.
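As an added example (not the author's or any agency's tooling), here is the "block removable storage, allow keyboards and mice" policy above applied to constructed Windows Security Event 6416 ("A new external device was recognized by the system") records in Python; the event field layout, the sample records and the user and vendor IDs are assumptions for illustration. It also flags the keyboard exception when a user's second keyboard-class device appears, since that is the shape a keystroke-injection device takes on the host.

```python
"""Added example: evaluate constructed Windows Event 6416 device-arrival records
against a removable-media policy. Sample records and field layout are assumed."""
import re
from collections import defaultdict

KEYBOARD_CLASSES = {"Keyboard", "HIDClass"}      # how a keystroke injector enumerates
ALLOWED_CLASSES = KEYBOARD_CLASSES | {"Mouse"}   # the keyboard-and-mouse exception
BLOCKED_CLASSES = {"DiskDrive", "WPD", "CDROM"}  # removable storage classes

SAMPLE_EVENTS = r"""
2016-10-05T08:12:03 EventID=6416 User=LAB\alice DeviceID=USB\VID_046D&PID_C31C\6&1 ClassName=Keyboard
2016-10-05T08:12:04 EventID=6416 User=LAB\alice DeviceID=USB\VID_046D&PID_C077\6&2 ClassName=Mouse
2016-10-05T09:40:11 EventID=6416 User=LAB\bob DeviceID=USBSTOR\Disk&Ven_Generic&Prod_Flash\07 ClassName=DiskDrive
2016-10-05T09:40:12 EventID=6416 User=LAB\bob DeviceID=SWD\WPDBUSENUM\_??_USBSTOR#Disk ClassName=WPD
2016-10-05T11:02:55 EventID=4624 User=LAB\alice LogonType=2
2016-10-05T13:15:42 EventID=6416 User=LAB\alice DeviceID=USB\VID_F000&PID_0001\7&3 ClassName=HIDClass
2016-10-05T14:30:09 EventID=6416 User=LAB\dave DeviceID=USB\VID_0B95&PID_1790\5&4 ClassName=Net
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) EventID=6416 User=(?P<user>\S+) "
                      r"DeviceID=(?P<dev>\S+) ClassName=(?P<cls>\S+)$")

def classify(class_name, keyboards_seen):
    """Verdict for one device class, given the user's prior keyboard-class count."""
    if class_name in BLOCKED_CLASSES:
        return "deny"
    if class_name in KEYBOARD_CLASSES and keyboards_seen > 0:
        return "allow-alert"   # allowed by the exception, but a second keyboard is odd
    if class_name in ALLOWED_CLASSES:
        return "allow"
    return "review"            # unknown class: an analyst decides, not the default

def evaluate(log_text):
    """Return (user, device_id, verdict) for every 6416 record in log_text."""
    keyboards = defaultdict(int)
    results = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue           # other event IDs are not device arrivals
        verdict = classify(m["cls"], keyboards[m["user"]])
        if m["cls"] in KEYBOARD_CLASSES:
            keyboards[m["user"]] += 1
        results.append((m["user"], m["dev"], verdict))
    return results

def denied_users(log_text):
    """Users who attached a blocked device: the signal a DLP or UBA pipeline consumes."""
    return sorted({u for u, _, v in evaluate(log_text) if v == "deny"})
```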
No level of scrutiny or additional polygraphs will prevent incidents like this from happening. They will deter them in the interim, but the deterrence will wear off as it has since 2013. It appears as if there is more than meets the eye in this. What was he doing with the classified materials? Was he going to leak them or sell them? And finally, is he affiliated with the Shadow Brokers? This will all pan out in the coming weeks and months.
Announcements and Resources
SANS Mentor Session
Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling
Joe will be leading a SANS Mentor session for Security 504: Hacker Tools, Techniques, Exploits, and Incident Handling, which is the class that corresponds to the GIAC Certified Incident Handler (GCIH) certification. The dates are October 27 - December 15 from 6-9 PM (Eastern Time). Location is TBD. If your organization wants to host the training, email Joe and you can receive a discount. Sign up before September 29 to get a discount and a free attempt at the GCIH. https://www.sans.org/mentor/class/sec504-atlanta-27oct2016-joe-gray