Ex-NSA contractor Edward Snowden used user names and passwords that colleagues at a spy base in Hawaii gave him to access some of the classified material he exfiltrated. Around 20-25 agency employees who gave their login details to Snowden were tracked down, questioned and taken off the job, said a source close to several U.S. government investigations into the damage caused by the leaks.
Snowden social-engineered these people by telling them he needed their logins to do his job as a computer systems administrator. It is highly surprising that people -within- the NSA would fall for a basic hacker trick like this.
The fact that Snowden was able to do this shows that the NSA's policies and procedures were totally inadequate, which led to the worst breach of classified data in the super-secret eavesdropping agency's 61-year history. Snowden worked at the Hawaii site last spring, during which time he gained access to and downloaded tens of thousands of secret NSA documents.
It is clear that the employees broke a bunch of basic security rules by giving Snowden their passwords, and that even in highly secure environments employees want to help each other and are eager to please co-workers, which causes security breaches. This is something that can easily be prevented with security awareness training, which must have been sorely lacking at the NSA.
Embarrassing, to say the very least. My partner Kevin Mitnick tweeted: "I guess NSA employees need some training too. LOL!" Here's the new 2014 Kevin Mitnick Security Awareness Training course:
http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/