• United States



Senior Staff Writer

Snowden accused of using hacking’s greatest weapon to access NSA files: wget

Feb 10, 20145 mins
Network Security

Exfiltrated data said to be using previously unknown port 80. Experts remain amused by media hype.

Classify this one as FUD. Over the weekend, the New York Times ran a story highlighting the fact that Snowden used a “low-cost” tool to “scrape” the internal Wikis used by the NSA in order to obtain some 1.7 million classified documents. This new information from the Snowden case came to the Times by way of senior intelligence officials who are investigating the incident.

The tool used by Snowden isn’t named directly, but the Times is reporting that their sources say Snowden “set the parameters for the searches, including which subjects to look for and how deeply to follow links to documents and other data on the [NSA’s] internal networks.”

Using “web crawler” software designed to search, index and back up a website, Mr. Snowden “scraped data out of our systems” while he went about his day job, according to a senior intelligence official. “We do not believe this was an individual sitting at a machine and downloading this much material in sequence,” the official said. The process, he added, was “quite automated.”

Later in the article, there are references to evidence submitted during Chelsea Manning’s trial, where prosecutors noted that she used wget to download batches of diplomatic cables. Similarly, Snowden is said to have used a tool that acted like Googlebot, and when “inserted with Mr. Snowden’s passwords, the web crawler became especially powerful.”

So this is where the FUD and comical nature of this story starts. In essence, the big news here is that Snowden used wget, or something similar, to mirror the NSA’s SharePoint archives. This isn’t mastermind-level hacking, it’s something at any network administrator would know how to do.

There are plenty of tools to mirror a website from inside the network or externally. HTTrack is a popular one for Windows users, but wget itself is available for Windows too, assuming Snowden stuck with Microsoft as his platform of choice.

In addition, Pavuk, a mirroring application for UNIX (as well as Linux and OS X), would also accomplish the same tasks Snowden is said to have performed. If Snowden used shell, and stuck to wget itself, then all he’d need to issue is a single command:

$ wget –mk http://www.domain.tld/

In fact, while mirroring the domain entirely, this command is likely to raise several internal alarms. As written, the command has no wait when it comes to request speeds, so pages are being accessed and mirrored as fast as the application can touch them. Adding a delay switch (e.g., -w 30) would help throttle the requests, if such a thing is needed.

The Times’ story notes that red flags were raised during Snowden’s mirroring mission, and internal investigators interviewed him about his usage on the network and access to massive volumes of sensitive data.

“In at least one instance when he was questioned, Mr. Snowden provided what were later described to investigators as legitimate-sounding explanations for his activities: As a systems administrator he was responsible for conducting routine network maintenance. That could include backing up the computer systems and moving information to local servers, investigators were told.”

So the NSA knew that Snowden was accessing – in the words of Rick Ledgett (NSA Deputy Director) – “the keys to the kingdom.” But because Snowden was an insider, not to mention a network administrator with legitimate access to the commands and portals he was mirroring, his explanation for the access and archiving was accepted at face value.

At the time the investigators were duped, the NSA had the same problem many organizations have; they were more worried about defending the network from threats that came from the outside, and didn’t seriously consider the potential for threats from within.

Granted, that stance was mirrored by other government agencies, and changed after Chelsea Manning took the diplomatic cables. But again, the NSA was slow to upgrade their defenses, so Snowden was operating on a network that wasn’t yet hardened with the new security measures.

Still, the fact that the senior intelligence officials went to the press with their findings did amuse Snowden. Through his lawyer at the ACLU, Snowden gave the Times a statement:

“It’s ironic that officials are giving classified information to journalists in an effort to discredit me for giving classified information to journalists. The difference is that I did so to inform the public about the government’s actions, and they’re doing so to misinform the public about mine.”

I’m not sure why this story gained so much attention over the weekend. It isn’t news really, at best it is speculation and misinformed hype. The way wget is portrayed makes the application come off as some sort of super secret hacking weapon, which is completely off the mark.

For the record, Snowden still hasn’t explained the process he used to access the documents, and he didn’t confirm the FUD-based findings as reported by the Times.

IMAGE: (c) 2007 Miramax Films