Future Tense

It’s Easier to Steal State Secrets if You Take Your Co-Worker’s High-Access Password

Some of the information Edward Snowden aquired came from classified documents he accessed using stolen login credentials from a co-worker.

Photo by AFPTV/AFP/Getty Images

We’ve all been there. Your security clearance isn’t high enough to get all the information you want to steal for your high-profile whistle-blowing campaign. What to do? Trick a co-worker with higher clearance into typing his or her credentials on your computer. Then you capture the keystrokes and exploit that password until you have everything you want. Petty office politcs, amirite?

This is apparently how Edward Snowden filled in some of the gaps during his data dump days at the NSA. A memo filed earlier this week by Ethan Bauman, the NSA’s director of legislative affairs, shows that a civilian employee Snowden duped has resigned following the revocation of his or her security clearance. The memo, an unclassified document “for official use only” that was obtained by NBC, says, “Unbeknownst to the civilian, Mr. Snowden was able to capture the password, allowing him even greater access to classified information.” Similar evidence emerged in Novemeber that Snowden had tricked 20-25 employees into giving him their passwords. The NSA questioned a number of them, and they lost their assignments.

This most recent memo describes the employee typing his or her “public key infrastructure” certificate into Snowden’s computer, thus giving Snowden access to a broader swath of the NSA’s internal network. And though the employee didn’t know  Snowden’s intent, he or she  “failed to comply with security obligations,” according to the memo.

An active duty military member and a contractor have apparently also been “implicated” and have lost their security clearances. So far the NSA’s action plan for responding to the security breach hasn’t been clear, but this memo is one of the first major, public signs of movement on that front. The takeaway here for NSA employees and just everyone is don’t give your passwords out. Just don’t. Come on, people.