Recent NSA Leak Arrest: A Few Observations and a Lesson

Reality Leigh Winner, a recently separated Air Force linguist and a new hire by Pluribus International Corporation as a support contractor with a Top Secret clearance, allegedly searched for and printed out a Top Secret government report, folded it up, and dropped it in the mail to an online news outlet. Yesterday, the U.S. Attorney’s office revealed her arrest in an unsealed indictment. The arrest warrant and independent reporting indicate that the classified material was almost certainly a report published by the Intercept just two hours before the indictment became public.

Winter apparently searched for this report within classified systems on May 9th and at some later point mailed the document to The Intercept. The Intercept attempted to verify the authenticity of the document (marked TS//SI//OC//REL USA,FVEY) through both official and unofficial channels. Upon being contacted for confirmation, both official and unofficial channels reported the apparent breach and the FBI became involved on June 1st. When the FBI interviewed Winner on June 3rd, she confessed to being responsible for disclosing the material and was subsequently arrested. Below are a few brief thoughts, both on the arrest and the leaked document itself.

This isn’t the beginning of a “war on leaks.”

The FBI received information regarding a stolen classified document. The document was clearly printed, folded, and physically mailed. Internal records showed only six individuals had printed the document, Winner was the only person who printed the document and also had email communication with the receiving news outlet. The document was mailed from the town where Winner lives. Winner herself confessed her involvement. No reasonable agency would decline to investigate the breach and no reasonable prosecutor would decline to seek charges on the basis of such clear-cut criminality.

Insider controls (sort of) worked.

Insider threat controls clearly didn’t prevent the breach from occurring, but they do seem to have worked after the fact. It is not clear why a linguist specializing in Pashto, Farsi, and Dari would need to access a report on Russian hacking. But the FBI was easily able to identify the possible source of the leak.

The Intercept messed up, but only somewhat.

There has been considerable commentary on whether the Intercept burned its own source. It is clear that inquiries to verify the documents authenticity triggered the leak investigation that lead to Winner. The Intercept journalists conduct may have shifted the arrest a few days earlier, but it was probably inevitable. Between the identifying microdots in the document itself, the presumably limited distribution and printing records would have lead to Winner once the report was published.

For those who cheer the protection of these kinds of sources, the bigger problem, as highlighted by Matthew Garrett, is the incompleteness of The Intercept’s instructions to potential sources. This source did almost everything right on the guide: the only correspondence known with The Intercept was innocuous, unrelated, and significantly older, from a private account that just happened to be accessible from her work computer. The source used U.S. mail, dropped in a mailbox, with no return address. But the instructions never mention that modern computers, especially those involving sensitive matters, are often configured to log access. Or that color printers place a hidden serial number on everything they print. Or that even the city of origin might convey significant information. Media outlets that are representing themselves as secure to would-be leakers, do so without communicating the necessary understanding the risk.

The Intercept’s response plays poorly.

It took 20 hours for The Intercept to respond to Winner’s arrest with a rather formal and legalistic statement. The middle paragraph seems intended to be simultaneously honest and deceptive:

While the FBI’s allegations against Winner have been made public through the release of an affidavit and search warrant, which were unsealed at the government’s request, it is important to keep in mind that these documents contain unproven assertions and speculation designed to serve the government’s agenda and as such warrant skepticism. Winner faces allegations that have not been proven. The same is true of the FBI’s claims about how it came to arrest Winner.

In the response they note that the government requested the unsealing, apparently to imply this is not standard procedure. In noting these are still mere allegations, The Intercept also seems to imply there is some reason to doubt the FBI’s version of how they discovered Winner’s identity.

The value of the story is minimal—certainly not worth the cost to the source.

Despite it’s length, The Intercept’s story conveys essentially no new substantive knowledge. We already knew that the Russians were targeting voting systems in multiple states using a variety of methods. The only thing The Intercept’s reporting adds, beyond the publication finally acknowledging the severity of Russian hacking, is a somewhat more detailed analysis of a single incident, which does demonstrate that the Russians simply ignored Obama’s diplomatic missives to “cut it out.”

The actual attack depicted in the document was not a particularly enthusiastic campaign. The Russians appeared to phish a voting support system vendor and used this information to then phish various county voting offices with malicious (presumably macro-enhanced) Word documents. Nothing about zero days or other ninja-level hacking, just the boring persistent stuff used by any halfway competent Annoyingly Petulant Teenager. It also doesn’t include whether this was intended to tamper with voter rolls (to feed into a “stolen election” narrative if Trump lost) or simply preparing the ground for subsequent elections.

Lesson: Buy yourself a U2F security key and use it.

It is well understood in the security community that most two-factor authentication systems, including SMS or authenticator applications, do not actually protect against phishing. In order to defeat those systems, the phisher need only have their system immediately attempt to log in using the phished credentials and then, if faced with a two-factor request, present that request to the victim as well. The only commonly-available safeguard against this is Universal Two Factor (U2F) security keys.

With U2F, the security key itself generates a unique key for each web site and, since it communicates with the browser, it knows that the phishing site is not the real thing and thus will not authenticate. If just ten Lawfare readers buy and set-up a U2F security key, my time in writing this will be well spent.