It's been an interesting day, with the newswires running hot with updates on the infamous Edward Snowden, who (allegedly, in keeping with innocent until proven guilty) stole data from the NSA and then decided to announce key parts of it publicly.
Whilst not daring to enter into any discussion as to whether Mr Snowden's action was warranted or not, what is of concern is the manner in which a contractor gained access to what was undoubtedly sensitive, very highly classified national security information.
Just the Facts, Ma'am
The key phrase used in this video is "This leaker was a System Administrator and ran the SharePoint account at NSA Hawaii, so his responsibility was to move data..."
So why was a System Administrator needed at all? If you scan the video forward to 45:15, you will also hear "This leaker was a System Administrator who was trusted with moving information to actually make sure the right information was on the SharePoint Servers that NSA Hawaii needed."
You mean manual intervention by a Sys Admin is needed?
You mean that a single userid and password are all that are needed?
Where are the inbuilt checks and balances Microsoft?
Where is the inbuilt ability to enforce a two-userid, two-password (or even more) security policy for access?
Who watched the watchers of SharePoint? Apparently no one. All you need is System Admin privileges and you're free to go your own way.
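The two-userid, two-password control asked for above is a two-person rule. The following added example (not from this post, and not SharePoint code) sketches how such a gate can work: a privileged data move is allowed only when two distinct administrators, neither of them the requester, have each signed off on that exact request, and every decision is written to an audit log. The administrator names and keys are constructed placeholders.

```python
"""Dual-control gate for a privileged data move (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Per-administrator approval secrets. Constructed values; a real deployment
# would bind these to smart cards or an HSM rather than a dictionary.
ADMIN_KEYS = {
    "admin_alice": b"alice-secret-placeholder",
    "admin_bob": b"bob-secret-placeholder",
    "admin_carol": b"carol-secret-placeholder",
}


@dataclass
class MoveRequest:
    request_id: str
    requester: str          # the admin who wants to move the data
    source: str
    destination: str
    approvals: dict = field(default_factory=dict)  # approver -> MAC


def _approval_mac(key: bytes, req: MoveRequest, approver: str) -> str:
    # Bind the approval to every field of the request so it cannot be
    # replayed against a different move.
    msg = "|".join([req.request_id, req.requester, req.source,
                    req.destination, approver]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def approve(req: MoveRequest, approver: str) -> None:
    """An administrator signs off on a specific request with their own key."""
    req.approvals[approver] = _approval_mac(ADMIN_KEYS[approver], req, approver)


def authorize_move(req: MoveRequest, audit_log: list, min_approvers: int = 2) -> bool:
    """Allow the move only with min_approvers distinct, valid, non-self approvals."""
    valid = set()
    for approver, mac in req.approvals.items():
        if approver == req.requester or approver not in ADMIN_KEYS:
            continue  # nobody approves their own move; unknown approvers don't count
        expected = _approval_mac(ADMIN_KEYS[approver], req, approver)
        if hmac.compare_digest(mac, expected):
            valid.add(approver)
    decision = "ALLOW" if len(valid) >= min_approvers else "DENY"
    # Every decision, allowed or denied, is recorded with who approved it.
    audit_log.append(f"{decision} {req.request_id} by={req.requester} "
                     f"approvers={sorted(valid)}")
    return decision == "ALLOW"
```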
Personally, I think moving off SharePoint would be a good start for the NSA to close these gaping holes, more so since research into attacking SharePoint is due to be presented at this year's DEF CON conference.
Sorry Microsoft, it's not just your slip showing; it looks like it's your whole rear end.