Less than an hour after news site The Intercept published a report on Monday detailing Russian hacking related to the 2016 U.S. presidential election, the U.S. Justice Department said federal investigators had arrested someone suspected of leaking classified information to the media. Subsequent reports linked the two incidents.
The suspect in question, Reality Leigh Winner, a 25-year-old federal contractor based in Atlanta with the defense firm Pluribus International, had been found due to a series of security flubs, according to the FBI. An affidavit filed in support of Winner’s arrest as well as the case against her laid out some of these alleged blunders, and security experts pointed out others.
Follow the yellow dots
The most talked about gaffe came to light thanks to the scrutiny of outside experts, rather than in the FBI write-up. This clue pointing to the leaker’s identity involves tiny yellow printer dots. This refers to a watermarking system used to fingerprint printed documents with a pattern of barely visible specks of ink. Dot-tagging comes as a default setting on most color laser printers.
Because The Intercept published scanned images of the top secret National Security Agency document, rather than posting a transcription, anyone can decode the dots with help from a tool provided by the Electronic Frontier Foundation.
Good Lord, my eyes now hurt after recreating the DocuColor pattern on @EFF. Got the same results. pic.twitter.com/5orzqKG9DX
— Ming Chow @0xmchow@infosec.exchange (@0xmchow) June 6, 2017
As Robert Graham, founder and CEO of the security firm Errata Security, demonstrated in a blog post, someone appears to have printed the document on a printer with the model number 54 and the serial number 29535218 at a certain time on May 9, 2017. “The NSA almost certainly has a record of who used the printer at that time,” as Graham noted, assuming it was printed at an NSA facility, or on the site of one of its contractors.
The FBI’s court filing further alleges that The Intercept, unnamed in the affidavit, provided the government agency, presumably the NSA, with a copy of the leaked document to verify its authenticity prior to publication. This allowed the organization to detect creases in the pages, “suggesting they had been printed and hand-carried out of a secure space,” and hinting that the source was an insider.
While the FBI affidavit does not cite the yellow dots, it does mention the presence of page folds.
Security experts have criticized The Intercept for failing to retype a copy of the leaked document, one stripped of ink-encoded identifiers and timestamps, before approaching the NSA and before taking the report public. Barton Gellman, a journalist who won a Pulitzer Prize for his role reporting on the leaks by former NSA contractor Edward Snowden in 2013, called The Intercept’s error a “catastrophic failure of source protection” in a post on Twitter.
Even so, everyone agrees the alleged source’s cover was likely already blown without these tip-offs.
Digital tracks
A far bigger giveaway than the dots involved the digital traces that the suspected leaker left on work computers.
After learning about the media outlet possessing the document, the affected government agency undertook an “internal audit” to see who had access to that intelligence report, according to the FBI affidavit. Only six people had physically printed the report, one of whom was Winner, the FBI reported.
A review of Winner’s email contacts then revealed that she had been in touch with the news outlet, according to the affidavit. This finding gave the government the confidence it needed to pursue Winner and charge her with the leak.
It’s common for employers, especially ones involved in national security and defense, to keep records of the electronic transactions of their workers. Anyone seeking to extract information from an internal network and to leak it should know about this risk.
“Probable Intercept leaker of TS document emailed the Intercept from work!?!?!” Nicholas Weaver, a security researcher at the University of California, Berkeley, said on Twitter, using the acronym for “top secret.” “Talk about making investigation easy,” he said.
When questioned by investigators at her home, Winner allegedly said she had indeed taken, stored, and mailed the classified intelligence to the media. She is now being held in Georgia while awaiting a hearing.
“Winner faces allegations that have not been proven. The same is true of the FBI’s claims about how it came to arrest Winner,” The Intercept said in a statement on its website. “[B]ecause of the continued investigation, we will make no further comment on it at this time.”
Even though the The Intercept appears to be partly to blame for mishandling the leak, Winner, if guilty, was likely already done in by computer forensics.
