NASA Systems Are Still Too Vulnerable to Attack

Thursday, March 31, 2011

Dan Dieterle

B64e021126c832bb29ec9fa988155eaf

Serious security gaps were found in NASA computers during a recent security audit. According to MSNBC:

“Six computer servers associated with IT [information technology] assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable,” the audit report released Monday by Inspector General Paul K. Martin said.

“The attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations,” the report continued. “We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers.”

Lets be realistic though, NASA is a very large organization and just by sheer volume would make securing all their systems a very daunting task.

But also according to the article, NASA was specifically warned about security lapses and a plan was recommended for remediation:

“In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network,” Monday’s report reads. “However, even though the agency concurred with the recommendation it remained unimplemented as of February 2011.”

I really find this stunning, as NASA has had a very long history with dealing with hackers. They have run the gamut from simple web defacements to more serious penetrations and data theft.

A short list of attacks that NASA has faced includes:

  • 2003 – The “Trippin Smurfs” – Jet Propulsion Labs defacement.
  • 2009 – Jeremy Parker Penetration – Accessed a NASA pay service for the science community that provided Oceanic Data recorded from satellites (which is now free).
  • 2009 – The “Code.Breaker” SQL Injection attack – NASA’s “Instrument Systems and Technology Divisions” and “Software Engineering Division” were breached via SQL injection attack. 25 Administrator accounts were compromised.

And let’s not forget about when a couple JPL sites were offering Viagra, and NASA’s twitter site was offering TV’s for sale last year.

Sure, some of these side on the ridiculous, but the fact remains, NASA has faced several serious data attacks over the years.

NASA isn’t just all about space exploration either, they do a lot of scientific research and joint military projects.

The fact that a government run entity has been attacked, and then apparently ignored a plan to remedy the situation speaks volumes about our nation's ability, or maybe better said desire, to thwart hacking attempts.

Cross-posted from Cyber Arms

Possibly Related Articles:
4034
Network->General
SQl Injection Access Control Security Audits Attacks NASA Network Security
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.