Infiltrator Posted March 29, 2011

Six NASA servers exposed to the Internet had critical vulnerabilities that could have endangered Space Shuttle, International Space Station and Hubble Telescope missions -- flaws that would have been found by a security oversight program the agency agreed to last year but hasn't yet implemented, according to a report by the agency's inspector general.

NASA's CIO Linda Cureton says she has patched the vulnerabilities, but IG Paul Martin found that NASA still has no ongoing program for spotting and correcting similar problems as they arise and is giving itself until the end of September just to come up with a plan, according to the report titled "Inadequate Security Practices Expose Key NASA Network to Cyber Attack." The deadline for the plan is Sept. 30.

The six vulnerable servers were associated with IT projects that control spacecraft or contain critical NASA information, the report says. The audit also found other servers that exposed encryption keys, encrypted passwords and user-account information, all of which could enable attackers to gain unauthorized network access. The report didn't assess the agencywide network that isn't directly used for missions.

"These deficiencies occurred because NASA had not fully assessed and mitigated risks to the network and had not assigned responsibility for IT security oversight to ensure the network was adequately protected," the report says. "A security breach of a moderate- or high-impact system or project on this key network could severely disrupt NASA operations or result in the loss of sensitive data."

One server was found vulnerable to FTP bounce attacks, which if exploited, "could have significantly disrupted NASA's space flight operations and stolen sensitive data," the report says. Other servers weren't securely configured, exposing the encryption keys, encrypted passwords and user account lists to attackers.

The IG says NASA didn't know about these problems but could have if it performed broad risk assessment, part of the agreed-to security program. "As a result, NASA's Agency-wide mission network was vulnerable to a variety of cyber attacks with the potential for devastating adverse effects on the mission operations the network supports," the report says.

In addition to the oversight program on Internet-connected servers, NASA's CIO promises she will start a pilot program by Aug. 21 for spotting risks on the rest of NASA's networks that don't have Internet connectivity.

The IG performed port scans using Nmap and manually verified open ports. It also performed NESSUS vulnerability scans.

Source: http://www.networkworld.com/news/2011/032911-nasa-network-open.html?hpg1=bn

Infiltrator Posted March 29, 2011 (Author)

This article makes me wonder, how can an agency as advanced as NASA not care about their own computer network security?

TuX^ Posted March 30, 2011

This is just ridiculous. This could quite easily put men and women's lives at stake. Are they aware of this or do they simply just not care?

TuX^

digip Posted March 30, 2011 (edited)

NASA advanced? Maybe on a scientific level, but not at a computer network level. Today's cell phones are more powerful than the technology they used to put a man on the moon, but that doesn't say anything about their network security practices or even whether or not they keep them up to date.

Let's face it, our government doesn't seem to have the same security in place that even their own requirements and standards are set for. Same goes for our military. Stolen laptops and hard drives? Wikileaks? Come on people, why are we surprised at their lack of security? Banks probably have better security on their networks than the government does. If they secure their networks and have someone actively monitoring and auditing the data, we would never hear of things like the guy from the UK who hacked into the Pentagon over dial up.

I'm no longer surprised when I hear of things like this, because it's one of the things that used to piss me off how our government seems to be so lax on IT Security. Now I'm just jaded from the whole thing.

There was a fellow from the Navy a few years back who was a SysAdmin and I recall him coming here asking for help with his network. I was really shocked to think that our military was coming to a site like Hak5 for help (not that we couldn't have been useful or given him correct information), when it seemed to me to clearly be something a SysAdmin at that level should not only already know, but info he should not be exposing to the general public at large. Giving any info to the public about a private network or inner workings of our Navy, Military, etc, made me feel uncomfortable.

Now things have changed, and I'm surprised that our government's networks are even up and running at all. I went from thinking we were secure by competent people, to waiting for the day when the whole system comes crashing down. I'm not surprised by this sort of thing any more and nobody else should be either.

I suspect every government has departments like this whose networks and security practices are weak. We just don't hear about it because no one has come forward to publish it to the public.

Edited March 30, 2011 by digip

Jason Cooper Posted March 30, 2011 (edited)

There are very few constants in computing, but NASA leaving its computers wide open is one of them. :)

Edited March 30, 2011 by Jason Cooper

Infiltrator Posted March 30, 2011 (Author)

@Digip, I have to agree with you on that one, our government worries more about ripping money from its taxpayers than actually investing into their own network security. Furthermore, I think they are very far behind the whole technology thing. I used to work for a Government agency and frankly speaking it's not even worth mentioning, how intolerant about computer systems they are.

joeypesci Posted April 16, 2011

And they moaned at Gary McKinnon for breaking in all those years ago yet still haven't plugged the holes. Tits

http://en.wikipedia.org/wiki/Gary_McKinnon

Infiltrator Posted April 17, 2011 (Author)

> And they moaned at Gary McKinnon for breaking in all those years ago yet still haven't plugged the holes. Tits
> http://en.wikipedia.org/wiki/Gary_McKinnon

They should employ some white hat personnel to do the computer security for them.

Guest leg3nd Posted April 27, 2011

> NASA advanced? Maybe on a scientific level, but not at a computer network level

Pretty much what he said. It's not the first time NASA has gotten owned, nor will it be the last.