NASA lost 'full control' to hackers, pwned 13 times last year

Houston still has a problem with security


Cybercrooks broke into NASA's computer systems 13 times last year gaining "full functional control" of important systems in the worse cases, according to the testimony before the US Congress by the space agency's inspector general.

Paul Martin told a Congressional panel on information security at the space agency that NASA spent $58m of its $1.5bn annual IT budget on cyber security. The space agency has long been a prestige target for hackers of various skill levels and motivations, including profit-motivated malware distributors (cybercrooks) and intruders thought to be in the pay of foreign intelligence services.

Poorly implemented security policies mean that these attacks were often successful. In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems, Martin testified (PDF) before the US House Committee on Science, Space and Technology last Wednesday.

Some of these intrusions have affected thousands of NASA computers, caused significant disruption to mission operations, and resulted in the theft of export-controlled and otherwise sensitive data, with an estimated cost to NASA of more than $7m.

In the most serious of these incidents, hackers gained control of systems at NASA's Jet Propulsion Laboratory. The attack was traced back to IP addresses in China, Martin explained. Another of the most serious APT (advanced persistent threats) that hit NASA last year resulted in the extraction of user credentials from 150 space agency workers.

Martin told the panel:

In FY 2011, NASA reported it was the victim of 47 APT attacks, 13 of which successfully compromised Agency computers. In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorised access to NASA systems. Our ongoing investigation of another such attack at JPL involving Chinese-based internet protocol (IP) addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts."

The compromised access would have allowed hackers to gain "full functional control over these networks" including the ability to extract data, delete sensitive files, plant hacking tools, add accounts or modify logs meant to provide a warning that such attacks had taken place.

More than 130 NASA computers were infected by DNS changer malware connected to the Operation Ghost Click bust, Martin testified. NASA computers were among the millions of PCs worldwide infected by malware capable of highjacking internet searches to run click-fraud scams, punt scareware at potential victims and to promote unlicensed pharmaceutical stores.

Fortunately, we found no evidence of operational harm to NASA or compromise of sensitive data caused. Nevertheless, the scope and success of the intrusions demonstrate the increasingly complex nature of the IT security challenges facing NASA and other Government agencies.

Martin noted the agency faced particular difficulties, including its need to share its scientific research, and acknowledged the agency had made progress in improving security loopholes uncovered by previous audits. Nonetheless he criticised the agency for lagging behind other US government agencies in encrypting data on laptop computers.

He said the government-wide encryption rate for mobile devices stood at around 54 per cent. However, as at the start of February 2012, only 1 per cent of NASA portable devices/laptops have been encrypted.

Between April 2009 and April 2011, NASA reported the loss or theft of 48 of the agency's mobile computing devices, some of which resulted in the leak of all manner of sensitive data. For example, the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the codes used to command and control the International Space Station. Other lost or stolen notebooks contained Social Security numbers and sensitive data on NASA’s Constellation and Orion programmes. Martin warned:

Until NASA fully implements an Agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft.

Martin added that Office of Inspector General investigators had conducted more than 16 separate investigations of breaches of NASA networks during recent years, several of which have resulted in the arrests and convictions of foreign nationals in China, Great Britain, Italy, Nigeria, Portugal, Romania, Turkey, and Estonia.

NASA was one of the organisations breached by the British hacker Gary McKinnon, during his self-admitted search for UFO files on US military systems during 2001 and 2002. A decade after his initial arrest, McKinnon and his supporters are still fighting attempts to extradite him to the US to answer charges related to alleged intrusions against US military and NASA systems.

Linda Cureton, NASA's Chief Information Officer, defended the space agency's record in a statement (PDF) submitted to the Congressional committee.

She said:

Like most Federal agencies, NASA has seen the full spectrum of cyber attacks, ranging from minor attacks, where countermeasures are sufficient and appropriate, to sophisticated attacks where in some cases countermeasures are reactive and need improvement. NASA has a high public and internet profile, its information can be highly attractive to attackers, and whenever IT security compromises occur they tend to generate media attention when the information is public in nature.

NASA has acted on previously reported shortcomings by scanning its websites for flaws, improving its patch management and developing an incident response programme, she explained.

She added:

Since NASA’s infrastructure is worldwide, the agency is striving to achieve a risk-based balance between security, system operability, and user requirements. While demanding a culture of security awareness, NASA will continue to improve the defense of our IT security posture and build security into the System Development Life Cycle (SDLC) of our IT solutions and everyday work habits.

®

Similar topics


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022