backtop


Print 52 comment(s) - last by Magnus909.. on Mar 8 at 7:37 PM

Only 1 percent of laptops were encrypted, 48 laptops were stolen with a wealth of data

The National Aeronautics and Space Administration (NASA) has suffered in recent years from budget cuts.  Underpaid and understaffed, NASA's hopes of recruiting the best and have faded as a divided House has expressed disinterest in funding NASA.  Meanwhile President Barack Obama's administration completed George W. Bush's plan to scrap the Space Shuttle programprivatized cargo launches (which Congress then refused to fund), and dramatically scaled back NASA's targets, including ditching the return to the Moon proposed by George W. Bush.

I. NASA Seldom Patches Computers or Encrypts, Lost ISS Codes, 47 Other Laptops

The last thing NASA needs at this point is any bad news, which could make it look like the space agency's thinning house of cards is about collapse.  It would be pretty bad if you lost a $125M USD Mars orbiter due to mixing up metric units and English units (NASA and contractor Lockheed Martin Corp. (LMT) did that in 1999).

An inspector general assigned to inspect and diagnosis the abysmal security at the space agency has just revealed [PDF] that NASA lost the control codes to the International Space Station, along with what sounds like a good portion of NASA's other secrets.

ISS
"Ahh... how do I say this. Er. I lost the keys to mankind's only active space station.  No, really."
[Image Source: NASA]

The only good news is that the station itself used secondary encryption meaning that whoever stole the control codes would be unable to gain full command, unless they also managed to get ahold of that code, as the station only accepts commands encoded with that day's encryption.  Still the data loss is an embarrassing highlight in a lengthy report detailing NASA's failing information technology efforts.

Thefts of NASA employees' laptops and mobile devices began in April 2009 and continued until April 2011.  In all about 48 devices were stolen, before NASA tightened security.  Or actually, says NASA Inspector General Paul K. Martin the number could be higher, as NASA relies on employees to report the theft of work devices.

Apparently information technology-wise, NASA is operating as if the year was 1969 -- the year NASA triumphantly landed on the moon.  A lot of things have changed since then in the world of computing, but NASA's IT department appears to be a little bit behind the times.  

Mr. Martin describes that as of February 1 only about 1 percent of NASA laptops are encrypted, despite carrying a host of state secrets – third-party contractors' intellectual property, spaceship designs, control codes, and even astronauts' personal information.  

More astoundingly, NASA reportedly seldom patches its aging computers.
Windows Update
Do you know how to patch your computer?  If so, you're a step ahead of the glowing minds in NASA's IT department.  [Image Source: Microsoft]

While the agency is mandated to patch its machines under national security guidelines, the agency's chief information officer apparently "has limited ability" to accomplish the process, as NASA appears to lack any sort of coherent device management.  And of course, NASA employees appear to be either not authorized to apply Windows Update/apt-get or are unaware of how to use these modern marvels.

II. Hostile Parties Revel in NASA's Incompetent Security

The net result is that everyone from amateurs up to seasoned foreign level actors appears to be victimizing NASA and its IT department.  The worst incident described was the theft of the space station control codes, which were on an unencrypted laptop.

The IG didn't say exactly where that laptop might be today, leaving it unclear whether it even knows.  Nor did it say what become of the other devices which contained employee (and astronaut) social security numbers, data on the Orion spacecraft design, data on the cancelled Constellation Program, "export-controlled, Personally Identifiable Information", and "third party intellectual property".

As for the ISS control codes, NASA engineers were forced to scrap parts of the station's software when they realized that security had been presumably completely compromised.  As Mr. Martin puts it, there was "loss of the algorithms."

U.S. intelligence agents recently succeeded in arresting Razvan Manole Cernainu, handle "TinKode", who was among the reportedly numerous independent hackers who penetrated NASA's networks for fun and bragging rights.  TinKode in 2011 hacked into Goddard Space Flight Center FTP server, posting screen grabs of confidential information from NASA's SERVIR disaster relief satellite effort.  He would hack into NASA and other U.S. government agencies several more times, allegedly before he was caught. But not all the parties hacking into NASA's servers were attention-seeking young adults.  Comments Mr. Martin, "These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries' objectives."

The comment hint that China -- which is investing heavily in its own space effort -- may have been up to its usual game of stealing U.S. state secrets.  According to government security officials, including Pentagon officials, China has repeatedly victimized U.S. networks.  

China hackers
U.S. agencies have proved woefully incapable of protecting their data against Chinese hackers.
[Image Source: Asia Society]

This has led to the occasional hollow complaint from government talking heads, but ultimately the U.S. has exercised measured meekness in accepting that it ultimately has no way of retaliating against the attacks.  China holds a portion of the U.S. national debt, but more importantly, the majority of U.S. companies manufacture their products in China.  To alienate China would be economic suicide.

III. An Epic Failure

But even in terms of the typical security-deficient U.S. government and equally challenged contractors, NASA's computer administrators appear to be setting a new standard in inability.  Of course, as mentioned, part of this can be attributed to budget cuts and red tape placed upon the agency by Congress.  But much of it comes back to the staff, if Mr. Martin's testimony is to be believed.

Stupidity
NASA's IT dept. has veered dangerously down the lower road.
[Image Source: Maintenance Mode]

NASA officials had previously admitted that U.S. satellites were hacked in 2007 and 2008 by unknown, likely national-level players.  China was mentioned as a prime suspect.  But the loss of the codebook to controlling the ISS is a far more embarrassing low for the agency.

His comments seem to hint that it might be time for the CIO to go.  And he says that it's vital for NASA to adopt mass encryption.  He comments, "Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft."

Data encryption
The IG said NASA must encrypt or it will be embarassed again.
[Image Source: How Stuff Works]

That sounds like pretty sound logic.

Source: U.S. House



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: Uhm...
By angryplayer on 3/1/2012 7:53:04 PM , Rating: 4
For my company, we spend a week testing Microsoft patches before we release them on our WUS. There is no way in hell we could afford our inhouse systems going down because of an incompatible patch.

NASA probably needs to test things to death, and let the wide world do the same to make sure it doesn't take down satellite monitoring or whatnot.


RE: Uhm...
By JasonMick (blog) on 3/1/2012 8:48:29 PM , Rating: 2
quote:
For my company, we spend a week testing Microsoft patches before we release them on our WUS. There is no way in hell we could afford our inhouse systems going down because of an incompatible patch.

NASA probably needs to test things to death, and let the wide world do the same to make sure it doesn't take down satellite monitoring or whatnot.
I get that, but when you have such sensitive info on machines can't be patched they should be air-gapped, tagged with some sort of RFID alarm, and never allowed off-site.

Not every workstation at NASA is a mission critical one, clearly. That was my original point. Actually I'd guess there's at least as many non-mission critical devices (workstations, smartphones, laptops, etc.) @ NASA as there are misssion critical servers.

You should test general updates before deployment, sure, but on non-mission critical machines, like you said that should take a week, not "forever".


RE: Uhm...
By JediJeb on 3/1/2012 11:38:20 PM , Rating: 4
quote:
I get that, but when you have such sensitive info on machines can't be patched they should be air-gapped, tagged with some sort of RFID alarm, and never allowed off-site.


Exactly! How often have we been hearing about sensitive information being on a laptop that was stolen lately? You would think that most government agencies store the most sensitive data on laptops instead of servers and just hand them out to anyone to carry around out in public. I understand a need to work outside the office from time to time, but why do those working outside the office need to be carrying around information like their employee's Social Security Numbers or state secrets?

By comparison, I once mentioned to our IT guy why not use Open Office on some of our non critical computers to save money, the next day I could not even access the Open Office website since he had blocked it in case anyone got the idea to try it out. Pardon the pun but it shouldn't be rocket science to secure your computers!


RE: Uhm...
By TSS on 3/2/12, Rating: 0
RE: Uhm...
By Labotomizer on 3/2/2012 12:19:39 PM , Rating: 2
I don't think he was complaining about it being blocked. I think he was simploy pointing out how simple it was for them to block something they deemed a problem.

As for totally securing a network, it's pretty much impossible. The problem being that you will always allow SSL out and users can just proxy everything out of SSL. In fact forcing them to seek alternative methods can be bad as you can no longer tracking what they're doing.

Plus, most IT departments seem to forget what their true job is and believe they are more important than they really are. IT is there to make the company more efficient and more productive and often reduce overall cost for the business. Anything that detracts from that goal or makes life more difficult for users is a waste and self defeating.


RE: Uhm...
By JediJeb on 3/2/2012 1:56:34 PM , Rating: 2
As the other response says I was pointing out how even the one IT guy our small company of 50 employees(only about 30 of which even use computers) was able to control what is going on.

Also if he had brought in Open Office (which a few computers do have now ) it wouldn't be a nightmare to upkeep since even our MS Office is only updated maybe once ever 5 years or more. The computers needing Open Office are ones where we need to do a simple spreadsheet to keep track of a few numbers and assist in some calculations we do, these are computers we normally can get by with using Notepad for our word processing needs. As for interoperability, the ones that do have Open Office the spreadsheets we have made there are so simple they work well if you need to send them over to someone with MS Office since even there we still save most of our files to the older .xls format so that all of our computers can read them. (We still have WinNT on some computers attached to our equipment, finally got rid of the last Win95 box last year)

Not even all of our computers have MS Office simply because the cost to license it for all of them would cost us too much. Now if we had huge deployments of in house programs to worry about then yes, we would have problems mixing untested software. Thing is we don't even have to test IE or FF since the only thing we need to look at with those are the in house message board that lists our Standard Operating Procedures, and that is a whole different issue with me since the IT guy only knows how to write stuff for that using ActiveX so only IE will display the .pdfs.


"The whole principle [of censorship] is wrong. It's like demanding that grown men live on skim milk because the baby can't have steak." -- Robert Heinlein














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki