The office responsible for overseeing NASA’s activities has reported some spectacular security breaches. Not only did Chinese-based hackers briefly gain control of a lab’s network, but a stolen laptop contained unencrypted codes for controlling the International Space Station.
A report by NASA’s Inspector General Paul K Martin to Congress this week revealed that across 2010 and 2011, there were more than 5,000 computer security “incidents” that involved either unauthorized access to the network or malware being installed.
Many of these appear to be either general malware that wasn’t targeted at NASA, or cases of curious folk poking around to see if they could break into networks just for the fun of it. However, Martin reports that last year 47 cases fell into the “advanced persistent threat” category, made up of serious, well-funded and organized attempts to cause damage. Of these, 13 resulted in NASA computers being compromised, including the theft of 150 employee user credentials.
In another case, somebody operating from a Chinese IP address was able to gain complete control over the network of the Jet Propulsion Lab, meaning they could access, delete or alter files, install malware, add bogus user accounts to gain access later on, and even modify system logs to cover their tracks.
Part of the problem is that although NASA is legally required to patch its software, doing so is a complete shambles with computer security chiefs often unable to do so remotely and individual staff either unable or unwilling to do patch their own machines.
The most spectacular breaches were physical rather than virtual however. A total of 48 NASA laptops and mobile devices were stolen in a two-year period, containing everything from sensitive data that is barred from export to other countries, to social security numbers for NASA staff.
The most embarrassing of these thefts involved a laptop containing control codes for the International Space Station, which hadn’t been encrypted.
Thankfully there was no danger of these being misused. To execute the codes and thus control the ISS, a user must first encrypt them with an algorithm that changes each day. The codes in the form stored on the laptop would be rejected by the ISS.