Slashdot Mirror
NASA Vulnerable To Crippling Cyber Attacks
RedEaredSlider writes "The computer network NASA relies upon to carry out its billion dollar missions is just like your Mac or PC at home; vulnerable to cyber attacks. NASA's servers contain vulnerabilities that could enable a cyberattack to cripple the entire agency, according to a recent audit report from The Office of the Inspector General. The report was an unflattering look at NASA's internal computer security operations, as the Inspector General recommended the agency expedite the implementation of a new agency-wide program to oversee the network security problem."
this worked well for the NHS...
Given how their website was so full of holes I'm sure they could have told NASA where to look.
yay for a goatse link...
"Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
NASA has always been lax about security. Every few years there's another story about them getting owned by a bored teen. And let's face it, their shoestring budget isn't going to pay for top dollar infosec support.
I thought there was a highly funded government agency that was charged with providing security for the nation's communications and information systems. Dang! Now what was that called... SAN? ANS? SNA?... Something like that. Anyways, why isn't NASA using them?
When our name is on the back of your car, we're behind you all the way!
Internet-connected Enterprise Vulnerable To Crippling Cyber Attacks
There, fixed that for you.
IT is not rocket science!
I've abandoned my search for truth; now I'm just looking for some useful delusions.
Microsoft.
Have a day!
Yours In Miami,
K. Trout
You'd think after all the fuss made about Gary McKinnon accessing the system 10 years ago - they'd have done something about it by now
Why are these things connected to the internet? Does mission control watch Youtube while they're waiting for the countdown or what?
TFA is kind of sketchy on details though, so i'm wondering if anyone knows anything more about these "servers... that control spacecraft." Sounds like ignorant reporting to me.
sue hacker who hacks it
???
Profit!
enable a cyberattack to cripple the entire agency
What would that look like exactly? To the best of my knowledge NASA is kind of a management consultant group... They contract EVERYTHING out. All capital, all operations, all services. So its not like the space station will fall out of the sky, or space probe data will be lost, because thats all done by contractors, whom presumably do a better job, since its their money on the line not the taxpayers.
Most of their contractors are large, therefore politically well connected, which in a circular way explains why they are NASA contractors, duh. So if accounts payable takes a couple extra days to restore the backups and cut the checks for services rendered, eh, the contractors will be OK.
I'm envisioning a vast array of power points and TPS reports being lost... would that necessarily be all that bad?
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
A little off topic but didn't the Space Shuttle use QNX as their OS? I know some of their satellites do but I thought their prime mover did as well. Meh, with everything important on Windows (e.g. NASA and SCADA among others) it keeps the haxors away from my Mac
Every agency is responsible for securing their own infrastructure. NIST only provides only guidance.
If you mod me down, I shall become more powerful than you could possibly imagine.
Their crack team of web developers can't even get nasa.com to work without the www. in front of it.
Computer networks can be accessed by computers. Film at eleven.
Yeah, like half, or 3.1%, same thing. I thought we were supposed to be bad at math.
How does it feel to be a liar with pants constantly on fire?
When I worked at NASA LaRC some decade ago, all of their systems were still using public IPs with no firewalls. A compromise of all of their systems via one server, multiplying because they used standard telnet for remote access, led them to enforce stricter patching to their systems. They left themselves open to the same problem: one unpatched system could lead to the same issue all over again. They didn't want to hear anything to do with SSH or more secure networking practices (e.g. putting all user systems on a private network behind a firewall).
So any chump working in NASA LaRC could attach a system to the network and instantly open up the entire center to compromise. It's government politics at its best.
NASA's servers contain vulnerabilities that could enable a cyberattack to cripple the entire agency
The congress already got there, there's a new amendment stating NASA must place "goatse.cx" placards on every door.
this is how the US government takes over and militarizes space...
A computer is vulnerable. This is news?
Aren't all computers vulnerable to attacks? Sure, there are actions you can take to minimize your exposure to the risks, but they can never be eliminated.
People are vulnerable to being shot or stabbed. Sure, I can hire a body guard, or even a whole phalanx of them. Won't stop a sniper shooting from 300 yards. Won't stop someone from releasing saran gas in your vicinity.
Computers are vulnerable. If you think otherwise, you are just ignoring potential attack vectors.
No, mysql.com and sun.com are helping this week... :-)
A greater crippling obstacle appears to be (Con)gress, they can't even get their story straight on the budget let alone anything else.
Billions are dumped on our so-called "friends" and yet, everybody hates us. If 1/10th of the war budget went to NASA, we would be somewhere past the asteroid belt, let alone fiber optic networks for everyone.
The mind conceives, the body achieves, the spirit manifests.
You be good now Australian hackers!
Over 18.7 billion in 2010 is hardly a shoestring budget. In the grand scheme of the Federal Budget it isn't a lot, but hardly shoestring. (It is one program that should get more $ in my book.)
(http://www.washingtonpost.com/wp-dyn/content/article/2010/01/31/AR2010013101058.html?wprss=rss_print/asection)
I'm not going to give many details, it's not good business. I don't know much about the non-mission critical systems, but I do maintain mission critical ones and I will venture a mention they're not on the internet. The internet and the mission critical stuff are far separated. That's more specific than I probably should have gotten, things that communicate with the station, the shuttle and TDRS are isolated, often from one another.
The preceding post was not a Slashvertisement.
Just wait until it is medical records that are as exposed by some agency with no encryption of them and no recourse due to sovereign immunity.
The internet and the mission critical stuff are far separated. That's more specific than I probably should have gotten,
Yeah, whatever you do, don't use the top secret phrase "air gap firewall".. Come on, enough security theater.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Try 0.75%...
Yeah, whatever you do, don't use the top secret phrase "air gap firewall".. Come on, enough security theater.
But., those firewalls are really expensive and extremely difficult to configure!!
I worked on the NASA Flight Control Room upgrade contract in the mid-1990s and as a software introduction specialist for my software development group. Besides programming, I brought all and any software into the mission control network using approved, multi-stage, methods. Our group didn't follow the same development standards as the other teams writing code were forced to follow. We had approvals mainly because the software was built in collaboration with 3 other NASA centers, and not by the MOD prime contractor, Loral SIS.
The mission control centers were on a private network with data flows outbound within the NASA center only, then extended to specific locations around the world over dedicated NASA links. Getting data into the MCC network happened through specific spacecraft data links or through introduction workstations that are air-gapped from the rest of the center networking. There was no way to push data inside over the normal center network without physically going to a highly secured area just outside the data center floor of the building. Most people with access to the flight control rooms did not have access to this floor.
None of the flight control workstations (they were running Digital UNIX at the time) had any way to access the internet or any portable media capabilities. There weren't any floppy discs, USB or CDROMs in those workstations.
Just before I left NASA, they were adding a PC network inside the MCC - completely separate from the control network. It seemed like they planned to use it so flight controllers to be able to access everything they would at their desks, including the internet and email. I thought it was a bad idea, but can appreciate that a flight controller working a 12 hour shift might need access to his desktop email during really slow parts of the mission. There are lots of slow moments and hours.
How the other projects and centers worked is completely unknown to me, unless they were remotely connected to the JSC MCC network. If they were connected, then I remotely installed software on every workstation there and around the world. Most of these remote centers had only a few workstations so they could monitor space station or shuttle activities and flight data.
BTW, that was a pretty cool job.
Many more Gary McKinnons out there who have been in their networks for ages and know the truth.
Jeez, with IT like that, by this summer they probably won't even be able to launch a space shuttle!
...they've always had a problem with this, though. I was there years ago (at the beginning of the Internet boom) and we were one of the most hacked targets on the planet. Everyone seems to think that all the secret UFO data was in NASAs network -- and the pace of attacks was astounding. You had to have an RSA token to login to anything. It got so bad that we ended up having to put an optical tap (even as contractors, we fought that one) on the FDDI ring what was MAE-WEST so the FBI and other TLAs could try to track some of these idiots down.
Given that funding went down and many of the top IT / networking guys went into the booming private sector, I'm not surprised it's still a problem. All of the mission critical stuff is pretty well walled off -- but the rest of it has major issues. I don't think we'll loose a spaceship to it, but getting your email can be very annoying.
I don't understand the problem. McAffee's web check said their site was okay!!
Be seeing you...
http://uptime.netcraft.com/up/graph?site=www.nasa.gov
(There's your website 'subdomain' scan first)
http://uptime.netcraft.com/up/graph?site=nasa.gov
(There's your MAIN domain scan)
"Read 'em & WEEP", /. *NIX Trolls!
---
Oh - Yes, yes - the "supreme security of Linux", lol (not)!
Funniest part of all, since your post was modded "+5 FUNNY" is this quote from the article summary today:
---
"The computer network NASA relies upon to carry out its billion dollar missions is just like your Mac or PC at home; vulnerable to cyber attacks"
(Hahaha, except this time, as we can ALL see above? NASA uses Linux & a LAMP stack setup... (@ least the "LA" part, for sure) funny they OMIT noting that in that source article used here!)
---
Yea, lol, FUNNY alright & I agree...
Except I don't think the "Pro-*NIX Trolls" around here will! Why?
WELL, because it's SURE NOT SEEMING "so secure" per this article (at least, not like "Pro-*NIX trolls" around here have been snowing folks about for years here now, in their "fantasyland" of 1/2 truth "straight-outta-pravda" tactics the use here daily & FOR YEARS now, & "lord knows" they don't like it when actual FACTS are brought into the picture exposing the FRAUD of "Linux is secure", lol!)
Hell, & each week almost this year? ANDROID (yes, a Linux too) does the rest, showing security issues week in & week out!
(LMAO! Next, in fact? I predict that my usage of facts here anyone can test themselves above in this reply will be met by "The DOWNMOD SQUAD" of wannabe "Adjustment Bureau" Trolls & *NIX 'fanbois'!!!)
APK
P.S.=> Fact is that here today, I showed that Linux has MORE unpatched security vulnerabilities in its KERNEL ALONE (and a Linux distro is a LOT more than just THAT), by 3x in fact, than does Windows 7 alone (in its entirety/more than just kernel), as well as the ENTIRE MS "Stack" for doing business only having 7 total errors in unpatched vulnerabilities, vs. 19 on Linux latest/greatest!
Again - Kernel ONLY though... it's not showing all the ones the GUI shells, Window managers, Browsers etc. that a FULL Linux distro has that COMPOUNDS THAT FURTHER!
http://it.slashdot.org/comments.pl?sid=2059420&cid=35656126
(Now, THAT? That's funny... and, since they used NMap to determine what systems are "internet facing"? You can pretty much bank on it that NASA.GOV is one of them, & it's vulnerable...) apk
"We found that computer servers on NASA's agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable" link
By any chance, would these 'computer servers' be running on Microsoft Windows?
"a recent audit report .. cited a 2009 incident in which cybercriminals .. caused the computer system to make 3,000 unauthorized connections to domestic and international IP addresses"
Wouldn't it be a good idea to put these 'computer systems' behind a firewall and only allow access through authenticated VPN connections?
They used to be hailed as the corner stone of undeniable precision, where they could lose contact with a shuttle, and plan its course and be able to tell with 100% accuracy where it would show up once it regained contact with them (apollo mission)....here, this makes them look like newbs....i dont know what happened, if some outsourced agency was hired to throw together their network configs, but i am surprised to say the least.
Not. You don't know jack shit about my PC at home.
Microsoft's DOWN TO 5 UNPATCHED SEC. VULNS IN THE ENTIRE MS PRODUCT LINE YOU USE TO DO BUSINESS ONLINE: (& 4x less unpatched security vulnerabilities than Linux has, no less, in its "latest/greatest", albeit KERNEL ONLY (makes a difference, read on)):
---
Vulnerability Report: Microsoft Office 2010: (04/12/2011)
http://secunia.com/advisories/product/30529/?task=advisories
Unpatched 0% (0 of 4 Secunia advisories)
---
Vulnerability Report: Microsoft SQL Server 2008: (04/12/2011)
http://secunia.com/advisories/product/21744/
Unpatched 0% (0 of 4 Secunia advisories)
---
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (04/12/2011)
http://secunia.com/advisories/product/17543/
Unpatched 0% (0 of 6 Secunia advisories)
---
Vulnerability Report: Microsoft Visual Studio 2010: (04/12/2011)
http://secunia.com/advisories/product/30853/?task=advisories
Unpatched 17% (0 of 6 Secunia advisories)
---
Vulnerability Report: Microsoft Internet Explorer 9.x: (04/12/2011)
http://secunia.com/advisories/product/34591/
Unpatched 0% (0 of 0 Secunia advisories)
---
Vulnerability Report: Microsoft Windows 7: (04/12/2011)
http://secunia.com/advisories/product/27467/?task=advisories
Unpatched 8% (5 of 59 Secunia advisories)
AND, of those 5 vulnerabilities, yes... 2 are still "remote". HOWEVER, they have EASY work-arounds, OR, are caused/utilized by faulty 3rd party apps you can just avoid, as there's usually an alternate app for most anything!
(E.G.., & of ALL things? Apple stuff triggers one, ITunes another, iirc, etc. but no other apps are KNOWN to - go figure, eh?).
The remaining can be avoided by not just downloading & running "anything" etc. (being utterly stupid in other words, or just ignorant (which in the case of a child, I could excuse (not an adult)).
I.E.-> "NO PROBLEMO!"
&
ALMOST 4x LESS THAN IS PRESENT ON THE LINUX 2.6x KERNEL ALONE (toss on the rest of what goes into a Linux distro? That # goes "up, Up, UP & AWAY...", bigime, "increasing that lead, that Linux has", lol, in more unpatched known security bugs present that is (a dubious honor/win, lol, to say the least!)
---
So, that "all said & aside"?
Microsoft's doing a HELL OF A GOOD JOB on the security front!
APK
P.S.=> Compare a "*NIX/Open SORES" OS in Linux's "latest/greatest"?:
---
Vulnerability Report: Linux Kernel 2.6.x (04/12/2011)
http://secunia.com/advisories/product/2719/?task=advisories
Unpatched 7% (19 of 259 Secunia advisories)
---
THAT? That's more than 4x as many as Windows 7 has that are unpatched, & has a REMOTE BUG UNPATCHED in the "ROSE" subsystem... PLUS, I'd wager there aren't EASY workarounds for them (or as many as MS has shown above)...
AGAIN - THAT'S ONLY THE LINUX KERNEL MIND YOU, not the entire 'gamut/array' of what actually comes in a Linux distro (such as the attendant GUI, Windows managers, browsers, etc. that ship in distros too that have bugs, and yes, THEY DO), THAT ADDS EVEN MORE BUGS that COMPOUNDS THAT # EVEN MORE!
So, so much for "Windows is less secure than Linux" stuff you see around here on /., eh?
(It gets even WORSE for 'Linuxdom' when you toss on ANDROID (yes, it's a LINUX va