Slashdot Mirror


NASA Vulnerable To Crippling Cyber Attacks

RedEaredSlider writes "The computer network NASA relies upon to carry out its billion dollar missions is just like your Mac or PC at home; vulnerable to cyber attacks. NASA's servers contain vulnerabilities that could enable a cyberattack to cripple the entire agency, according to a recent audit report from The Office of the Inspector General. The report was an unflattering look at NASA's internal computer security operations, as the Inspector General recommended the agency expedite the implementation of a new agency-wide program to oversee the network security problem."

36 of 67 comments

  1. Did they figure this out with McAfee software? by dstyle5 · · Score: 5, Funny

    Given how their website was so full of holes I'm sure they could have told NASA where to look.

    1. Re:Did they figure this out with McAfee software? by sunderland56 · · Score: 1

      No, McAfee is for people on a budget. Someone with as much money as NASA uses *serious* security protection from HBGary.

  2. Re:Sure thing by wmbetts · · Score: 1

    yay for a goatse link...

    --
    "Ubuntu" -- an African word, meaning "Slackware is too hard for me". - stolen from Dan C alt.os.linux.slackware
  3. What security? by Anonymous Coward · · Score: 1

    NASA has always been lax about security. Every few years there's another story about them getting owned by a bored teen. And let's face it, their shoestring budget isn't going to pay for top dollar infosec support.

    1. Re:What security? by flappinbooger · · Score: 1

      maybe they're just all high on teh Crizzak

      http://www.huffingtonpost.com/2011/03/15/nasa-finds-cocaine-space-center_n_836109.html

      --
      Flappinbooger isn't my real name
  4. I thought... by camperdave · · Score: 1

    I thought there was a highly funded government agency that was charged with providing security for the nation's communications and information systems. Dang! Now what was that called... SAN? ANS? SNA?... Something like that. Anyways, why isn't NASA using them?

    --
    When our name is on the back of your car, we're behind you all the way!
  5. Come on guys! by Locke2005 · · Score: 3, Funny

    IT is not rocket science!

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:Come on guys! by Sinning · · Score: 2

      I think that's the whole problem.

    2. Re:Come on guys! by Thud457 · · Score: 1

      Is Dr. No going to start stealing our rockets with trojans now?


      oh, no that's Congress that's grounding the U.S. nevermind....

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    3. Re:Come on guys! by Nyeerrmm · · Score: 1

      As a professional rocket scientist (well navigation engineer) and an amateur IT technician (manage a non-profit's web presence), let me tell you: IT is a whole hell of a lot harder.

      Of course it may just be that I have a lot more education in one topic than the other.

    4. Re:Come on guys! by Coren22 · · Score: 1

      The trick to most IT support is knowing how to frame a Google query. If you have the background, it isn't terribly hard to set up networks, servers, desktops, etc. Securing these systems is a whole other bag of worms though; security is a constantly moving target, and you have to keep up with it constantly to do a good job. Even then, there is no truly secure system, there will always be flaws in the underlying OS and any other software that you use that only the attackers have found (Zero-Day Exploits).

      It frankly doesn't surprise me that NASA has vulnerabilities, every system does, I just hope that this will put them on the path to correct those problems and implement good security practices from now on.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  6. Still ??? by Goose In Orbit · · Score: 1

    You'd think after all the fuss made about Gary McKinnon accessing the system 10 years ago - they'd have done something about it by now

    1. Re:Still ??? by vlm · · Score: 1

      You'd think after all the fuss made about Gary McKinnon accessing the system 10 years ago - they'd have done something about it by now

      Maybe Gary was right all along, they're too busy covering up the UFO conspiracy to bother with simple stuff like periodic "apt-get upgrade" or whatever it is that windows people have to suffer thru.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  7. Re:Repeat After Me: by kvvbassboy · · Score: 1

    I highly doubt their servers run on IIS.

  8. Why... by MachDelta · · Score: 1

    Why are these things connected to the internet? Does mission control watch Youtube while they're waiting for the countdown or what?
    TFA is kind of sketchy on details though, so I'm wondering if anyone knows anything more about these "servers... that control spacecraft." Sounds like ignorant reporting to me.

    1. Re:Why... by Nyeerrmm · · Score: 1

      I'm learning the process of doing operations for unmanned spacecraft right now, and some of them are definitely internet accessible.

      The reason, at least for what I do, is that we're not always sitting in the control room for operations. For big events, yes, but when you're getting telemetry, processing it, and updating the onboard ephemeris, a cube or office is a lot more comfortable. Furthermore, you need to stay and work from home sometimes, sick child/repairman coming/car broke/whatever, but you still need to get on the flight ops machine and run a maneuver design or upload a file. SSH in and get what you need done.

      Not all operations involve sitting in a room on dedicated hardware looking at a screen, and for the more mundane parts, flexibility is wonderful.

  9. What would that look like exactly? by vlm · · Score: 1

    enable a cyberattack to cripple the entire agency

    What would that look like exactly? To the best of my knowledge NASA is kind of a management consultant group... They contract EVERYTHING out. All capital, all operations, all services. So it's not like the space station will fall out of the sky, or space probe data will be lost, because that's all done by contractors, who presumably do a better job, since it's their money on the line not the taxpayers'.

    Most of their contractors are large, therefore politically well connected, which in a circular way explains why they are NASA contractors, duh. So if accounts payable takes a couple extra days to restore the backups and cut the checks for services rendered, eh, the contractors will be OK.

    I'm envisioning a vast array of power points and TPS reports being lost... would that necessarily be all that bad?

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:What would that look like exactly? by robot256 · · Score: 3, Informative

      To the best of my knowledge NASA is kind of a management consultant group... They contract EVERYTHING out.

      No, you're confusing us with DoD. DoD contracts everything out, but NASA has a mix of contract and in-house services. We generally contract out pieces of satellites and assemble them ourselves (and fix everything the contractor f***ed up). In terms of IT, basic workstations are administered by contract suppliers, but other systems are owned by the government and administered by civil servants (engineering workstations, lab equipment computers, ground support operations, data processing supercomputers, etc.). Many of these systems are connected to the Internet to get software updates and research problems when troubleshooting. But I do know that the ground support networks for satellites and large tests are definitely not connected to the Internet.

  10. NIST, and not quite. by Gary W. Longsine · · Score: 2

    Every agency is responsible for securing their own infrastructure. NIST provides only guidance.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
    1. Re:NIST, and not quite. by peragrin · · Score: 1

      Which is both a blessing and a curse. A curse from the fact that so many disparate agencies have such varying standards and security means the total cost of government IT goes up and up. However, because there are so many non-interconnecting systems it makes it harder for the government to spy on you.

      --
      i thought once I was found, but it was only a dream.
    2. Re:NIST, and not quite. by Truth is life · · Score: 1

      Actually, considering the three letters present in all of the provided options--I think he was thinking of the NSA.

  11. Not surprising by FunkyELF · · Score: 1

    Their crack team of web developers can't even get nasa.com to work without the www. in front of it.

    1. Re:Not surprising by FunkyELF · · Score: 1

      ... of course I meant to say nasa.gov
      The people cybersquatting nasa.com were about to figure it out.

  12. This just in... by bjohnso5 · · Score: 2

    Computer networks can be accessed by computers. Film at eleven.

  13. Re:question by cobrausn · · Score: 1

    Yeah, like half, or 3.1%, same thing. I thought we were supposed to be bad at math.

    --
    How does it feel to be a liar with pants constantly on fire?
  14. But really... by JohnnySlash · · Score: 1

    this is how the US government takes over and militarizes space...

  15. discernment by slick7 · · Score: 2

    A greater crippling obstacle appears to be (Con)gress, they can't even get their story straight on the budget let alone anything else.
    Billions are dumped on our so-called "friends" and yet, everybody hates us. If 1/10th of the war budget went to NASA, we would be somewhere past the asteroid belt, let alone fiber optic networks for everyone.

    --
    The mind conceives, the body achieves, the spirit manifests.
  16. Hope they don't catch another WANK virus by Eightbitgnosis · · Score: 1

    You be good now Australian hackers!

  17. As someone who actually maintains these systems, by pecosdave · · Score: 1

    I'm not going to give many details, it's not good business. I don't know much about the non-mission critical systems, but I do maintain mission critical ones and I will venture a mention they're not on the internet. The internet and the mission critical stuff are far separated. That's more specific than I probably should have gotten, things that communicate with the station, the shuttle and TDRS are isolated, often from one another.

    --
    The preceding post was not a Slashvertisement.
  18. Re:As someone who actually maintains these systems by vlm · · Score: 1

    The internet and the mission critical stuff are far separated. That's more specific than I probably should have gotten,

    Yeah, whatever you do, don't use the top secret phrase "air gap firewall".. Come on, enough security theater.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  19. Re:Just wait until it is medical records... by MaskedSlacker · · Score: 1

    People can, and do, routinely sue the federal government (and state, and local). Hell, that's how Judicial Review was established in the first place. The FTCA establishes pretty clearly that sovereign immunity would not apply in that case.

    Of course, it's more fun to just ignorantly spout bullshit.

  20. Space Shuttle by asylumx · · Score: 1

    Jeez, with IT like that, by this summer they probably won't even be able to launch a space shuttle!

  21. Yeah, they've got a problem... by Loudog · · Score: 1

    ...they've always had a problem with this, though. I was there years ago (at the beginning of the Internet boom) and we were one of the most hacked targets on the planet. Everyone seems to think that all the secret UFO data was in NASA's network -- and the pace of attacks was astounding. You had to have an RSA token to log in to anything. It got so bad that we ended up having to put an optical tap (even as contractors, we fought that one) on the FDDI ring what was MAE-WEST so the FBI and other TLAs could try to track some of these idiots down.

    Given that funding went down and many of the top IT / networking guys went into the booming private sector, I'm not surprised it's still a problem. All of the mission critical stuff is pretty well walled off -- but the rest of it has major issues. I don't think we'll lose a spaceship to it, but getting your email can be very annoying.

  22. But they passed McAfee's web check! by Nyder · · Score: 1

    I don't understand the problem. McAfee's web check said their site was okay!!

    --
    Be seeing you...
  23. computer server vulnerabilities? by doperative · · Score: 1

    "We found that computer servers on NASA's agency-wide mission network had high-risk vulnerabilities that were exploitable from the Internet. Specifically, six computer servers associated with IT assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable" link

    By any chance, would these 'computer servers' be running on Microsoft Windows?

    "a recent audit report .. cited a 2009 incident in which cybercriminals .. caused the computer system to make 3,000 unauthorized connections to domestic and international IP addresses"

    Wouldn't it be a good idea to put these 'computer systems' behind a firewall and only allow access through authenticated VPN connections?

  24. NASA used to be about undeniable precision by hesaigo999ca · · Score: 1

    They used to be hailed as the cornerstone of undeniable precision, where they could lose contact with a shuttle, and plan its course and be able to tell with 100% accuracy where it would show up once it regained contact with them (Apollo mission)... Here, this makes them look like newbs... I don't know what happened, if some outsourced agency was hired to throw together their network configs, but I am surprised to say the least.