Slashdot Mirror


Hack Targets NASA's Earth Observation System

Gunkerty Jeb writes "A hacker is claiming that a security hole in a server at NASA's Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief. The hacker, who uses the handle 'Tinkode,' has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA's Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency."

  1. Wait... by fuzzyfuzzyfungus · · Score: 1

    Somebody is running an FTP server on a computer that has a screen? Also, the obligatory "SFTP Motherfucker! Why don't you use it?"

    1. Re:Wait... by jhoegl · · Score: 2

      FTPS... where security comes after the protocol.

    2. Re:Wait... by Anonymous Coward · · Score: 2, Funny

      Jules Winnfield: What do NASA computers look like?
      Brett: What?
      Jules Winnfield: What OS do they run?!?
      Brett: What?
      Jules Winnfield: What ain't no OS I ever heard of!! They have SFTP on What?!?
      Brett: What?
      Jules Winnfield: SFTP Motherfucker! Do they use it?!?
      Brett: Yes!
      Jules Winnfield: Then you know what I'm transferring?!
      Brett: Yes!
      Jules Winnfield: Describe what NASA computers look like!!

    3. Re:Wait... by Kompressor · · Score: 1

      This.

      That link right there is some brilliant stuff!

      Zed: "Bring out the Hack!"
      Maynard: "The Hack's not online."
      Zed: "Then I guess you'll just have to page him, won't you?"

      ---

      Jules:
      "FAQ 25.17: The righteous higher resolution modes require correspondingly more system memory in order to run..."
      "Blessed are such modes that are not listed in the video modes menu, for they would only slow down the microprocessor."

      ---

      Fabienne: Whose synthesizer?
      Butch: It's not a synthesizer, it's a sampler.
      Fabienne: Whose sampler?
      Butch: Chemlab's.
      Fabienne: Who's Chemlab?
      Butch: Chemlab's dead, baby. Chemlab's dead.

      --
      kmem russian roulette: Aquillar> dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM
  2. Dumbing down by Anonymous Coward · · Score: 3, Insightful

    When FTP needs to be explained on /. it's time to find another "News for Nerds" site.

    1. Re:Dumbing down by DanTheStone · · Score: 3, Insightful

      It's because our submitters and editors are too lazy to write a summary, so they just copy-paste a chunk of the article (which may be intended for a less-technical audience).

    2. Re:Dumbing down by symes · · Score: 3

      I would say defining FTP is just being polite - anyone can come here and browse, some might even want to stay a little while. What's the problem?

    3. Re:Dumbing down by migla · · Score: 3, Funny

      I, for one, am grateful they explained the acronym, because until I read the next words, I thought NASA had a fuck-the-police server, which didn't make much sense, but that's what the kids writing/spraying FTP around here mean. Unless, of course, this is a neighbourhood of poor geeks...

      --
      Some of my favourite people are from the US; Vonnegut, Chomsky, Bill Hicks.
    4. Re:Dumbing down by SETIGuy · · Score: 1

      It's understandable that it needs to be explained. Nobody except the government and anonymous FTP sites uses it anymore. And nobody, including the government, should be using it.

      I've worked on unclassified DOD and NASA projects in the past, and FTP is the default for uploads and downloads. I've never been on a project where personnel would act on an upload without voice confirmation usually involving commands coded in the ICAO phonetic alphabet. I don't know this site, so I don't know if there's anything particularly sensitive there, or if it's just data distribution.

      There's a reason they don't want to use SFTP. SFTP is just something that looks like FTP tunneled over SSH. SSH usually means a local account, and that's often not allowed even if shell access is disabled.

      Government FTP sites tend to be poorly administered, sometimes with a single username and a guessable password given to all that need access. If there were a satellite named PRJ, the username would probably be prjuser and the password might be prjrules!!.

      For my group access sites, I use https, with user changeable passwords for all users, a password reset that requires admin intervention, and custom upload/download code. I don't work for the government, though.

  3. Houston, we have a serious security problem... by digitaldc · · Score: 2

    Someone over at NASA, and government agencies in general, need to seriously step-up their security team.
    Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.
    My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures that security gets left to the wayside and then things like this happen (if it indeed DID happen.)
    Time to abort the mission until we can verify the mission's security has not been compromised.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Houston, we have a serious security problem... by camperdave · · Score: 2

      I thought there was a whole three letter agency (sharing many of the same letters as NASA), whose job it was to secure US government databases and communications. Maybe they're fixing things alphabetically and they're only up to the Ms.

      On the other hand, this data is on a server accessed by "scientists, educators, project managers and policy implementers to better respond to a range of issues including disaster management, agricultural development, biodiversity conservation and climate change"... with "a strong emphasis is placed on partnerships to fortify the availability of searchable and viewable earth observations, measurements, animations, and analysis." The SERVIR project is endorsed by governments of Central America and Africa and principally supported by NASA and the US Agency of International Development (USAID). So, hiding the data behind restrictive protocols is counterproductive to the intended purpose of the site. Furthermore, some of the organizations who use the site may be prevented from using more secure protocols by ITAR restrictions.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:Houston, we have a serious security problem... by _Sprocket_ · · Score: 2

      Someone over at NASA, and government agencies in general, need to seriously step-up their security team.

      To outsiders, NASA looks like a big monolithic Government agency. The reality is that NASA is schizophrenic. It is really a collection of entities that operate at different levels of control and coordination depending on what particular issue is at hand. When you quote "Houston, we have a serious security problem", I'm inclined to point out that it isn't Houston's problem.

      Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.

      Sounds so easy when you put it down on paper like that.

      My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures that security gets left to the wayside and then things like this happen (if it indeed DID happen.)

      I would say your assumption is mostly incorrect. It is more about NASA's bureaucracy than squandering limited resources; though budget constraints are certainly a fundamental issue. The CAIB Report hinted at a culture that was broken within NASA in general. And years later, despite best efforts to change that culture, many of the same problems echo throughout NASA's daily business.

    3. Re:Houston, we have a serious security problem... by CBM · · Score: 2

      I would also like to add that over the past ten years, "security" has gotten much much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, have been partially stifled in the name of security.

      Another thing to mention is that often-times, large institutions like NASA are dealing with legacy systems that do not have the latest security. The common knee-jerk reaction is to say, "just upgrade it!" But the reality is that there can be knock-on effects that prevent upgrading or make it cost-prohibitive. Critical systems that have been running for years often do not have the funds or staff expertise to execute a major upgrade. But as I said, this is a problem with most large institutions, it's just that "NASA" in the title of an article makes it higher profile.

      This post has my personal opinions only.

    4. Re:Houston, we have a serious security problem... by _Sprocket_ · · Score: 2

      I would also like to add that over the past ten years, "security" has gotten much much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, have been partially stifled in the name of security.

      That's a fair point. Security has been an even bigger issue over the past 10 years. Although unfortunately a fair amount of that effort has been around feeding the bureaucracy of compliance rather than actual technical security practices. Which is boon and bane. At least the compliance drive is pushing technical issues that in the past would be entirely ignored by some organizations within NASA.

      Another thing to mention is that often-times, large institutions like NASA are dealing with legacy systems that do not have the latest security. The common knee-jerk reaction is to say, "just upgrade it!" But the reality is that there can be knock-on effects that prevent upgrading or make it cost-prohibitive. Critical systems that have been running for years often do not have the funds or staff expertise to execute a major upgrade. But as I said, this is a problem with most large institutions, it's just that "NASA" in the title of an article makes it higher profile.

      The problem is that security impacts productivity. So much of what is done in IT is done without security issues in mind. Which eventually means disruption of services as security issues are addressed. The challenge has always been to catch security issues early into a project's development or find the most graceful path to addressing a project's security issues. Those who drive infosec aren't always good at doing these things.

      This post has my personal opinions only.

      These are my own personal opinions as well. :)

    5. Re:Houston, we have a serious security problem... by AMuse · · Score: 3, Insightful

      Hi all; I actually work for NASA as an IT Security guy.

      While I can't answer specifics about this incident, you should remember that a great many things done by NASA are "General Science", and the data output from them is specifically and consciously made public.

      It's possible that the FTP server is meant to be serving those files "to the public".

      Why FTP instead of SFTP? Usually when you choose to make data public to the world, you don't bother implementing crypto on the data. And just because it's available via FTP for distribution, does not mean insecure FTP was used to *place* the data on the server.

    6. Re:Houston, we have a serious security problem... by tyldis · · Score: 1

      And I work for a company that deals a great deal with NASA, and they are happy to lose satellite data while waiting for a replacement demodulator to pass their security scans on an internal network.

      They do make an effort, but personally I think they strive to achieve perfect security and in the process people have to poke holes in it in order to make it work :)

    7. Re:Houston, we have a serious security problem... by sysrammer · · Score: 1

      +1

      Thank you. This was my thought exactly. If it's read-only data, no problem.

      sr

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  4. Choosing your targets by Daetrin · · Score: 1

    Hack Targets NASA's Earth Observation System [...] The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency.

    Now _this_ is a hacker who knows how to aim high!

    --
    This Space Intentionally Left Blank
  5. Hey /. by mehrotra.akash · · Score: 1

    Could you please stop spamming facebook??

  6. OMGWTFBBQ I FOUND ANOTHER ONE!!!!! by bmo · · Score: 1

    DUDE!  CHECK OUT THIS FTP SERVER THAT I COULD JUST WALK INTO!  OMG I HACK IT!

    ALL I HAD TO DO WAS PUT IN MY EMAIL ADDRESS AS THE PASSWORD!  MY GOD I COULD HAVE PUT IN ANYTHING!

    bmo@owlcomm:~$ ftp ftp.linux.org.uk
    Connected to ftp.linux.org.uk.
    220 (vsFTPd 2.2.0)
    Name (ftp.linux.org.uk:bmo): anonymous
    331 Please specify the password.
    Password:
    230-Welcome to ZenIV
    230-
    230-The software on this site is made available for free without warranty or
    230-other right of recourse implied or otherwise. No statement save one in
    230-writing by the owner of the system changes this usage agreement. This
    230-software is provided in the United Kingdom for United Kingdom users,
    230-any export download is at your own risk and liability.
    230-
    230-Many parts of this archive are mirrors of other sites. While we try not
    230-to mirror any inappropriate material we do not have editorial control over
    230-such mirrors and cannot make such a guarantee.
    230-
    230-There is no other user agreement, should your local law make such an
    230-agreement invalid you are prohibited from using this site, and may be
    230-committing an offence under the computer misuse act by continuing.
    230-
    230-By downloading any file from this site you agree to these terms and
    230-conditions, disconnect now if you do not.
    230-
    fucking lameness filter
    230-*                                                                     *
    230-*   If you are having problems accessing this site, then please use   *
    230-*  "passive" transfer mode rather than "port" transfer mode.  Thanks. *
    230-*                                                                     *
    fucking lameness filter
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.

    --
    BMO
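The session above is a plain FTP login as it appears on the wire: a 220 greeting, a 331 password prompt, and a multi-line 230 reply whose continuation lines are marked "230-" and which ends at the line marked "230 ". The following parser, added here as an example and not part of bmo's post, turns such a transcript into a list of (code, lines) replies per RFC 959 and summarises what the login was; the embedded transcript is a constructed, shortened excerpt of the one quoted above. The same parsing is what you would reuse when checking captured sessions or client logs for anonymous logins.

```python
"""Parse the server side of an FTP session transcript (RFC 959 reply format).

Added example, not part of the original post. An FTP reply is a three-digit
code followed by a space for a single-line reply, or by a hyphen on the first
line of a multi-line reply; the multi-line reply ends at the line that starts
with the same code followed by a space. Lines in between may repeat the code
with a hyphen or be bare text.
"""
import re

# Constructed, shortened excerpt of the session quoted in the post above.
SESSION = """\
220 (vsFTPd 2.2.0)
Name (ftp.linux.org.uk:bmo): anonymous
331 Please specify the password.
Password:
230-Welcome to ZenIV
230-
230-The software on this site is made available for free without warranty or
230-other right of recourse implied or otherwise.
230-
230-*   If you are having problems accessing this site, then please use   *
230-*  "passive" transfer mode rather than "port" transfer mode.  Thanks. *
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
"""

REPLY_START = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_replies(transcript):
    """Return [(code, [lines]), ...] for every server reply in the transcript.

    Lines that do not start with a reply code (client prompts, ftp(1) chatter)
    are skipped outside a multi-line reply; inside one, every line is collected
    until the terminating "<code><space>" line. An unterminated multi-line
    reply raises ValueError, since a truncated capture should not pass silently.
    """
    replies = []
    current = None  # (code, lines) of the multi-line reply being collected
    for line in transcript.splitlines():
        m = REPLY_START.match(line)
        if current is not None:
            code, lines = current
            if m and m.group(1) == code and m.group(2) == " ":
                lines.append(m.group(3))          # terminating line
                replies.append((int(code), lines))
                current = None
            elif m and m.group(1) == code:
                lines.append(m.group(3))          # "230-..." continuation
            else:
                lines.append(line)                # bare-text continuation
            continue
        if not m:
            continue                              # not a server reply
        code, sep, text = m.groups()
        if sep == "-":
            current = (code, [text])
        else:
            replies.append((int(code), [text]))
    if current is not None:
        raise ValueError("unterminated multi-line reply %s" % current[0])
    return replies


def login_summary(transcript):
    """Classify the login visible in a client-side transcript."""
    replies = parse_replies(transcript)
    codes = [code for code, _ in replies]
    user = None
    for line in transcript.splitlines():
        # ftp(1) echoes the username after "Name (host:localuser): ".
        if line.startswith("Name ("):
            user = line.rsplit(":", 1)[1].strip()
    return {
        "server_ready": 220 in codes,
        "password_requested": 331 in codes,
        "logged_in": 230 in codes,
        "anonymous": user is not None and user.lower() in ("anonymous", "ftp"),
        "reply_codes": codes,
    }


if __name__ == "__main__":
    for code, lines in parse_replies(SESSION):
        print(code, lines[0], "(%d line reply)" % len(lines))
    print(login_summary(SESSION))
```

Only the reply codes are authoritative; the banner text between "230-" lines is free-form and should be treated as untrusted display data, never parsed for policy.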

    1. Re:OMGWTFBBQ I FOUND ANOTHER ONE!!!!! by Kompressor · · Score: 1

      Holy crap! Anonymous has hacked the kernel servers and left a backdoor?

      What FTP server will they hit next, sunsite?

      --
      kmem russian roulette: Aquillar> dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM
    2. Re:OMGWTFBBQ I FOUND ANOTHER ONE!!!!! by JWW · · Score: 1

      I have to concur with this sentiment. NASA data policy states that they give quite a bit of their data away freely.

      It appears that ASAR data is freely available. So this could be as simple as this hacker logging into the ftp server that distributes the data, which, as you've shown, is not exactly a "hack".

  7. Hacking assholes. by Anonymous Coward · · Score: 1

    Agreed. Although, someone hacking into the SERVIR computers has to be a real goddamn low-life sub-human sack of shit and should be ashamed to even post that they even attempted such a thing.

    What next assholes? Breaking into the UNICEF servers or something to delay help to needy children? Do you fucks go around kicking puppies and kittens?

    You're not "cool". You're not "l33t" or whatever the fuck you losers call yourselves.

    You wanna be "l33t" and "cool"? Invent something that helps humanity, makes a billion, or both. At least if you make a billion you'll be creating jobs - even if you blow your money and go all Charlie Sheen, it'll be more respectable.

    1. Re:Hacking assholes. by Steauengeglase · · Score: 2

      This is nothing new: http://en.wikipedia.org/wiki/WANK_(computer_worm)

      For whatever reason, NASA is like a flame for hackers' moths. They have interesting, groundbreaking research, a budget and, let's be honest, they have things in orbit, but they aren't going to shoot you in the head like other agencies who may or may not have things up there.

  8. Hackers Blog by RdeCourtney · · Score: 1
    --
    Insert signature here...
  9. Sexist summary! by 6Yankee · · Score: 1

    "he"? I'd be asking where spaceyhackerlady is and whether she's Tinkode. :)

  10. Uhh Why is this a problem by harrytuttle777 · · Score: 1

    So is disaster preparedness information now considered "classified" and only able to be disseminated to the highest bidder? Was Tinkode trying to show a dangerous lack of security on the part of NASA that would just allow anyone to log in and get the information needed to track tsunamis? Shouldn't this be what we want government to be doing?

  11. I can not read the comments! by dotancohen · · Score: 1

    I see that there are 30 comments on this article, but I cannot see them! Pressing "Get More Comments" does nothing, and neither does the javascript slider! Slashpot, fix your website! It's been broken for a few months, since the last update!

    Kubuntu 11.04, Firefox 4

    --
    It is dangerous to be right when the government is wrong.
    1. Re:I can not read the comments! by PhxBlue · · Score: 1

      If you think this site is borked, you should check out their Facebook page!

      --
      !#@%*)anks for hanging up the phone, dear.
  12. And the UFO pictures? by Adeptus_Luminati · · Score: 1

    What's the point of hacking NASA if you're not going to download their superTopSekreT UFO pictures? Anybody can modify an FTP login screenshot, but clear pictures of UFOs close up, now that's the money shot!

    --
    No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
  13. Summary: He got into an ftp server: big whooptedo: by Hartree · · Score: 1

    Well, BFD.

    This is hardly data that is soopersekret national security info.

    The ftp server is now down on that machine, but who knows. For all I can see, it may have even been open for read only anonymous ftp access and he just didn't know it for what it was.

    Otherwise he may have guessed an obscure login like "data" with password "data". Or, if it was running something unpatched from way long ago, used an existing hack. ftp buffer overflows were a dime a dozen at one point.

    Not everything is worth heavily securing especially when you want a broad and diverse audience to have access to it.

  14. RO or RW access? by RockDoctor · · Score: 1
    So I RTFS and think "Big Fucking Deal, someone can use Firefox to get into an FTP server that appears to carry data for some Earth Observation satellites. So far so BFD."

    Next BIG question is - did he have RO access, or RW access? TFS says nothing, so I RTFA - still nothing. Look at the screen shots, still nothing. Not even a claim of a RW access.

    So far, the guy has found a FTP server that looks like it contains data which is likely public domain already. BFD.

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
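The read-only versus read-write question raised in this post, and AMuse's point earlier in the thread that public data is often deliberately served over anonymous FTP, come down to a handful of daemon settings. The script below is an added example, not code from the original thread: it assumes a vsftpd-style key=value configuration (vsftpd is the daemon in bmo's session above; nothing on the page says what the server in the story ran) and audits it for what anonymous clients may do. The two embedded configurations are constructed: one is an anonymous read-only distribution server, the other lets anonymous users write, which is the case an auditor would flag.

```python
"""Audit a vsftpd.conf for anonymous read-only versus read-write access.

Added example, not part of the original post. Assumes vsftpd's key=value
configuration syntax and the compiled-in defaults documented in vsftpd.conf(5)
for the options consulted below.
"""

# vsftpd compiled-in defaults (vsftpd.conf(5)); a distribution package may
# ship a config that overrides them, which is why the file is parsed first.
DEFAULTS = {
    "anonymous_enable": True,
    "local_enable": False,
    "write_enable": False,
    "anon_upload_enable": False,
    "anon_mkdir_write_enable": False,
    "anon_other_write_enable": False,
}


def parse_vsftpd_conf(text):
    """Parse key=value lines; blank lines and # comments are ignored.

    YES/NO values become bools, everything else stays a stripped string.
    Unknown keys are kept so callers can inspect them. A line without '='
    raises ValueError rather than being silently skipped.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = line.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        conf[key] = value.upper() == "YES" if value.upper() in ("YES", "NO") else value
    return conf


def audit_anonymous_access(conf):
    """Describe what anonymous (and local) clients can do under this config."""
    def opt(name):
        return conf.get(name, DEFAULTS[name])

    anon = opt("anonymous_enable")
    # Every filesystem-changing command also needs the global write_enable switch.
    anon_write = bool(anon and opt("write_enable") and (
        opt("anon_upload_enable")
        or opt("anon_mkdir_write_enable")
        or opt("anon_other_write_enable")
    ))
    findings = []
    if anon and not anon_write:
        findings.append("anonymous read-only: consistent with public data distribution")
    if anon_write:
        findings.append("anonymous clients can write: uploads, renames or deletes need no credentials")
    if opt("local_enable") and opt("write_enable"):
        findings.append("local accounts can write: their passwords travel in cleartext over plain FTP")
    return {"anonymous": bool(anon), "anonymous_write": anon_write, "findings": findings}


# Constructed: anonymous distribution of already-public data, read-only.
PUBLIC_READONLY_CONF = """\
# constructed sample
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_root=/srv/ftp/pub
xferlog_enable=YES
"""

# Constructed: the setting an auditor should flag.
ANON_WRITABLE_CONF = """\
# constructed sample
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""

if __name__ == "__main__":
    for name, text in (("read-only", PUBLIC_READONLY_CONF), ("writable", ANON_WRITABLE_CONF)):
        print(name, audit_anonymous_access(parse_vsftpd_conf(text)))
```

Note that an empty file is not a safe answer: with no overrides the audit falls back to the compiled-in defaults, which enable anonymous read-only access, so the check reports that case explicitly instead of reporting nothing.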