Slashdot Mirror


Hack Targets NASA's Earth Observation System

Gunkerty Jeb writes "A hacker is claiming that a security hole in a server at NASA's Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief. The hacker, who uses the handle 'Tinkode,' has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA's Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency."

  1. Dumbing down by Anonymous Coward · · Score: 3, Insightful

    When FTP needs to be explained on /. it's time to find another "News for Nerds" site.

    1. Re:Dumbing down by DanTheStone · · Score: 3, Insightful

      It's because our submitters and editors are too lazy to write a summary, so they just copy-paste a chunk of the article (which may be intended for a less-technical audience).

    2. Re:Dumbing down by symes · · Score: 3

      I would say defining FTP is just being polite - anyone can come here and browse, some might even want to stay a little while. What's the problem?

    3. Re:Dumbing down by migla · · Score: 3, Funny

      I, for one, am grateful they explained the acronym, because until I read the next words, I thought NASA had a fuck-the-police server, which didn't make much sense, but that's what the kids writing/spraying FTP around here mean. Unless, of course, this is a neighbourhood of poor geeks...

      --
      Some of my favourite people are from the US; Vonnegut, Chomsky, Bill Hicks.
  2. Re:Wait... by jhoegl · · Score: 2

    FTPS... where security comes after the protocol.

  3. Re:Wait... by Anonymous Coward · · Score: 2, Funny

    Jules Winnfield: What do NASA computers look like?
    Brett: What?
    Jules Winnfield: What OS do they run?!?
    Brett: What?
    Jules Winnfield: What ain't no OS I ever heard of!! They have SFTP on What?!?
    Brett: What?
    Jules Winnfield: SFTP Motherfucker! Do they use it?!?
    Brett: Yes!
    Jules Winnfield: Then you know what I'm transferring?!
    Brett: Yes!
    Jules Winnfield: Describe what NASA computers look like!!

  4. Houston, we have a serious security problem... by digitaldc · · Score: 2

    Someone over at NASA, and government agencies in general, need to seriously step-up their security team.
    Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.
    My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures that security gets left to the wayside and then things like this happen (if it indeed DID happen.)
    Time to abort the mission until we can verify the mission's security has not been compromised.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
    1. Re:Houston, we have a serious security problem... by camperdave · · Score: 2

      I thought there was a whole three letter agency (sharing many of the same letters as NASA), whose job it was to secure US government databases and communications. Maybe they're fixing things alphabetically and they're only up to the Ms.

      On the other hand, this data is on a server accessed by "scientists, educators, project managers and policy implementers to better respond to a range of issues including disaster management, agricultural development, biodiversity conservation and climate change"... with "a strong emphasis is placed on partnerships to fortify the availability of searchable and viewable earth observations, measurements, animations, and analysis." The SERVIR project is endorsed by governments of Central America and Africa and principally supported by NASA and the US Agency of International Development (USAID). So, hiding the data behind restrictive protocols is counterproductive to the intended purpose of the site. Furthermore, some of the organizations who use the site may be prevented from using more secure protocols by ITAR restrictions.

      --
      When our name is on the back of your car, we're behind you all the way!
    2. Re:Houston, we have a serious security problem... by _Sprocket_ · · Score: 2

      Someone over at NASA, and government agencies in general, need to seriously step-up their security team.

      To outsiders, NASA looks like a big monolithic Government agency. The reality is that NASA is schizophrenic. It is really a collection of entities that operate at different levels of control and coordination depending on what particular issue is at hand. When you quote "Houston, we have a serious security problem", I'm inclined to point out that it isn't Houston's problem.

      Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.

      Sounds so easy when you put it down on paper like that.

      My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures that security gets left to the wayside and then things like this happen (if it indeed DID happen.)

      I would say your assumption is mostly incorrect. It is more about NASA's bureaucracy than squandering limited resources; though budget constraints are certainly a fundamental issue. The CAIB Report hinted at a culture that was broken within NASA in general. And years later, despite best efforts to change that culture, many of the same problems echo throughout NASA's daily business.

    3. Re:Houston, we have a serious security problem... by CBM · · Score: 2

      I would also like to add that over the past ten years, "security" has gotten much much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, has been partially stifled in the name of security.

      Another thing to mention is that often-times, large institutions like NASA are dealing with legacy systems that do not have the latest security. The common knee-jerk reaction is to say, "just upgrade it!" But the reality is that there can be knock-on effects that prevent upgrading or make it cost-prohibitive. Critical systems that have been running for years often do not have the funds or staff expertise to execute a major upgrade. But as I said, this is a problem with most large institutions, it's just that "NASA" in the title of an article makes it higher profile.

      This post has my personal opinions only.

    4. Re:Houston, we have a serious security problem... by _Sprocket_ · · Score: 2

      I would also like to add that over the past ten years, "security" has gotten much much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, has been partially stifled in the name of security.

      That's a fair point. Security has been an even bigger issue over the past 10 years. Although unfortunately a fair amount of that effort has been around feeding the bureaucracy of compliance rather than actual technical security practices. Which is boon and bane. At least the compliance drive is pushing technical issues that in the past would be entirely ignored by some organizations within NASA.

      Another thing to mention is that often-times, large institutions like NASA are dealing with legacy systems that do not have the latest security. The common knee-jerk reaction is to say, "just upgrade it!" But the reality is that there can be knock-on effects that prevent upgrading or make it cost-prohibitive. Critical systems that have been running for years often do not have the funds or staff expertise to execute a major upgrade. But as I said, this is a problem with most large institutions, it's just that "NASA" in the title of an article makes it higher profile.

      The problem is that security impacts productivity. So much of what is done in IT is done without security issues in mind. Which eventually means disruption of services as security issues are addressed. The challenge has always been to catch security issues early in to a project's development or find the most graceful path to addressing a project's security issues. Those who drive infosec aren't always good at doing these things.

      This post has my personal opinions only.

      These are my own personal opinions as well. :)

    5. Re:Houston, we have a serious security problem... by AMuse · · Score: 3, Insightful

      Hi all; I actually work for NASA as an IT Security guy.

      While I can't answer specifics about this incident, you should remember that a great many things done by NASA are "General Science", and the data output from them is specifically and consciously made public.

      It's possible that the FTP server is meant to be serving those files "to the public".

      Why FTP instead of SFTP? Usually when you choose to make data public to the world, you don't bother implementing crypto on the data. And just because it's available via FTP for distribution, does not mean insecure FTP was used to *place* the data on the server.

  5. Re:Hacking assholes. by Steauengeglase · · Score: 2

    This is nothing new: http://en.wikipedia.org/wiki/WANK_(computer_worm)

    For whatever reason, NASA is like flame for hacker's moths. They have interesting, groundbreaking research, a budget and let's be honest, they have things in orbit, but they aren't going to shoot you in the head like other agencies who may or may not have things up there.