So, when we think of NASA, we usually think of how smart people are that work there and how advanced they are technologically. However, the network that NASA uses to control the International Space Station and the Hubble Telescope has some unpatched vulnerabilities which could be exploited via the internet according to NASA’s inspector general.
According to the inspector general’s report, the risk of an attack is real. Hackers were able to steal 22GB of export-restricted data from Jet Propulsion Laboratory systems at NASA in 2009 and were also able to make thousands of unauthorized connections to the network from countries as far away as China, Saudi Arabia and Estonia.
“Until NASA addresses these critical deficiencies and improves its IT security practices, the agency is vulnerable to computer incidents that could have a severe to catastrophic effect on agency assets, operations and personnel,” according to the report which was given the title “Inadequate Security Practices Expose Key NASA Network To Cyber Attack”.
The inspector general attributed all of the problems to a lack of oversight. NASA had agreed to establish an IT security oversight effort for the network last May after a critical audit. As of February, however, that effort had yet to be launched.
NASA’s inspector general, as a part of the investigation, used open source network mapping as well as a security auditing tool map in order to uncover the fact that 54 separate NASA servers, all of which were associated with efforts used to “control spacecraft or process critical data”, were able to be accessed via the internet.
NESSUS, which is a network vulnerability scanner, uncovered multiple servers at NASA that were at a high risk of attack. One server was susceptible to an FTP bounceback which can be used to scan servers through a firewall for other insecurities.
A lot of other servers, which were also configured improperly, served up encryption keys, user account information and even passwords to network monitoring and investigating auditors. These could have opened the doors on more NASA systems and personally identifiable information.
NASA CIO Linda Cureton, in response to the report, agreed to add continuous monitoring to the network as well as mitigating risks to currently Internet-accessible servers. She also put in place more comprehensive agency-wide cyber risk management strategies. The interesting thing is that neither Cureton nor the report mentioned anything about the insecurities being fixed.
It kind of makes you wonder how safe we really are if an organization like NASA has so many insecurities and vulnerabilities.
Source: Information Week – NASA Servers At High Risk of Cyber Attack