"The OIG review found that six computer servers associated with information technology (IT) assets that control NASA spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable. Moreover, once inside the Agency-wide mission network, the attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA operations. We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers."
"Gail Robinson of the OIG's office tells Nature the IG can't say publicly which systems are affected for security reasons, but that it has told NASA the information. Although only six examples were documented, the IG report makes clear that up to 130 systems could be affected by the inconsistent oversight."
"Anup Ghosh, founder and chief scientist for Invincea, noted that events like the recent attacks against HBGary, RSA, and Comodo, and this audit report from NASA might lead IT admins to ask: "If it is happening to organizations like these, can it happen to us?" But, Ghosh says the better question to ask is: "If it is happening to the top security companies, is it happening everywhere?" Ghosh volunteers the answer to that question, saying it is undoubtedly "yes"."
"What's the problem? The OIG said NASA has been slow to act on a recommendation it made in May 2010 that NASA secure its networks. At that point, the OIG told NASA to immediately establish an IT security oversight program for its mission network, but as of February 2011, NASA had done nothing."
Space Mission Networks at Risk of Major Breach, GovInfoSecurity
"NASA CIO Linda Cureton, in a letter to the IG, generally concurred with the IG's recommendations, saying she will work with mission directorates and centers to develop a comprehensive approach by Sept. 30 to ensure that Internet-accessible computers on NASA's mission networks are routinely identified, vulnerabilities are continually evaluated and risks are promptly mitigated. In addition, Cureton said she will develop and implement a strategy for conducting an Agency-wide risk assessment by Aug. 31."