
NASA IT Security is a Mess – Stolen Laptops and Hacking JPL

By Keith Cowing
NASA Watch
March 2, 2012

Testimony by NASA IG Paul Martin: NASA Cybersecurity: An Examination of the Agency’s Information Security
“Between April 2009 and April 2011, NASA reported the loss or theft of 48 Agency mobile computing devices, some of which resulted in the unauthorized release of sensitive data including export-controlled, Personally Identifiable Information (PII), and third-party intellectual property. For example, the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station….”
“…In one of the successful attacks, intruders stole user credentials for more than 150 NASA employees – credentials that could have been used to gain unauthorized access to NASA systems. Our ongoing investigation of another such attack at JPL involving Chinese-based Internet protocol (IP) addresses has confirmed that the intruders gained full access to key JPL systems and sensitive user accounts.”

Testimony by NASA CIO Linda Cureton: NASA Cybersecurity: An Examination of the Agency’s Information Security
“The NASA IT Security program is transforming and maturing. The real-world requirement is to protect NASA’s information and information systems at a level commensurate with mission needs and information value. Therefore, NASA is increasing visibility and responsiveness through enhanced information security monitoring of NASA’s systems across the Agency.”

Space station control codes on stolen NASA laptop, CNet
“A laptop stolen from NASA last year contained command codes used to control the International Space Station, an internal investigation has found. The laptop, which was not encrypted, was among dozens of mobile devices lost or stolen in recent years that contained sensitive information, the space agency’s inspector general told Congress today in testimony highlighting NASA’s security challenges.”

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

6 responses to “NASA IT Security is a Mess – Stolen Laptops and Hacking JPL”

  1. dogstar29 says:

    Yeah, but NASA requires user passwords to have at least 35 characters including 7 mathematical symbols and a diacritical mark, and forces users to change passwords every other day and commit them to memory. Or write them on an encrypted post-it note. That HAS to make NASA IT secure.

  2. cb450sc says:

    I was one of those stolen laptops, one of which walked from my office. The article is a bit overblown. “..resulted in the loss of the algorithms used to command and control the International Space Station…” probably just means there were some Word documents showing the command protocol. It’s not like you can log in and drive it into the sun. And the document was probably available from some web site if you looked hard enough. I doubt my stolen laptop wound up in the hands of a Chinese spy – more likely some stoner is checking his email on it today.

    • Ray Hudson says:

      I doubt my stolen laptop wound up in the hands of a Chinese spy – more likely some stoner is checking his email on it today.

      You can keep thinking that way. NASA folks who scream about invasive security background checks would tend to think that way. But those who hold security clearances under DOD, and are regularly briefed about the intel collection threats, know better. Did you hear about the Chinese hackers who broke into JPL? Lesson one in security: Never underestimate your adversaries.

  3. Pete Harding says:

    Interestingly, the ISS has recently undergone a big software update – so I wonder whether these stolen access codes were changed out?

  4. WIntelAgency says:

    The biggest vulnerability is people practice within the disconnect of a centralized ‘unpersonal’ system. Without good one on one discussions from visiting IT Security Managers, and personal training, regular quarterly pen tests to impress users, you lose the “think before you use” mentality of the system users.

  5. sanyo2012 says:

    Is this related to the US drone in Iran back in 2011? Just thinking