
NASA's IT Incompetence (Update)

By Keith Cowing
NASA Watch
November 17, 2012

NASA breach update: Stolen laptop had data on 10,000 users, ComputerWorld
“Personally identifiable information of “at least” 10,000 NASA employees and contractors remains at risk of compromise following last month’s theft of an agency laptop, a spokesman told Computerworld via email Thursday. … Responding to questions from Computerworld today, NASA spokesman Allard Beutel acknowledged that agency waited nearly two weeks to publicly disclose the breach. He said that in the interim, NASA was working with law enforcement personnel to recover the laptop, and was working to determine exactly whose personal data was stored on it.”
Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information (PII) (Original NASA Memo to employees)
Keith’s 15 Nov note: There is no common sense evident in the NASA CIO organization. Why on Earth would anyone allow information on this many people to leave the agency on a single laptop – without sufficient encryption/protection – and then leave it unattended in a car? What baffles me is that NASA waited 2 weeks to tell the people affected. I guess that means that NASA had no idea what was on the laptop in the first place – but they allowed it to leave the building anyway – and that the person taking the laptop off site either had no idea what was on the laptop (not good) or knew what was on the laptop and did not care to treat the contents the way that they should have been protected. This borders on sheer negligence.
Keith’s 16 Nov update: A NASA Watch reader forwarded the letter that they received as a result of the stolen laptop. Note that NASA has yet to explain to any affected employees exactly what sort of personal information of theirs was on the laptop. So … what is it that people need to be watching out for? Apparently everything, since NASA has yet to tell people what data of theirs is affected. People are given a list of things that they have to do at their own time and expense, such as freezing their credit. NASA annoyingly notes that if one chooses to implement such a freeze, “you will not be able to borrow money, obtain instant credit, or get a new credit card until you temporarily lift or permanently remove the freeze. The cost of placing the freeze varies by the state you live in and for each credit reporting agency.”
NASA made this mistake – not the thousands of its employees who were affected. It’s about time for the agency to tell its employees exactly what sort of risk they face as a result of the agency’s incompetence. NASA has had more than 2 weeks to work on this. The fact that NASA still cannot – or will not – tell its employees what they need to be looking out for is simply inexcusable.

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

19 responses to “NASA's IT Incompetence (Update)”

  1. Gonzo_Skeptic says:

    My company requires that all laptops have their hard disks encrypted by the IT department before they are deployed to the user.  No exceptions.  It has been this way for at least five years.

    There is no excuse for NASA’s IT department to allow users to have unencrypted laptops.  The software to do this is off the shelf.

    This is just another example how the agency lacks the discipline to act like a professional organization.

    • kcowing says:

      This just baffles me. Then again, it doesn’t.  In the real world this would be done (as you note) as a routine process. But this is NASA.

    • DocM says:

      Cripes, even my 12 year old grandson encrypts his laptop with TrueCrypt.

      Sad.

      • dogstar29 says:

        TrueCrypt is under user control, and can use partition or file encryption, which increases usability.

  2. dogstar29 says:

    A thief who steals a laptop seldom even bothers to hack the password; they just reformat the drive and sell it (or use it themselves), because searching through all the files on every laptop they steal would be time consuming and unproductive. SFAIK there have not been any reports linking an actual case of identity theft to a stolen NASA laptop. Conversely, someone who wants your SSN would not waste their time stealing a laptop. Since it can never be changed and is on hundreds of forms accessible to thousands of people, many of whom make only minimum wage, your SSN is definitely not secure and is probably already for sale on the internet. But that isn’t the real problem. The SSN was intended as a way to unambiguously state your identity, like your name, not as a way to verify your identity, like a password, PIN, biometric identifier or picture ID. The only reason the SSN can be used for identity theft is that banks want to be able to sell credit cards to new customers by mail, which is very profitable, without bothering to verify their identity in person. This is the real cause of the identity theft.

    Of course, there is no reason to put sensitive data on a laptop when such data could easily be stored securely on a remote server. However NASA makes it relatively hard to access remote storage offsite; you can’t even keep more than about a month of email accessible. Finally, if you absolutely had to put a sensitive file on a laptop _and_ take it off center you could easily encrypt the files or the user partition, which is what most private industries might do, without altering the operating system or logon procedures. DAR is not a particularly good solution (except perhaps for management, since it seems so simple on paper). The OS itself is encrypted and inaccessible at startup, so the computer cannot access the network for authentication. Consequently DAR requires two separate logons with different passwords, delaying every user. Computational speed is reduced considerably since every file must be encrypted or decrypted for each disk access. The installation script downloads and starts without warning or any way for the user to delay while you back up critical data.  Once the unstoppable script starts there is no guarantee you will ever be able to log on again, and I am personally aware of systems where the entire drive had to be reformatted and valuable data has been lost as a result. 

    • ex_NASA says:

      Actually, I’ve had a SysAdmin run a DAR comparison case for me on a single laptop to compare system speed when running a complicated analysis pre- and post-DAR.  The test showed that the computation time was not measurably affected by the addition of the DAR software.

      • dogstar29 says:

        How do you know the “comparison case” created by your Sysadmin even required that data be actually written to disk rather than cached? Encryption occurs on disk writes, so performance degradation depends on the size of the files written to disk, which in scientific computation can easily exceed cache capacity, not the amount of computation done in the CPU.

        I personally have seen a complete drive lost because it was impossible to login after the installation. And I am mystified by the software being pushed onto some desktops as well. Apparently the DAR package was produced by a contractor and implemented with no user-level testing. 

        If employees are responsible and have common sense, those who actually have sensitive data can keep it onsite, on the cloud, or in an encrypted partition without adding additional login requirements. If they lack these qualities DAR will not protect the data. The main rationale for carrying sensitive data on a laptop at all seems to be that a manager would have to work with hundreds of sensitive files while en route on an airliner where he could not connect to the network. How would he keep passengers in the adjacent seats from reading his files?

        The requirement to change domain passwords every two months (itself never substantiated) while the separate DAR password is stored locally on every separate laptop makes for confusion in any office that uses shared resources. 

        Finally, there has so far as I can tell been no evidence of actual identity theft or any dissemination of the “personal data” on one of the stolen laptops. So the initial and recurrent cost of this program was incurred to prevent a theoretical problem.

        The common thread in IT is that there is little or no meaningful discussion with the users about what the real problem is and what the best solution is before implementing a “solution” chosen by management which is far more expensive when one considers the total additional time and effort required of every user, every day.

        • ex_NASA says:

          I’m not arguing the individual pros and cons of DAR.  But, my test case was a Nastran job that generally develops between several hundred MB and tens of GB of data IO to/from disk.

          That test convinced me to allow the DAR’ing of not only our laptops but desktop systems as well.

  3. Steve Whitfield says:

    I’m guessing that this situation exists in part because every NASA center has its own everything, even databases?  The only place I can imagine this type of data being “transferred to” is another NASA center; what need would there ever be to take it to a non-NASA facility?  If the centers were more integrated, instead of seemingly being in competition, then this sort of thing might never happen, since personal data would be directly accessible from all centers.

  4. Brian_M2525 says:

    While it might be easy to encrypt everything, my guess is that 99.9% of NASA people and their laptops have nothing worth encrypting. So the idea that no laptops can be removed from a NASA center until they are encrypted, or that all initiatives for remote access and working from home have to be curtailed, driving up the cost of keeping centers open and operating over upcoming holiday breaks, is just another over-reaction on the part of the NASA bureaucracy.

    • Gonzo_Skeptic says:

      While it might be easy to encrypt everything, my guess is that 99.9% of NASA people and their laptops have nothing worth encrypting.

      You certainly have a very negative view of the value of NASA work products and information.

      There is no significant technical or cost hurdle to encrypting every single laptop at NASA.  None.  And there has been a directive to do so since at least 2006.  Yet NASA’s IT departments flounder around, preferring to lock the gate after the horse has left the barn.

      So the idea that no laptops can be removed from a NASA center until they are encrypted, or that all initiatives for remote access and working from home have to be curtailed, driving up the cost of keeping centers open and operating over upcoming holiday breaks, is just another over-reaction on the part of the NASA bureaucracy.

      Don’t worry.

      This will be just another rule that NASA workers ignore.

      • space1999 says:

        Interesting concept of value. Good thing most scientists don’t value their own research… I mean, all that publishing they do. Most of NASA does non-secret science and engineering. Last I checked, even secret information can be checked out unencrypted… if it’s written on paper. Over-reaction is about the size of it.

  5. Steve Whitfield says:

    Keith,

    I have to admit that I originally completely missed the obvious “what’s wrong with this picture.”

    The person from whom the laptop was stolen was a teleoperator (work from home person), which is something I’m all in favor of.  But, their job requires him/her to work with this PII data — strike 1: should a job that requires PII data be a candidate for a teleoperator employee?  It seems like a golden invitation to all of the malicious troublemakers attacking the web.

    He/she had copied this PII data to a laptop — strike 2: why was it copied in the first place?  If he/she really needs to work with this data, then they should be working with the original master data, not a copy!  If the teleoperator’s job involves amending that data, then the master database becomes outdated, which means in error, until the amended data on the laptop eventually updates (overwrites) it.  Bad practice; very, very bad.  The only way that this could be made to work is if the entire rest of the planet is locked out of the master database completely until it has been brought back up to date with the amended laptop data.

    In the case where the teleoperator doesn’t alter the data, you’d still have to lock the rest of the planet out of the master database — strike 3: because the moment anybody else alters the content of the master database, the laptop data is invalid.  You could argue that there are lots of software packages that can synchronize the laptop data with the master database in real time, but a) it’s an increased security risk, b) are any of them compatible with the database format being used?, and c) the biggy, if you’re going to maintain a real time connection anyhow, then why not just access the master database directly instead of a copy on a laptop?  It’s likely way faster that way, anyhow.

    So, the whole encryption issue is secondary.  What we’re facing is a serious lack of process control, because this job never should have been a candidate for teleoperation in the first place.  The simple fact that this situation arose screams amateurs to me.

    Somewhere in the chain of command is the person responsible for overseeing, reviewing and controlling this sort of thing.  In my opinion, if either that person or the individual who OK’ed the copying of the data to a laptop is still working for NASA, then there’s strike 4.

    Steve

    • jimlux says:

      Without knowing the actual data and software applications in use, there’s a whole lot of issues.
      1) Using a VPN from some location with a NASA supplied laptop is a heck of a lot better than telework with your personal computer.   So taking the laptop home is a “good idea” in this case.
      2) Whether you’re at home, or in a hotel, or at work, the basic threat is about the same (aside from physical loss or theft).  There’s no particular reason why the information you work with should have ANY effect on where the work is done (barring classified information where you have air gap kind of security anyway).  Who is to say that there isn’t some malevolent entity sniffing the network *at work*?
      3) There’s a whole raft of reasons why someone might have PII (which, as others point out can range from “telephone book banal” to “mindbendingly private”) and not need, nor should they have access to the master database.  Perhaps you’re preparing a statistical analysis of educational attainment vs worker age vs longevity at NASA? That requires PII for lots of people, but doesn’t get into modifying a database.  And, while remote access to shared data works moderately well, it’s certainly not the universal case that your analysis tool happens to have “live links” to the required dataset.  Often it requires doing an extraction from one place, then some manipulation to get it into a different form, etc.   This is certainly not unique to NASA.. it’s pretty much everywhere: try making a nice plot of hourly temperatures for your city for the past year.  You have to get the data in chunks, in one format, perhaps from multiple sources, then merge it all together and reformat it for plotting, etc.
      4) There are all sorts of ways to deal with multiple user access to a database without the lockout scheme you describe. Any decent database (and even lame ones) support transactions, record or field locking, rollbacks, referential integrity among tables, etc. 
      5) Historically, many of the big compromises of PII in industry occur from auditors losing their laptops.  The regular business process is well analyzed and secure, it’s the off-nominal stuff (e.g. auditors taking a copy to analyze) that raises issues.  You don’t know that this wasn’t the case here.
      6) Full Disk Encryption is a “best practice”, but it’s not something you can wave a magic wand and have occur.  It typically gets rolled out incrementally over several years (as people replace their computers, you give them a new one with FDE installed).  In an enterprise environment, FDE is a bit more tricky than just saying “go download truecrypt and install it”.  You need a controlled backdoor (people DO forget their passwords, for instance). There’s also significant potential performance impact which needs to be assessed, if only to ensure it’s NOT a problem.
      7) At a guess, I’d say that NASA has maybe 30% of its computers that are not explicitly managed within the standard “lease a computer from vendor along with support” (ODIN, ACES, LMIT, etc.) mechanism. That computer population is incredibly diverse and difficult to manage for a variety of reasons.  So while you could roll out suitable security (FDE, Two Factor Authentication, etc.) to the 70% pretty easily (and I suspect that NASA has), getting the last 30% is harder. Does your chosen FDE support Windows NT 4.0?  This kind of thing comes up because there’s some software driver supporting some hardware that is being used to support something that’s 15 years old, and the company that made that hardware is long since out of business, so no handy Linux or Windows 7 driver available.  It’s not like you’re running a call center where you can mandate that all workstations have the same exact configuration, refreshed from a central server 3 times a day.
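
Two technical points in the thread above go together: dogstar29’s that a sensitive file can be encrypted on its own, without touching the OS or the logon procedure, and jimlux’s that an enterprise rollout needs a controlled recovery path because people forget passwords. The Go program below is an added example written for this page; it is not NASA’s DAR package, not any commenter’s code, and not a description of how NASA’s contractor implemented anything. It uses only the Go standard library. The envelope layout, the “user-wrap”/“recovery-wrap”/“file” labels, the PBKDF2 iteration count and the 32-byte recovery key are assumptions chosen for illustration, and the sample plaintext is constructed. The file body is sealed under a random data-encryption key (DEK); the DEK is then wrapped twice, once under a key derived from the user’s passphrase and once under an escrowed recovery key, so a helpdesk can reset a forgotten passphrase without ever re-encrypting the data and without the old passphrase continuing to work.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is one encrypted file: the body is sealed under a random DEK, and the
// DEK is wrapped twice, under the user's passphrase and under an escrowed recovery
// key, so a forgotten passphrase does not mean lost data. (Assumed layout.)
type Envelope struct {
	Salt         []byte // PBKDF2 salt for the passphrase-derived wrapping key
	UserWrap     []byte // nonce || AES-256-GCM(DEK) under the passphrase key
	RecoveryWrap []byte // nonce || AES-256-GCM(DEK) under the recovery key
	Ciphertext   []byte // nonce || AES-256-GCM(file body) under the DEK
}

const pbkdf2Iters = 100000 // assumed work factor; tune to the hardware

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output block,
// written inline so the example needs nothing outside the standard library.
func pbkdf2SHA256(pass, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): index of the first (and only) block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key in this file is 32 bytes: AES-256
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts under a fresh nonce and prepends it; the label is bound as
// associated data so a key wrap cannot be passed off as a file body or vice versa.
func seal(key, plaintext []byte, label string) []byte {
	gcm := aesGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, []byte(label))
}

// open reverses seal; any bit flip in nonce, ciphertext, tag or label fails.
func open(key, sealed []byte, label string) ([]byte, error) {
	gcm := aesGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], []byte(label))
}

// Encrypt seals the file body and wraps the DEK for both unlock paths.
func Encrypt(plaintext []byte, passphrase string, recoveryKey []byte) (*Envelope, error) {
	if len(recoveryKey) != 32 {
		return nil, errors.New("recovery key must be 32 bytes") // 16 would silently select AES-128
	}
	dek, salt := randBytes(32), randBytes(16)
	return &Envelope{
		Salt:         salt,
		UserWrap:     seal(pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iters), dek, "user-wrap"),
		RecoveryWrap: seal(recoveryKey, dek, "recovery-wrap"),
		Ciphertext:   seal(dek, plaintext, "file"),
	}, nil
}

// DecryptWithPassphrase is the everyday user path.
func DecryptWithPassphrase(env *Envelope, passphrase string) ([]byte, error) {
	dek, err := open(pbkdf2SHA256([]byte(passphrase), env.Salt, pbkdf2Iters), env.UserWrap, "user-wrap")
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered envelope")
	}
	return open(dek, env.Ciphertext, "file")
}

// ResetPassphrase is the controlled recovery path: the escrowed key unwraps the DEK,
// which is re-wrapped under a new passphrase. The body is untouched; the old passphrase stops working.
func ResetPassphrase(env *Envelope, recoveryKey []byte, newPassphrase string) error {
	dek, err := open(recoveryKey, env.RecoveryWrap, "recovery-wrap")
	if err != nil {
		return errors.New("wrong recovery key or tampered envelope")
	}
	env.Salt = randBytes(16)
	env.UserWrap = seal(pbkdf2SHA256([]byte(newPassphrase), env.Salt, pbkdf2Iters), dek, "user-wrap")
	return nil
}

func main() {
	recovery := randBytes(32) // per device, generated once and held in escrow, not on the laptop
	env, _ := Encrypt([]byte("constructed sample: employee roster"), "correct horse", recovery)
	_ = ResetPassphrase(env, recovery, "set by helpdesk") // the user forgot "correct horse"
	pt, err := DecryptWithPassphrase(env, "set by helpdesk")
	fmt.Println(string(pt), err)
}
```

The recovery key is exactly the “controlled backdoor” jimlux describes, and the caveat is the same: whoever holds it can read every file wrapped under it, so in a real deployment it lives in an HSM or key-management service with access logging, one key per device, and never on the laptop itself. The inline PBKDF2 is only there to keep the example dependency-free; for production use golang.org/x/crypto/pbkdf2 or Argon2 from the same module. Note also what this design does not do: a stolen laptop whose user passphrase is weak is still exposed, because the passphrase path is only as strong as the passphrase and the iteration count.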

  6. NASA321321 says:

    This is the second time this year this has happened and 9 months after the incident at KSC with a co-op that left their car unlocked.
    NASA is doing nothing for the employees beyond loosely written emails, which includes the one-year watchguard.  Questions and calls go unanswered.  NOT one communication from employees back in March/April to the agency has addressed preventing this from happening again.
    Both HQ and KSC may have violated the Privacy Act of 1974, the Clinger-Cohen Act, and the Paperwork Reduction Act (the part to reduce use of Social Security numbers).
    Even after the KSC incident, NASA HQ is clearly not using the guidance within OMB Memorandum M-07-16 (Memorandum for the Heads of Executive Departments & Agencies).  It explicitly provides policies to safeguard PII and guidance & expectations if breaches occur.  There’s even a section that discusses how to provide assistance to those affected which is not being followed at KSC.
    Keith – Please help us by posting this on the front page so someone in DC will ask the NASA Senior Managers the right questions to ensure the hard working employees at KSC are treated fairly.  This second major breach this year increases the risk that this could have significant impacts on our personal lives, and we deserve to have our questions answered by managers.  Lastly, the law states that when there is an information security breach involving PII, the IG is supposed to investigate.  What happened that there was no review of the KSC incident that could have generated a public document causing the agency to improve the processes to safeguard PII?

    • Gonzo_Skeptic says:

      That is because there is no real penalty for doing nothing.

      No one is fired, demoted, publicly censured, or whatever.  Life just goes on at the top like rules were meant to be ignored.

  7. Robert_M_Nelson says:

    Dear Keith:

    Five years ago, I and 27 colleagues at JPL were successful in obtaining an injunction from the Ninth Circuit Court of Appeals which blocked NASA, JPL and Caltech from undertaking unconstrained, unlimited investigations into the most intimate details of our private lives. The Ninth Circuit ruled that such investigations had to be narrowly tailored to meet the employer’s needs. Open-ended fishing expeditions were ruled out. One of the principal arguments that was advanced by our attorneys was that NASA, and any other federal agency, was not able to protect our personal data.
    Regrettably, the Department of Justice appealed this decision to the Supreme Court. The DOJ argued that our personal information was secure under the terms of the Privacy Act.
    The ACLU, in a brief filed on our behalf, said, “Notwithstanding the Privacy Act, moreover, there have recently been numerous high-profile incidents in which, despite government’s best efforts and best intentions, highly personal and sensitive information collected by the government has been disclosed.” The ACLU added, “At a minimum, this troubling history of unauthorized disclosures highlights the importance of requiring the government to demonstrate its need for the sort of highly personal and intimate information it is requesting from Respondents in this case.”
    Unfortunately, the Supreme Court overturned the injunction and the secret snooping was allowed to continue. Worse yet, if the inquisitors found unfavorable information about an employee, the accused had only limited rights to appeal within NASA and no recourse in the courts.
    Now, the theft of a laptop due to the ineptitude of a NASA bureaucrat has proven our case!!

    Yours sincerely
    Robert M. Nelson, Lead Plaintiff, NASA et al. v. Nelson et al.

  8. nasa817 says:

    If NASA keeps this up, I will never have to pay for ID theft protection again.  At least they pay for this for one year every time it happens.  It happened early in 2012 and that free coverage is still in effect.

  9. Susan_DJ_Foster says:

    Dear Keith,
    Thank you for the opportunity to comment on this important issue.

    The technical discussion in this thread is interesting, but it fails to address the larger, more important concern about the NASA data breach; namely, what private information is NASA collecting on its employees and contractors, and why? We do not know what data are on the stolen laptop—the data could go far beyond basic PII such as social security numbers. The government, including NASA, is using post-9/11 homeland security concerns to justify increasingly intrusive investigations into the lives of NASA employees and contractors who want nothing more than to live honest lives, doing interesting, unclassified work that benefits the nation.

    After the Supreme Court ruled against us on the pretense that the Privacy Act would protect us, I left JPL after a 44-year career. Although it was an expensive decision for me, both financially and emotionally, I could not in good conscience cooperate with the HSPD12 investigation process that so egregiously violates civil liberties, wastes valuable federal dollars, and potentially squelches open scientific inquiry. I could not participate in an activity that I see as part of an increasing assault on American values and liberties. If we have come to a place in our history where our civil liberties have so little value to our government, then perhaps the terrorists have already won. Imagine if we used the HSPD12 investigation funding for legitimate homeland security measures, such as infrastructure improvements that would truly protect us from terrorist attack.

    We have only to consider the government’s enthusiasm for warrantless wiretapping to realize that we must be ever vigilant if we are to protect our precious and fragile civil liberties—liberties that countless Americans have fought and died for, both at home and abroad. It’s time for NASA to stop once and for all the unjustified, warrantless, open-ended, overly intrusive investigations into the lives of its employees and contractors—no matter where and how NASA stores the data.