NASA Has Been Under Heavy Cyber Attack

By Marc Boucher
NASA Watch
March 5, 2013

NASA Repeatedly Attacked, Jet Propulsion Lab Compromised, eWeek
The National Aeronautics and Space Administration was under heavy attack over the past two years, as adversaries tried to infect machines with malware or use advanced persistent threats to get into the network, according to Congressional testimony.
Attackers from a Chinese-based IP address had breached the network at NASA’s Jet Propulsion Laboratory and gained full access to the networks and sensitive user accounts, NASA Inspector General Paul Martin told the House Science, Space and Technology committee Feb. 29. NASA made the discovery in November, and the JPL incident is still under investigation, according to Martin.

Marc’s note: One reader pointed this story out to me and now another has notified me I should have looked at the date a little closer. My bad, the story is a year old. With all the Chinese hacking being reported these days I assumed the story was from last week. My apologies.

SpaceRef co-founder, entrepreneur, writer, podcaster, nature lover and deep thinker.

10 responses to “NASA Has Been Under Heavy Cyber Attack”

  1. dogstar29 says:

    Just once let’s have a meaningful description of the method used in the attack and the form of access gained, so we understand the threat and can judge whether appropriate protective measures have been taken, and whether the many tedious measures that are mandated are actually relevant to the actual theft of data. We do not even know what operating systems were involved. Despite years of failure by IT to achieve “security”, there is never any discussion with users of the effectiveness of proposed security measures or the potential problems that will be created. (The hackers already have this information, so only the users are being kept in the dark.) Absent meaningful discussion, management has no justification to blame users and burden them with still more costly (in employee time) barriers to efficient use of their information systems.

    • Geoffrey Landis says:

       Agree!! 
      Saying “we are under persistent attack” but not giving the slightest hint about what form the attacks are taking or how hackers are attempting to get in doesn’t allow us to take any effective measures against it.
      I sincerely doubt that any hackers are being foiled by the requirement to change passwords every 60 days– but with no information about the attack vector, it is impossible to tell which measures are useful, which ones are meaningless, and which ones not only waste time but actually make us less secure.

      • Steve Whitfield says:

        And to carry it a step further, I haven’t seen anything to indicate if/what employee habits are making it easier or even allowing the attacks.  Given the large number of users involved, I would be surprised if all of them have been given sufficient “protection” training for their environment.  And how is it enforced?

        For example, I have seen countless times (not at NASA) where users on a large corporate network go for lunch or a coffee break and leave themselves logged in on their desk computers.  This is an obvious bad habit and is a vulnerability in more than one sense, but the guilty parties often didn’t know that, simply because they’d never been told.  Others didn’t take it seriously — “that sort of thing only happens to other people; we’re not into spy stuff.”  And this is just about the simplest example of user bad habits, realized or not.

        There’s still a large hole in the system if you’re encrypting and adding monitoring software, etc. (all of which is stealing your computer horsepower and slowing everybody down), but the users are unknowingly (or sloppily) leaving open ports in the system for automated hacking tools to scan for. You’ve installed smoke alarms, but you didn’t check to see if kids are still playing with matches.  (I suspect that most users have no idea just how many port addresses there are in every desk computer that can be communicated with from outside.)

        Also, similar to what I said in a previous thread, I think it’s inappropriate to state that “Attackers from a Chinese-based IP address had breached the network”.  This statement clearly implies that someone from inside China has been doing all of these attacks, when, in fact, there is no way of knowing who has been doing it (it could have been many different attackers). Anybody knowledgeable enough to hack JPL’s systems certainly knows how to mask their own IP address and place somebody else’s IP address in the packet headers.  In fact, it’s quite simple to do.  When this explanation is omitted from a news item or op ed, the result is an inflammatory accusation, with no basis, that has the potential to do a lot of political/social harm.  Given the technical nature of what the author of this article writes for a living (and many others like him), one would think he would know this, therefore I have to wonder if the omission is an oversight or a deliberate accusation.  Either way, I find it unacceptable and I’m surprised that his editor would let it go through.

        • Andrew_M_Swallow says:

           For example, I have seen countless times (not at NASA) where users on
          a large corporate network go for lunch or a coffee break and leave
          themselves logged in on their desk computers.  This is an obvious bad
          habit and is a vulnerability in more than one sense, but the guilty
          parties often didn’t know that, simply because they’d never been told.
           Others didn’t take it seriously — “that sort of thing only happens to
          other people; we’re not into spy stuff.”  And this is just about the
          simplest example of user bad habits, realized or not.

          That is why screen savers come with login procedures.  They can be set to 5 minutes and login required when computers are installed.  Existing machines can have theirs switched on.

          • Steve Whitfield says:

            Screen savers only lock out the monitor and keyboard/mouse to prevent anyone physically present from using the computer.  Screen savers do nothing to lock up the dozens of communications ports on the computer.  The attacks come through wires, not fingers.

          • Andrew_M_Swallow says:

             Direct attacks through the wires are not stopped by a person being there.  A computer going into hibernation can, that is normally on the power timeout.

  2. sunman42 says:

    Er, February 29?

  3. Ralphy999 says:

    I highly doubt any committee meeting happened on Feb. 29th of this year. Maybe last year?

    There is no security procedure that I know of that will stop an employee from authorizing a program to update their system especially when it is a software certificate saying that Adobe or Microsoft wants to update their system to the latest version. You are committing suicide when browsing a site and get one of those certificates and you authorize it to update your system. Also email phishing is a favorite of the Chinese. If you don’t know the sender don’t open the email. The problem is orgs like JPL have global contacts and it gets tons of email from people they never heard of.

    It all boils down to the fact that if you have sensitive info then it shouldn’t be on a system that is connected to the Internet because somebody will authorize access no matter what. Outfits like JPL probably figure it is worth the hassle of being hacked in order to have unrestricted email access and website browsing rights (and get fake software update certificates).

    • dogstar29 says:

      One problem is known exploits in Flash… and you can’t even update it without asking for escalated privileges.

  4. Andrew_M_Swallow says:

    The story may be a year old but does the attempted hacking still continue?