This is not a NASA Website. You might learn something. It's YOUR space agency. Get involved. Take it back. Make it work - for YOU.

All Those Empty Promises From NASA Security …

By Keith Cowing
NASA Watch
July 21, 2015

NASA JPL Memo: Office of Personnel Management Cyber Incidents, NASA JPL
“If you underwent a background investigation through OPM from 2000 or thereafter (which occurs through the submission of forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), the OPM says there is a high likelihood that anyone who filled out one of those SF forms has had their information compromised.”
Keith’s note: All that talk from NASA about securing personal information as they complied with HSPD-12 and … oh well. FWIW anyone who was screened for a NASA headquarters press pass a few years back (when they actually issued them) was at risk. Guess who got an OPM letter as a result of that screening. Thanks a bunch NASA.
HSPD-12, earlier postings
NASA IT issues, earlier postings

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

22 responses to “All Those Empty Promises From NASA Security …”

  1. Joe Denison says:

    Be fair Keith. This isn’t NASA’s fault, it is OPM’s. NASA isn’t OPM’s cyber security branch. How are they supposed to control the actions of another independent agency?

    No offense intended Keith but sometimes it seems that you have nothing positive to say about NASA. It is almost always “NASA is doing this wrong or NASA is awful at this or NASA isn’t treating me right etc.”

    Look I actually agree with a good number of your criticisms of NASA and it is important to point out problems. (If I were elected President I would hire you on day one to get the CASIS problem straightened out) That said consider having more positive news. NASA is doing a lot of good stuff and being overly pessimistic about everything isn’t good or helpful.

    • eddrw2014 says:

      Yeah, don’t see how this one is NASA’s fault. That other breach was completely unrelated to this…

      But hey, if it’s any consolation OPM is only the latest. Surely Linkedin, Google (Gmail), Target, Michael’s, Sony and many other retailers, organizations and websites have already lost or compromised your personal and financial details. And they’re not going to send a letter about it either. More to come!

      All we can do is monitor our credit and our bank accounts, vary our passwords, keep a really good anti-virus in place and up-to-date.

      • sunman42 says:

        Well, for what it’s worth, in 2012, a NASA employee left a NASA laptop in the trunk of his/her car, whence it was boosted. The laptop contained the PII, including Social Security numbers, of numbers of people who had been screened for security around the Agency. The good news was that agency then got serious about “data at rest” encryption, indeed whole-disk encryption for laptops, and maybe even thought fleetingly about which data should and shouldn’t be on portable devices. The bad news is, several thousand people had their PII compromised.

        Bottom line, no agency appears to do security right until they’ve had a serious incident: NASA, OPM, whoever. Human nature?

        • kcowing says:

          By definition NASA IT managers cannot manage.

        • Daniel Woodard says:

          The response to that incident was wrong. The problem was that the employee did not need the file on her personal laptop, and did not consider that it was confidential. If she had needed it, it could have easily been encrypted with available software. DAR has been extremely expensive in lost productivity and personnel time for researchers and others not doing simple admin tasks, and has actually destroyed research data during the encoding process.

          That said, there is no evidence the PII on the computer was ever compromised. Hackers don’t go around stealing laptops, and laptop thieves just want computers they can reformat and sell.

          • sunman42 says:

            Since laptops are meant primarily for use when on travel, whether to other scientific institutions, to engineering meetings such as reviews at contractor sites, and to scientific and engineering conferences, some of them abroad, the laptops are targets. Whole-disk encryption is a good thing when implemented right, but as you describe, a mess when implemented in such a cockeyed fashion.

            We are fortunate enough to be on a non-NDC network, and so were allowed to use Apple’s full-disk encryption, which is fast and painless (unless you lose your encryption key and haven’t escrowed it with someone).

          • Daniel Woodard says:

            I’m not sure laptops are used primarily on travel; in research they are used wherever portable computing is needed. In any case they require authorization to take off site so encryption of all laptops, just because they are laptops, is of no benefit. If the user does not recognize that specific data is confidential then the user is likely to leave a printout or unencrypted flash drive lying around or email the file to an unauthorized user. If the user recognizes confidential data then the data can easily be encrypted or stored on a secure server. Anyone can encrypt a partition without encrypting the entire system, and personnel data files should certainly be kept on a server.

          • sunman42 says:

            No argument on any point, but it is also NASA policy that _all_ portable data at rest be encrypted, including flash drives. We are probably not far from a requirement for encryption of all drive volumes, desktops or laptop, as well as on mobile devices.

      • kcowing says:

        NASA required me and others to provide this data so we could enter NASA HQ and talk to people. That was NASA’s requirement. Now they do not require it. They changed their mind. But NASA required it. If NASA had not required media to provide this information none of us would be having issues.

    • AstroInMI says:

      Implementation of HSPD-12 was at NASA’s discretion. The JPL people who pushed this issue emphasized in their concerns that this type of breach could occur regarding the personal questions in SF-85. They have been proven right.

    • AstroInMI says:

      P. S. In Keith’s defense (not that he needs it ;), the title of this site is NASA Watch, not Celebrate NASA. There are plenty of sites that celebrate all things NASA and NASA Watch also has plenty of positive stories. There are very few (any?) other sites that do what NASA Watch does and the needling here, while I’m sure annoying, makes NASA better. I don’t agree with everything on here either, but it’s not my website.

    • kcowing says:

      NASA’s AA for Security at the time personally assured me that the information I provided would be kept confidential. He did so in an official capacity via an official email account. He required media to provide this info. Not all agencies did that.

      • Joe Denison says:

        I understand that Keith and you are right to be upset that your data was compromised. However, I think you are blaming the wrong person. The NASA AA has no control over the cyber security of OPM. He kept the bargain from his end.

        Also since other agencies did request that level of info I don’t think you can blame NASA in particular for requiring it.

        • kcowing says:

          NASA did not need to do a full security check on news media so that they could sit in an auditorium. NASA created that requirement – not OPM. It was NASA’s fault.

    • Michael Spencer says:

      “I would hire you on day one to get the CASIS problem straightened out”

      Why? He’s just gonna fire the whole damn lot. Might as well do it yourself!

  2. mfwright says:

    Not sure how it fits into this thread but in another forum of people debating IT security hacks someone wrote: “It’s interesting from an employment perspective — as more and more companies outsource everything, they have less control over who sees their data, and potentially have more people with axes to grind, or who could just make a quick buck more easily than an insider could. So the question is, if this blackmail thing becomes a trend, will companies stop completely trusting their contractors?”

    • Spacetech says:

      This isn’t a matter of NASA outsourcing, OPM is the personnel office for all federal employees. OPM dropped the ball big time and many of us have been caught up in it.

      • mfwright says:

        Many activities including gathering info for SF86 was done by contractors.

      • sunman42 says:

        I believe it was actually the DoI, to whom OPM outsourced the database and payroll operation, who dropped the ball. And the federal managers who bought into the DoI system without considering its vulnerabilities.

  3. Spacetech says:

    Even though this is not directly NASA’s fault, I would have to agree that NASA security has made promises they couldn’t control or keep since this information was/is shared with OPM.

  4. Daniel Woodard says:

    NASA requires passwords of 12 characters, containing both capitals and punctuation marks. They have to be changed every 60 days. None of this is required by NIST, it is entirely a NASA requirement. Of course this does not improve NASA security since hackers don’t brute-force the crypt file anymore. Also poor human factors since rotating passwords cannot be memorized and must be simple progressions or kept on notes. But NASA IT believes it makes them secure. It might have been relevant twenty years ago.

    • sunman42 says:

      In fact, some crackers do still use brute-force password cracking packages, but the packages are clever enough to try common substitutions (“0” for “o,” &c.). The longer the passphrase, the more degrees of freedom the cracking algorithm needs, and the more CPU resources. In an age where a thousand cores can be cheaply rented from AWS, however, Randall Munroe is probably right that the passphrases need to be 35 characters or more in length.

      At least give NASA credit for moving to two-factor authentication, where the physical factor is still difficult to hack.
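The two comments above (Daniel Woodard on the 12-character/60-day rotation policy, sunman42 on rule-based crackers and passphrase length) make a point that is easier to see in code. The following is an added example, not code from NASA Watch or from either commenter: a toy mangling-rule engine of the kind sunman42 describes (leet substitutions, capitalisation, a year-or-punctuation suffix) run over a constructed five-word dictionary, a check for the complexity policy as Daniel Woodard states it (12+ characters, a capital, a punctuation mark; the definition of "punctuation" is an assumption), and the brute-force keyspace arithmetic for comparison. The guess rate of 10^12 per second is an assumed figure for a rented cluster, not a measurement.

```python
"""Added example (not from the original page): why a policy-compliant
"Shuttle2015!" falls to a dictionary-plus-rules attack after a few thousand
guesses while a long random passphrase does not. Wordlist, rule set and the
guess rate are all constructed/assumed for illustration."""
import itertools
import string

# Constructed mini-dictionary; a real cracker uses millions of entries.
WORDLIST = ["password", "welcome", "orbiter", "shuttle", "apollo"]

# Substitutions a mangling rule set tries, "0" for "o" and friends.
LEET = {
    "a": ["a", "@", "4"],
    "e": ["e", "3"],
    "i": ["i", "1", "!"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
}

# Suffixes that turn a dictionary word into a policy-compliant password.
SUFFIXES = ["", "!", "1", "123", "2015", "2015!", "2015#"]


def mangle(word):
    """Yield every candidate one word expands to: leet substitutions, three
    capitalisation forms and an appended suffix. These are the 'degrees of
    freedom' a rule-based cracker buys with CPU time instead of guessing."""
    per_char = [LEET.get(c, [c]) for c in word]
    for combo in itertools.product(*per_char):
        base = "".join(combo)
        for cased in (base, base.capitalize(), base.upper()):
            for suffix in SUFFIXES:
                yield cased + suffix


def rule_space(wordlist=WORDLIST):
    """All distinct candidates the rule set derives from the wordlist."""
    return {cand for word in wordlist for cand in mangle(word)}


def meets_policy(pw, min_len=12):
    """The policy as the comment describes it: 12+ chars, an upper-case letter
    and a punctuation mark (assumed to mean any char in string.punctuation)."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))


def cracked(targets, wordlist=WORDLIST):
    """Which targets lie inside the rule space, i.e. would be recovered by a
    dictionary-plus-rules attack long before any brute-force search."""
    space = rule_space(wordlist)
    return [t for t in targets if t in space]


def brute_force_keyspace(length, alphabet=95):
    """Number of strings of exactly `length` chars over `alphabet` symbols
    (95 = printable ASCII)."""
    return alphabet ** length


def years_to_exhaust(keyspace, guesses_per_second=1e12):
    """Years for a cluster at the assumed guess rate to try every key."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    space = rule_space()
    compliant = [c for c in space if meets_policy(c)]
    print(f"rule space: {len(space)} candidates, {len(compliant)} satisfy the policy")
    # Both of these satisfy the 12-char/capital/punctuation policy, yet sit
    # inside a space of under two thousand guesses.
    print("cracked:", cracked(["Shuttle2015!", "P@55w0rd2015#",
                               "jx7 kestrel -void- 41 lamp"]))
    print(f"12 random printable chars: ~{years_to_exhaust(brute_force_keyspace(12)):.0f} years")
    print(f"35 random printable chars: ~{years_to_exhaust(brute_force_keyspace(35)):.2e} years")
```

The asymmetry is the whole argument: the complexity rules make a human-chosen password *look* like one of the 95^12 strings (thousands of years of brute force at the assumed rate), but the cracker never searches that space; it searches the word-times-rules space, which for this toy dictionary is under two thousand candidates. Length from genuinely random material, or a long passphrase outside any wordlist, is what actually pushes the attacker back to exhaustive search.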