Yet Another NASA Computer Break In. Employee Data May Be Affected

By Keith Cowing
NASA Watch
December 18, 2018

Potential Personally Identifiable Information (PII) Compromise of NASA Servers
“On Oct. 23, 2018, NASA cybersecurity personnel began investigating a possible compromise of NASA servers where personally identifiable information (PII) was stored. After initial analysis, NASA determined that information from one of the servers containing Social Security numbers and other PII data of current and former NASA employees may have been compromised. Upon discovery of the incidents, NASA cybersecurity personnel took immediate action to secure the servers and the data contained within. NASA and its Federal cybersecurity partners are continuing to examine the servers to determine the scope of the potential data exfiltration and identify potentially affected individuals. This process will take time. The ongoing investigation is a top agency priority, with senior leadership actively involved. NASA does not believe that any Agency missions were jeopardized by the cyber incidents.”
NASA Internal Memo: Breach of Personally Identifiable Information Update (2013), earlier post
NASA’s Stolen Laptop and Data Problem Just Got Worse (2012), earlier post
NASA Still Has Big Unresolved Cybersecurity Issues, earlier post
OIG: NASA Chief Information Officer Is Doing A Crappy Job, earlier post
NASA Totally Flunks FITARA Scorecard 2 Years In A Row, earlier post
Earlier IT postings http://nasawatch.com/archives/itweb/

NASA Watch founder, Explorers Club Fellow, ex-NASA, Away Teams, Journalist, Space & Astrobiology, Lapsed climber.

13 responses to “Yet Another NASA Computer Break In. Employee Data May Be Affected”

  1. fcrary says:

    Look at the bright side. A (former) NASA employee is using his training to hit back on theft. I read today that a “former Nasa engineer spent six months building a glitter bomb trap to trick thieves after some parcels were stolen from his doorstep. The device, hidden in an Apple Homepod box, used four smartphones, a circuit board and 1lb (453g) of glitter.” He was quoted as saying that, if anyone was going to over-engineer a solution to a problem like this, he’s the right guy for the job.

    Seriously, we complain a lot about poor teleconferencing support by NASA. Their software support for data analysis and even spacecraft operations is, in my opinion, far less than it could be. And we hear about security problems which compromise personal data and, as a result, can really hurt people. To paraphrase President Lincoln, I used to think we needed people who know how to fight these problems. Now I just want someone who _will_ fight. NASA spends too much time on talking about the issue and developing processes to deal with it. A bit more productive action would be nice.

    • space1999 says:

      Unfortunately there is action, but not focused productive action… the net result being increased bureaucracy and impediments to productivity with no apparent reduction in the issue the measures put in place are aiming to address.

      • fcrary says:

        I paraphrased Mr. Lincoln, from sometime in 1863, if memory serves. I believe the actual quote is that he used to want a general who could fight, but he now wanted a general who actually would fight. I don’t want to hear about actions which are not focused on productive results. I don’t want to hear about processes which interfere with results. Why can’t we hear about actions which actually help solve the problem?

      • chuckc192000 says:

        I agree completely. This all started when some guy in Washington lost a laptop that contained the PII of all current and former NASA employees. Instead of investigating why that guy would be allowed to have all the info on his laptop and punishing those responsible, they decided to punish EVERYBODY by instituting draconian IT security measures that impact productivity, the latest being preventing checking NASA email and calendar events on cell phones.

        • ThomasLMatula says:

          Putting that data on a laptop someone carries around goes beyond foolish. Maybe a class action lawsuit will teach them some wisdom.

  2. Johnhouboltsmyspiritanimal says:

    Yeah, another year or two of credit/identity monitoring. No need to pay for LifeLock when continued breaches at NASA mean OPM will pay for the service for us.

  3. ThomasLMatula says:

    If you don’t want the data stolen then keep it off the Internet. There are far too many databases connected to the Internet that don’t need to be. And yes, I am also talking about the great Internet of Things, I don’t need my refrigerator, or automobile, hooked into the Internet for them to do their function.

    • fcrary says:

      Unfortunately, you probably don’t have a choice. There are services enabled by having your car and refrigerator (and, for all I know, your toothbrush) connected to the internet of things. If enough people want those services, they will be the default. And a custom version without connections to the IoT would almost certainly cost more. (Note that, for example, gmail accounts aren’t free. You just pay in bits which go into a database rather than in dollars.) And who, exactly, would pay extra for something with _fewer_ features? Potentially the two of us and very few others. We aren’t a big enough market share to support custom products. At least not on what I could afford to pay.

      And I’ll also note that, when the Social Security Act was originally debated, advocates swore up and down that social security numbers would never, ever be used for anything other than social security. That sure worked out as promised, didn’t it?

      • ThomasLMatula says:

        True, until enough folks are “educated” by the school of “hard knocks” about the consequences the hard way, then sanity will set in. As for the bright idea of having your car on the Internet, well this is why I still drive a 2002 Nissan (30+mpg). Not because I am not able to afford a better vehicle, but because I don’t want one hooked into the Internet. Just imagine when hackers decide to start hacking the robot cars folks are working on 🙂

        https://www.youtube.com/wat

  4. spacegaucho says:

    Why is the CIO still in that position? NASA will never change until what you do is more important than who you know.

    • fcrary says:

      It’s as easy to say, “computer security is hard” as it is to say, “space is hard.” And, to be fair, quite a few companies with bigger IT budgets than NASA have had serious security issues. (Including companies who should have known better and who are much more lucrative targets.) But, at some point, you shouldn’t be able to justify a botched job by noting you aren’t the only one who can’t get it right.

  5. mfwright says:

    Seems to me I don’t think anyone has an answer why these things happen. Probably the only solution is to not connect a system to the Internet. Problem with systems not on the grid is most people just don’t get it. So they connect it to the internet with “a really good firewall guaranteed to not have security problems.” But if there is a breakdown then they get a new contract at premium prices to fix the problem.