IT/Web: November 2012 Archives

Data-at-Rest (DAR) at NASA HQ

"This page contains important information for employees regarding the Data-at-Rest (DAR) Encryption project at Headquarters. As mandated by Federal law and Agency policy, all NASA-issued laptops must have Data-At-Rest (DAR) whole-disk encryption software. The NASA OCIO has directed that all Centers complete this activity by December 21, 2012. Per the Agency directive dated November 13, 2012, no NASA-issued laptops containing sensitive information may be removed from a NASA facility unless DAR encryption software is enabled OR any sensitive files are individually encrypted (using Entrust PKI)."

Recommendation to Fund and Deploy Agency Data-at-Rest (DAR) Solution, NASA CIO, 21 February 2008

"Based on an evaluation of NASA's requirements for encryption of data at rest and of the solutions currently available, I recommend that your office fund the implementation and deployment of an integrated, interoperable NASA DAR solution in the amount of $2.0M for Fiscal Year 2008. Details of the recommended solution, based on McAfee's Safeboot product suite, and the evaluation that produced this recommendation are in the attached presentation."

Keith's note: Looks like there was direction executed within the CIO in early 2008 - before the current CIO even arrived on the job. Four years later and NASA is only getting around to taking its own decisions seriously. Note: there is no date on this PDF file but it was created on 21 Feb 2008.

JPL workers seek federal probe into stolen NASA laptop, Pasadena Star-News

"Rep. Schiff, who oversees NASA funding through the Appropriations Subcommittee and whose district includes JPL, issued a statement criticizing NASA security. "I will be calling on the agency to report on and accelerate its efforts to maintain data security," he said. "The low-tech theft of a laptop is troubling enough, but it only scratches the surface of potentially greater data vulnerabilities." A NASA spokesman didn't return a call for comment Wednesday."

JPL employees demand probe of NASA's data security measures

"Rep. Judy Chu (D-Monterey Park) said in a statement she would push the agency to improve data security. "NASA has previously had security breaches of sensitive information," she said. "It has to stop.""

Losing in Court, and to Laptop Thieves, in a Battle With NASA Over Private Data, NY Times

"In a 2009 report titled "NASA Needs to Remedy Vulnerabilities in Key Networks," the Government Accountability Office noted that the agency had reported 1,120 security incidents in fiscal 2007 and 2008 alone."

They're Clueless at NASA CIO

Keith's note: If you go to the NASA CIO webpage or the CIO's blog you will see absolutely no mention of this stolen laptop or the activities that followed. Some of the individuals affected by this event have not worked for NASA for more than a decade. As such, you would think that there would be somewhere at NASA.gov to get information as to what they should do. The CIO page is a logical place to look. Yet another example as to how the entire CIO organization is simply clueless and tone deaf when it comes to the interests of the agency's employees - past and present.

Media Advisory JPL Employees Call for Congressional Investigation into NASA Privacy Breech

"Employees at the National Aeronautics and Space Administration's Jet Propulsion Laboratory in Pasadena have called for an immediate Congressional investigation into NASA's behavior in handling their personal data following the October 31 theft of a NASA laptop computer left unattended in a parked car in Washington DC. NASA waited two weeks before informing its employees that their personal information had been compromised and that they have been placed at risk of identity theft. The data on the stolen NASA laptop was not encrypted."

Press Conference on NASA Data Breach JPL Employees Call for Congressional Investigation into NASA Privacy Breech

"We warned of this possibility five years ago when we filed our lawsuit. We were ignored by the courts. Now, unfortunately, by virtue of the cavalier behavior of a NASA bureaucrat our argument has been proven. Our nightmare of five years ago has become a reality. We therefore are asking Congress to conduct an investigation into NASA's behavior in this unsavory affair and to develop new standards which protect the privacy of federal employees."

- Questions Remain About Information on Stolen NASA Laptop, earlier post
- NASA IT Blunder Update, earlier post
- Yet Another NASA IT Blunder, earlier post

Keith's note: One NASA Watch reader writes: "I too received a letter warning of my PII being compromised by the stolen laptop but there are two things that I find odd. 1) As was the case in the image of the letter posted on NASAWatch, the return address is a NASA emblem with the address of the retained security contractor's Portland address (since when can a contractor use an official US gov emblem?); and 2) why does a NASA laptop have my PII considering I left the Agency in May 2009?"

Another reader writes: "I too received "the letter" about the stolen laptop and I retired from GSFC in mid-2003 - ten years ago! And it is my responsibility to take the necessary steps to protect myself?! Why after ten years would my PI be anywhere but at OPM let alone on someone's (NASA) unencrypted laptop?! Please keep their feet to the fire on this one Keith; NASA needs to be as well-steamed as I am."

NASA Personally Identifiable Information (PII) Update 20 Nov 2012

"The data analysis on the entire file has not yet been completed, but if data beyond SSN, date of birth and birthplace is found for individuals, we will send them another letter. Affected individuals identified to date include people who have applied for access to NASA information or facilities for which a background investigation is required."

NASA Internal Memo: Immediate Restriction on Laptops Leaving Ames

"Effective immediately, NO NASA LAPTOP may be taken off the Ames Research Center campus unless Whole Disk Encryption is enabled. I am fully aware that this is more restrictive than the November 14, 2012 directive from the Agency Chief Information Office and Administrator, however, since that email, Ames has had two laptops stolen that we are now handling."

- NASA IT Blunder Update, earlier post
- Yet Another NASA IT Blunder, earlier post

How the government can turbocharge private-sector innovation, Gigaom

"Traditionally, NASA attempts to commercialize and otherwise transfer the good work done in its research labs to the public by two means: directly auctioning its patents to the private sector, or maintaining the patents but actively choosing not to enforce them if doing so would impede innovation. NASA claims over 1,200 success stories in this regard, and there's plenty to show for it. But arguably no single NASA patent has had the same kind of market-disrupting effect that OpenStack has had merely by opening the doors to the community and letting the market drive development and adoption. That's food for thought."

Keith's note: Of course, NASA's response to the potential of OpenStack? NASA CIO Linda Cureton walked away from OpenStack - while industry has embraced it. And you wonder why NASA cannot figure out how to keep sensitive data off of laptops that are continually stolen? Clearly some management changes are needed in this regard. Check out her blog - it's full of superficial treatment of important IT issues and pop management babble. Clueless.

- NASA CIO Dumps NASA-Developed Open Stack, earlier post
- Previous IT posts

Help Redesign NASA.gov

Welcome to the NASA.gov Forum

"We're starting on the next go-round of what NASA.gov looks like and want to know what you think. The digital universe has changed radically since we overhauled www.NASA.gov in 2007. Everyone's use of social media and smartphones has exploded. Visits to NASA's web sites dropped for a couple of years, then set records in 2011 and this year. How are you making sense of all this? How do you think we here can apply what you've learned? Do you like something you've seen? Is something missing? How do you interact with NASA online? Where else do you get your NASA news from? We've opened this forum to take your feedback. You can offer ideas of your own or comment and vote on others' suggestions. The forum will be open for new ideas until Dec. 19. We'll consider all the suggestions and do some prototyping, then see what you think."

- NASA Claim About MSL Internet Effects Called Into Question - By NASA, previous post
- Why does NASA need multiple websites for the same mission?, previous post
- NASA's Tangled Human Spaceflight Web Presence, previous post
- NASA's Baffling, Redirecting Links, previous post
- NASA's Inability To Speak With One Voice Online, previous post

Keith's 8:20 am EST note: Last evening, JSC PAO's Amiko Kauderer tweeted via @amikokauderer "Wonder about breaking bread for Thanksgiving in space? Talking to @NASA food scientist tomorrow. Got Qs? Tweet me w #askStation!" She claims that this is her personal account and replied "@NASAWatch This is my personal Twitter account. I tweet about my life & interests, which includes my work. Official tweets @NASA_Johnson".

OK, then why is this official NASA event only being made available to the 1,936 followers of the @amikokauderer personal account but not to the 89,640 followers of the official @NASA_Johnson account? This is a rather poor decision inasmuch as the potential audience of @amikokauderer is dwarfed by that of @NASA_Johnson which commands 46 times the number of followers across a much broader range than does @amikokauderer.

As NASA upgrades its Internet presence, it needs to re-examine the use of personal employee Twitter accounts vs. official Twitter accounts to make certain that the most effective means (a combination thereof) is used to alert taxpayers as to what NASA is doing - and that taxpayers are not put in the position of trying to separate personal tweets from business tweets. Most people get separate Twitter accounts to solve this problem.

Keith's 11:30 am EST update: @NASA_Johnson just tweeted mention of this official event (at the last minute) some 12 hours after it first appeared - exclusively - on @amikokauderer - a personal Twitter account. As such only Amiko Kauderer's pals and followers knew about this event well in advance - as opposed to the 89,640 followers of @NASA_Johnson . I am not sure what sort of social media game plan she's following - this approach makes no sense whatsoever.

NASA IT Blunder Update

NASA Suffers "Large" Data Breach Affecting, IEEE Spectrum

"Why it has taken so long for NASA to finally decide to fully encrypt its laptops remains a mystery, given its long-time poor record on IT security. As noted at NASA Watch, NASA has a history of laptops with personally identifiable information being stolen, one as recently as March. Maybe NASA decided to act this time because it involved a NASA Headquarters' person who in all likelihood is very senior and should have known better than to possess a laptop with no data encryption."

NASA finally demands encryption on employee machines after another laptop is stolen, The Verge

"Why the concern? Well, the laptop's hard drive wasn't encrypted, and nor were any of its sensitive documents. The theft, which was revealed to employees in an agency-wide email obtained by SpaceRef, is being spun as a wake up call for NASA to beef up its security standards on employees' laptops."

NASA scrambles to encrypt laptops after major breach, Computer World

"Gant Redmon, general counsel and vice president of business development at Co3 Systems, an incident management company, said the issue is why NASA didn't take measures to encrypt all of its systems sooner. "I have two questions. Why didn't they have it before the [March] incident? Why didn't they have it after that first breach?""

NASA Says Staff Information Was on Stolen Laptop, New York Times

"This is not the first time NASA has suffered a serious breach. The agency has long been a target for cybercriminals looking to pilfer sensitive research."

Laptop with NASA workers' personal data is stolen, Reuters

"The laptop theft is the latest in a string of NASA security breaches over the past few years. In March, a Kennedy Space Center worker's laptop that contained personal information on about 2,300 employees and students was stolen."

Yet Another NASA IT Blunder, earlier post

Yet Another NASA IT Blunder

Agencywide Message to All NASA Employees: Breach of Personally Identifiable Information (PII)

"On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee's locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees."

Keith's note: Look at the links below from the past several years. When things like this happen again and again you have to wonder whether the people entrusted with sensitive information - and/or the people who manage these individuals - are required to exhibit common sense in the performance of their duties. For that matter, you have to wonder if the people running NASA's IT security actually know what they are doing. This advisory contains "changes and clarifications in NASA policy". How many times do things like this have to happen before NASA finally figures out how to fix this obvious problem? Why was information like this on a laptop to begin with?

Let's just hope this laptop doesn't contain any inappropriate emails to U.S. Army soccer moms or socialites ...

- Stolen KSC Laptop Has Employee Personal Info On It (Update), earlier post
- NASA IT Security is a Mess - Stolen Laptops and Hacking JPL, earlier post
- OIG: NASA Information Security Does Not Fully Meet DHS Requirements, earlier post
- NASA OIG: Facilities and Spacecraft Vulnerable to Attack, earlier post
- OIG Finds Problems in NASA IT Management and Implementation, earlier post
- NASA OIG: Audit of Cybersecurity Oversight of [A NASA] System, earlier post
- GAO Cites Ongoing NASA IT Security Vulnerabilities, earlier post



About this Archive

This page is an archive of entries in the IT/Web category from November 2012.
