Salted Hash: If NASA can’t handle its security, all is lost

Dec 09, 2010
Data and Information Security


I’ve always been a fan of space exploration. But in recent years, NASA hasn’t made a lot of progress. This is mostly because the agency has suffered some serious mission setbacks and Congress would rather throw money at other things these days.

It doesn’t help when the agency shows us it can’t manage its own security.

The latest example is in a story from my colleague Anh Nguyen about how NASA sold PCs without wiping sensitive data.

From the article:

NASA has revealed that 10 computers used for its space shuttle program were sold to the public without being wiped of sensitive data.

Another computer that was confiscated before it could be sold contained information on space shuttle-related technology, which was subject to export control by the International Traffic in Arms Regulations.

In addition, computers that were being prepared for sale were found at the Kennedy Space Center’s disposal facility with NASA’s Internet Protocol information prominently displayed, which the investigators said could provide hackers with details they needed to target NASA network assets and exploit weaknesses.

NASA was selling the computers as it prepares to retire the shuttle programme after 38 years, with the final space shuttle flight scheduled for June 2011.

In an internal review, the space agency found that the Kennedy and Johnson Space Centers and the Ames Research Center use software to wipe equipment before disposing of them. Langley Research Center did not require this technology because it removed hard drives prior to disposal. However, the Kennedy centre was the only one that had a testing process in place to verify that disks were wiped, as required by NASA policy.

Nonetheless weaknesses were identified in all four centres’ “sanitisation” policies.

For instance, Kennedy, Johnson and Ames were using unapproved wiping software, Langley did not properly account for or track removed hard drives, and Kennedy managers were not notified when computers failed sanitisation verification testing.

It was flaws in the Kennedy centre’s verification process that resulted in the sale, and near sale, of the computers still containing sensitive data.

“This occurred because NASA managers are not adequately overseeing sanitisation and disposition processes,” the space agency’s office of inspector general said in its report, ‘Preparing for the space shuttle program’s retirement: A review of NASA’s disposition of information technology equipment.’
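The report faults Kennedy for being the only centre with a wipe-verification step, and that step for failing. As an added example (not code from the column, the article or the NASA report), here is the kind of read-back check such a step amounts to: scan a drive image after sanitisation and confirm every block matches the wipe pattern, recording the first offset that does not. The image paths, block size and the planted leftover record are constructed assumptions.

```python
import os
import tempfile

BLOCK_SIZE = 4096  # assumed sector-multiple read size


def verify_wiped(path, block_size=BLOCK_SIZE, expected=b"\x00"):
    """Read a device or image back in full and report residue.

    A sanitised disk must read back entirely as the wipe pattern (zeros by
    default). Every other block is counted and the first offending offset is
    kept so an operator can inspect it before the asset leaves the facility.
    """
    clean_block = expected * block_size
    result = {"blocks": 0, "dirty_blocks": 0, "first_dirty_offset": None}
    with open(path, "rb") as fh:
        offset = 0
        while True:
            chunk = fh.read(block_size)
            if not chunk:
                break
            result["blocks"] += 1
            # A short final chunk is compared against a prefix of the pattern.
            if chunk != clean_block[: len(chunk)]:
                result["dirty_blocks"] += 1
                if result["first_dirty_offset"] is None:
                    result["first_dirty_offset"] = offset
            offset += len(chunk)
    result["passed"] = result["dirty_blocks"] == 0
    return result


def make_sample_image(dirty):
    """Write a constructed 1 MiB image; if dirty, plant one leftover record."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\x00" * (1024 * 1024))
        if dirty:
            fh.seek(300 * 1024)
            fh.write(b"leftover user record (constructed sample)")
    return path


if __name__ == "__main__":
    for flag in (False, True):
        img = make_sample_image(flag)
        print(verify_wiped(img))  # the dirty image fails at offset 307200
        os.remove(img)
```

Against a real drive the path would be the block device itself, and a failed result means the unit goes back for re-sanitisation rather than to the disposal lot.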

Accidents happen. Sometimes you suffer a data breach despite your best efforts to run an ironclad security program. We’re all human.

But that’s not what people are going to think in this particular case.

Instead, people will see this as just another in a long list of mistakes on NASA’s part.

This latest mistake is unfortunate because it shows that an agency that should be rigid in its security measures is far from it.

I really hope they get their act together, because I don’t want to be stuck on this rock forever.


When I see all this news about WikiLeaks and the related DDoS attacks, I’m reminded of the old worm stories I used to write. And all the data breaches I chased. And all the mergers and acquisitions.

There’s simply so much going on with this story that after a while you start to become numb. We don’t chase every single data breach that happens anymore. We don’t write about every single vulnerability or every new piece of malware. There’s simply too much of it out there, 24 hours a day and seven days a week.

It’s such a normal fact of life that it stops being newsworthy.

The WikiLeaks saga isn’t there yet. It’s still too new and the debate has just begun over the guts of the matter.

But there have been so many twists and turns to this story in just two weeks that there’s a little bit of information overload going on.

The WikiLeaks case has been compared to that of the New York Times in the “Pentagon Papers” case. Some argue that WikiLeaks is providing a valuable service that’s exposing government wrongdoings around the world. Others, including the U.S. Department of State, say the site is a danger to national security.

Whatever you may feel about it, one thing is clear: Revenge-motivated DDoS attacks are going to continue for a long time to come.

Yesterday I mentioned the attacks against MasterCard and PayPal. Today there’s word that Visa is getting hit, too.

It’s very quickly becoming the new normal.

Settle in for a long ride.

–Bill Brenner