• United States



I’d like to believe NASA, but…

May 29, 20124 mins
CybercrimeData and Information Security

NASA has been quick to deny reports that its systems were attacked by Iranian hackers. But its track record of late makes it hard for me to believe the agency — even though I badly want to.

As we reported this morning, NASA denies its website was hacked and information stolen by a band of Iranian students that called themselves the “Cyber Warriors Team.” From the report:

The group bragged in a May 16 post on Pastebin that it had hacked a NASA site and stolen the personal information of thousands of NASA researchers. The site allegedly compromised is called the Solicitation and Proposal Integrated Review and Evaluation System.

NASA said it discovered the Pastebin post within hours and launched an investigation of the claims. “Although the investigation is ongoing, all results thus far indicate that the claims are false… At no point were any sensitive, mission, or classified systems compromised,” Beth Dickey, a NASA spokeswoman, said in an email.

Hackers often claim to have penetrated NASA’s IT systems, when in fact they haven’t, Dickey said. On the same day as the alleged Iranian hack, two other groups claimed on Pastebin to have broken into NASA systems. “They were also found to be false,” Dickey said.

Now, I really, really want to believe NASA. I’ve always loved the space agency and it saddens me deeply that its space exploration efforts have been marginalized in recent years. Sure, they’ve had much success in finding new planets with its orbital telescopes, and the Mars Rover missions are something to be proud of. But for now, at least — with the end of the space shuttle program and constant debate over the future of manned space missions — it would seem our reach to the stars has been cut off at the wrist. No return trip to the moon or boots on Martian soil. According to all those movies I saw as a kid, we should have been deep into space by now.

If anything, the hacking reports are salt in NASA’s gaping wounds.

But I don’t have sympathy for NASA on this issue the way I do on its budget cuts and current state of desolation. Its poor network security record is too well documented to make its current denials believable.

Exhibit A: This report from Melanie Pinola on 48 NASA laptops stolen in the last two years. In March she wrote:

It’s not only businesses that need to worry about laptop security. Even NASA laptops are vulnerable to theft and poor security practices: 48 NASA laptops or mobile devices were stolen from America’s space agency between April 2009 and April 2011, including one–unencrypted–laptop containing control codes for the International Space Station (ISS). Although ISS does not appear to be in jeopardy, according to a NASA public affairs officer who spoke to the Security News Daily, the NASA security breaches underscore how serious and difficult a problem laptop and mobile device theft is–whether you’re a government agency or a small business or an individual.

Before that, we had reports that six NASA servers were compromised. At the time, my colleague Tim Greene wrote:

Six NASA servers exposed to the Internet had critical vulnerabilities that could have endangered Space Shuttle, International Space Station and Hubble Telescope missions — flaws that would have been found by a security oversight program the agency agreed to last year but hasn’t yet implemented, according to a report by the agency’s inspector general. NASA’s CIO Linda Cureton says she has patched the vulnerabilities, but IG Paul Martin found that NASA still has no ongoing program for spotting and correcting similar problems as they arise and is giving itself until the end of September just to come up with a plan, according to the report titled “Inadequate Security Practices Expose Key NASA Network to Cyber Attack.” The deadline for the plan is Sept. 30.

There have been other reports of NASA getting hacked as well.

So despite NASA’s denials about the Iranian hack attacks, recent history has me inclined to believe it happened.

Even if it didn’t, there’s an abundance of proof that the agency has a long way to go in securing its systems.

Here’s hoping they learn to get security right as they keep trying to get back into space.