Critical NASA network vulnerable to attack
According to a report published on 28 March by NASA's Office of Audits, a key NASA network is vulnerable to internet-based cyber attacks. Specifically, the report found that six servers on the agency-wide mission network "that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable." The report also concluded that if one of these servers were to be compromised, the attacker could then exploit other vulnerabilities enabling them to penetrate further and "could severely degrade or cripple NASA’s operations." The investigation revealed that attackers would potentially be able to access encryption keys, encrypted passwords, and user account information.
The report stated that the office had released an earlier report (May 2010, not available on-line), in which it recommended the immediate establishment of an IT oversight program for the critical mission network. The present report criticises NASA for being "slow to assign responsibility" for this and for not ensuring that the network was adequately protected. It states that in response to a draft report the NASA CIO and Mission Directorates "concurred with" the recommendations; essentially the same language as was used in an addendum to last year's report.
NASA has been subject to cyber attacks in the past, some of which are mentioned in the report. For example, in January 2009, 22 GB of restricted data was stolen from a JPL computer. This and earlier attacks were considered to have been sophisticated in their nature and were clearly "focused and sustained efforts to target assets on NASA’s mission computer networks."
The report identified 12 servers with high-risk vulnerabilities, six of which were internet-accessible. It describes one internet vulnerability in some detail: a file transfer protocol (FTP) bounce attack, which is "highly effective" and a technique well known since 1998. In such an attack, once accessed, the FTP server is used to scan computers on the internal network and relay information back to the attacker, thereby enabling the attacker to exploit other computers on the network.
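The following is an added example, not taken from the NASA report: a server-side check that refuses the data-connection requests a bounce relies on, following the mitigations in RFC 2577 (reject a PORT/EPRT target that is not the control-connection client, and reject ports below 1024). The function names and the session data are constructed for illustration, and only IPv4 targets are handled.

```python
import re

# Constructed sample of FTP control-channel traffic: (client_ip, command line).
SAMPLE_SESSION = [
    ("203.0.113.7", "USER anonymous"),
    ("203.0.113.7", "PORT 203,0,113,7,195,80"),  # client's own address, port 50000
    ("203.0.113.7", "PORT 10,0,0,5,0,22"),       # third-party internal host
    ("203.0.113.7", "PORT 203,0,113,7,0,25"),    # own address, privileged port
    ("203.0.113.7", "EPRT |1|10.0.0.9|8080|"),   # third-party host via EPRT
    ("203.0.113.7", "PORT 10,0,0,999,1,1"),      # malformed octet
]

PORT_RE = re.compile(r"^PORT\s+" + ",".join([r"(\d{1,3})"] * 6) + r"\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|1\|([0-9.]+)\|(\d{1,5})\|\s*$", re.I)

def parse_data_target(command):
    """Return (ip, port) for PORT/EPRT, None for other commands; ValueError if malformed."""
    m = PORT_RE.match(command)
    if m:
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range")
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPRT_RE.match(command)
    if m and int(m.group(2)) <= 65535:
        return m.group(1), int(m.group(2))
    if command.upper().startswith(("PORT", "EPRT")):
        raise ValueError("malformed or unsupported data-port argument")
    return None

def check_command(client_ip, command):
    """Decide whether the server should honour this command from client_ip."""
    try:
        target = parse_data_target(command)
    except ValueError:
        return "reject: malformed"
    if target is None:
        return "ok"
    ip, port = target
    if ip != client_ip:
        return "reject: third-party address"
    if port < 1024:
        return "reject: privileged port"
    return "ok"
```

The same two comparisons can be run over recorded control-channel logs to flag past sessions in which a client asked the server to connect somewhere other than back to itself.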
In its conclusions, the report states that NASA does indeed conduct risk assessments of individual IT systems, but has never conducted an agency-wide assessment of its whole network, and that this is vital for protecting against the most important threats.
- “NASA Needs to Remedy Vulnerabilities in Key Networks”, an earlier report (October 2009) from the US Government Accountability Office.
- NASA Open Source Summit announced, a report from The H.