The actual OIG report: <a href="https://oig.nasa.gov/docs/IG-19-022.pdf" rel="nofollow">https://oig.nasa.gov/docs/IG-19-022.pdf</a> I only did the briefest of scans, but the recommendations seem pretty basic best-practices stuff.<p>In my experience, research labs tend to be creative spaces with a focus on collaboration, and information security is not foremost on people's minds. I guess that will have to change.
>5,406 unresolved SPLs—about 86 percent of which were rated high or critical
>JPL did not effectively address a known software vulnerability, first identified in 2017, with a critical score of 10. This software flaw can be used by cyberattackers to remotely execute malicious code
>one of the projects has a waiver of JPL IT security requirements to change passwords every 90 days. Instead, the project relies on a designated application and team accounts to share password files, group files, host tables, and other files over the network<p>There seems to be a fair amount of filler in the report (review access logs, out-of-date inventory, etc.), but these points seem pretty damning.
The article mentions that the hackers stole 500MB? The number seems small given the scale of storage in modern computers, but I guess 500MB could account for a large number of documents that contain confidential info.
The article says that if the hackers were some jokers on the internet, then the data isn’t terribly useful, but if it was an adversarial nation, then it is very useful. Why? Can’t the jokers sell it to other nations?