NASA Has Been Hacked

290 points, by kevinguay, almost 6 years ago

22 comments

SamuelAdams, almost 6 years ago
I highly recommend reading the actual audit[1]. There's a lot of good details in there, similar to the Senate report on the Equifax breach a few days ago. There were several problems: the inventory tracking issue was particularly enlightening:

> system administrators did not consistently update the inventory system when they added devices to the network. Specifically, we found that 8 of 11 system administrators responsible for managing the 13 systems in our sample maintain a separate inventory spreadsheet of their systems from which they periodically update the information manually in the ITSDB. One system administrator told us he does not regularly enter new devices into the ITSDB as required because the database's updating function sometimes does not work and he later forgets to enter the asset information.

Other good notes

Lack of training:

> NIST requires that organizations provide security-related technical training specifically tailored for their assigned duties... As of April 2019, JPL did not have a role-based training program, provide additional IT security training for system administrators, nor fund their IT security certifications.

Refusing to let Department of Homeland Security (DHS) complete a thorough post-intrusion assessment:

> However, according to NASA SOC personnel, JPL was concerned with inadvertent access to its corporate network and feared disruption of mission operations. In addition, JPL was unfamiliar with DHS's standard engagement procedures. Collectively, resolution of these issues resulted in DHS being unable to perform scans of the entire network until 4 months after the incident was detected.

[1]: https://oig.nasa.gov/docs/IG-19-022.pdf
tetha, almost 6 years ago
Reading the audit, this kind of confirms my base question when building infrastructure: If people don't do the right thing the business needs, why is it too hard to do? Can't we reduce the pain to do the right thing so doing the lazy / wrong thing is harder? People not doing things tends to be an indication of boundaries and responsibilities being drawn in bad ways.

Something like the log reviews are a classical thing. Training a sysadmin to know all the new hot attacks and patterns they cause in a log is hard, because that world moves fast. It'd be much more effective to task the admin with a well-defined, easily monitored task: <Ship logs to splunk. Make sure logs are always shipped to splunk>. Might need some definition about format and which logs, but all logs go to splunk. And then it's the security guys' job to look for malicious patterns in those logs, probably automatically. Ideally with something simple, like elastic-alert, logstash, you name it, from my own stack.

Similarly, why do people have to manually enter systems into the host database? It depends on how far you want to automate that, but firewall all systems to access the central registry only, and widen the firewall after an authorized registration of the system. That way, the admins just have to rack systems with a USB stick with some credentials, and it goes or it doesn't.

If basic things are so hard people don't do them, something is structurally wrong.
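The inventory gap quoted from the audit above, and tetha's point that registration should not depend on an admin remembering to do it, as an added example that is not part of this thread or of the audit: a reconciliation check that compares hosts actually seen on the network against an ITSDB-style inventory, so an unregistered device surfaces on its own. The inventory, the DHCP-lease-style lines and the 30-day staleness window are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed ITSDB-style inventory: MAC -> (system name, responsible admin).
INVENTORY = {
    "b8:27:eb:12:34:56": ("mission-ops-01", "admin-a"),
    "00:1a:2b:3c:4d:5e": ("file-server-02", "admin-b"),
}

# Constructed lease records: "<ip> <mac> <hostname> <last-seen ISO timestamp>".
# The third host is a Raspberry Pi (B8:27:EB is the Raspberry Pi Foundation OUI)
# that nobody entered into the inventory; the last line is deliberately malformed.
LEASES = """\
10.0.4.10 b8:27:eb:12:34:56 mission-ops-01 2019-04-10T09:12:00
10.0.4.11 00:1a:2b:3c:4d:5e file-server-02 2019-04-10T09:15:00
10.0.4.77 b8:27:eb:aa:bb:cc raspberrypi 2019-04-10T09:20:00
garbage line that does not parse
"""

LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-fA-F:]{17})\s+(\S+)\s+(\S+)$")


def parse_leases(text):
    """Parse lease lines into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            ip, mac, host, seen = m.groups()
            rows.append({"ip": ip, "mac": mac.lower(), "host": host,
                         "seen": datetime.fromisoformat(seen)})
    return rows


def reconcile(lease_text, inventory, now_iso, max_age_days=30):
    """Return unregistered devices (seen on the network, not in the inventory)
    and stale records (in the inventory, not seen within max_age_days)."""
    now = datetime.fromisoformat(now_iso)
    leases = parse_leases(lease_text)
    last_seen = {}
    for r in leases:  # keep only the most recent sighting per MAC
        last_seen[r["mac"]] = max(last_seen.get(r["mac"], r["seen"]), r["seen"])
    unregistered = sorted({r["mac"] for r in leases if r["mac"] not in inventory})
    stale = sorted(mac for mac in inventory
                   if mac not in last_seen
                   or now - last_seen[mac] > timedelta(days=max_age_days))
    return {"unregistered": unregistered, "stale": stale}


if __name__ == "__main__":
    print(reconcile(LEASES, INVENTORY, "2019-04-20T00:00:00"))
```

Run on a schedule against real lease or ARP data, the "unregistered" list is the alert feed a SOC would review, and "stale" flags inventory rows that no longer correspond to anything on the wire.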
chacha2, almost 6 years ago
Wow. Try to opt out of their data tracking, an option they're required to add.

"This may take up to a few minutes to process"

They make you wait at this long ass loading screen while they "process" your request not to have cookies.

Here's the outline for people who don't want to wait minutes to read an article. https://outline.com/TZSBv4
module0000, almost 6 years ago
Hopefully, this doesn't cause fear mongering around Raspberry Pi devices. It's not a stretch to imagine a bureaucrat reading articles like this, seeing "a raspberry pi was plugged in", and forming a negative opinion of the device and people that use them.
gfodor, almost 6 years ago
I usually roll my eyes at meta comments on HN about ads or tracking on web pages getting in the way, but good lord. This page first slams you with a nearly full page ad with no dismissal, and then after you read a few paragraphs hits you again with a modal sign up dialog.
madengr, almost 6 years ago
Unfortunately this will just make it more difficult to get real work done, as security is tightened further. Maybe they just ought to physically isolate their networks.

Working at a large engineering organization, I have given up and now do all engineering work on a stand alone computer, with dongle licensed software. I feel bad about the piles of CDR I burn through to transfer files, but it's the only solution to getting work done.
olliej, almost 6 years ago
IT security people need to stop thinking in terms of disallowing "unauthorized" devices on physical networks (wired and WiFi) and recognize and start designing for human nature.

Assume that the physical networks are compromised, and have all privileged resources only accept connections over VPN. Is it perfect? No, but it makes further compromise harder. The assumption of no trust also means acknowledging that you need to gate incoming connections.
tuanx5, almost 6 years ago
Link to the actual audit here: https://oig.nasa.gov/docs/IG-19-022.pdf
eggy, almost 6 years ago
I remember back in the late 80s telnetting out of the NYU Bobst library on their VAX 11(?) system to some pretty interesting systems. The Johnson Space Center in Houston (running VAX 11/785s) was one I particularly remember. Of course, back then things were not battened down as much as they are now; the spirit was an open network. A sysadmin would interrupt your session with questions like "Who is this? You are unauthorized to access this system, etc."
jlmorton, almost 6 years ago
Here's food for thought: while a proper firewall and network segmentation is a well-established best practice, I'm not sure this is a winning battle.

There are probably a few dozen organizations out there that are properly implementing strong information security practices, and my hat goes off to them. But they are the few, and I have never worked for one.

Despite best laid plans and policies, every place I have worked has always had some improperly secured services somewhere on their network. And every place that I've worked has had segmented networks that people end up relying on. And the people working for these organizations are often aware of the improperly secured resources, but they're only in the DMZ, and there are many other things to worry about, so it lives on.

Especially now that we live in an IPv6 world, why not just run everything publicly? Push security all the way down to the applications themselves, and rely on the software development lifecycle process to catch security issues.

Every service has to be secure. And they can get an awful lot of help in this from things like a service mesh architecture, where you're getting mutual TLS from something like Envoy, and the applications won't accept a network connection unless they're specifically authorized.

We need to stop relying on firewalls and network segmentation entirely, and just run everything on the public Internet, and make sure every service is secured.

I will say, when a zero day comes out in whatever proxy you're using to secure your services, you are in for a world of hurt. But there are zero days in firewalls too.
rurban, almost 6 years ago
The JPL has been hacked, not just the NASA.

The JPL does much more interesting stuff than just NASA, like engines for military and also secret SW programs for the NSA (we know that from Larry Wall who was sysadmin there). And they are just administered by Caltech staff. Wow.

Random hackers are only interested in confirmation of aliens, but NSA or DOD stuff is very, very interesting to the Chinese who hacked these systems last.
rdruxn, almost 6 years ago
Wow, what a horrible website. The entire article was nearly completely covered with popover ads.
thereare5lights, almost 6 years ago
Don't forget, CBP likely already compromised their security before.

https://www.theatlantic.com/technology/archive/2017/02/a-nasa-engineer-is-required-to-unlock-his-phone-at-the-border/516489/
hluska, almost 6 years ago
For further context, here's another report on NASA's security in 2012.

https://oig.nasa.gov/congressional/FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2.pdf

Sadly, it doesn't seem like things have changed.
rasengan, almost 6 years ago
And this is why you need to practice Defense in Depth. DO NOT assume your system is simply hardened and cannot be penetrated. You have to assume the opposite -- assume you will get fcked hard and apply separation among systems such that a wound is just a wound, and not a fatal death.
sirbranedamuj, almost 6 years ago
I was hoping there would be more info about how exactly the RPi was compromised, and the steps that were taken from there.
johnrbent, almost 6 years ago
Raspberry Pi is all over HN today.
rochester6666, almost 6 years ago
CAUDIT is a potential mitigation tool that is extensible for data breaches. Ref: https://github.com/pmcao/caudit
rawoke083600, almost 6 years ago
Finally! Now send me the megadownload link for the Bigfoot and E.T. photos.
oh_sigh, almost 6 years ago
Note: it is NASA, not Nasa. I've only ever seen the BBC call it Nasa because of their typographic rules.
reversengineer, almost 6 years ago
YTCracker did it first!
peterwwillis, almost 6 years ago
> All in all it reads like a security basics 101 list that has been ignored. System administrators lacked security certifications, no role-based security training was in place and JPL, unlike the main NASA security operations center (SOC), didn't even have a round-the-clock incident reporting capability.

That is not security 101, that's CYA bullshit that corporations institute once they've been caught with their pants down. "Training" is worth jack. You have to actually *implement* security practices for them to be worthwhile. Sysadmins are not always the brightest bulbs in the box, but they definitely shouldn't be expected to be doing a security team's job of regularly auditing security policy to make sure it's being enforced.