Two recent stories tell about hackers taking control of the NASA network and of NASA laptops stolen with critical International Space Station control codes within them.
Although such security breaches commonly happen in all companies and government agencies, they don’t seem to get much attention unless embarrassing national (or international) news coverage occurs.
The Sydney Morning Herald’s article “NASA says laptop with space station control codes was stolen” talks about an “… unencrypted notebook computer [that] went missing in March 2011 and ‘resulted in the loss of the algorithms used to command and control the International Space Station’, NASA Inspector General Paul Martin told lawmakers this week.”
The March 3,2 012 SMH article continues with, “The theft was alerted to Congress on Wednesday along with 5408 computer security “incidents” that resulted in unauthorised access to NASA systems or installation of malicious software in the past two years, Martin said.”
Further, the March 5, 2012 Telegraph article “Hackers had ‘full control’ of hijacked Nasa network” states, “Hackers broke into Nasa computer systems 13 times last year and gained “full functional control” of systems in breaches that could have compromised US national security, the space agency has admitted.”
The Telegraph article went on to state that the hackers “… access allowed them to modify, copy, or delete sensitive files, create user accounts for mission-critical JPL systems and upload hacking tools to steal user credentials and compromise other Nasa systems. They were also able to modify system logs to conceal their actions, Mr Martin said.”
Read also: Hackers controlled Nasa computers
This reminds me when I worked at a NASA facility in the 1980s and 1990s. Yes, quite a few years ago, but it seems NASA still has problems with security at its facilities.
On the other hand, it is admittedly difficult to totally eliminate hackers from getting into secret government computer systems and to prevent government laptops from being stolen. However, the more it happens, the more a country’s security is compromised and the more it costs its citizens to correct such problems.
During my days as a NASA contractor employee we were issued security badges when first becoming employed. These were worn to access various government and contractor buildings that were labeled for employees with only secret security clearances.
These badges were also used to make sure co-workers knew you were supposed to be there. The main building that we worked at each day was one such facility that required a security badge.
However, in the mornings one employee would regularly swipe their card to gain entrance into the building, and whomever was behind this person also got in, too. All of this occurred without these other employees (maybe some weren’t really employees???) having to swipe their cards — or even showing their cards. (Does this situation look familiar in your work environment?)
Do you get the picture? Someone who knew of this morning ritual and wanted to gain access to a secured building without having a security badge, could easily get into the NASA-sponsored building — just by walking in behind one of the employees.
When I reported this to security, they just looked at me with a “what-am-I-supposed-to-do” look on their faces. Nothing was ever done to correct a potential breach of security. I wonder if this situation continues to occur years later? Probably!
I also reported another easy way to gain entrance to NASA buildings. Employees were not supposed to wear their badges in public (such as when they went out to eat during lunch-time). However, they usually did.
So, if someone wanted to gain entrance to a NASA building (say a spy from another country), then all they had to do was remember: the name printed on a badge (say, John Smith) and the company’s name (which was also on the badge).
Then, this person — wanting to illegally gain access to a building — could call the main telephone number of that NASA contractor company, asking the receptionist for “John Smith’s” telephone number.
With these two bits of information — only “name” and “telephone number” — you could then walk into the main entrance and say “I’ve forgotten my badge” and with two pieces of information (yes, name and telephone number) you could get a temporary badge to wear as you walked around this building.
Again, this information was not acted upon when I told this to security. Has this been resolved, now 20 years later? I don’t know. (I really doubt it.)
However, security is only as good as the people who use it every day. If you don’t take security serious, even at the most basic level, then holes (whether high- or low-tech) will continue to exist that negate the entire security system.