Guest essay by Eric Worrall
A group of hackers, apparently part of a community of hackers who spend their time casually cruising poorly defended US government computers, have busted into and claim to have interfered with sensitive NASA systems, including climate monitoring projects.
Hackers have released online 250GB of data purloined from NASA systems – and claim to have diverted a multi-million-dollar drone the agency uses to run high-altitude sampling missions.
“So yeah, we know what you’re thinking, hacking NASA? How fucking cliche… If only I had a Dogecoin for every time someone claimed that, amiright?” the group wrote in an online posting.
“It’s like the boy who cried wolf but with hacking NASA instead lol. But you might be surprised how low govt security standards can be, especially with a limited budget and clueless boomers controlling the network.”
The swiped records include the names, numbers, and email addresses of 2,414 NASA staffers, as well as more than 2,000 flight logs and 600 video feeds from the agency’s fleet of aircraft. The hacker team, calling itself Anonsec, published the data on the web with an explanation of how the hack took place.
Read more: http://www.theregister.co.uk/2016/02/01/250gb_nasa_data_hacked/
None of the techniques the hackers used to break in sound remotely challenging in a technical sense. The hackers provided a detailed description of their escapade.
After gaining an initial foothold, by purchasing a hacked NASA account from a friend, they simply mapped the internal architecture of the NASA computer network using well known tools. Many of the systems they encountered were configured to use the default password (the well known initial vendor password, created when the system is installed), or had no password at all. They then leapfrogged from system to system, each leap opening yet more opportunities to widen their breach of NASA security.
These hackers were apparently interested in finding inside information about the Chemtrails conspiracy theory. I guess this puts their motives on a par with the last clown who broke into NASA and the Department of Defence, who was looking for evidence of imprisoned aliens, antigravity systems, and alleged government suppression of “free” energy technology.
The big question, is why do all systems have to be connected to the Internet? When I worked for the USGS, we had many instruments connected to our network (Gas Chromatographs, Mass Spectrometers, etc.) These instruments all required admin access to the PC to acquire data. Well, our IT Department wouldn’t have any of that, so they created a Local Area Network, that all the instruments were connected to, and that was that. Need the data on another PC. Use Sneakernet.
Many products require an internet connection for licensing, activation, support and updates. Back in the 90’s when the WWW kicked off, I said to my co-workers “This will become an issue.”
“Many products require an internet connection for licensing, activation, support and updates.”
True, however, corporate accounts usually cannot be logged into off site, and if for some reason someone is granted off site access, they are given multiple password layers AND the network sends an alert when that person logs onto, and off of, the corporate network. Some companies change the password often, sometimes daily, and it requires an actual phone call to whomever is monitoring the system at the time (day and night) and personal verification of multiple criteria before that person is allowed to connect to the network via internet connection.
(My husband does “internet security” work for a very large financial corporation. His favorite phrase is “90% sheer mind numbing boredom, 9% frustration and stress, and 1% complete and utter terror”. I’ve learned if/when he calls and says certain words to just say “I love you.” “I’ll miss you” and “Try not to kill anyone tonight”. ) grin
If loony hackers can do it, then China, Iran, and Russia have done it too. I bet the reason it was so easy is because everyone is installing the OS (linux?) on their desktop, instead of an IT guru setting up a secure system and cloning it to all desktops.
Who said it was “easy”? And easy for professional hackers does not mean easy for anyone else. And trust me, in organizations as large and important as NASA, NO ONE…and I mean NO ONE….gets to “install” anything on their desktop personally. Period. And if they DO manage to do it, the network alerts the IT department head and someone either gets fired, or gets a new desktop in which management has to “approve” all future log ins by the employee.
Trust me. In something that big, the IT department knows when ANYONE chats, skypes, plays a game, looks at porn, shops on Amazon, or sends a text message. No system is completely secure, but most of the important ones are “fool proof” because the fools only have limited access to certain things, and never everything at once.
As always, the first question is: True or False?
The second: Is it an outside job or an inside job?
There seem to be motives for an inside job. Destroy records and blame hackers.
Keep watching.
Ah, a fellow cynic. My first thoughts as well.
Shouldn’t NASA have put up some fake stuff in case they were hacked, such as the warehouse that had the aliens? Then they could just arrest the hackers on site.
They do Mike….we call it the satellite data….(couldn’t resist! lol)
NASA still uses punch cards. They don’t necessarily have the machines, but the software uses a file format that is made to look like punch cards, to maintain legacy code.
I was shocked circa 1999 when I received a Word macro virus from a document placed on a NASA server by an industry committee member. (I forget whether the member was a NASA employee or NASA had kindly given the committee some space on a server, likely an ARINC AEEC or RTCA committee.)
(Didn’t help that setup of my computer by my employer had somehow managed to turn some security checking off, and that I didn’t watch the boot progress display which flagged that but did not halt boot as some error messages do. My usual practice is to turn computer on first thing on arrival, then unpack anything I brought in, then get a cup of coffee, all to let Windows boot completely as I’ve found AV SW was McAfee which had its faults then, OS probably Win98SE which scrolled lines on the screen as later Windows versions do if booting in Safe Mode.)
Finishing a sentence:
let Windows boot completely as I’ve found functional problems if trying to use applications too early.
They didn’t get into the USCRN data, so we’re good to go. Just have to switch from poorly sited, collected, adjusted data to REAL data. Good time and motivation to make the switch.