Tuesday, March 17, 2015

US gov. computer devices not necessarily encrypted. Unencrypted NASA computers were continually breached through 2012, hacked 13 times in 2011 alone. 48 NASA laptops have been lost or stolen. Officials were warned in 2009 but failed to take necessary precautions on behalf of taxpayers - Reuters, BBC

3/2/12, “NASA says it was hacked 13 times last year,” Reuters UK

"NASA said hackers broke into its computer systems 13 times last year, stealing employee credentials and gaining access to mission-critical projects in breaches that could compromise U.S. national security.

The National Aeronautics and Space Administration spends only $58 million of its $1.5 billion annual IT budget on cyber security, Paul Martin, the agency's inspector general, told a Congressional panel on NASA security earlier this week.

"Some NASA systems house sensitive information which, if lost or stolen, could result in significant financial loss, adversely affect national security, or significantly impair our nation's competitive technological advantage," Martin said in testimony before the U.S. House Committee on Science, Space and Technology, released on Wednesday. (bit.ly/yQFSB8)

He said the agency discovered in November (2011) that hackers working through a Chinese-based IP address broke into the network of NASA's Jet Propulsion Laboratory. He said they gained full system access, which allowed them to modify, copy, or delete sensitive files, create user accounts for mission-critical JPL systems and upload hacking tools to steal user credentials and compromise other NASA systems. They were also able to modify system logs to conceal their actions, he said.

"Our review disclosed that the intruders had compromised the accounts of the most privileged JPL users, giving the intruders access to most of JPL's networks," he said. In another attack last year, intruders stole credentials for accessing NASA systems from more than 150 employees.   

Martin said the agency has moved too slowly to encrypt or scramble the data on its laptop computers to protect information from falling into the wrong hands. 

Unencrypted notebook computers that have been lost or stolen include ones containing codes for controlling the International Space Station as well as sensitive data on NASA's Constellation and Orion programs and Social Security numbers, Martin said." "(Reporting by Jim Finkle; editing by Gunna Dickson)"


BBC frames "theft" of NASA laptop from locked car as merely a laptop "loss". NASA Chief Bolden promised in March 2012 to have laptops encrypted, but as of Nov. 2012 it still wasn't done:

11/15/12, “NASA to encrypt data after its latest laptop loss,” BBC

“US space agency Nasa has ordered that the data on all its laptops must be encrypted, after losing another one of its portable computers. Until the process is complete, it has forbidden staff from removing Nasa-issued laptops containing sensitive information from its facilities.

The order follows the loss of a device containing “sensitive personally identifiable information”. There have been several similar incidents over recent years.

Nasa said the latest incident had occurred on 31 October, when a laptop and documents were stolen from a locked vehicle of one of its employees at Nasa headquarters in Washington DC. The machine was password protected, but the agency acknowledged that the information might still be accessible to hackers since it was not encrypted.

Encryption would have scrambled the data, requiring a complicated code to make it understandable again. As a result, Nasa has warned its workers to watch out for bogus messages.

“All employees should be aware of any phone calls, emails, and other communications from individuals claiming to be from Nasa or other official sources that ask for personal information or verification of it,” an agency-wide email published by news site Spaceref stated.

“Because of the amount of information that must be reviewed and validated electronically and manually, it may take up to 60 days for all individuals impacted by this breach to be identified and contacted.”…

The NASA Watch blog, which comments on affairs at the agency, had previously criticised it for a series of other data losses.

It noted that the organisation had been warned in 2009 that it was not taking enough steps to sufficiently protect information and had reported the loss or theft of 48 of its mobile computing devices between April 2009 and April 2011.

This is not the first time Nasa has promised action to address the problem.

In March, Nasa administrator Charles Bolden told the House Appropriations Committee Subcommittee on Commerce that he was going to sign a directive ordering all portable devices to use encryption, after acknowledging the agency was “woefully deficient” when compared to other government departments.”

Image caption: "Nasa had promised in March that it would encrypt its mobile computers," Getty image via BBC 


11/14/12, NASA Suffers “Large” Data Breach Affecting Employees, Contractors, and Others, spectrum.ieee.org, R. Charette

“Yesterday, NASA sent a message to all NASA employees informing them of a data breach involving an agency stolen laptop.

According to the NASA message posted at SpaceRef.com, “On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee’s locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals.  

We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.”

The message goes on to state that NASA will be sending letters to affected individuals, once the agency figures out who they are, which may take up to 60 days. Those individuals receiving letters will be offered a free credit and ID monitoring service….

NASA plans to have all of its laptops running whole disk encryption software by 21 December 2012….

Why it has taken so long for NASA to finally decide to fully encrypt its laptops remains a mystery, given its long-time poor record on IT security. As noted at NASA Watch, NASA has a history of laptops with personally identifiable information being stolen, one as recently as March.

Maybe NASA decided to act this time because it involved a NASA Headquarters’ person who in all likelihood is very senior and should have known better than to possess a laptop with no data encryption.” (Image above: NASA administrator Charles Bolden)


