Weak security practices and critical holes in NASA's agency-wide network could allow an attack over the Internet that would disrupt missions and expose sensitive data, according to a government report.
"Until NASA addresses these critical deficiencies and improves its IT security practices, the Agency is vulnerable to computer incidents that could have a severe to catastrophic effect on Agency assets, operations, and personnel," said the Inspector General's report, titled "Inadequate Security Practices Expose Key NASA Network to Cyber Attack (PDF)," released yesterday.
NASA uses a series of networks to carry out its various missions, which include controlling spacecraft like the International Space Station and conducting science missions like the Hubble Telescope.
The Office of Inspector General (OIG) found that servers on the NASA network had "high-risk" vulnerabilities that were exploitable from the Internet and that specifically six servers containing critical data and used for controlling spacecraft were found to have holes that would allow a remote attacker to take control over them or render them inaccessible. Once inside the network, an attacker could exploit other weaknesses auditors identified, which could "severely degrade or cripple NASA's operations," the report said.
Poorly configured network servers revealed encryption keys and encrypted passwords and one server disclosed sensitive account data for all its authorized users. The information could be used to target NASA personnel with phishing attacks and e-mails containing malicious code designed to compromise the recipient's computer.
The OIG recommended last May that NASA immediately establish an IT (information technology) security oversight program for the key network. As of last month, such a program was not implemented despite the fact that NASA agreed with the recommendation, the report said.
The problems are not just theoretical; NASA's network has been breached. In January 2009, attackers stole 22 gigabytes of export-restricted data from a Jet Propulsion Laboratory computer system, according to the report. Later that year, a computer system that supports one of NASA's mission networks was infected and was causing the system to make more than 3,000 unauthorized connections to domestic and international Internet Protocol addresses including addresses in China, the Netherlands, Saudi Arabia and Estonia, the OIG said.
"The sophistication of both of these Internet-based intrusions confirms that they were focused and sustained efforts to target assets on NASA's mission computer networks," the report said.
NASA representatives could not be reached for comment late today.