Security News > 2000 > July > Analyst says break-ins reveal continued vulnerabilities at NASA

Analyst says break-ins reveal continued vulnerabilities at NASA
2000-07-17 16:40

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO47186,00.html BY Ann Harrison (Jul. 14, 2000) The arrest of two New Yorkers accused of breaking into NASA computers points to ongoing security problems at the lab, a problem that one analyst said could be due to lack of funding for government security systems. "Public embarrassment is certainly a factor here and it casts a bad light on some of the security measures they are taking, said David Remnitz, CEO of the Manhattan security firm IFsec, LLC. "But there hasn't been that much money spent for [government] information assurance processes. Even though NASA might have tremendous talent in information security, they might not have enough people due to budget constraints." NASA as a whole has been trying to improve its security for the last three or four years, but it is not in reaction to any specific incident, said Steve Nesbitt, director of operations for the NASA office of the inspector general computer crimes division. "I don't know about the budget constraints that NASA has concerning their resources," he said. Nesbitt said NASA has not commented on any specific vulnerabilities that led to the password thefts or Web site hack. But he said that constant upgrades to operating systems often open holes that crackers can exploit. "Operating systems need to be tested and verified before they are released. That would improve everyone's security if they just basically leave a back door into the systems." Nesbitt says NASA uses a combination of operating systems, but given the number of incursions, it was difficult to track which operating system was running the compromised Web server. He added that NASA does have a security response mechanism in place but he said the speed of remediation is affected by the necessity of daily systems operation and maintenance. Raymond Torricelli, 20, of New Rochelle, N.Y., was arrested Wednesday for breaking into two computers at NASA's Jet Propulsion Laboratories in Pasadena, Calif., in 1998, according to the U.S. attorney's office. Investigators said the burglaries led to the theft of more than 100 credit-card numbers that were used in the theft of more than $10,000 worth of goods. He was released on $50,000 bail but faces up to 10 years in prison and a $250,000 fine. While court papers said NASA has since spent several thousand dollars strengthening security on the Pasadena machines, an unidentified 15-year-old high school student was arrested this week for breaking into two additional NASA computers in Hampton, Va., and a third machine in Bethpage, N.Y. The teenager surrendered Tuesday to Suffolk County police, who charged him with computer tampering. "There is no excuse. NASA should have had that system hardened in a more appropriate fashion," said Remnitz. The NASA Office of the Inspector General said that the teenager didn't gain access to sensitive or classified information, but that he caused about $5,000 in damage when he defaced the NASA Web site with the message, "SSH is coming," a reference to his hacker handle "Sesame Street Haxorz." According to police, the teen also replaced NASA system files with images, including that of Elmo, a character in the "Sesame Street" children's TV show. Police said they were investigating whether the teenager, who was released into the custody of his father, was being instructed online by another computer cracker. The five-count complaint against Torricelli alleges that he exploited a vulnerability in one NASA computer at the Jet Propulsion labs that allowed him to use the machine to hold chat-room discussions with a cracking group known as "#conflict," or "pound conflict." The computer was used by NASA to perform satellite design and mission analysis for future space missions. Court papers said data recovered from Torricelli's personal computer revealed that the discussions included hacking strategies and methods for stealing credit cards and altering the results of the MTV Movie Awards. Torricelli is then alleged to have broken into a second NASA computer used by the laboratory as an e-mail and internal Web server. Investigators say Torricelli exploited a security hole in the computer to install a sniffer program that intercepted user names and passwords as they traversed the networks of San Jose State University and Georgia Southern University. Remnitz said the network sniffing and password cracking that Torricelli allegedly pulled off in 1997 and 1998 are now considered unsophisticated by current standards. But despite the years that elapsed since the exploits occurred, NASA has provided little information about the vulnerabilities that could pinpoint the cause of the security breaches or help other users. "The problem with this whole incident is that there are so many rumors coming out about it, but no facts," he said. Nesbitt said NASA has not commented on any specific vulnerabilities that led to the password thefts or Web site hack. But he said that constant upgrades to operating systems often open holes that crackers can exploit. He said NASA uses a combination of operating systems, but given the number of incursions, it was difficult to track which operating system was running the compromised Web server. He added that NASA does have a security response mechanism in place, and that the speed of remediation is affected by the necessity of daily systems operation and maintenance. The complaint charged that Torricelli used a decrypting program called "John-the-Ripper" to seize more than 76,000 passwords. The passwords and user names were used to gain unauthorized access to more than 800 computers. American Express, Visa, MasterCard and Discover reported that more than 100 stolen-credit card numbers on Torricelli's PC led to more than $10,000 in fraud from cardholders. Torricelli also allegedly earned more than $5,200 from an unidentified company for using them to spam ads for a pornographic Web site. According to Remnitz, a directive handed down by President Clinton was intended to allocate more money to strengthening the national infrastructure and commercial networks that support government systems. But he said the NASA security failures show that they are still underfunded. "Technology is changing so fast, and security departments have to continuously be on top of security and devices in their systems . . . that if they don't have enough people, they are at a tremendous disadvantage," said Remnitz. *-------------------------------------------------* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred. M. Gray, USMC --------------------------------------------------- C4I Secure Solutions http://www.c4i.org *-------------------------------------------------* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".


News URL

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO47186,00.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Nasa 6 0 9 6 0 15