Security News
In an audit [PDF] published Tuesday, the OIG found NASA has a "comprehensive privacy program that includes processes for determining whether information systems collect, store, and transmit PII; publishing System of Records Notices; and providing general privacy training to its workforce." That's a welcome assessment, given NASA employs around 16,000 people and - as with all government agencies - collects PII about them and the contractors, partners, and members of the public it engages.
The NASA Office of Inspector General has published its annual audit of the aerospace agency's infosec capabilities and practices, which earned an overall rating of "Not Effective." We could go on, but you get the idea: NASA infosec isn't great.
A vulnerability in network technology widely used in space and aircraft could, if successfully exploited, have disastrous effects on those critical systems, according to academics. In a study published today, boffins at the University of Michigan in the US, with some help from NASA, detailed the flaw and a technique to exploit it, which they dubbed PCspooF. Exploiting PCspooF can cause critical systems on a network to malfunction by disrupting their timing.
While NASA has a fully operational insider threat program for its classified systems, the vast majority of the Agency's information technology systems - including many containing high-value assets or critical infrastructure - are unclassified and are therefore not covered by its current insider threat program. While NASA's exclusion of unclassified systems from its insider threat program is common among federal agencies, adding those systems to a multi-faceted security program could provide an additional level of maturity to the program and better protect agency resources.
An audit of NASA's infosec preparedness against insider threats has warned it faces "serious jeopardy to operations" due to lack of protection for unclassified information. A Monday report [PDF] found that NASA has done well, as required, in its efforts to defend and prevent insider threats to classified information - stuff that NASA defines as "official information regarding the national security that has been designated Confidential, Secret, or Top Secret."
The U.S. National Aeronautics and Space Administration identified more than 6,000 cyber-related incidents in the last four years, according to a report published this month by NASA's Office of Inspector General. NASA has institutional systems, which are used for the day-to-day work of employees - these include data centers, web services, computers and networks.
NASA has fired up the avionics of the Artemis I core stage ahead of tomorrow's planned redo of the prematurely terminated hotfire test. Those boosters are missing a key ingredient: the SLS core stage, which continues to languish on the B-2 test stand at NASA's Stennis Space Center near Bay St. Louis, Mississippi.
NASA and the US Federal Aviation Administration have also been compromised by the nation-state hackers behind the SolarWinds supply-chain attack, according to a Washington Post report. NASA is an independent U.S. federal agency coordinating its civilian space program.
While the agency experienced 1,468 incidents, its budget was decreased last year, according to a report by Atlas VPN. There were 1,468 cyber incidents at NASA in 2019 - an increase of a staggering 366%, according to data extracted and analyzed by Atlas VPN, which released the findings in a new report. Cyber incidents at NASA can affect national security, intellectual property, and individuals whose data could be lost due to data breaches.
That spike in users also exposed a growing list of security flaws: Zoom bombing trolls have emerged, user email addresses and photos have leaked, calls aren't being end-to-end encrypted, and flaws found in the Zoom installer allow an attacker to gain root access to computers that run a malicious version of it. These security flaws have prompted some organizations, companies, governments, government agencies, and schools to ban Zoom or restrict its use.