[ISN] GAO: NASA systems full of holes.

From: cult hero (jerichoat_private)
Date: Thu May 27 1999 - 01:56:28 PDT


    From: anon
    
    http://www.fcw.com/pubs/fcw/1999/0524/fcw-newsnasa-5-24-99.html
    
    MAY 24, 1999 
    GAO: NASA systems full of holes 
    BY DIANE FRANK (diane_frankat_private)
    
    Out-of-date information security policies have left significant
    vulnerabilities in NASA's mission-critical systems that could allow
    unauthorized users to steal, modify or delete important operational data,
    according to a General Accounting Office report released last week. 
    
    GAO, working over the past year with experts from the National Security
    Agency and using nothing more than public Internet access, was able to
    gain access to several unclassified mission-critical systems, including
    those supporting the command and control of spacecraft.
    
    According to GAO, NASA has not created enough awareness among its
    employees about common security mistakes and vulnerabilities, such as
    easily guessed passwords. NSA initially breached some systems using
    passwords such as "guest" for guest accounts and "adm" for system
    administrators, opening the door for broader access to agency systems.
    
    "The way we got in was through commonly known security faults," said John
    de Ferrari, assistant director of the Accounting and Information
    Management Division at GAO.
    
    GAO concluded that it was able to penetrate systems because NASA does not
    have a consistent information security management policy that the entire
    agency follows. "A lot of what needs to be done is awareness-related; you
    never seem to get enough awareness of computer security," de Ferrari said.
    
    GAO found that NASA did not have many policies regarding Internet and
    network security, and some policies the agency did have were out of date
    or were not followed. 
    
    "We Had Become Quite Lax"
    
    "The fact of the matter is, we had become quite
    lax in the agency in terms of passwords," said Lee Holcomb, NASA's chief
    information officer. NASA now is scanning user passwords for ones that
    could be easily cracked and to check new passwords for vulnerabilities.
    
    "We take very seriously our responsibility for safeguarding our IT assets,
    and after Y2K, security is our No. 1 priority," Holcomb said. "They
    acknowledge that they did not succeed in penetrating several systems, but
    the fact that they did succeed is troubling to us. It is a wake-up call to
    the agency."
    
    This report is an important addition to the work already occurring
    throughout government to raise awareness of security needs, said Paul
    Rodgers, senior executive at the Critical Infrastructure Assurance Office,
    which is leading the national effort to protect critical systems. "The
    dangers are increasing, and we think the GAO report delivers an important
    message to NASA and other agencies," Rodgers said.
    
    The GAO/NSA team could not penetrate certain pockets of NASA's systems
    because network administrators either carefully controlled system access
    privileges or used patches for known operating system flaws. If expanded
    to the whole agency, such simple fixes could protect systems better
    because hackers usually will move on to systems with easily exploitable
    weaknesses, de Ferrari said. 
    
    
    


