There are over 10,000 machines that are currently infected by malware in Nasa, showing that the US space agency definitely does not have the best possible cybersecurity practices and needs to completely overhaul how it secures its internal network, a leading security firm has warned.
On Monday 1 February, IBTimes UK broke the news that AnonSec hackers had succeeded in hacking into Nasa's internal network for several months without being detected, getting into the networks of three space centers and stealing a huge amount of data relating to Nasa employees, flight logs and videos taken from Nasa's research drones and weather radars, as well as attempting to crash a Global Hawk drone into the Pacific Ocean.
Nasa has responded to IBTimes UK and is completely denying that the attempted drone hijack ever took place.
"Control of our global hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations," said Nasa spokesperson Allard Beutel.
"NASA strives to make our scientific data publicly available, including large data sets, which seems to be how the information in question was retrieved. Our Open Data websites Open.NASA.gov, Data.NASA.gov, API.NASA.gov, Code.NASA.gov and GitHub.com/NASA offer easier access and use of NASA data through tools and shared experiences using more than 30,000 datasets."
But 10,000 machines in Nasa's network are broadcasting malware signatures
However, the data dump of information uploaded by AnonSec, in its zipped format, is 250GB. In fact it is so big that the data is still being extracted at IBTimes UK's offices so that we can verify the claims made by the hackers.
But even without the actual files that the hackers stole in our hands, SecurityScorecard, a leading US security firm specialising in security intelligence and network protection says that AnonSec is right – Nasa's cybersecurity really isn't that great.
"We have a big data engine and a network of honey pots that non-invasively intercept and collect security signals from across the entire internet, including the public web, the deep web and the dark web. Nasa has a slew of network misconfigurations. Over the last year, we found over 10,000 malware signatures originating from Nasa's network, meaning that 10,000 machines have been affected by malware and are communicating back to the owners of that malware," SecurityScorecard COO and co-founder Sam Kassoumeh told IBTimes UK.
"To give you context, on average, if you put all the US government agencies' infrastructure together, we've seen only roughly 760 malware signatures per year."
The problem, Kassoumeh explains, is not that Nasa doesn't have a network perimeter defence to keep hackers out, but rather that the perimeter hasn't been properly configured, and the internal network hasn't been properly secured, so once a hacker gets in, they can easily access different parts of the network.
Over 30 critical Nasa databases are currently exposed to the public web
"We've seen at least 30 critical databases run by Nasa that are publicly exposed to the internet so that anybody can connect to them. Now, that's a big no-no. Databases are the central storage mechanism for the network," said Kassoumeh.
According to Thomas Fox-Brewster of Forbes, who spoke to the hackers over Jabber, AnonSec initially purchased initial access to the network from Chinese hackers using Bitcoin in 2013, then discovered that many of the administrator credentials for Nasa computers and servers were left on default, so they explored the network looking for systems to exploit until they found some.
"The method AnonSec described is highly credible and in line with hacker techniques. I think it is a very common pathway to a breach. If you look back to when RSA was hacked back in 2011, we saw the same pattern and behaviour from the hackers, where they penetrated the network and then, like a ninja, they spent weeks or months going undetected, performing reconnaissance before they struck. That's a sign of a very sophisticated, very skilled, very patient group of individuals," stressed Kassoumeh.
"What the hackers have described, of having a type of configuration where they have a wall around the perimeter, but no security inside – that is very common in a majority of enterprise companies today. Once a hacker is inside the network, the security control can be quite lax. In this case with Nasa, it appears they first, did not have proper segregation of their data, and second, it appears no one within Nasa is monitoring the behaviour of administrative accounts.
"These are really rudimentary mistakes Nasa is making, and since they're a mature organisation, this is really concerning."
Everyone needs to be closely monitoring root administrator accounts
Kassoumeh says that there were probably signs that the hackers had infiltrated Nasa's internal network during the months that the hackers were exploring and stealing data, but because no one was monitoring the key administration accounts, the infiltration was missed.
"I'm sure Nasa has a very complex technology ecosystem, so I imagine the management and maintenance is very challenging. What often happens is that the company has difficulties in enforcing security continuities across their entire organisation, so If the system administrator misconfigures a system in one location, it may not be detected by other administrators who are watching the network. This often leads to a breach," said Kassoumeh.
"Usually, administration accounts perform the same set of routine tasks. To prevent a breach, organisations can set up a rule whereby if they see a generic system account accessing a drone flight path at 3am, for example, you know that the system has been compromised."
If companies are interested in seeing how strong their network defences are, they can get a free diagnosis at Instant SecurityScorecard.