What’s Wrong with NASA’s IT Department??

I don’t know if you have been following certain news items regarding NASA but I have and I really can’t work out what is going on.  It seems that someone somewhere in the chain of command really hasn’t got their eye on the ball … any ball in fact …

Firstly, in 2002 you may have heard about the case of Gary McKinnon who was caught ‘hacking’ (I’ll explain further why that’s in quotes later!) NASA computer systems.  He was attempting to find, or rather corroborate, some claims that he had found about the fact that NASA has teams of people that spend their time erasing details from official photos before general release.  These teams of people are apparently referred to as ‘Strippers’ due to their job of stripping details.

So why ‘hacking’.  I’m sure most peoples stereotypical idea of ‘computer hacking’ is some geekoid sat at a computer with streams of digits and characters flowing over their screens in order to ‘crack’ the security layer that protects the inner workings of a corporate or government computer network.  The reality is that Gary was using a tiny dial-up modem (likely running at 56kbps) which is miniscule in comparison to the now ubiquitous multi megabyte broadband connections that are popular today.  Anyone that was taking their ‘hacking’ seriously would not be using such technology.  Gary also didn’t make any attempt to hide the ‘paper trail’ of IP addresses leading back from NASA to him meaning that it was a trivial task to track him down.

However, the most important point about the hole deal is that Gary found that NASA had basically left all their machines wide open.  Computers have what are known as ‘User Accounts’.  If you use a computer at work and you have to log on, you will be logging on using a ‘User Account’.  Once you are logged on the rights and permissions associated with that account govern what you are allowed to do to that machine or the network you have logged on too.  For instance you may not be able to install software, change network settings etc … in order to perform these sorts of tasks there is a default ‘Local Administrator’ account.  These ‘Local Administrator’ accounts have full control over the machine and allow anyone logged on with this account to change any and all settings on that machine.  Gary found that the machines at the NASA facilities he ‘hacked’ HAD A BLANK ADMINISTRATORS PASSWORD … I can’t stress that enough, its amazing, its a school boy IT error to make.  At my place of work this is grounds for an internal investigation and heads would roll basically, its such a fundamental mistake that to my mind it makes NASA grossly negligent in terms of protecting its IT infrastructure.  So basically, Gary didn’t even need to ‘hack’ anything … it was left wide open … unprotected and asking for trouble.  The dictionary.com definition for hack is:

Computers. to devise or modify (a computer program), usually skillfully.

I argue that no skill is involved in order to obtain access to a computer system that is left with a blank administrator password, you don’t have to do any work at all in order to access that machine.  Bascially the person at NASA in charge of IT infrastructure security should be extremely embarrassed over this, if not sacked outright.

This isn’t all …

Yesterday I read in the news that a laptop aboard the International Space Station is infected with a W32.Gammima.AG worm!!!  And it was also admitted that this isn’t the first time!!  Our corporate network at my place of work has not had a virus infection problem in years … I personally have not had a virus infection problem in years either.  OK, its fair to say that NASA has a much higher profile that either of these examples but the virus is not targeting NASA specifically, its a well known 1 year old virus … on a laptop … floating in space … in the International Space Station.  Apparently its ‘OK’ since the laptop is not critical to any command and control operations.  I personally think that is a good thing but its also splitting hairs …

What is wrong with NASA’s IT Department??  What are they doing???

And they have the gall to extradite a UK citizen when in fact its their own utter lackadaisical excuse for IT security that is to blame …

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.