[ISN] GAO: NASA systems full of holes.

From: cult hero <jericho_at_dimensional.com>
Date: Thu 27 May 1999 - 03:56:28 CDT
From: anon

http://www.fcw.com/pubs/fcw/1999/0524/fcw-newsnasa-5-24-99.html

MAY 24, 1999 
GAO: NASA systems full of holes 
BY DIANE FRANK (diane_frank@fcw.com)

Out-of-date information security policies have left significant
vulnerabilities in NASA's mission-critical systems that could allow
unauthorized users to steal, modify or delete important operational data,
according to a General Accounting Office report released last week. 

GAO, working over the past year with experts from the National Security
Agency and using nothing more than public Internet access, was able to
gain access to several unclassified mission-critical systems, including
those supporting the command and control of spacecraft.

According to GAO, NASA has not created enough awareness among its
employees about common security mistakes and vulnerabilities, such as
easily guessed passwords. NSA initially breached some systems using
passwords such as "guest" for guest accounts and "adm" for system
administrators, opening the door for broader access to agency systems.

"The way we got in was through commonly known security faults," said John
de Ferrari, assistant director of the Accounting and Information
Management Division at GAO.

GAO concluded that it was able to penetrate systems because NASA does not
have a consistent information security management policy that the entire
agency follows. "A lot of what needs to be done is awareness-related; you
never seem to get enough awareness of computer security," de Ferrari said.

GAO found that NASA did not have many policies regarding Internet and
network security, and some policies the agency did have were out of date
or were not followed.

"We Had Become Quite Lax"

"The fact of the matter is, we had become quite lax in the agency in terms
of passwords," said Lee Holcomb, NASA's chief information officer. NASA now
is scanning user passwords for ones that could be easily cracked and
checking new passwords for vulnerabilities.

"We take very seriously our responsibility for safeguarding our IT assets,
and after Y2K, security is our No. 1 priority," Holcomb said. "They
acknowledge that they did not succeed in penetrating several systems, but
the fact that they did succeed is troubling to us. It is a wake-up call to
the agency."

This report is an important addition to the work already occurring
throughout government to raise awareness of security needs, said Paul
Rodgers, senior executive at the Critical Infrastructure Assurance Office,
which is leading the national effort to protect critical systems. "The
dangers are increasing, and we think the GAO report delivers an important
message to NASA and other agencies," Rodgers said.

The GAO/NSA team could not penetrate certain pockets of NASA's systems
because network administrators either carefully controlled system access
privileges or used patches for known operating system flaws. If expanded
to the whole agency, such simple fixes could protect systems better
because hackers usually will move on to systems with easily exploitable
weaknesses, de Ferrari said. 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: OSAll [www.aviary-mag.com]
Received on Sun May 30 14:14:56 1999