NASA’s internal computer network is full of holes and is extremely vulnerable to an external cyberattack, an audit by the Office of the Inspector General has found. Even worse, it appears several of the vulnerabilities have been known for months, yet remained unpatched.
“Six computer servers associated with IT [information technology] assets that control spacecraft and contain critical data had vulnerabilities that would allow a remote attacker to take control of or render them unavailable,” the audit report released today (March 28) by Inspector General Paul K. Martin said.
“The attacker could use the compromised computers to exploit other weaknesses we identified, a situation that could severely degrade or cripple NASA’s operations,” the report continued. “We also found network servers that revealed encryption keys, encrypted passwords, and user account information to potential attackers.”
It is not unusual for previously unknown network security holes to be found in large organizations. In that light, Martin’s audit might have been seen as positive for revealing the vulnerabilities.
But it’s long been known that security on NASA networks is weak. Martin’s office released a previous audit report nearly a year ago, and since then nothing has been done to remedy the situation.
“In a May 2010 audit report, we recommended that NASA immediately establish an IT security oversight program for this key network,” today’s report reads. “However, even though the Agency concurred with the recommendation it remained unimplemented as of February 2011.”
“Until NASA addresses these critical deficiencies and improves its IT security practices,” it goes on to say, “the Agency is vulnerable to computer incidents that could have a severe to catastrophic effect on Agency assets, operations, and personnel.”
A Government Accountability Office report in October 2009 was similarly critical of the agency, finding that “NASA has not yet fully implemented key activities of its information security program to ensure that controls are appropriately designed and operating effectively.”
NASA’s servers have been broken into many times in the past. Martin’s new report mentions two serious breaches in 2009, during one of which intruders stole “22 gigabytes of export-restricted data from a Jet Propulsion Laboratory (JPL) computer system.”
British hacker Gary McKinnon is awaiting extradition to the U.S. for allegedly hacking into NASA’s networks, as well as those of the Department of Defense, in 2001 and 2002.
Martin’s office recommends that NASA “expedite implementation of our May 2010 recommendation to establish an IT security oversight program for NASA’s Agency-wide mission network.”
This story was provided by SecurityNewsDaily, a sister site to SPACE.com.