Cyber Defense Review

The Number One Vulnerability in the Future of Cyber Security: A Critical Lesson for all Organizations

By Mark Soldo | June 28, 2016

Since 1958, NASA has been the foremost symbol of American excellence in science and exploration, inspiring generations of engineers around the globe to achieve the impossible through advanced technology. With each of its defining events, NASA pushes humanity further into the future, bringing scientists more information about our universe than ever dreamt possible. But while NASA was reaching for the stars, other forces were secretly at work. In the dark recesses of the agency’s computers and network servers, intruders were lurking. After months of covert access, a hacktivist group called AnonSec obtained 276GB of sensitive data including flight logs, videos, and personal information from thousands of employees (Thalen 2016). This post examines how such an established institution of advanced technology could fall prey to cyber hacking, the glaring warning signs, and the one key lesson all organizations should learn from this historical event.

The Back Story

What sets the 2014 NASA data breach apart from other hacking events is the unprecedented insight provided by the hackers themselves. AnonSec, a hacktivist group claiming responsibility for compromising over 720 websites and networks, claimed the NASA breach. To support their claim they posted large quantities of supporting evidence. AnonSec also publicly posted a paper called “Zine”, detailing how they gained access to NASA’s networks and computer systems, the content they obtained, and why.

Although their writings appear to focus on exposing drone and “chemtrail” technology, this was not their primary objective. When AnonSec initially hacked NASA they were looking for “interesting/profitable” data on the NASA networks (AnonSec 2015). But as they dug deeper into the systems, they discovered more than they were originally expecting. Though cyber-news outlets have hyped the story by focusing on the brow-raising NASA content released by AnonSec, there is a much greater value in focusing on how this breach occurred.

Breaking into the Network

The initial “foot-hold”, as AnonSec characterized it, was actually purchased from an individual who had prior knowledge of the Content Management Systems (CMS) used by NASA along with other vulnerabilities in their network (AnonSec 2015). One of those vulnerabilities was a sophisticated strain of malicious code known as the Gozi Trojan, with which the NASA computer systems were already infected. This malware was developed by individuals not associated with AnonSec, but rather by cyber thieves seeking to profit from it. Although Gozi targeted financial institutions, it also infected over a million computers (Krebs 2016). Gozi injects code into operating systems and browsers, allowing the activities of a victim to be monitored, including form-grabbing and web-injections (Safran 2016). The information AnonSec purchased, coupled with the powerful hacking tools provided by Gozi, provided the opening they needed. However, this opening was just the beginning of the challenges they would face as they moved through NASA’s network.

AnonSec’s first shell into NASA’s network had only user account privileges. This came with significant limitations and prevented access to the various directories they needed and to the commands they wanted to run. Their attempts to spear-phish the root password also failed, so once again they needed the help of a fellow hacker known as MA, or the “Mauritania Attacker”. With MA’s 2014 bypass and symlink exploits, they were finally able to simulate root in the network’s Linux system, and this ultimately gave them the access they needed and the ability to “run any command they desired” (AnonSec 2015).

After their initial penetration AnonSec began to map the network. In their Zine publication, AnonSec describes a process of scanning for active nodes on the network, investigating all IP addresses and domain names, scanning ports, and running passive OS/BIOS fingerprinting. Once they had an understanding of the operating systems and other applications running on the network, they researched the Common Vulnerabilities and Exposures (CVEs) for additional advantage. For example, for applications such as MySQL, they simply ran a password-cracking utility called Bruteforce to gain entry. But even as AnonSec (2015) notes, these utilities are only effective when administrators do not change the default passwords to something long and complex. Unfortunately for NASA, this was indeed the case.

As AnonSec accessed more and more systems they left sniffer software to retrieve more accounts and passwords until finally they had open access to NASA’s networks at the Glenn Research Center, Goddard Space Flight Center, and Dryden Flight Research Center. At this point, members of AnonSec began aggressively accessing data and reviewing it. From here AnonSec’s objective evolved to exposing NASA drone activity and more prominently, their atmospheric aerosol experiments commonly referred to as chemtrails.

The sophisticated methods used by AnonSec could have been mitigated. NASA had ample warning of their vulnerabilities yet did not adequately change course despite having plenty of time to do so. The failure to mitigate risk reflects a cultural failure within NASA’s InfoSec leadership and highlights a common problem facing multiple government agencies.

A Warning from the GAO

It is shocking to know that five years prior to the AnonSec breach, the Government Accountability Office (GAO) warned NASA about their weak cybersecurity practices, some of which specifically enabled the AnonSec breach. In a prophetic report to Congress, the GAO (2009) noted that NASA implemented various information security controls, but had weaknesses in the following critical areas:

  1. Electronic access controls were not effectively implemented, allowing potential unauthorized access. This included control of user accounts, passwords, access rights, encryption of sensitive data, and network monitoring practices.
  2. Other information systems controls were not effectively implemented, which left system vulnerabilities unaddressed. This included managing system configurations and installing current system patches.

The key reasons cited for these issues were NASA’s failure to implement information security programs in accordance with the latest industry standards. For example, the National Institute of Standards and Technology (NIST) states that passwords should be long and complex enough to inhibit attackers. As noted by AnonSec, even system administrators failed to implement complex passwords and at times did not even change the default passwords that came with the various systems. NIST also calls for passwords to be encrypted, so that password-cracking utilities such as those used by AnonSec will not be effective. Furthermore, the GAO noted that some administrators did not configure their systems to force long/complex passwords (GAO 2009).
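The two password weaknesses the GAO and AnonSec both point to, unchanged default credentials and short or simple passwords, are straightforward to audit for. The script below is an added example written for this article; it is not NASA, GAO or NIST code. It checks account records against an assumed policy (a 12-character minimum, three character classes, and no username inside the password) and against a constructed list of vendor default credentials, and shows salted PBKDF2 storage so a captured password database cannot simply be read back. The thresholds and the default-credential list are assumptions to adjust to your own standard.

```python
"""Added example (not from the article or from NASA/GAO/NIST): audits
account records against a simple NIST-style password policy and a list
of constructed vendor default credentials, and stores passwords as
salted PBKDF2 hashes rather than cleartext."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed list modelled on typical appliance defaults; the real
# defaults on any given system are not taken from the page.
DEFAULT_CREDENTIALS = {
    ("root", ""),
    ("root", "root"),
    ("admin", "admin"),
    ("admin", "password"),
}

MIN_LENGTH = 12  # assumed policy threshold; set per your own standard


def policy_violations(username: str, password: str) -> list:
    """Return the list of policy findings for one account (empty = compliant)."""
    findings = []
    if (username, password) in DEFAULT_CREDENTIALS:
        findings.append("default credential")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        findings.append("fewer than 3 character classes")
    if username and username.lower() in password.lower():
        findings.append("contains the username")
    return findings


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Encode a password as salted PBKDF2-HMAC-SHA256 for storage."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit(accounts):
    """accounts: iterable of (username, cleartext_password) pairs, as an
    administrator has them during a reset campaign. Returns only the
    non-compliant accounts, mapped to their findings."""
    return {u: f for u, p in accounts if (f := policy_violations(u, p))}


if __name__ == "__main__":
    # Constructed sample accounts, including two that mirror the failures
    # described in the article (an unchanged default and a weak DB password).
    SAMPLE = [("root", "root"), ("mysql", "mysql123"),
              ("ops", "Corr3ct-Horse-Battery!")]
    for user, findings in audit(SAMPLE).items():
        print(f"{user}: {'; '.join(findings)}")
    stored = hash_password("Corr3ct-Horse-Battery!")
    print(verify_password("Corr3ct-Horse-Battery!", stored),
          verify_password("root", stored))
```

Run it as-is to see the two weak accounts flagged and the compliant one pass; in practice `audit` would be fed from a reset workflow rather than from stored cleartext, since the stored form should only ever be the salted hash that `hash_password` produces.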

The National Security Agency (NSA) advises administrators to encrypt their systems. Systems that are not encrypted are susceptible to eavesdropping software that can record user accounts and passwords. The GAO noted that although NASA implemented some forms of cryptography, they did not always employ a robust encryption algorithm for all their sensitive information as recommended by the NSA. Instead, network devices including routers and switches were managed with unencrypted protocols (GAO 2009).
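The unencrypted management protocols the GAO describes leave credentials readable to exactly the kind of sniffer AnonSec left behind. The script below is an added example for this article, not code from the GAO or NSA, and it assumes an IOS-style router configuration (the sample configuration is constructed). It flags the common cleartext management settings (Telnet on a VTY line, the HTTP management interface, SNMP v1/v2c community strings, and a reversibly encoded enable password) and names the encrypted counterpart for each.

```python
"""Added example (not from the article, GAO or NSA): flags cleartext
management protocols in an IOS-style device configuration and suggests
the encrypted counterpart for each finding."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    text: str
    issue: str
    remediation: str


# (pattern, issue, remediation) for common cleartext management settings.
# The command syntax is IOS-style; adapt the patterns for other platforms.
CHECKS = [
    (re.compile(r"^\s*transport input\b.*\b(telnet|all)\b"),
     "Telnet accepted on a management line",
     "transport input ssh"),
    (re.compile(r"^\s*ip http server\b"),
     "HTTP management interface enabled",
     "no ip http server, then ip http secure-server"),
    (re.compile(r"^\s*snmp-server community\b"),
     "SNMP v1/v2c community string (no authentication or encryption)",
     "SNMPv3 with authPriv (snmp-server group ... v3 priv)"),
    (re.compile(r"^\s*enable password\b"),
     "enable password stored with a reversible encoding",
     "enable secret"),
]


def audit_config(config_text: str) -> list:
    """Return one Finding per matching configuration line, in file order."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), start=1):
        for pattern, issue, fix in CHECKS:
            if pattern.search(line):
                findings.append(Finding(no, line.strip(), issue, fix))
    return findings


# Constructed sample configuration: the hostname and the enable password
# value are made up for the example.
SAMPLE_CONFIG = """\
hostname core-rtr-01
enable password Sup3rS3cret
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.issue}\n    {f.text}\n    fix: {f.remediation}")
```

Note that the second VTY block, which only allows SSH, produces no finding, and that a `no ip http server` line would not match the HTTP check because the pattern is anchored at the start of the command; the audit reports only the settings that actually expose credentials in the clear.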

The GAO also noted weaknesses in NASA’s boundary protection between networks. Although NASA segregated sensitive data, the paths from one server to another were not adequately controlled. The risk of unauthorized access greatly increases the more connectivity there is, and the GAO report noted that NASA did not always control the logical and physical pathways between systems.

Finally, the GAO highlighted the human element of NASA’s cyber security issues. From network users, to network administrators, to senior leadership, all play a critical role in the culture of security. Establishing security policies and procedures, creating accountability, monitoring networks for vulnerabilities and following up on non-compliance all support the people element of a security-minded culture. GAO (2009) noted that NASA had some weaknesses in this area. For example, password guidelines were not followed, administrators did not consistently and comprehensively scan systems for vulnerabilities, password management was generally poor, and leadership failed to ensure earlier security recommendations were addressed.

A Glaring Lesson Learned

As the sophistication of cyber-hacking advances, so too will the tools and techniques of the system administrator. This cold war of the cyber realm will continually escalate on both sides, making the lives of hacker and administrator alike more complex with each passing day. From the hacker’s perspective, gaining access to a network will become increasingly dependent on the human factor as systems administrators layer security mechanisms and enhance the robustness of their security infrastructures.

Yet, behind all network protocols, firewalls, and encrypted passwords are human beings. And like everyone else, these humans have feelings, ambitions, and weaknesses that can be exploited. This will make them the greatest cyber-risk to any organization. Whether it is a network user falling prey to the ever-present phishing attempts, a system administrator not establishing a rigorous set of cybersecurity protocols, or an individual giving in to outright bribery, the human factor is indeed the number one risk in the future of cybersecurity. As stated by the NASA hacker himself, “…people will ALWAYS be the biggest vulnerability in any networked system” (AnonSec 2009).

Whether rocket scientists or family businesses, impressing upon people and organizations the importance of good security practices remains vital. Just as NASA’s successes have advanced humankind into the future, so too can their failures.


Notes

AnonSec (2015) Zine. Retrieved from: http://scola.ca/zine.txt

GAO (2009) Information Security. NASA needs to remedy vulnerabilities in key networks. GAO 10-4. United States Government Accountability Office.

Thalen, M. (2016) Hackers allegedly hijack drone after massive breach at NASA. Infowars. Full article retrieved from: http://www.infowars.com/hackers-allegedly-hijack-drone-after-massive-breach-at-nasa/

Krebs, B. (2016) Three charged in connection with “Gozi” trojan. Krebs on Security. Retrieved from: http://krebsonsecurity.com/tag/gozi-trojan/

Russon, M. (2016) NASA hack: AnonSec attempts to crash $222M drone, releases secret flight videos and employee data. International Business Times. IBTimes Co., Ltd. Article retrieved from: http://www.ibtimes.co.uk/nasa-hack-anonsec-attempts-crash-222m-drone-releases-secret-flight-videos-employee-data-1541254

Safran, O. (2016) Gozi banking trojan upgrades, build to inject into Windows 10 Edge browser. Security Intelligence, IBM. Article retrieved from: https://securityintelligence.com/gozi-banking-trojan-upgrades-build-to-inject-into-windows-10-edge-browser/