Cyber Defense Review

The Number One Vulnerability in the Future of Cyber Security: A Critical Lesson for all Organizations

By Mark Soldo | June 28, 2016

Since 1958, NASA has been the foremost symbol of American excellence in science and exploration, inspiring generations of engineers around the globe to achieve the impossible through advanced technology. With each of its defining events, NASA pushes humanity further into the future, bringing scientists more information about our universe than ever dreamt possible. But while NASA was reaching for the stars, other forces were secretly at work. In the dark recesses of the agency’s computers and network servers, intruders were lurking. After months of covert access, a hacktivist group called AnonSec obtained 276GB of sensitive data including flight logs, videos, and personal information from thousands of employees (Thalen 2016). This post examines how such an established institution of advanced technology could fall prey to cyber hacking, the glaring warning signs, and the one key lesson all organizations should learn from this historical event.

The Back Story

What sets the 2014 NASA data breach apart from other hacking events is the unprecedented insight provided by the hackers themselves. AnonSec, a hacktivist group claiming responsibility for compromising over 720 websites and networks, claimed the NASA breach and posted large quantities of supporting evidence. AnonSec also publicly posted a paper called “Zine” detailing how they gained access to NASA’s networks and computer systems, the content they obtained, and why.

Although their writings appear to focus on exposing drone and “chemtrail” technology, this was not their primary objective. When AnonSec initially hacked NASA they were looking for “interesting/profitable” data on the NASA networks (AnonSec 2015). But as they dug deeper into the systems, they discovered more than they had originally expected. Though cyber-news outlets have hyped the story by focusing on the brow-raising NASA content released by AnonSec, there is much greater value in focusing on how this breach occurred.

Breaking into the Network

The initial “foot-hold”, as AnonSec characterized it, was actually purchased from an individual who had prior knowledge of the Content Management Systems (CMS) used by NASA along with other vulnerabilities in their network (AnonSec 2015). One of those vulnerabilities was a sophisticated strain of malicious code known as the Gozi Trojan, with which NASA computer systems were already infected. This virus was developed not by AnonSec but by cyber thieves seeking to profit from it. Although Gozi targeted financial institutions, it also infected over a million computers (Krebs 2016). Gozi injects code into operating systems and browsers, allowing a victim’s activities to be monitored, including form-grabbing and web-injections (Safran 2016). The information AnonSec purchased, coupled with the powerful hacking tools provided by Gozi, provided the opening they needed. However, this opening was just the beginning of the challenges they would face as they moved through NASA’s network.

AnonSec’s first shell into NASA’s network had only user account privileges. This came with significant limitations and prevented access to the various directories they needed and to the commands they wanted to run. Their attempts to spear-phish the root password also failed, so once again they needed the help of a fellow hacker known as MA, or the “Mauritania Attacker”. With MA’s 2014 bypass and symlink exploits, they were finally able to simulate root in the network’s Linux system, and this ultimately gave them the access they needed and the ability to “run any command they desired” (AnonSec 2015).

After their initial penetration AnonSec began to map the network. In their Zine publication, AnonSec describes a process of scanning for active nodes on the network, investigating all IP addresses and domain names, scanning ports, and running passive OS/BIOS fingerprinting. Once they had an understanding of the operating systems and other applications running on the network, they researched the Common Vulnerabilities and Exposures (CVEs) for additional advantage. For example, for applications such as MySQL, they simply ran a password-cracking utility called Bruteforce to gain entry. But as AnonSec (2015) notes, these utilities are only effective when administrators do not change the default passwords to something long and complex. Unfortunately for NASA, this was indeed the case.
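Brute-force logins of the kind described above leave a loud trail in the service's own logs, and a defender who watches for it will see the attack long before a default password gives way. The following is an added example written for this article, not code from the Zine, NASA or the GAO: it parses constructed log lines in the style of MySQL's error log (the timestamps, usernames and addresses are fictitious) and alerts when one source host accumulates repeated "Access denied" events inside a sliding time window, recording which usernames were tried so an analyst can tell a single-account attack from password spraying.

```python
"""Detect credential brute-forcing against a database service from its error log.

Added defensive example (not from the article or AnonSec's zine). The log
lines below are constructed in MySQL error-log style and are not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; every timestamp, user and address is fictitious.
SAMPLE_LOG = """\
2016-06-28T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2016-06-28T10:00:02.000000Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2016-06-28T10:00:02.500000Z 14 [Note] Access denied for user 'admin'@'203.0.113.5' (using password: YES)
2016-06-28T10:00:03.000000Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2016-06-28T10:00:03.200000Z 16 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2016-06-28T10:00:03.400000Z 17 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2016-06-28T10:05:00.000000Z 18 [Note] Access denied for user 'appuser'@'198.51.100.7' (using password: YES)
2016-06-28T10:40:00.000000Z 19 [Note] Access denied for user 'appuser'@'198.51.100.7' (using password: NO)
2016-06-28T11:00:00.000000Z 20 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
"""

# Matches the timestamp, then the connection id and severity, then the
# user@host pair MySQL prints on an authentication failure.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\]\s+Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denials(log_text):
    """Yield (timestamp, user, host) for each access-denied line; skip others."""
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        # MySQL writes UTC timestamps with a trailing 'Z'.
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        yield ts, m.group("user"), m.group("host")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {host: alert} for hosts with >= threshold failures in any window.

    Each alert records when the burst started, how many failures triggered it
    and the set of usernames tried against the service from that host.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # host -> timestamps still inside the window
    users_seen = defaultdict(set)    # host -> usernames attempted so far
    alerts = {}
    for ts, user, host in parse_denials(log_text):
        q = recent[host]
        q.append(ts)
        users_seen[host].add(user)
        # Drop failures older than the window, measured from the newest event.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = {
                "first_seen": q[0],
                "failures_in_window": len(q),
                "users": sorted(users_seen[host]),
            }
    return alerts


if __name__ == "__main__":
    for host, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {host}: {info['failures_in_window']} failures since "
              f"{info['first_seen'].isoformat()} against users {info['users']}")
```

On the constructed sample the detector alerts on 203.0.113.5 after its fifth failure within a minute (two usernames tried) and stays quiet for 198.51.100.7, whose two failures are 35 minutes apart. The threshold and window are the tuning knobs; the useful defensive follow-up is to feed the alert into account lockout or source blocking rather than only logging it.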

As AnonSec accessed more and more systems they left sniffer software to retrieve more accounts and passwords until finally they had open access to NASA’s networks at the Glenn Research Center, Goddard Space Flight Center, and Dryden Flight Research Center. At this point, members of AnonSec began aggressively accessing data and reviewing it. From here AnonSec’s objective evolved to exposing NASA drone activity and more prominently, their atmospheric aerosol experiments commonly referred to as chemtrails.

The sophisticated methods used by AnonSec could have been mitigated. NASA had ample warning of their vulnerabilities yet did not adequately change course despite having plenty of time to do so. The failure to mitigate risk reflects a cultural failure within NASA’s InfoSec leadership and highlights a common problem facing multiple government agencies.

A Warning from the GAO

It is shocking to know that five years prior to the AnonSec breach, the Government Accountability Office (GAO) warned NASA about their weak cybersecurity practices, some of which specifically enabled the AnonSec breach. In a prophetic report to Congress, the GAO (2009) noted that NASA implemented various information security controls, but had weaknesses in the following critical areas:

  1. Electronic access controls were not effectively implemented, allowing potential unauthorized access. This included control of user accounts, passwords, access rights, encryption of sensitive data, and network monitoring practices.
  2. Other information systems controls were not effectively implemented, which left system vulnerabilities unaddressed. These included managing system configurations and installing current system patches.

The key reasons cited for these issues were NASA’s failure to implement information security programs in accordance with the latest industry standards. For example, the National Institute of Standards and Technology (NIST) states that passwords should be long and complex enough to inhibit attackers. As noted by AnonSec, even system administrators failed to implement complex passwords and at times did not even change the default passwords that came with the various systems. NIST also calls for passwords to be encrypted, so password-cracking utilities such as those used by AnonSec will not be effective. Furthermore, the GAO noted that some administrators did not configure their systems to force long/complex passwords (GAO 2009).
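The two password findings in this paragraph, unchanged defaults and weak or unprotected passwords, are both addressed at the moment an account is provisioned. The following is an added example written for this article, not code from NASA, NIST or the GAO: it rejects passwords that are short, use too few character classes, match a known default or contain the username, and stores the ones that pass as salted PBKDF2 hashes rather than in a recoverable form. The default-credential list, the 14-character minimum and the sample accounts are constructed for illustration.

```python
"""Enforce a password policy at set-time and store passwords as salted hashes.

Added example for the GAO password findings discussed in the article; it is
not code from the article, NASA, NIST or the GAO. The default-credential
list, policy thresholds and sample accounts are constructed.
"""
import hashlib
import hmac
import os
import string

# Constructed list of vendor-style defaults that must never survive deployment;
# a real deployment would maintain a far longer list.
KNOWN_DEFAULTS = {"admin", "password", "root", "changeme", "default", "mysql", "letmein"}

MIN_LENGTH = 14          # constructed policy value
PBKDF2_ROUNDS = 100_000  # work factor for the stored hash


def check_policy(password, username=""):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than 3 character classes")
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("is a known default credential")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' using a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash record")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_accounts(accounts):
    """Audit (username, password) pairs at provisioning time.

    Returns ({username: [violations]}, {username: hash_record}): the first
    holds accounts that must not be provisioned as-is, the second the stored
    records for those that passed.
    """
    rejected, records = {}, {}
    for user, pw in accounts:
        problems = check_policy(pw, user)
        if problems:
            rejected[user] = problems
        else:
            records[user] = hash_password(pw)
    return rejected, records


if __name__ == "__main__":
    # Constructed sample accounts: an unchanged default, a short seasonal
    # password, and one that meets the policy.
    sample = [("root", "root"), ("dbadmin", "Summer2016"), ("ops", "Glenn-Goddard-Dryden-2016!")]
    rejected, records = audit_accounts(sample)
    for user, problems in rejected.items():
        print(f"REJECT {user}: " + "; ".join(problems))
    for user, record in records.items():
        print(f"OK     {user}: stored as {record[:40]}...")
```

The stored record carries its own salt and round count, so the work factor can be raised later without invalidating existing entries, and because only salted digests are kept, a copied credential table does not hand an attacker the passwords the way the sniffed and default credentials in this breach did.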

The National Security Agency (NSA) advises administrators to encrypt their systems. Systems that are not encrypted are susceptible to eavesdropping software that can record user accounts and passwords. The GAO noted that although NASA implemented some forms of cryptology, they did not always employ a robust encryption algorithm for all their sensitive information as recommended by the NSA. Instead, network devices including routers and switches were managed with unencrypted protocols (GAO 2009).
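Unencrypted management of routers and switches is easy to find by inspecting the device configuration, and the check is worth automating across a fleet. The following is an added example written for this article, not tooling from NASA, the GAO or the NSA: it scans constructed Cisco IOS-style configurations (the hostnames and settings are fictitious) for telnet on the vty lines, the plaintext HTTP server and SNMP v1/v2c community strings, and shows the hardened counterpart of each setting beside the weak one.

```python
"""Flag cleartext management protocols in network device configurations.

Added example for the GAO finding on unencrypted router and switch
management; not code from the article, NASA or the GAO. The configurations
are constructed in Cisco IOS style.
"""
import re

# Constructed configuration with the weak settings the checks look for.
WEAK_CONFIG = """\
hostname core-rtr-1
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same constructed device after remediation.
HARDENED_CONFIG = """\
hostname core-rtr-1
no ip http server
ip http secure-server
snmp-server group netops v3 priv
line vty 0 4
 transport input ssh
 login local
"""


def audit_management_config(config):
    """Return findings as (line_number, config_line, issue, remediation) tuples."""
    findings = []
    in_vty = False
    for n, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        # Indented lines belong to the preceding top-level block.
        if not line.startswith(" "):
            in_vty = line.startswith("line vty")
        if in_vty:
            m = re.match(r"^\s+transport input\s+(.+)$", line)
            if m:
                protocols = set(m.group(1).split())
                if protocols & {"telnet", "all"}:
                    findings.append((n, line.strip(),
                                     "cleartext telnet permitted on vty lines",
                                     "transport input ssh"))
            continue
        if re.match(r"^ip http server\b", line):
            findings.append((n, line, "plaintext HTTP management enabled",
                             "no ip http server / ip http secure-server"))
        elif re.match(r"^snmp-server community\s", line):
            findings.append((n, line, "SNMP v1/v2c community string travels in cleartext",
                             "snmp-server group <name> v3 priv"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_management_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for n, line, issue, fix in findings:
            print(f"  line {n}: '{line}' -> {issue}; use: {fix}")
```

The weak configuration yields three findings and the hardened one none. Running such a check from a configuration backup store, rather than on the live devices, also gives a record of when a cleartext protocol was introduced, which is the kind of monitoring the GAO report found lacking.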

The GAO also noted weaknesses in NASA’s boundary protection between networks. Although NASA segregated sensitive data, the paths from one server to another were not adequately controlled. The risk of unauthorized access increases greatly with connectivity, and the GAO report noted that NASA did not always control the logical and physical pathways between systems.

Finally, the GAO highlighted the human element of NASA’s cyber security issues. From network users, to network administrators, to senior leadership, all play a critical role in the culture of security. Establishing security policies and procedures, creating accountability, monitoring networks for vulnerabilities and following up on non-compliance all support the people element of a security-minded culture. GAO (2009) noted that NASA had some weaknesses in this area. For example, password guidelines were not followed, administrators did not consistently and comprehensively scan systems for vulnerabilities, password management was generally poor, and leadership failed to ensure earlier security recommendations were addressed.

A Glaring Lesson Learned

As the sophistication of cyber-hacking advances, so too will the tools and techniques of the system administrator. This cold-war of the cyber realm will continually work against the hacker and the administrator, making both their lives much more complex with each passing day. From the hacker’s perspective, gaining access to a network will become dependent on the human factor as systems administrators layer security mechanisms and enhance the robustness of their security infrastructures.

Yet, behind all network protocols, firewalls, and encrypted passwords are human beings. And like everyone else, these humans have feelings, ambitions, and weaknesses that can be exploited. This will make them the greatest cyber-risk to any organization. Whether it is a network user falling prey to the ever-present phishing attempts, a system administrator not establishing a rigorous set of cybersecurity protocols, or an individual giving in to outright bribery, the human factor is indeed the number one risk in the future of cybersecurity. As stated by the NASA hacker himself, “…people will ALWAYS be the biggest vulnerability in any networked system” (AnonSec 2009).

Whether rocket scientists or family businesses, impressing upon people and organizations the importance of good security practices remains vital. Just as NASA’s successes have advanced humankind into the future, so too can their failures.

Notes

AnonSec (2015) Zine. Retrieved from: http://scola.ca/zine.txt

GAO (2009) Information Security. NASA needs to remedy vulnerabilities in key networks. GAO 10-4. United States Government Accountability Office.

Thalen, M. (2016) Hackers allegedly hijack drone after massive breach at NASA. Infowars. Retrieved from: http://www.infowars.com/hackers-allegedly-hijack-drone-after-massive-breach-at-nasa/

Krebs, B. (2016) Three charged in connection with “Gozi” trojan. Krebs on Security. Retrieved from: http://krebsonsecurity.com/tag/gozi-trojan/

Russon, M. (2106) NASA hack, AnonSec attempts to crash $222M drone, releases secret flight videos and employee data. International Business Times. Retrieved from: http://www.ibtimes.co.uk/nasa-hack-anonsec-attempts-crash-222m-drone-releases-secret-flight-videos-employee-data-1541254

Safran, O. (2016) Gozi banking trojan upgrades, build to inject into Windows 10 Edge browser. Security Intelligence, IBM. Retrieved from: https://securityintelligence.com/gozi-banking-trojan-upgrades-build-to-inject-into-windows-10-edge-browser/
