Feeds

Stolen NASA laptop had Space Station control codes

And no encryption for supervillains to crack

Combat fraud and increase customer satisfaction

A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency's inspector general told a US House committee.

NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was stolen in March 2011, which "resulted in the loss of the algorithms used to command and control the ISS".

Martin also admitted that 48 different agency laptops or mobile devices had been lost or stolen between April 2009 and April 2011 (that NASA knows of). The kit contained sensitive data including third-party intellectual property and social security numbers as well as data on NASA's Constellation and Orion programmes.

The actual number of missing machines could be much higher, because the agency relied on staff to 'fess up when their notebooks were lost or stolen and admit what information was on them.

"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," Martin told the Subcommittee on Investigations and Oversight.

The committee pointed out that it was all very well for Washington to be debating government involvement in private sector cybersecurity issues, but the government might want to remember that its own cybersecurity has had "mixed success".

"Many of the technologies developed and utilised by NASA are just as useful for military purposes as they are for civil space applications.  While our nation’s defense and intelligence communities guard the ‘front door’ and prevent network intrusions that could steal or corrupt sensitive information, NASA could essentially become an unlocked ‘back door’ without persistent vigilance," warned Subcommittee chairman Paul Broun.

As well as facing the continuous disappearance of unencrypted staff laptops, NASA is also subject to increasingly sophisticated cyber attacks, Martin told the hearing.

"In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems," he said.

"These incidents spanned a wide continuum: from individuals testing their skill to break into NASA systems, to well-organised criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives."

He said the intrusions had disrupted mission operations, had resulted in the theft of sensitive data and had cost the agency more than $7m.

Chairman Broun said that since the inspector general's last report on IT security at NASA, the agency had taken steps to follow the IG's recommendations, but said it still needed to do more.

“Despite this progress, the threat to NASA’s information security is persistent, and ever changing. Unless NASA is able to constantly adapt – their data, systems, and operations will continue to be endangered," he said. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.