Stolen NASA laptop contained space station control codes

A laptop stolen from NASA last year was unencrypted and contained command and control codes for the International Space Station, the agency's inspector general told a House subcommittee Wednesday.
/ Source: SecurityNewsDaily

In his testimony before a House Science, Space and Technology subcommittee, NASA Inspector General Paul Martin said the notebook computer stolen in March 2011 "resulted in the loss of the algorithms" used to control the space station. This particular laptop, Martin said, was one of 48 NASA notebooks or mobile devices stolen between April 2009 and April 2011.

Some of these thefts resulted in the leak of sensitive data "including export-controlled, Personally Identifiable Information, and third-party intellectual property," as well as Social Security numbers and data on NASA's Constellation and Orion programs, Martin said.

The actual number of stolen and compromised devices could be much higher because NASA relies on employees to self-report incidents.

In an email, NASA spokesman Trent Perrotto told SecurityNewsDaily that "at no point in time have operations of the International Space Station been in jeopardy due to a data breach."

"NASA has made significant progress to better protect the agency's IT systems and is in the process of implementing the recommendations made by the NASA Inspector General in this area," Perrotto added.

In 2011, NASA, which Martin rightly called a "target-rich environment for cyberattacks," was the target of 47 advanced persistent threats, 13 of which successfully compromised NASA computers.

These attacks are part of the 5,408 cybersecurity incidents in 2010 and 2011 that resulted in unauthorized intrusions or malware being planted on its systems and cost the space agency an estimated $7 million.

"These incidents spanned a wide continuum from individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries' objectives," Martin said.

Some attacks traced to China
In one case, intruders traced to China-based Internet addresses gained full access to key computer systems and sensitive user accounts at NASA's Jet Propulsion Laboratory, Martin said. He said the level of access could have given the intruders the power to:

  • Modify, copy or delete sensitive files.
  • Add, modify or delete user accounts for mission-critical systems.
  • Upload hacking tools to compromise other NASA systems.
  • Modify system logs to cover their tracks.

"In other words, the attackers had full functional control over these networks," Martin said. He said the November 2011 incident was still under investigation.

Romanian hackers implicated
One example of a "skill-testing" hack was the attack perpetrated by "TinKode," a 20-year-old Romanian hacker (real name Razvan Manole Cernainu), who tapped into a computer server at NASA's Goddard Space Flight Center in April 2011.

Another case involves a 25-year-old Romanian national (Robert Butkya, a.k.a. "Iceman"). Last month, Butkya was indicted by a federal grand jury on allegations that he broke into 25 computers that were part of NASA's Atmospheric Infrared Sounder Program. "This series of intrusions resulted in losses of over $500,000," Martin said.

Overall, Martin said computer intrusions "have affected thousands of NASA computers, caused significant disruptions to mission operations and resulted in the theft of export-controlled and otherwise sensitive data."

Few devices use encryption
Martin's testimony highlights the difficulties NASA information technology officials face in securing the agency's laptops and mobile devices. As of Feb. 1, only 1 percent of NASA portable devices and laptops had been encrypted.

"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," he said.

Martin said software vulnerabilities in NASA computers are often left unpatched, a problem stemming from an IT chain of command in which the chief information officer "has limited ability" to fully implement mandated IT security programs across the agency.

This report was supplemented with information from msnbc.com.