Hack Targets NASA's Earth Observation System
Gunkerty Jeb writes "A hacker is claiming that a security hole in a server at NASA's Goddard Space Flight Center has exposed data related to a satellite-based Earth observation system used to aid in disaster relief. The hacker, who uses the handle 'Tinkode,' has published a screen capture from what he claims is an FTP (File Transfer Protocol) server at NASA's Goddard Center. The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency."
Re: (Score:2, Funny)
Jules Winnfield: What do NASA computers look like?
Brett: What?
Jules Winnfield: What OS do they run?!?
Brett: What?
Jules Winnfield: What ain't no OS I ever heard of!! They have SFTP on What?!?
Brett: What?
Jules Winnfield: SFTP Motherfucker! Do they use it?!?
Brett: Yes!
Jules Winnfield: Then you know what I'm transferring?!
Brett: Yes!
Jules Winnfield: Describe what NASA computers look like!!
Re: (Score:2)
This.
That link right there is some brilliant stuff!
Zed: "Bring out the Hack!"
Maynard: "The Hack's not online."
Zed: "Then I guess you'll just have to page him, won't you?"
---
Jules:
"FAQ 25.17: The righteous higher resolution modes require correspondingly more system memory in order to run..."
"Blessed are such modes that are not listed in the video modes menu, for they would only slow down the microprocessor."
---
Fabienne: Whose synthesizer?
Butch: It's not a synthesizer, it's a sampler.
Fabienne: Whose sampler?
B
Dumbing down (Score:3, Insightful)
When FTP needs to be explained on /. it's time to find another "News for Nerds" site.
Re:Dumbing down (Score:4, Insightful)
Re:Dumbing down (Score:4)
I would say defining FTP is just being polite - anyone can come here and browse, some might even want to stay a little while. What's the problem?
Re:Dumbing down (Score:4, Funny)
I, for one, am grateful they explained the acronym, because until I read the next words, I thought NASA had a fuck-the-police server, which didn't make much sense, but that's what the kids writing/spraying FTP around here mean. Unless, of course, this is a neighbourhood of poor geeks...
Re: (Score:2)
It's understandable that it needs to be explained. Nobody except the government and anonymous FTP sites use it anymore. And nobody including the government should be using it.
I've worked on unclassified DOD and NASA projects in the past, and FTP is the default for uploads and downloads. I've never been on a project where personnel would act on an upload without voice confirmation usually involving commands coded in the ICAO phonetic alphabet. I don't know this site, so I don't know if there's anything p
Houston, we have a serious security problem... (Score:3)
Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.
My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures that security gets left to the wayside and then things like this happen (if it indeed DID happen.)
Time to abort the mission until we can verify the mission's security has not been compromised.
Hacking assholes. (Score:1)
Agreed. Although, someone hacking into the SERVIR computers has to be a real goddamn low-life sub-human sack of shit and should be ashamed to even post that they even attempted such a thing.
What next assholes? Breaking into the UNICEF servers or something to delay help to needy children? Do you fucks go around kicking puppies and kittens?
You're not "cool". You're not "l33t" or whatever the fuck you losers call yourselves.
You wanna be "l33t" and "cool"? Invent something that helps humanity, makes a billion,
Re: (Score:3)
This is nothing new: http://en.wikipedia.org/wiki/WANK_(computer_worm) [wikipedia.org]
For whatever reason, NASA is like a flame for hackers' moths. They have interesting, groundbreaking research, a budget and, let's be honest, they have things in orbit, but they aren't going to shoot you in the head like other agencies who may or may not have things up there.
Re: (Score:3)
On the other hand, this data is on a server accessed by "scientists, educators, project managers and policy implementers to better respond to a range of issues including disaster management, agricultural development, biodiversity conservation and climate change"... with "a
Re: (Score:3)
Someone over at NASA, and government agencies in general, need to seriously step-up their security team.
To outsiders, NASA looks like a big monolithic Government agency. The reality is that NASA is schizophrenic. It is really a collection of entities that operate at different levels of control and coordination depending on what particular issue is at hand. When you quote "Houston, we have a serious security problem", I'm inclined to point out that it isn't Houston's problem.
Hire people that can effectively put a system in place to secure their networks, data, and disposition of old equipment. Monitor your networks and data, put systems and people in place that can predict and respond to security issues.
Sounds so easy when you put it down on paper like that.
My assumption is that NASA is so budget-constrained, and has so many wasteful expenditures that security gets left to the wayside and then things like this happen (if it indeed DID happen.)
I would say your assumption is mostly incorrect. It is more about NASA's burea
Re: (Score:2)
I would also like to add that over the past ten years, "security" has gotten much, much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, have been partially stifled in the n
Re: (Score:3)
I would also like to add that over the past ten years, "security" has gotten much, much tighter at NASA. NASA has many roles that involve interfacing with the industrial community, the scientific community, and the public community at large. It is often difficult to reconcile those roles with the additional goal of "more security!" In fact, in the interests of blanket security, I would say that NASA's ability to interact with communities, and lead through good example, have been partially stifled in the name of security.
That's a fair point. Security has been an even bigger issue over the past 10 years. Although unfortunately a fair amount of that effort has been around feeding the bureaucracy of compliance rather than actual technical security practices. Which is both boon and bane. At least the compliance drive is pushing technical issues that in the past would be entirely ignored by some organizations within NASA.
Another thing to mention is that often-times, large institutions like NASA are dealing with legacy systems that do not have the latest security. The common knee-jerk reaction is to say, "just upgrade it!" But the reality is that there can be knock-on effects that prevent upgrading or make it cost-prohibitive. Critical systems that have been running for years often do not have the funds or staff expertise to execute a major upgrade. But as I said, this is a problem with most large institutions, it's just that "NASA" in the title of an article makes it higher profile.
The problem is that security impacts productivity. So much of what is done in IT is done without security i
Re:Houston, we have a serious security problem... (Score:4, Insightful)
Hi all; I actually work for NASA as an IT Security guy.
While I can't answer specifics about this incident, you should remember that a great many things done by NASA are "General Science", and the data output from them is specifically and consciously made public.
It's possible that the FTP server is meant to be serving those files "to the public".
Why FTP instead of SFTP? Usually when you choose to make data public to the world, you don't bother implementing crypto on the data. And just because it's available via FTP for distribution, does not mean insecure FTP was used to *place* the data on the server.
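The read-only distribution setup this commenter describes can be pinned down in the server configuration. The fragment below is an added example for vsftpd (the daemon whose banner appears elsewhere in this thread), not anything from NASA or from the article: it shows the weak settings that would let an anonymous visitor upload, beside the settings that keep anonymous access read-only while requiring TLS for the authenticated account that places the data. The paths and certificate names are assumptions.

```ini
# WEAK: anonymous users may upload and create directories, and local
# (authenticated) logins send passwords in the clear.
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
ssl_enable=NO

# HARDENED: anonymous read-only mirror of a public directory; writes only
# by authenticated users, control and data channels forced over TLS.
# (assumed paths: /srv/ftp/pub and the ftp.example.* cert/key)
anonymous_enable=YES
anon_root=/srv/ftp/pub
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
# write_enable stays YES so the authenticated uploader can STOR;
# the anon_* lines above are what keep anonymous read-only.
write_enable=YES
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
rsa_cert_file=/etc/ssl/certs/ftp.example.pem
rsa_private_key_file=/etc/ssl/private/ftp.example.key
```

Setting `write_enable=NO` instead would refuse every STOR, including the uploader's; the three `anon_*_write`/`anon_upload` knobs are the ones that decide whether "anonymous" is read-only, which is the question the rest of the thread keeps asking about this server.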
Re: (Score:2)
And I work for a company that deals a great deal with NASA, and they are happy to lose satellite data while waiting for a replacement demodulator to pass their security scans on an internal network.
They do make an effort, but personally I think they strive to achieve perfect security and in the process people have to poke holes in it in order to make it work :)
Re: (Score:2)
+1
Thank you. This was my thought exactly. If it's read-only data, no problem.
sr
Choosing your targets (Score:2)
Hack Targets NASA's Earth Observation System [...] The hack comes exactly a month after the same hacker exposed a similar hole in a server operated by the European Space Agency.
Now _this_ is a hacker who knows how to aim high!
Hey /. (Score:2)
Could you please stop spamming facebook??
OMGWTFBBQ I FOUND ANOTHER ONE!!!!! (Score:2)
ALL I HAD TO DO WAS PUT IN MY EMAIL ADDRESS AS THE PASSWORD! MY GOD I COULD HAVE PUT IN ANYTHING!
bmo@owlcomm:~$ ftp ftp.linux.org.uk
Connected to ftp.linux.org.uk.
220 (vsFTPd 2.2.0)
Name (ftp.linux.org.uk:bmo): anonymous
331 Please specify the password.
Password:
230-Welcome to ZenIV
230-
230-The software on this site is made available for free without warranty or
230-other right of recourse implied or otherwise. No stateme
Re: (Score:2)
Holy crap! Anonymous has hacked the kernel servers and left a backdoor?
What FTP server will they hit next, sunsite?
Re: (Score:2)
I have to concur with this sentiment. NASA data policy states that they give quite a bit of their data away freely.
It appears that ASAR data is freely available. So this could be as simple as this hacker logging into the ftp server that distributes the data, which, as you've shown, is not exactly a "hack".
Sad day (Score:1)
It seems like a sad day when a Slashdot article finds it necessary to spell out what FTP stands for.
Uhh Why is this a problem (Score:2)
So is disaster preparedness information now considered "classified" and only able to be disseminated to the highest bidder? Was Tinkode trying to show a dangerous lack of security on the part of NASA that would just allow anyone to log in and get the information needed to track tsunamis? Shouldn't this be what we want government to be doing?
I can not read the comments! (Score:2)
I see that there are 30 comments on this article, but I cannot see them! Pressing "Get More Comments" does nothing, and neither does the javascript slider! Slashpot, fix your website! It's been broken for a few months, since the last update!
Kubuntu 11.04, Firefox 4
And the UFO pictures? (Score:2)
What's the point of hacking NASA if you're not going to download their superTopSekreT UFO pictures? Anybody can modify an FTP login screenshot, but clear pictures of UFOs close up, now that's the money shot!
Summary: He got into an ftp server: big whooptedo: (Score:2)
Well, BFD.
This is hardly data that is soopersekret national security info.
The ftp server is now down on that machine, but who knows. For all I can see, it may have even been open for read only anonymous ftp access and he just didn't know it for what it was.
Otherwise he may have guessed an obscure login like "data" with password "data". Or, if it was running something unpatched from way long ago, used an existing hack. ftp buffer overflows were a dime a dozen at one point.
Not everything is worth heavily secu
RO or RW access? (Score:2)
Next BIG question is - did he have RO access, or RW access? TFS says nothing, so I RTFA - still nothing. Look at the screen shots, still nothing. Not even a claim of a RW access.
So far, the guy has found an FTP server that looks like it contains data which is likely public domain already. BFD.
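Two posts above turn on the same check: the pasted anonymous login to ftp.linux.org.uk, and this one's question of whether the access was RO or RW. The script below is an added example, not code from the thread or from any of the parties involved. `interpret_transcript` classifies a captured command-line FTP session (banner, whether the login was anonymous and got a 230, whether a put/STOR was opened with a 1xx reply or refused with a 5xx), and `audit_anonymous_ftp` performs the same check live with the standard library's `ftplib`, creating and deleting a probe file if the server accepts it. The sample session is constructed (modelled on the pasted one with a refused upload appended), and `PROBE_NAME` and the `ftp.example.test` host are assumptions. Only run the live probe against hosts you are authorised to test.

```python
# Added example: is an FTP server open to anonymous login, and is that
# access read-only or read-write?
import io
from ftplib import FTP, error_perm, all_errors

# Hypothetical probe file name (assumption). The live check uploads and
# immediately deletes it; a refusal is the "RO" answer.
PROBE_NAME = "zz_anon_write_probe_delete_me.txt"

# Constructed sample session (not a real capture): an anonymous login to a
# vsftpd mirror, followed by an upload attempt the server refuses.
SAMPLE_SESSION = [
    "Connected to ftp.example.test.",
    "220 (vsFTPd 2.2.0)",
    "Name (ftp.example.test:bmo): anonymous",
    "331 Please specify the password.",
    "Password:",
    "230-Welcome to an anonymous mirror",
    "230 Login successful.",
    "ftp> put probe.txt",
    "200 PORT command successful. Consider using PASV.",
    "550 Permission denied.",
]


def reply_class(code):
    """RFC 959 reply classes by first digit: 1 preliminary, 2 success,
    3 intermediate, 4 transient failure, 5 permanent failure."""
    return {1: "preliminary", 2: "success", 3: "intermediate",
            4: "transient-failure", 5: "permanent-failure"}.get(code // 100, "unknown")


def interpret_transcript(lines):
    """Classify a pasted client session (client prompts mixed with server replies).
    write_allowed is True if a put/STOR got a 1xx (data connection opened),
    False if it got a 5xx, None if no upload was attempted."""
    result = {"banner": None, "anon_login": False, "write_allowed": None}
    anon_user = False       # the most recent USER / "Name (...):" named anonymous or ftp
    pending_store = False   # a put/STOR was issued and its reply is still outstanding
    for raw in lines:
        line = raw.strip()
        low = line.lower()
        if low.startswith("name (") or low.startswith("user "):
            user = line.rsplit(":", 1)[-1] if low.startswith("name (") else line[5:]
            anon_user = user.strip().lower() in ("anonymous", "ftp")
        elif low.startswith("ftp> put ") or low.startswith("stor "):
            pending_store = True
        elif len(line) >= 4 and line[:3].isdigit() and line[3] in " -":
            code = int(line[:3])
            if code == 220 and result["banner"] is None:
                result["banner"] = line[4:]
            elif code == 230 and anon_user:
                result["anon_login"] = True
            elif pending_store and reply_class(code) == "preliminary":
                result["write_allowed"] = True      # e.g. "150 Ok to send data."
                pending_store = False
            elif pending_store and reply_class(code) == "permanent-failure":
                result["write_allowed"] = False     # e.g. "550 Permission denied."
                pending_store = False
            # 2xx replies to PORT/PASV while a STOR is pending are ignored
    return result


def audit_anonymous_ftp(host, port=21, timeout=10):
    """Live check with ftplib. Returns the same keys as interpret_transcript,
    plus a short directory listing, or an error string if the server is unreachable."""
    report = {"host": host, "banner": None, "anon_login": False,
              "write_allowed": None, "listing": [], "error": None}
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout)
        report["banner"] = ftp.getwelcome()
        ftp.login()                      # ftplib default: user anonymous, password anonymous@
        report["anon_login"] = True
        report["listing"] = ftp.nlst()[:20]
        try:
            ftp.storbinary("STOR " + PROBE_NAME, io.BytesIO(b"anonymous write probe\n"))
            report["write_allowed"] = True
            try:
                ftp.delete(PROBE_NAME)   # clean up; some servers allow STOR but not DELE
            except error_perm:
                report["probe_left_behind"] = PROBE_NAME
        except error_perm as exc:        # vsftpd answers "550 Permission denied."
            report["write_allowed"] = False
            report["write_reply"] = str(exc)
    except all_errors as exc:
        report["error"] = str(exc)
    finally:
        ftp.close()                      # safe even if connect() never succeeded
    return report


if __name__ == "__main__":
    import sys
    print(interpret_transcript(SAMPLE_SESSION))
    if len(sys.argv) > 1:
        print(audit_anonymous_ftp(sys.argv[1]))
```

Run it with a hostname argument to probe a server you own; without one it only interprets the constructed session, which comes back as an anonymous, read-only login. Note that a 550 on STOR is only the answer for the anonymous account: a server that refuses anonymous uploads may still take them from a guessable local account, which is the "data/data" case another poster raises.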