NASA's Hack Woes Continue

Hacker Enters 2 Sites to Expose Vulnerabilities; Claims No Damage
A "friendly" hacker calling himself c0de.breaker claims to have broken into two secure internal sites at NASA's Instrument Systems and Technology and Software Engineering divisions, and posted screen shots as proof that the protected sites had been breached.

"I didn't want to make something bad!" c0de.breaker wrote in a web posting. "Only to show NASA (has) many vulnerable subdomains to SQLI (SQL injection), XSS (cross-site scripting), etc."

The hacker gained access through a combination of SQL injection and poor access controls, said Gunter Ollmann, vice president of research at the IT security firm Damballa and former chief security strategist at IBM Internet Security Systems. He said c0de.breaker lifted 25 administration credentials from the two servers. "NASA needs to get these sites secure as soon as possible," Ollmann said. "Any script-kiddie can walk in there and start adding their favorite drive-by download exploits as it stands."

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.
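To make the vulnerability class the article names concrete, here is an added example (not code from the article or from any NASA system) using Python's sqlite3 module and a constructed admin table: a credential lookup that splices user input into the SQL text, beside the parameterized version that binds the same input as data.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table; the data is made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, password):
    # Vulnerable pattern: untrusted input is pasted into the statement text,
    # so a quote character in the input changes the structure of the query
    # instead of being stored or compared as a value.
    sql = ("SELECT username FROM admins WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username, password):
    # Hardened pattern: the statement is fixed at write time and the driver
    # binds the input as data, so the same quote character is just a character.
    sql = "SELECT username FROM admins WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def input_breaks_statement(conn, lookup, username, password):
    """Return True if the input altered the SQL parse (the driver rejected
    the statement), which is the signature of data being treated as code."""
    try:
        lookup(conn, username, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    # A legitimate name containing an apostrophe is enough to show the
    # difference: the spliced query breaks, the parameterized one does not.
    for fn in (lookup_vulnerable, lookup_parameterized):
        print(fn.__name__, "broken by O'Brien:",
              input_breaks_statement(db, fn, "O'Brien", "x"))
```

The apostrophe case is the benign symptom to look for in logs: a database syntax error triggered by ordinary user input means that input is reaching the query parser as SQL.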

The National Aeronautics and Space Administration has had major problems securing its websites for years. In October, the Government Accountability Office issued a report saying the space agency had reported 1,120 security incidents in fiscal years 2007 and 2008 that resulted in malicious software being installed on its systems and in unauthorized access to sensitive information. And, GAO said, NASA systems remain vulnerable despite the establishment of a security operations center last year to deter such incidents.

A request has been made to NASA for a comment, and it will be posted when an agency official responds.

About the Author

Eric Chabrow

Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow, who oversees ISMG's GovInfoSecurity and InfoRiskToday, is a veteran multimedia journalist who has covered information technology, government and business. He's the former top editor at the award-winning business journal CIO Insight and a long-time editor and writer at InformationWeek.