NASA fears Web server compromised

NASA's Johnson Space Center (JSC) last week shut down all accounts on its primary World Wide Web server after officials discovered the system's password directory may have been stolen.

The possible security breach was detected this month by the space center's security team. According to an Oct. 9 e-mail message posted on the Internet by Christopher Ortiz Internet group leader in the information systems directorate at JSC the password file that JSC officials believe was compromised was stored on the space center's primary Web server called Krakatoa. The server also houses JSC's home page.

Contacted by phone last week Ortiz declined to provide further details of a possible security breach. "As a precaution we are resetting the passwords " Ortiz said. "We are taking a pro-active approach."

NASA spokesman Kelly Humphries said the agency had no comment.Although Krakatoa will remain in operation NASA disabled all user accounts on the server Oct. 14. All users who wish to reinstate their log-in identification number and password will be required to report in person to do so and they will be briefed on computer security policy and password selection according to Ortiz's electronic message. All accounts that are not reinstated within 30 days will be removed from the system. These measures are being taken to "re-secure the server " according to Ortiz's e-mail.

Christopher Klaus - the founder and chief technology officer of Atlanta-based Internet Security Systems Inc. a company that specializes in analyzing Internet security for government agencies - including NASA - said password files are often a popular target of intruders because most users choose passwords that are easy to guess such as the name of a spouse or pet.

Although password files are often encrypted an intruder can use the system's encryption method to encrypt possible passwords such as a name of a spouse or pet looking for matches within the password file. Or intruders can use an exhaustive search encrypting all possible passwords based on the length of the password. Many times this method is effective with short passwords that contain only letters. In addition an intruder can use a program that would encrypt each word in a dictionary to check if it matches an encrypted password.

"If you've done a good job making sure every user has a difficult-to-guess password stealing that file is not a big deal " Klaus said.

"Most systems that we see have passwords that are easy to guess. Once a password file gets stolen it becomes pretty hard to block out the hacker. Once someone has compromised a network it's very difficult to trust that network again " he said.

That is because intruders often install in a compromised system "backdoors" that replace many of the operating system programs such as the log-in program. These backdoors allow an intruder to access at will any account on a compromised system with a special keyword Klaus said.

An intruder also could install a "sniffer" program that would allow him to monitor network traffic and access new passwords designed to restore security to an account.