GAO: NASA systems full of holes

Out-of-date information security policies have left significant vulnerabilities in NASA's mission-critical systems that could allow unauthorized users to steal, modify or delete important operational data, according to a General Accounting Office report released last week.

GAO, working over the past year with experts from the National Security Agency and using nothing more than public Internet access, was able to gain access to several unclassified mission-critical systems, including those supporting the command and control of spacecraft.

According to GAO, NASA has not created enough awareness among its employees about common security mistakes and vulnerabilities, such as easily guessed passwords. NSA initially breached some systems using passwords such as "guest" for guest accounts and "adm" for system administrators, opening the door for broader access to agency systems.

"The way we got in was through commonly known security faults," said John de Ferrari, assistant director of the Accounting and Information Management Division at GAO.

GAO concluded that it was able to penetrate systems because NASA does not have a consistent information security management policy that the entire agency follows. "A lot of what needs to be done is awareness-related; you never seem to get enough awareness of computer security," de Ferrari said.

GAO found that NASA did not have many policies regarding Internet and network security, and some policies the agency did have were out of date or were not followed.

"We Had Become Quite Lax"

"The fact of the matter is, we had become quite lax in the agency in terms of passwords," said Lee Holcomb, NASA's chief information officer. NASA now is scanning user passwords for ones that could be easily cracked and to check new passwords for vulnerabilities.

"We take very seriously our responsibility for safeguarding our IT assets, and after Y2K, security is our No. 1 priority," Holcomb said. "They acknowledge that they did not succeed in penetrating several systems, but the fact that they did succeed is troubling to us. It is a wake-up call to the agency."

This report is an important addition to the work already occurring throughout government to raise awareness of security needs, said Paul Rodgers, senior executive at the Critical Infrastructure Assurance Office, which is leading the national effort to protect critical systems. "The dangers are increasing, and we think the GAO report delivers an important message to NASA and other agencies," Rodgers said.

The GAO/NSA team could not penetrate certain pockets of NASA's systems because network administrators either carefully controlled system access privileges or used patches for known operating system flaws. If expanded to the whole agency, such simple fixes could protect systems better because hackers usually will move on to systems with easily exploitable weaknesses, de Ferrari said.