NASA's wrist slapped for security breach

Posted by Emma Woollacott

NASA's a little red-faced today, after an audit found that its sell-off of thousands of surplus PCs was leaving sensitive data and network details at risk of walking out the door with the hardware.

NASA has been selling off equipment that is surplus to requirements since the space shuttle program was wound down earlier this year.

But the Office of Audits says it found significant weaknesses in the 'sanitization and disposition processes' at all four of the centers it reviewed - Kennedy, Ames, Johnson and Langley.

"For example, we found that Kennedy managers were not notified when computers failed sanitization verification testing; that no verification testing was being performed at Johnson or Ames; and that Kennedy, Johnson, and Ames were using unapproved sanitization software," says the report.

"We also found that while hard drives are destroyed at Langley before computers are released to the public, personnel did not properly account for or track the removed hard drives during the destruction process."

Even worse, says Inspector General Paul K. Martin in the report, some of what was left on or attached to the machines would have been a gift to attackers. Several pallets of computers being prepared for sale were found with NASA IP addresses written on their cases.

"Internet Protocol information could provide a hacker with the details needed to target specific NASA network assets and exploit weaknesses, resulting in the compromise of sensitive information," he points out.

NASA accepts the criticisms and says it agrees with most of the measures recommended in the report. It objects, though, to the recommendation that it develop a new policy more closely aligned with ISO standards, arguing that the extra process would be a bureaucratic burden out of all proportion to the value of the resold machines.

"This burden would far outweigh any benefits, value, or recouped dollars that NASA would hope to obtain via reutilization, transfer, donation or federal sale of the sanitized computers," complains NASA CIO Linda Cureton.

"The Agency would be better off by simply requiring that all media be destroyed by shredding, or by incineration, than to develop a sampling methodology for verification testing that meets or exceeds the minimum requirements of an industry or government standard."
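The verification testing the report found missing at Johnson and Ames, and the sampling methodology Cureton objects to, both come down to the same step: read a drive back after it has been wiped and confirm that nothing survived. The script below is an added illustration, not code from NASA or the OIG report. It builds a small constructed disk image (a hypothetical 4 MiB of zeros with optional leftover sectors), checks either every sector or a random sample against the wipe pattern, and reports the chance that a given sample size misses a single surviving sector. The sector size, sample count and the residue bytes are assumptions made for the example.

```python
"""Sampling-based verification that a wiped disk image contains only the wipe pattern.

Added example; sector size, sample count and the 'residue' bytes are assumptions.
"""
import os
import random
import tempfile

SECTOR = 512  # assumed sector size

# Constructed stand-in for data that survived a failed wipe: a file-system
# signature followed by filler. Not real data from any NASA system.
RESIDUE = b"NTFS    " + b"X" * (SECTOR - 8)


def make_image(path, n_sectors=8192, residue_sectors=()):
    """Write a constructed test image: all zeros, except the listed sectors,
    which keep RESIDUE as if the wipe had skipped them."""
    with open(path, "wb") as fh:
        fh.write(b"\x00" * (n_sectors * SECTOR))
        for s in residue_sectors:
            fh.seek(s * SECTOR)
            fh.write(RESIDUE)
    return path


def sample_offsets(n_sectors, samples, seed=None):
    """Byte offsets of the sectors to inspect: `samples` distinct sectors chosen
    uniformly at random, plus the first and last sector, which hold partition
    tables and file-system metadata and are therefore always checked."""
    rng = random.Random(seed)  # a fixed seed makes the run reproducible for the audit record
    picked = set(rng.sample(range(n_sectors), min(samples, n_sectors)))
    picked.update((0, n_sectors - 1))
    return sorted(s * SECTOR for s in picked)


def verify_wipe(path, pattern=b"\x00", samples=None, seed=None):
    """Return the byte offsets of inspected sectors that do not consist solely
    of `pattern`. samples=None reads every sector (a full verification); an
    integer reads that many randomly chosen sectors plus the first and last.
    A trailing partial sector (size not a multiple of SECTOR) is not inspected."""
    n_sectors = os.path.getsize(path) // SECTOR
    if n_sectors == 0:
        raise ValueError("image smaller than one sector")
    expected = (pattern * SECTOR)[:SECTOR]
    if samples is None:
        offsets = range(0, n_sectors * SECTOR, SECTOR)
    else:
        offsets = sample_offsets(n_sectors, samples, seed)
    failures = []
    with open(path, "rb") as fh:
        for off in offsets:
            fh.seek(off)
            if fh.read(SECTOR) != expected:
                failures.append(off)
    return failures


def miss_probability(n_sectors, samples):
    """Chance that a random sample of `samples` distinct sectors out of
    `n_sectors` never lands on one particular surviving sector."""
    return 1 - min(samples, n_sectors) / n_sectors


def run_demo():
    """Build a clean and a partially wiped image and check both; returns
    (clean_result, dirty_full_scan, dirty_sampled, p_miss_one_sector)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = make_image(os.path.join(tmp, "clean.img"))
        dirty = make_image(os.path.join(tmp, "dirty.img"), residue_sectors=(0, 4000))
        return (
            verify_wipe(clean),                       # []
            verify_wipe(dirty),                       # [0, 2048000]
            verify_wipe(dirty, samples=256, seed=7),  # always contains 0; sector 4000 only if sampled
            miss_probability(8192, 256),              # 0.96875
        )


if __name__ == "__main__":
    clean_result, full, sampled, p_miss = run_demo()
    print("clean image, full scan:        ", clean_result)
    print("dirty image, full scan:        ", full)
    print("dirty image, 256-sector sample:", sampled)
    print(f"a 256-sector sample misses a lone surviving sector with p = {p_miss:.3f}")
```

Two things the numbers show. A 256-sector sample of a 4 MiB image still misses a single surviving sector almost 97% of the time, so a sample size has to be derived from the confidence the chosen standard demands rather than picked for convenience; that is the work Cureton says NASA would rather avoid by shredding. And the first and last sectors are always worth reading, because that is where partition tables and file-system metadata live, and a wipe tool that quietly skipped them leaves exactly the residue an attacker looks for first.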