March 2, 2012
Laptop With Space Station Codes Stolen From NASA
A laptop has been stolen from NASA that contains the control codes used to command the International Space Station.
An internal investigation determined that the laptop is among dozens of mobile devices containing sensitive information that have been reported missing from NASA.
The mobile devices contained personal data, intellectual property, and highly sensitive export-controlled data.
"The March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station," Martin told Congress.
Another stolen laptop contained classified information on NASA's space exploration Constellation and Orion programs and employees´ social security information.
Martin said NASA was the victim of 47 cyberattacks by individuals or groups in 2011, all attempting to steal information or gain access to systems.
He said 13 of these advanced persistent threats or (APTs) were successful, including one attack in which system access codes for 150 NASA employees were stolen.
Hackers also gained full access to key Jet Propulsion Laboratory systems and sensitive user accounts, Martin said.
"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," he told Congress.
Martin said in a written statement that only 24 percent of applicable computers at the Goddard Space Flight Center were monitored for critical software patches, and only 62 percent were monitored for technical vulnerabilities.
"Monitoring computers for vulnerabilities and timely patching is widely recognized as critical to maintaining the security of IT systems," he said.
He said that they identified several high-risk technical vulnerabilities on the system that provides missions support to the ISS. If cyber-criminals were to exploit these vulnerabilities, it would allow them "to gain control of the system or render it unavailable."
He recommended the agency designate a NASA Directorate or Center to immediately establish an oversight process to include monitoring of systems for the presence of critical patches and technical vulnerabilities.
Also, Martin says NASA needs to review all other mission network IT security programs to determine which contains an effective oversight process.
On the Net: