AnonSec Attempts To Crash $222m Drone, Releases Secret Flight Videos

An anonymous reader writes with an excerpt from IBTimes that says it's not just governments that have proven themselves capable of hacking into drones: Hackers from the AnonSec group who spent several months hacking NASA have released a huge data dump and revealed they tried to bring down a $222m Global Hawk drone into the Pacific Ocean. The hack included employee personal details, flight logs and video footage collected from unmanned and manned aircraft. The 250GB data dump contained the names, email addresses and phone numbers of 2,414 NASA employees, 2,143 flight logs and 631 videos taken from Nasa aircraft and radar feeds, as well as a self-published paper (known as a 'zine') from the group explaining the extensive technical vulnerabilities that the hackers were able to breach. Among these: the group discovered that the flight paths uploaded into each drone could be replaced with their own.

Re:From the QC Dept

[smooth wombat]

More high quality products developed by private industry for the US Govt...

Re:From the QC Dept

[radiumsoup]

It wasn't the private-sector-built aircraft that was hacked - it was the government network that was hacked.

Re:

[oh_my_080980980]

LMOL and how built the network? What products are used for the network? And who maintains the network? Moron...

Re:From the QC Dept

[radiumsoup]

Who built it? Irrelevant. What products were used? Irrelevant. It was shown to be secured by simply changing the default passwords, and leaving default passwords intact was a failure of management. So what kind of network is it, anyway? Oh, yeah, it's a .gov network. Management is controlled by the .gov entity, even if contractors are used for the keypresses and network cable enplugginations. The .gov entity is responsible for regular security audits on their systems. They failed on that management aspect.

Re:From the QC Dept

[mspohr]

They contract all of this stuff out to the private sector (the network and the monitoring of the network).
Northrup Grumman runs many government networks. (Not just NASA, also Defense, CDC, etc.)

Re:

[tnk1]

I'm still going to point out that it is irrelevant. There are plenty of government employees. If they don't have enough employees to oversee the contractors, that is a fault of the government.

And if the government turned these functions over to contractors with no way of assuring that they were secure or manageable, that is still the government's fault.

Yes, if the contractors screwed up, they certainly share responsibility and if there was some sort of cover-up by the contractor, that would also mitigate

Re:

[Anonymous Coward]

Well, then by your logic, it's the entire US's fault. They're responsible for who's running the government. It's irrelevant how much PACs or corporations or such donate, it's ultimately the people who vote. They may be easily led morons, but I've yet to see a corporation actually walk in a check the boxes on a ballot.

Re:

[mspohr]

You could just blame it on Obama.

Re:

[radiumsoup]

additionally, there seems to be the assumption that there were contractors involved; while many government operations may and sometimes do employ contractors, not all government IT work is done by contractors, and there wasn't an indication in TFA that a contractor was to blame. I was unable to find a publicly available accounting of NASA's network, so I didn't point it out earlier, but I daresay that in my rather limited experience with government contractors, most of them are eager to do audits for govern

Re:

[Frosty Piss]

More high quality products developed by private industry for the US Govt...

You are taking these script kiddies at their word that this is what they have done to systems that are as they claim. Yet this is extremely unlikely.

Names, work email and phone numbers of government employees are not considered "personal information", and are generally available through published directories, and certainly FOIA requests (so says me, a former Records Custodian for the Air Force), and much of the other "data" is hardly "secret". As well, many are saying that all these idiots accessed were hon

Re:

[account_deleted]

Comment removed based on user account deletion

hmm ..

[invictusvoyd]

AnonSec found that the administrator credentials for securely controlling Nasa computers and servers remotely were left at default

Hmm ..

Re:

[Frosty Piss]

AnonSec found that the administrator credentials for securely controlling Nasa computers and servers remotely were left at default

AnonSec found that the administrator credentials for securely controlling Nasa's HONEYPOT computers and servers remotely were left at default...

Re:

[invictusvoyd]

Honeypot ? They almost managed to crash the drone.

Re:

[Frosty Piss]

Honeypot ? They almost managed to crash the drone.

Is that a fact ? Says who? A bunch of script kiddies that bought a hack into a honeypot and went on to disclose publically available information? A bunch of script kiddies that believe in "Chemtrails"?

Please adjust your tin-foil hat, it's not working.

Re:Best way to stop these criminals

[Dins]

They're not terrorists. They're criminals, yes, and idiots too, but their intent was not to cause terror. Yes they should be arrested, but let's stop labeling every extreme action "terrorism" when that's obviously not the intent.

It's a science mission

[nycsubway]

Why would anonsec be interested in hacking this? It's a scientific mission, not a military one. It may use the same drone platform as the predator drone, but its still for a purely scientific purpose.

Re:

[dpidcoe]

Er, TFA said it was a global hawk? The global hawk and the predator are two completely different aircraft made by two completely different companies. That's like saying the A320 and the 737 use the same platform.

Re:

[Anonymous Coward]

I don't know, but I'd say they crossed a line trying to crash that drone; everything before that was relatively non-destructive. I don't see why they didn't do something like modify the drone's flight path to spell out "AnonSec" or something rather than trying to crash it, I think people would be more impressed.

Re:Best way to stop these criminals

[bkr1_2k]

The problem is they couldn't actually do either action. This is a bunch of hype trying to claim greater "hacking" capability than they actually have. Hell, even the article says they gained access by purchasing it from someone else.

Having worked on those aircraft for the better part of 10 years, these guys didn't do a damn thing. The mission plans would have been noticed immediately as using the wrong waypoints and been corrected, manually or from known-good files. These guys didn't have a chance of actually crashing anything except maybe a couple of servers at NASA, which would have done nothing.

NASA clearly needs to update some of their Network security protocols and probably fire a couple of people, but this is a non-story with respect to the drones. It's FUD trying to drive site clicks.

Re:

[Anonymous Coward]

Your being naive if you think crashing NASA's servers and getting thousands of employees personal information was nothing. That's a crime potentially in the millions of dollars, perhaps not 200 million, but still serious enough. The story is not the drone, the story is the hack. Your perspective is just on the drone because you worked on them. Keep your eye on the ball man. They hack these things just because they can and release the info to show off these glaring security holes and how far they got into th

Re:Best way to stop these criminals

[Frosty Piss]

Your being naive if you think crashing NASA's servers and getting thousands of employees personal information was nothing

Names, work email and phone numbers of government employees are not considered "personal information", and are generally available through published directories, and certainly FOIA requests (so says me, a former Records Custodian for the Air Force). As well, many are saying that all these idiots accessed were honeypots.

Re:

[Coren22]

http://csrc.nist.gov/publicati... [nist.gov]

Name and phone number together are considered PII. (Page 2-2)

Re:

[crow_t_robot]

Then the phone book must be the work of a massive terrorist conspiracy..................

Re:

[Frosty Piss]

There is a difference between your work phone / email / address and your home phone / email / address. These script kiddies released work phone / email / address, which *IS* public information. The document you quote is talking about personal phone / email / address, and indeed also says "may", not "is".

SPLITTERS!

[Anonymous Coward]

You're not anonymous,
We're the real real anonymous.

Those "original real anonymous" guys are a bunch of posers.

Re:Best way to stop these criminals

[Anonymous Coward]

What an ignorant comment. NASA is using these drones for scientific missions. Among other things, they take measurements of the ozone layer, collect data on transport of aerosols and pollutants over the Pacific (which undoubtedly impacts the weather on the west coast), and collects data on developing Atlantic hurricanes. Just because something isn't particularly secure doesn't mean you should hack it. I'd bet that the signals sent to the Voyager spacecraft and probably the Mars rovers don't use strong encryption. I'd bet if someone put their mind to it, they could spoof the signals sent to them. It would also be a dick move to interfere with valuable scientific missions just because you want to hack something. I understand the concept of hacktivism but this isn't it. That you consider NASA's atmospheric research your enemy says more than enough about you.

Re:

[hey!]

Call them idiot criminals if you want. They should still be rounded up by law enforcement and executed.

Why execute them? Because they make you angry?

Re:

[JudgeFurious]

Well, they do make me angry but execution is kind of pointless and unnecessarily expensive. It takes ages to put one of these little assholes down even if it was legal to do so for this crime. People always want to jump to executing those who transgress but I think nobody gives long-term incarceration its due. Say one of these "scamps" was in his early 20's. 40 years without the possibility of parole would be a whole lot cheaper when you take into account all the money spent on appeals and he'd leave prison

Re:

[hey!]

And you're right to be angry. But being angry doesn't justify killing someone else, even if that other person is at fault for making you angry. Nor does it justify inflating the magnitude of punishment, especially to the point that the consequences of that punishment become a burden on society. That's just using the legal system as the instrument of an emotional temper tantrum.

Re:

[JudgeFurious]

Granted and I got into a level of detail that probably wasn't necessary. I really meant to make the point that incarceration is a damned awful thing to do to someone and that they have to live with the consequences of that for the rest of their lives. Thinking of how the government has reacted in the past I could honestly see a 30-40 years without parole sentence happening in a case like this. If they'd brought something down it would be nothing to get that. Death is easy to throw out there as a "Worst thi

Re:

[Coren22]

You won't like me when I'm hungry - Bruce Banner

https://www.youtube.com/watch?... [youtube.com]

Re:

[Rob MacDonald]

Not terrorists, just a bunch of asshats that couldn't actually hack anything of value so instead they directed their attention at NASA. Smacks of releasing credit card details to the internet to "protect us" from big corporate greed. Or something.

Re:

[Anonymous Coward]

You have anger issues, seek help.

Re: Best way to stop these criminals

[Anonymous Coward]

I know, right? What kind of a sick maniac holds that much anger toward dogs?

Re:

[SirSlud]

Excute them, and their families and friends and cats and dogs.
Same goes for spammers. Why should a spammer who causes more than a billion dollars in lost productivity NOT be called what he is? A terrorist.

I remember a time when /. was mostly filled with mentally stable people.

Re:

[iceaxe]

I remember a time when /. was mostly filled with mentally stable people.

That's funny, I don't.

There have always been a nice minority of saner folks, but madness has been par for the course as long as I've been around. Don't let them get to you, just gesture with your shotgun at the "off my lawn" notice.

Re:

[tigersha]

Well, the thing is, if this guy was a terrorist we (or rather, you, I am not in the USA) would be going after him with a drone. Which often does include blowing up his house and killing his wife, his children and his dogs. So what is different?

Re:

[kilfarsnar]

Same goes for spammers. Why should a spammer who causes more than a billion dollars in lost productivity NOT be called what he is? A terrorist.

Wait, now loss of productivity is terrorism? I think we are stretching that term just a wee bit.

Re:

[JudgeFurious]

Watch yourself there man. Questioning charges of terrorism is pretty darn close to terrorism itself. You trying to start up some kind of term-stretching-jihaad or something boy?

Re:

[tigersha]

Refer to it as "economic damage" and you will get the same result. Some of the spammers and virus writers DO cause more economic damage than Al Queda, unless you count the cost of the rather expensive War on Terror.

Re:

[lhowaf]

a bunch of immature losers living in their parents' basements

Yeah, that pretty much says "terrorist" to me.

Main purpose...

[Dins]

From TFA:

According to Infowars, which was alerted to the zine's existence by AnonSec, the hackers' main purpose in hacking Nasa was to highlight the fact that the US government is using climate engineering methods such as cloud seeding and geo-engineering to manipulate the climate and cause more rain to fall in order to combat the effects of carbon emissions.

Well...? Are they?

Re:

[Viol8]

"Well...? Are they?!"

No. But I've heard they might be selling US Govn branded tin foil hats to "special" people.

Re:

[kilfarsnar]

"Well...? Are they?!"

No. But I've heard they might be selling US Govn branded tin foil hats to "special" people.

How do you know? Cloud seeding has been used for decades to modify the weather. I'm not saying it is or isn't happening. But you seem very quick to dismiss such an idea when it's really not far fetched at all.

Re:

[Viol8]

Because the amount of rain needed to pull significant amounts of CO2 out of the atmosphere would cause biblical floods. And there probably isn't enough water vapour in the air to do it anyway. Anonsec shouldn't have skipped chemistry classes at school.

Re:

[doggo]

Cloud seeding has been used to attempt to modify weather for decades. It's just not that effective.

Re:

[Coren22]

It seemed pretty effective in the 2008 olympics.

http://www.independent.co.uk/s... [independent.co.uk]

Re:

[Anonymous Coward]

Of course they are....Look at California for the last 5-6 years. Constant rainfall. No wildfires at all

Re:Main purpose...

[OzPeter]

From TFA:

According to Infowars, which was alerted to the zine's existence by AnonSec, the hackers' main purpose in hacking Nasa was to highlight the fact that the US government is using climate engineering methods such as cloud seeding and geo-engineering to manipulate the climate and cause more rain to fall in order to combat the effects of carbon emissions.

Well...? Are they?

Given that Cloud seeding has been around for 70 years [wikipedia.org] why would it it be a surprise or controversial that NASA was experimenting with it?

Re:

[kilfarsnar]

From TFA:

According to Infowars, which was alerted to the zine's existence by AnonSec, the hackers' main purpose in hacking Nasa was to highlight the fact that the US government is using climate engineering methods such as cloud seeding and geo-engineering to manipulate the climate and cause more rain to fall in order to combat the effects of carbon emissions.

Well...? Are they?

Given that Cloud seeding has been around for 70 years [wikipedia.org] why would it it be a surprise or controversial that NASA was experimenting with it?

Because it's not reported on the evening news. And everyone knows that if it's not on the evening news it didn't happen, and anyone who thinks it might have is a tinfoil hat wearing conspiracy theorist.

Re:

[Anonymous Coward]

I wouldn't think this would be something you could hide easily, nor would you need to. That sounds like a BS reason to me. They are doing it for fun or for some other reason and that is just their idiotic cover.

If the US could fight climate change with clouds and NASA, we'd be plastering that all over the news. Maybe NASA did some experiments and some idiotic hacker found the data and assumed it was a global conspiracy rather than NASA just playing around with science as they often do.

Is the government secr

Re:

[iceaxe]

From TFA:

According to Infowars...

Mmmmhmm. Methinks we're seeding tempests in teacups, here.

Not much of a "hack"

[p51d007]

How much of a hack is it, when the basic understanding of their servers, is bought from someone from either within or a former member of the I.T. team? "AnonSec explains that it purchased an "initial foothold" from a hacker with knowledge of Nasa's servers in 2013"

Re:

[Frosty Piss]

In addition, many are suggesting that all they accessed was honeypots with essentially open doors. By the way, names, work email and office phones of most government employees are not classified in any way and available through published directories, and certainly FOIA requests (so says me, a former Records Custodian for the Air Force).

Re: Not much of a "hack"

[MarkH]

A good system ( not just code but process ) should have protection against credential exposure.

2414 names? Meh, try people.nasa.gov

[Anonymous Coward]

names, email and phone numbers of all NASA employees are public, and on the web at people.nasa.gov. tens of thousands of em, free for the taking. There's also an x.500 directory.

Re:2414 names? Meh, try people.nasa.gov

[jc42]

names, email and phone numbers of all NASA employees are public, and on the web at people.nasa.gov. tens of thousands of em, free for the taking. There's also an x.500 directory.

Perhaps, but the US "security" system doesn't consider the fact that info is openly published to be a reason not to classify the info as "secret".

There was a fun report some time back, about the US Dept of Defense funding a couple of academic researchers to study what could be learned about US military forces solely from publicly-available published sources. They spent some months collecting publications, wrote up their report, sent it to the DoD -- and within a couple of days it had a Secret classification. ;-)

Everyone who read the story got a good laugh, of course, but it does serve as an example of the logic behind the security classification system. It's also a useful counter-example of the old "If you've done nothing illegal, you have nothing to fear" mantra. In the US, it certainly can be illegal to be in possession of information that a government agency has published openly. It can even be illegal to know that it's illegal to have some information. (Google "FISA warrant" for some examples. ;-)

Re:

[Registered Coward v2]

There was a fun report some time back, about the US Dept of Defense funding a couple of academic researchers to study what could be learned about US military forces solely from publicly-available published sources. They spent some months collecting publications, wrote up their report, sent it to the DoD -- and within a couple of days it had a Secret classification. ;-)

That's not necessarily as odd as it sounds. A bunch of open source information, compiled and interpreted, can become classified. What's interesting is what is collected and what it is used for, not that all the sources were unclassified.

Re:

[AF_Cheddar_Head]

Umm, not illegal for a general citizen of the United States to obtain and possibly publish classified information, you might get a VISIT after the fact of publishing it asking you not to publish again and to withdraw the publication but not illegal unless you have signed a non-disclosure agreement when receiving a security clearance or you used illegal means to obtain the information. Settled pretty well during the '70s Pentagon Papers incident.

Re:

[crow_t_robot]

That's called "classification by aggregation." It's a thing. Like the letter "a" and the letter "b" are not classified by themselves but the string of characters you put together for an admin password for a system is classified. Think of it like that.

They must plan for this eventuality

[rmdingler]

We've have planned obsolescence. Why not planned corruption of data systems?

It seems clear the ability to keep nearly anything secure wanes exponentially with the amount of effort the infiltrator is willing to expend.

TFA mentions some of the Anonsec members had reservations about crashing the $222 million UAV, so there's no way we can know for certain that didn't play a role, but ground control was able to take control back manually through satellite connection. There is likely some additional redundancy

What To Do?

[Jim Sadler]

The circumstance appears to be that we can advance technology faster than we can advance technology to secure the products of progress. So how do we get security out front, instead of releasing devices and then trying to figure out how to secure them? I suggest that part of the problem rests in having that human link to the drones. If we used technology similar to what exists in the Cruise missiles it becomes a launch it and leave it alone type of device instead of needing humans to continue its miss

Re: What To Do?

[O('_')O_Bush]

The problem is that any automated system needs an 'oops... nevermind, don't do that' button, so there will always be a vector of attack.

Re:

[swb]

âoeCivilization is a hopeless race to discover remedies for the evils it produces.â

â Jean-Jacques Rousseau

You could probably extend that by saying that security is a hopeless race because it depends on a posteriori knowledge of the system in order to discover weaknesses.

You can ameliorate it by making security review an iterative process of design and not releasing the technology until after it has been refined, but you still don't know what new problems may emerge until after it has been ref

Re:

[Thud457]

Maybe because they're run by a secret cabal of Osiris worshipers. [enterprisemission.com]

HA HA...
heh...

Mod up

[tekrat]

Troll is right.
Why does a drone cost as much as a Boeing 747?

Re:

[AF_Cheddar_Head]

$220M per drone is not the fly-away cost that is the total cost of the project including R&D and ground equipment divided by the number of Global Hawk drones produced. Yes a real number of dollars spent but much of the R&D cost is applicable to follow on systems. Produce more Global Hawks and that $220M per Drone figure actually goes down. Not advocating for more Global Hawks but the fly-away cost is probably closer to $30M per drone.

The same cost calculation inflate the cost of a B-2 because wh

Re:

[xxxJonBoyxxx]

>> $220M per drone is not the fly-away cost that is the total cost of the project

So if someone downs one, we're not actually out $220M, right? (The replacement cost should be much, much less...)

AnonSec = Attempted Murderers

[mandark1967]

NASA uses their Globalhawk drones for Hurricane/Typhoon research which directly helps meteorologists refine hurricane tracks so people can GTFO of the way of the worst part of the storm damage via evacuations.

No Globalhawk = less accurate hurricane track, which results in more dead humans = Attempted Murder. Find 'em. Execute them. They admitted their crimes so no need for a trial

Re:AnonSec = Attempted Murderers

[Baron_Yam]

More or less. There is no acceptable or even pseudo-acceptable justification for this attack.

There's no secret conspiracy uncovered, no risk to national security the government won't admit to or fix, just NASA doing what they're supposed to be doing.

And these idiots deciding to try and fuck it up as best they can because they can. A lengthy stay in prison without access to electronics might just be what they need to smarten up. If not, at least they'll have less opportunity to cause trouble for a while.

Re:

[mandark1967]

You're so dense you're about 3 replies away from achieving fission.

Risk the lives of pilots to gather the same damn info that can be gathered without risk of life?

and

You refer to their research plane...you know...the one that was a former military plane just like the re-purposed Globalhawks

Re:

[dcw3]

They've admitted their crime. All that's needed is the sentencing.

Re:

[mandark1967]

At least have the balls to your real account.

Re:

[hey!]

If the standard is that people who do things that through several links of causality are guilty of murder, probably everyone is guilty of murder. Economic crimes cause excess deaths because of opportunity costs. Do any of the companies you invest in do financially dodgy stuff? How about companies invested in by your mutual funds? Loaned money by your bank?

Re:

[mandark1967]

You're AC. Who gives a damn what your opinion is if you're too scared to put your name next to it.

222 milli-dollars

[kheldan]

What's the big deal? The drone cost 22.2 cents? They probably have a closet full of them. Are they made of copier paper and office supplies? Dang, those guys at NASA sure are creative, making a working drone from office supplies for a little over twenty-two cents each? USA! USA! USA!

Re:

[tnk1]

Technically, this is possible. Land values in the US for tax purpose are in "mils" which are 1/1000th of a dollar. Even when this was created early on, a "mil" was never more than a unit of account.

If only the drone was actually priced in mils....

Nasa

[PinkyGigglebrain]

Why the fuck did they target NASA?? I mean NASA is a civilian organization with limited funding and mostly non military projects so why did they try to drop a research drone into the ocean?

If they wanted to make a point about how easy a drone was to hack why didn't they go after the DoD? Oh, that's right, the DoD actually has better security in place (not perfect I know, but better) and AnonSec probably couldn't even get a phone number to call.

I usually side with the Hackers and Hacktivists but this t

10,000 machines in NASA are infected by malware

[concertina226]

There's a follow-up to the NASA hack story - 10,000 machines in NASA's internal network are broadcasting malware signatures, and over 30 databases are exposed to the public web: http://www.ibtimes.co.uk/nasa-... [ibtimes.co.uk]

Re:

[vandamme]

It's time they switched to Linux.

Employee data?

[sentiblue]

I don't get it...

Why in the world would a drone carry employee data?