NASA Hacked Because of Unauthorized Raspberry Pi Connected To Its Network
An anonymous reader quotes a report from ZDNet: A report published this week by the NASA Office of Inspector General reveals that in April 2018 hackers breached the agency's network and stole approximately 500 MB of data related to Mars missions. The point of entry was a Raspberry Pi device that was connected to the IT network of the NASA Jet Propulsion Laboratory (JPL) without authorization or going through the proper security review. NASA described the hackers as an "advanced persistent threat," a term generally used for nation-state hacking groups.
Inside job (Score:2)
I'm sure it wasn't an accident.
Re: (Score:2)
What a coincidence, me too!
Totally off-topic, you recently moved a potted plant in front of a wall power socket in your bedroom. Can you move it back about 15cm to the left? Thank you.
Re: (Score:3)
The new Pi's are PoE capable. And there are various other pluggable SoC which can be entirely hidden from sight, you can buy an ESP32 with PoE which gives you enough power to run a web server or a tunnel into any organization and you can hide them pretty much anywhere you can reach without risking electrocution.
Re: (Score:2)
The new Pi's are PoE capable.
Most networks aren't PoE. You'd still need an injector. Might as well just use an innocuous and convenient wall wart. It's less likely to get unplugged if it doesn't interfere with other stuff that's plugged in.
Re: (Score:2)
Actually many large organizational networks with the big names like Cisco are PoE enabled, if you have any PoE cameras, at least one of the switches needs to be PoE and Cisco doesn't let you stack a switch across models so your entire stack becomes PoE enabled and for homogeneity, many organizations opt for a single platform rather than have a closet full of half-empty stacks.
Re: (Score:2)
Actually many large organizational networks with the big names like Cisco are PoE enabled, if you have any PoE cameras, at least one of the switches needs to be PoE and Cisco doesn't let you stack a switch across models so your entire stack becomes PoE enabled and for homogeneity, many organizations opt for a single platform rather than have a closet full of half-empty stacks.
Forget PoE cameras, how about phones? Way more ubiquitous and most are PoE enabled. We have thousands of them and, as such, all our switches are PoE.
Granted, if you're an enterprise environment and don't have network access control implemented...you're just asking for trouble.
Re: (Score:2)
What's surprising is why this hasn't happened more often, or maybe it has and we haven't seen it.
20 years ago the company I worked for had a field office in California. It had a limited IT footprint, and I needed a remote accessible desktop on site. I used an old desktop in a corner, but it was constantly getting turned off or unplugged. I ended up taking a decommissioned laptop and stashed it in the supply closet on the top shelf behind some junk that wouldn't likely get moved. Ran an ethernet cable i
Re: (Score:1)
Your cell phone isn't much bigger. I even have an Ethernet port on my old DeX dock. Sounds more like a problem of development and production not being kept segregated. NASA has probably been infected by the DevOps nightmare. Oops, guess we better blame the little computer instead.
Why is this stuff even possible? (Score:3)
Shouldn't a major organization have configuration in place to prevent this sort of thing by now? Ye olde AH?
Re: (Score:2)
If they have that level of security needs, 802.1x would be the minimal requirement. Obviously they did not have that. And obviously styling the attackers as large, dangerous monsters is a transparent attempt to minimize their own screw-up.
And seeing that nothing of any value was stolen...
Re: (Score:2)
802.1X on the latest Cisco gear with multiple authentication sources (eg multiple AD domains and LDAP servers) doesn't work yet. You'd think that major organizations have figured this out but they haven't. Between relying on single sourced equipment and having to rely on both 30yo tech and the latest that Microsoft and Oracle are pushing as well as internal infighting, nothing ever gets done.
The DMV in my neighborhood literally put up a (very hackable and default-passworded) Netgear to provide WiFi which th
Re: (Score:3)
A Raspberry Pi setup could live in a space about as big as a cell phone, or credit card with the zero version. They're cheap, easy to hide and easy to deploy, except maybe electric power to the board. I'm just surprised it took until now for someone to do it.
Re:Why is this stuff even possible? (Score:5, Insightful)
The problem here is that the network admin clearly didn't have measures in place to stop unauthorized devices connecting to the network.
Re: (Score:1)
Yeah, Microsoft's advice to defend against this? IPsec.
If everything on your network is IPsec signed, and keys carefully handed out, then physically plugging in a new device gets ignored by other devices.
Re:Why is this stuff even possible? (Score:4, Informative)
Reading the report it seems like they opted not to go that route because it would have been difficult to handle with various contractors and foreign space agencies needing to connect remotely (presumably via VPN) or when on-site. Instead they tried to segment everything, so that they could only access the data they needed and nothing else, but screwed that up.
Re: (Score:2)
IT is hard, but life is even harder when you lose your IT job because you didn't do the IT.
Of course, it's probably a union job [washingtonpost.com], so they can likely fail at it for years with no come-uppance.
Re: (Score:1)
NAC and other solutions are pretty simple to bypass. Look up 'pwnplug', their implementation kind of sucks for this but it's a good reference for using the pass through technique to get around pesky solutions. If they're decent they also hooked up a GSM dongle to it so they can C2 + exfil without traversing the target's normal egress which may be stringent or monitored... In my experience once you're this embedded into an internal network, it's pretty straight forward most times to get the data you want wit
Re: Why is this stuff even possible? (Score:2)
The Cylons left devices in plain sight on Battlestar Galactica. So, surely, nobody noticed this at JPL isn't that far of a stretch.
Re: (Score:2)
It's also possible someone just needed something to get work done and set up a reverse tunnel on an unmanaged VPS which then got abused. There are also services like LocalTunnel and similar that will do this work for you, so a simple Shodan search could easily have exposed a broken web server which a hacker simply found to connect to a NASA facility.
Re: (Score:2)
Well, I have seen some well-meaning people trying to do work in the face of the most draconian networking requirements ever resort to an LTE connected device, connected to a computer they had (which was authorized) connected to the network.
While all this sucks and should be strongly discouraged, IT departments need to also consider how they can provide a sane alternative. Too many IT departments fall into the trap of 'I just denied the request, my work here is done!' rather than actually helping such peopl
Re: What really happened? (Score:2)
I suspect/imagine it was as trivial as scanning the LAN for interesting files, copying them onto the Pi, then having the Pi send them to an outside destination.
Or, the responsible party could simply visit the machine, swap MicroSD cards, and carry the data out on the MicroSD card.
People have talked about these types of attacks for years, since back when the pogo plug was offered for sale (10 years ago?)... how is this surprising?
Re: (Score:2)
People have talked about these types of attacks for years, since back when the pogo plug was offered for sale (10 years ago?)... how is this surprising?
Pogoplug? Snerk. People used to card laptops, and hide them under other people's houses.
Re: (Score:1)
It isn't your network.
The network is there to get science done. The more IT does to impede that, the more work-arounds will be done. Your job should be to enable work getting done.
Re: (Score:2)
I was recently in a situation where we installed hardware at a laboratory 1000 miles from our home laboratory as part of a collaborative project. We were told by IT that it was impossible for them to provide a mechanism for us to connect from our lab to our hardware at that lab. Unless a solution is found this could require multiple expensive trips for us to provide support (at taxpayers' expense, since both are federally funded labs).
It's easy to make a 100% secure network - just pull the plug. The goal of
Re: (Score:2)
No, we installed the approved server type. It was a single server system attached (not networked) to local experiments. We needed remote access to our (not otherwise networked) system to run experiments. We gave them about a month to find a solution. We just needed ssh access to this Linux box. I don't directly blame the IT guys - I believe they were operating under some set of restrictions from above.
The same system is running at the South Pole, but there we were given access through a series of ssh h
Re: (Score:2)
If you basically had a room there full of equipment that was totally disconnected from their infrastructure other than AC and power, why not simply get a new connection from local phone/cable/etc company and be done?
Re: (Score:2)
Technically you are right (which is sort of the point) but it's a government lab and IT has *rules* - which presumably came from higher up.
Re: (Score:2)
Organizations vary, but I've seen enough where no amount of escalation was available to enable a strategic goal. The more draconian I've seen, the more likely they have a big shadow IT problem on their hands which inevitably will be a worse risk than IT relenting to do *something* to help the user. It has to acknowledge, like it or not, they are in competition with workarounds (even if 'forbidden') and to factor that in to the risk assessment for saying 'no' in a real world.
Even assuming it is the case th
Re: (Score:2)
A similar period of time ago I was contracted to implement ssh-based encryption for remote sites of a community college that were regularly sending students' personal information including SSN (why is that even displayed normally? WTF?) across the open internet. Then later, they paid me again to reimplement it using IPSEC. The machine the clients were connecting to was running HP-SUX and the IPsec examples were literally backwards. Whee!
Re: (Score:2)
SSNs are still used as the "unique key" for colleges talking to each other, to federal financial aid, etc. 99.99% of institutions are using something other than SSN as their internal unique ID (ours are still numeric, but "random" and 8 digits, DB columns are still named "SSN" but contain the replacement, and a new "REAL_SSN" column was added to the appropriate table)
Re: (Score:2)
SSNs are still used as the "unique key" for colleges talking to each other, to federal financial aid, etc.
Yeah, but the school was set up to display the SSN even at times when you don't need to see it, which was IMO the second-biggest problem after login security. They should display the student ID number as a matter of course, so that you can differentiate between two students with the same name, and only display the SSN on a screen used for no other purpose, and with logging every time a SSN is displayed, let alone altered.
500 MB of information? (Score:3)
Seriously? What are we talking about? A couple hi-res renderings of proposed Mars rockets, rovers, and facilities?
A half a gigabyte? That's it?
Re: (Score:1)
Proof that the underlying technology is physically impossible and that every launch was a complete fabrication.
Re: (Score:2)
That's what they know about.
They stole data that NASA releases to the public?? (Score:2)
OMG WE'RE ALL GONNA DIE!!!!!
Re: (Score:2)
A half a gigabyte? That's it?
Depends on what it is. RAW data, simulation working sets, that could amount to nothing. Design documents? I guarantee the entire Saturn V down to the detail of individual electronics can fit in 500GB.
Re: 500 MB of information? (Score:2)
You turned 500 Megabytes into 500 Gigabytes - you inflated the number by 1,000x...
Re: (Score:2)
But once you're inside you're on the "secure network". Yes, that's how virtually all government facilities, healthcare facilities etc refer to it.
Re: (Score:2)
This is a good philosophy, *however* in practice you cannot rely upon all your employees not doing stuff to compromise the network.
So where possible keep the 'pretend everything is on the internet' but perhaps still make best effort to keep them off the network.
Physically connected for nefarious purposes? (Score:2)
Or was it connected for other reasons?
What is the solution here? Hardware Mac filtering?
Re: (Score:3)
What is the solution here? Hardware Mac filtering?
MAC filtering is useless by itself, because you can change MACs. All you have to do is insert yourself between a machine and the network using dual NICs and you can spoof the host. You need to use 802.1X, or IPsec AH. Then you can simply block all non-authenticated traffic, or at least funnel it over to a less-trusted network, depending on your use case, with no need for MAC filtering at all. That does mean having to manage certs (or at least PSKs, but use certs) but you don't have to manage MACs.
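The comment above argues that a MAC allowlist on its own is worthless because a cloned MAC (or a dual-NIC device inserted inline) walks straight through it. The script below is an added example, not code from this thread or from NASA/JPL, showing what a MAC-table audit can and cannot catch: it parses a constructed `show mac address-table`-style dump, compares it against a constructed asset inventory, and flags unknown addresses (annotated with a made-up OUI lookup, including the Raspberry Pi Foundation prefix), known addresses appearing on the wrong port, the same address on two ports, and more than one address on a single access port. Every hostname, port and address here is invented. The caveat from the thread still holds: an inline bridge that only ever sources frames with the victim's own MAC produces none of these signals, which is exactly why the comment points at 802.1X (ideally with MACsec) or IPsec AH rather than MAC lists.

```python
"""Rogue-device audit over a constructed switch MAC table.

Added example (not from the thread). Hostnames, ports, OUIs and MACs below are
all constructed for illustration.
"""
from collections import defaultdict

# Constructed asset inventory: MAC -> where the asset database says it lives.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"host": "ws-01", "port": "Gi1/0/1"},
    "aa:bb:cc:00:00:02": {"host": "ws-02", "port": "Gi1/0/2"},
    "dd:ee:ff:00:00:03": {"host": "printer-3", "port": "Gi1/0/3"},
}

# Constructed OUI table (first three octets -> vendor). b8:27:eb is the real
# Raspberry Pi Foundation prefix; the others are made up for the example.
OUI = {
    "aa:bb:cc": "ExampleWorkstationCo",
    "dd:ee:ff": "ExamplePrinterCo",
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Only audit edge/access ports; uplinks legitimately carry many MACs.
ACCESS_PORTS = {f"Gi1/0/{i}" for i in range(1, 25)}

# Constructed dump: "<vlan> <mac> <port>", one learned address per line.
MAC_TABLE = """\
10  aa:bb:cc:00:00:01  Gi1/0/1
10  aa:bb:cc:00:00:02  Gi1/0/2
10  b8:27:eb:12:34:56  Gi1/0/4
10  dd:ee:ff:00:00:03  Gi1/0/3
10  b8:27:eb:aa:bb:cc  Gi1/0/3
10  aa:bb:cc:00:00:02  Gi1/0/7
10  00:11:22:33:44:55  Gi1/0/48
10  00:11:22:33:44:66  Gi1/0/48
"""


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        vlan, mac, port = parts
        entries.append((int(vlan), mac.lower(), port))
    return entries


def vendor(mac):
    """Look up the OUI (first three octets) in the constructed table."""
    return OUI.get(mac[:8], "unknown OUI")


def audit(entries, inventory, access_ports=ACCESS_PORTS):
    """Return a list of (kind, mac_or_macs, port_or_ports, detail) findings."""
    findings = []
    macs_by_port = defaultdict(set)
    ports_by_mac = defaultdict(set)
    for _vlan, mac, port in entries:
        if port not in access_ports:
            continue  # uplinks/trunks are out of scope for this check
        macs_by_port[port].add(mac)
        ports_by_mac[mac].add(port)

    for mac, ports in sorted(ports_by_mac.items()):
        known = inventory.get(mac)
        if known is None:
            # Not in the asset database at all: unmanaged device, or a clone
            # that didn't bother to copy a legitimate address.
            for port in sorted(ports):
                findings.append(("UNKNOWN_MAC", mac, port, vendor(mac)))
            continue
        for port in sorted(ports):
            if port != known["port"]:
                findings.append(("WRONG_PORT", mac, port,
                                 f"expected {known['port']} ({known['host']})"))
        if len(ports) > 1:
            # Same address learned on two ports at once: classic MAC clone.
            findings.append(("MAC_ON_MULTIPLE_PORTS", mac,
                             ",".join(sorted(ports)), "possible clone"))

    for port, macs in sorted(macs_by_port.items()):
        if len(macs) > 1:
            # An access port should carry one host. Two addresses suggests a
            # hub, a VM host, or an inline device that exposes its own MAC.
            findings.append(("MULTI_MAC_PORT", ",".join(sorted(macs)), port,
                             "possible inline pass-through device"))
    return findings


if __name__ == "__main__":
    for kind, what, where, detail in audit(parse_mac_table(MAC_TABLE), INVENTORY):
        print(f"{kind:22} {what:40} {where:18} {detail}")
```

Run against the constructed dump it reports five findings: two unknown Raspberry Pi addresses (one on Gi1/0/4, one sharing Gi1/0/3 with the printer), ws-02's address seen on Gi1/0/7 as well as its home port, the resulting "same MAC on two ports" clone signal, and Gi1/0/3 carrying two addresses. The two addresses on the Gi1/0/48 uplink are deliberately ignored. In practice the inventory and OUI data come from the asset database and the IEEE registry rather than inline dictionaries, and the MAC table from the switch via SNMP or an API; the logic is the same.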
Interplanetary conflict! (Score:1)
stole or copied? (Score:1)
Are we talking "data loss" or "secrecy loss"?
THX (Score:2)
I guess (Score:2)
...the password was 3.14159
Re:I guess ; nope (Score:2)
knock knock.
who there.
china.
china who.
china here to Own your network and data.
and ppl wonder why CHinese goods look like others (Score:2)
This is why I continue to say that we are destroying our own-selves. Our security has become a joke. Trump is an ass, but I am hoping that the conservatives/neo-cons that are operating under him will tighten up security back to what we had in the 60s.
Why are you making things up WindBourne? (Score:2)
It was put on the network and left there.
Somebody knew it and moved it around.
Why contradict yourself WindBourne, which was it?
Re: (Score:3)
Except the very thing you are posting from wouldn't exist without NASA. https://www.jpl.nasa.gov/infog... [nasa.gov] A lot of technology is from NASA itself. PS: that's why USA is rich, everything from NASA is licensed for earnings. Defunding NASA would mean there would be a lot less of those earnings, eventually.
Re: DEFUND NASA NOW (Score:2)
PS: that's why USA is rich, everything from NASA is licensed for earnings.
What? Do we get royalties when others build Saturn V rockets? From every can of Tang?
Are you really claiming that NASA, contrary to all laws concerning discoveries made with public financing to the contrary, collects license fees in excess of their annual budget?
You MUST cite the source of your information.
Re: (Score:2)
https://www.ncbi.nlm.nih.gov/p... [nih.gov]
JSF pilots doing better job than NASA (Score:2)
How about we defund the dumbass military. They spent more money on the JSF than all of NASA's entire budget.
Those Navy pilots in the JSF are doing a better job at finding UFOs than NASA. :-)
Re: (Score:2)
To be fair, the military also spends more on space than all of NASA's entire budget.