IoT
IoT
Government // Cybersecurity
News
2/2/2016
03:16 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

NASA Denies Hackers Hijacked Its Drone

The space agency insists AnonSec didn't commandeer a NASA Global Hawk drone, but it's still looking into claims its network was hacked.

10 Signs You're Not Cut Out To Work At A Startup
10 Signs You're Not Cut Out To Work At A Startup
(Click image for larger view and slideshow.)

Hacking group AnonSec claims to have breached NASA's network and to have temporarily gained partial control of a NASA Global Hawk drone. The group says that two years ago it bought access to a NASA server from an individual identified as "Ghosts" (鬼佬) and, after months of network reconnaissance, managed to upload a .GPX file containing a pre-planned flight path -- for autopilot and connection failover -- to a NASA drone. The group speculates that its attempt to crash the drone failed because of pilot intervention.

To support its claim, AnonSec says it has posted 250GB of data exfiltrated from NASA servers.

Allard Beutel, acting director of NASA's news and multimedia division, in an email denied the group's assertions about the drone, and said the alleged breach is being investigated.

"Control of our Global Hawk aircraft was not compromised," said Beutel. "NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations."

Beutel added that NASA makes its scientific data publicly available, and that appears to be how the posted data was retrieved.

AnonSec acknowledges that at least some of the data posted is public, but the group claims it "wanted access to the raw data, straight from the backend servers, to see if they [NASA] were not publishing some of the data or possibly tampering with the data."

(Image: NASA Photo/Tom Miller)

(Image: NASA Photo/Tom Miller)

The group says one of the reasons it undertook its supposed infiltration was to bring awareness to government weather engineering research, which it considers sinister and related to efforts to promote corporate agribusiness and genetically modified organisms. The group stops short of proposing a specific conspiracy theory, noting that possible motives for geo-engineering range from "logical" to "a bit of a stretch."

NASA's claim that AnonSec posted purely public data also appears to be a bit of a stretch. For example, the hacking group posted a text dump of contract details for 2,414 NASA employees. NASA does offer an online directory but only to authorized NASA personnel. While it's plausible that AnonSec could have scraped websites for email addresses and phone numbers in order to present them as purloined data, a hack seems more likely, particularly in light of other details provided, like the use of weak passwords.

AnonSec claims to have identified several Ubuntu 3.8.0-29 systems on NASA's network that were vulnerable to a local root exploit, CVE-2014-0038. By exploiting this vulnerability, the hacking group claims it accessed a specific administrator's workstation and then was able to expand its access by exploiting the same vulnerability in other systems that had not been patched.

[Read OPM Breach Leads to New Systems, Procedures.]

AnonSec even offers some well-chosen words of advice to IT administrators. "People might find this lack of security surprising but its [sic] pretty standard from our experience," the group says in its post. "Once you get past the main lines of defence, its [sic] pretty much smooth sailing propagating through a network as long as you can maintain access. Too many corporations and governments focus 99% on preventing intruders instead of having viable solutions once there is a security breach, which is guaranteed to happen."

But it's not guaranteed to be proven.

Are you an IT Hero? Do you know someone who is? Submit your entry now for InformationWeek's IT Hero Award. Full details and a submission form can be found here.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
batye
50%
50%
batye,
User Rank: Ninja
2/3/2016 | 9:53:36 AM
Re: When it's necessary to read between the lines....
@Charlie Babcock - could not agree more, this days it interesting reading between the lines... but it sad reality of technology - as everything could be used for good or bad... even drones.... 
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Author
2/2/2016 | 9:47:38 PM
When it's necessary to read between the lines....
Good reading between the lines to estimate what actually happened in the NASA drone incident.
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of August 21, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.