Information Security News mailing list archives

Analyst says break-ins reveal continued vulnerabilities at NASA


From: William Knowles <wk () C4I ORG>
Date: Mon, 17 Jul 2000 11:40:17 -0500

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO47186,00.html

BY Ann Harrison

(Jul. 14, 2000) The arrest of two New Yorkers accused of breaking into
NASA computers points to ongoing security problems at the lab, a
problem that one analyst said could be due to lack of funding for
government security systems.

"Public embarrassment is certainly a factor here and it casts a bad
light on some of the security measures they are taking," said David
Remnitz, CEO of the Manhattan security firm IFsec, LLC. "But there
hasn't been that much money spent for [government] information
assurance processes. Even though NASA might have tremendous talent in
information security, they might not have enough people due to budget
constraints."

NASA as a whole has been trying to improve its security for the last
three or four years, but it is not in reaction to any specific
incident, said Steve Nesbitt, director of operations for the NASA
office of the inspector general computer crimes division. "I don't
know about the budget constraints that NASA has concerning their
resources," he said.

Nesbitt said NASA has not commented on any specific vulnerabilities
that led to the password thefts or Web site hack. But he said that
constant upgrades to operating systems often open holes that crackers
can exploit. "Operating systems need to be tested and verified before
they are released. That would improve everyone's security if they just
basically leave a back door into the systems."

Nesbitt says NASA uses a combination of operating systems, but given
the number of incursions, it was difficult to track which operating
system was running the compromised Web server. He added that NASA does
have a security response mechanism in place but he said the speed of
remediation is affected by the necessity of daily systems operation
and maintenance.

Raymond Torricelli, 20, of New Rochelle, N.Y., was arrested Wednesday
for breaking into two computers at NASA's Jet Propulsion Laboratories
in Pasadena, Calif., in 1998, according to the U.S. attorney's office.
Investigators said the burglaries led to the theft of more than 100
credit-card numbers that were used in the theft of more than $10,000
worth of goods. He was released on $50,000 bail but faces up to 10
years in prison and a $250,000 fine.

While court papers said NASA has since spent several thousand dollars
strengthening security on the Pasadena machines, an unidentified
15-year-old high school student was arrested this week for breaking
into two additional NASA computers in Hampton, Va., and a third
machine in Bethpage, N.Y. The teenager surrendered Tuesday to Suffolk
County police, who charged him with computer tampering.

"There is no excuse. NASA should have had that system hardened in a
more appropriate fashion," said Remnitz.

The NASA Office of the Inspector General said that the teenager didn't
gain access to sensitive or classified information, but that he caused
about $5,000 in damage when he defaced the NASA Web site with the
message, "SSH is coming," a reference to his hacker handle "Sesame
Street Haxorz."

According to police, the teen also replaced NASA system files with
images, including that of Elmo, a character in the "Sesame Street"
children's TV show. Police said they were investigating whether the
teenager, who was released into the custody of his father, was being
instructed online by another computer cracker.

The five-count complaint against Torricelli alleges that he exploited
a vulnerability in one NASA computer at the Jet Propulsion labs that
allowed him to use the machine to hold chat-room discussions with a
cracking group known as "#conflict," or "pound conflict." The computer
was used by NASA to perform satellite design and mission analysis for
future space missions.

Court papers said data recovered from Torricelli's personal computer
revealed that the discussions included hacking strategies and methods
for stealing credit cards and altering the results of the MTV Movie
Awards.

Torricelli is then alleged to have broken into a second NASA computer
used by the laboratory as an e-mail and internal Web server.
Investigators say Torricelli exploited a security hole in the computer
to install a sniffer program that intercepted user names and passwords
as they traversed the networks of San Jose State University and
Georgia Southern University.

Remnitz said the network sniffing and password cracking that
Torricelli allegedly pulled off in 1997 and 1998 are now considered
unsophisticated by current standards. But despite the years that
elapsed since the exploits occurred, NASA has provided little
information about the vulnerabilities that could pinpoint the cause of
the security breaches or help other users.

"The problem with this whole incident is that there are so many rumors
coming out about it, but no facts," he said.

The complaint charged that Torricelli used a decrypting program called
"John-the-Ripper" to seize more than 76,000 passwords. The passwords
and user names were used to gain unauthorized access to more than 800
computers. American Express, Visa, MasterCard and Discover reported
that more than 100 stolen credit-card numbers on Torricelli's PC led
to more than $10,000 in fraud from cardholders.

Torricelli also allegedly earned more than $5,200 from an unidentified
company for using them to spam ads for a pornographic Web site.

According to Remnitz, a directive handed down by President Clinton was
intended to allocate more money to strengthening the national
infrastructure and commercial networks that support government
systems. But he said the NASA security failures show that they are
still underfunded.

"Technology is changing so fast, and security departments have to
continuously be on top of security and devices in their systems . . .
that if they don't have enough people, they are at a tremendous
disadvantage," said Remnitz.


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*
