The actual OIG report: https://oig.nasa.gov/docs/IG-19-022.pdf I only did the briefest of scans, but the recommendations seem pretty basic best practices stuff.
In my experience, research labs tend to be creative spaces with a focus on collaboration, and information security is not foremost on people's minds. I guess that will have to change.
Recommendations suck; they just write a couple of times that administrators should update the "Information Technology Security Database" and that they failed to do that. That should be automated. They have all those "CISO", "SAISO", "OCIO" and "CIO" but there is no one who knows how to set up an automated nmap scan for a network range? Then trigger someone and add it to some inventory, like "hey, there is some new Raspberry Pi in the network, should you maybe check it?"
It's not like you can easily detect a rogue RPi with just nmap. It's trivial not to respond to anything sent to you. You have to start looking at ARP, but that's not iron-clad either.
But that is not the point; the point is they make admins do stuff manually. Getting kids to brush their teeth every morning and evening is hard; getting a bunch of IT admins to do something that seems pointless every day is close to impossible. Setting up something that scans the network every day is trivial by comparison.
It's kind of interesting to read in the report how the JPL was not compliant with several NIST guidelines (800-53 and others); what it does not mention is how this situation persisted despite the required audits for federal organizations.
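The "scan the network every day and flag anything not in the inventory" idea from the comments above, as an added example that is not from the thread or the OIG report: it reads the Linux neighbour (ARP) table instead of relying on hosts answering a probe, diffs the MACs against an approved asset list, and tags unknown devices by OUI. The `ip neigh` sample, the inventory and the OUI table are constructed assumptions for the example.

```python
"""Flag LAN devices that are present in the ARP/neighbour table but absent
from the asset inventory. Silent hosts skip nmap probes, but anything that
talks on the segment still leaves an entry here."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `ip neigh show` output (not captured from any real network).
SAMPLE_NEIGH = """\
10.0.5.12 dev eth0 lladdr 00:1b:21:aa:bb:cc REACHABLE
10.0.5.40 dev eth0 lladdr b8:27:eb:12:34:56 STALE
10.0.5.41 dev eth0 lladdr 3c:52:82:01:02:03 REACHABLE
10.0.5.99 dev eth0  FAILED
"""

# Approved inventory, MAC -> asset name. Constructed for the example.
INVENTORY: Dict[str, str] = {
    "00:1b:21:aa:bb:cc": "lab-fileserver",
    "3c:52:82:01:02:03": "printer-b12",
}

# OUI (first three octets) -> vendor tag. Assumption: b8:27:eb and dc:a6:32 are
# Raspberry Pi Foundation OUIs per the IEEE registry; check the current registry
# before relying on the list, and extend it for the vendors you care about.
OUI_TAGS: Dict[str, str] = {"b8:27:eb": "raspberry-pi", "dc:a6:32": "raspberry-pi"}

# Only lines that carry a link-layer address are inventory-relevant;
# FAILED/INCOMPLETE entries have no MAC and are skipped.
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+([0-9a-f:]{17})\s+(\S+)$", re.I)


def parse_neigh(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs, MACs lower-cased, for resolved neighbour entries."""
    pairs = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(3).lower()))
    return pairs


def find_unknown(neigh_text: str, inventory: Dict[str, str],
                 oui_tags: Dict[str, str]) -> List[Dict[str, str]]:
    """Return one record per MAC seen on the wire that is not in the inventory."""
    unknown = []
    for ip, mac in parse_neigh(neigh_text):
        if mac in inventory:
            continue
        unknown.append({"ip": ip, "mac": mac,
                        "vendor_tag": oui_tags.get(mac[:8], "unknown-oui")})
    return unknown


if __name__ == "__main__":
    for dev in find_unknown(SAMPLE_NEIGH, INVENTORY, OUI_TAGS):
        print(f"ALERT new device {dev['ip']} {dev['mac']} ({dev['vendor_tag']})")
```

Run it from cron on a host on each segment and feed the alerts into the ticketing system; the reviewer only has to act when something new shows up.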
> 5,406 unresolved SPLs—about 86 percent of which were rated high or critical
> JPL did not effectively address a known software vulnerability, first identified in 2017, with a critical score of 10. This software flaw can be used by cyberattackers to remotely execute malicious code
> one of the projects has a waiver of JPL IT security requirements to change passwords every 90 days. Instead, the project relies on a designated application and team accounts to share password files, group files, host tables, and other files over the network
There seems to be a fair amount of filler in the report (review access logs, out of date inventory, etc) but these points seem pretty damning.
If I was a betting man, I'd bet that there are some old dusty areas of NASA facilities where there are open NFS exports, NIS providing security, and Sun workstations doing work.
I bet someone could fire up a SATAN scanning instance with a Mosaic browser and find some open stuff on some of those old and crusty computers. :)
The article mentions that the hackers stole 500MB? The number seems small given the scale of storage in modern computers but I guess 500MB could account for a large number of documents that contain confidential info.
There is no RPi vulnerability (in this article). The RPi was just used as a bastion into the internal network. It could have been any SBC. Once you're already inside the internal network, things get stupid lax.
E.g. I can't see your Windows shared folders from the internet, but the PC in the next room can. Someone sneaked an RPi into JPL to be that PC in the next room.
See also: Season 1 of Mr. Robot had this exact scenario as a plot point.
> The comprehensive federal review of JPL’s systems stemmed from an April 2018 incident when someone at JPL attached the Raspberry Pi to the network there for an unknown purpose
Basically, someone plugged in a computer to the corporate network that happened to be a Raspberry Pi. Might as well have been a Beaglebone, a Banana Pi or an Intel NUC for that matter.
Probably just ssh enabled with the default credentials. IIRC, raspberry pis have their own MAC address prefix, so it's pretty obvious when you find one.
Not impossible to imagine the credentials were the unchanged default pi/raspberry... (I imagine quite a few people who haven't done much w/ a Pi don't even run raspi-config) I assume you can scan for similar exposed RPis with Shodan etc.
The article says if the hackers were some jokers on the internet then the data isn't terribly useful, but if it was an adversarial nation then it is very useful. Why? Can't the jokers sell it to other nations?