Space station control codes stolen with NASA laptop, unencrypted

Somewhere out there, a laptop thief may have access to the command codes used to control the International Space Station (ISS).

 

The scenario is not out of a sci-fi movie script, but from an actual investigation by the US National Aeronautics Space Administration (NASA) of the theft of one of its laptops last year.

 

Worse, NASA's inspector general told Congress the stolen laptop - one of several mobile devices lost or stolen in recent years - was not encrypted, tech site CNET reported.

 

"The March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station," the CNET report quoted NASA Inspector General Paul Martin as saying in a written testimony.

 

He added another laptop contained sensitive information on the NASA's Constellation and Orion programs, as well as Social Security numbers.

 

The investigation also found some 48 agency devices were ether lost or stolen between April 2009 and April 2011.

 

This led to the unauthorized release of sensitive information such as personally identifiable information, third-party intellectual property, and export-controlled data.

 

In 2010 and 2011, NASA experienced 5,408 computer security incidents that resulted in unauthorized access to systems or the installation of unauthorized software, costing the agency an estimated $7 million.

 

Martin added that since the reporting system is voluntary, these numbers may not represent the full extent of the security threat.

 

"NASA cannot consistently measure the amount of sensitive data exposed when employee notebooks are lost or stolen because the agency relies on employees to self-report regarding the lost data rather than determining what was stored on the devices by reviewing backup files," he said.

 

Cyberattacks

 

In 2011, Martin said NASA was the target of 47 cyberattacks considered as advanced persistent threats (APTs).

 

Such attacks are executed by well-resourced individuals or groups intent on stealing or modifying information without being detected, CNET reported.

 

Martin said that of those attacks, 13 successful compromised agency computers, while one intrusion resulted in the theft of user credentials for more than 150 NASA employees that could have been used to gain access to agency computer systems.

 

Another such attack, which is being investigated, targeted the Jet Propulsion Laboratory in Pasadena, California.

 

In that attack, intruders using China-based IP addresses "gained full access to key JPL systems and sensitive user accounts," Martin said.

 

Martin added that while the government-wide rate of mandated encryption was 54 percent, only 1 percent of NASA portable devices have been encrypted.

 

"Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft," he said. — TJD, GMA News