NASA breach shows again that brute force password attacks work

It isn’t uncommon for hackers to boast about their exploits; it adds a bit of credibility to their work.

So infosec teams should pay attention to claims from a group called AnonSec, which says it brute-force cracked the password of an administrator at the U.S. National Aeronautics and Space Administration (NASA) in less than one second to help access hundreds of videos from aircraft and weather radars, thousands of flight logs as well as the names, email addresses and phone numbers of over 2,000 NASA employees.

According to a report on Infowars, which has seen a paper AnonSec published describing its work, attackers first purchased an undescribed “foothold” into NASA from someone with knowledge of its servers, after which an administrator’s SSH password was broken because the default credentials hadn’t been changed. A Forbes.com columnist says he was told by someone claiming responsibility for the attack that the access was purchased from a Chinese group, paying in Bitcoin, in 2013. Once inside, the attackers allege, they reconnoitered the network.

“After sniffing a password belonging to the system administrator, the hackers say they were eventually able to gain full root access to three network-attached storage (NAS) devices tasked with compiling backups of aircraft flight logs,” adds the Infowars report.

UPDATE: NASA has denied its drone systems have been breached. The agency also told SecurityWeek that many of the names and email addresses AnonSec claims to have are publicly available. SecurityWeek says it confirmed that the personal information is on public NASA Web sites, although that does not amount to a denial that a breach occurred. “NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data,” it told the news site.

Finally, the attackers alleged they were able to take over a NASA drone through a man-in-the-middle attack. UPDATE: NASA denies that happened.

Brute force password attacks are still being used — and are still effective. Cisco Systems’ recent 2016 Security Report noted the SSHPsychos DDoS network uses a hosting provider in China with a database of 300,000 unique passwords to crack systems and create a botnet.
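The SSH password guessing the article describes leaves a very recognisable trail in the server's auth log. The following is an added example, not code from the article or from any of the parties it names: it parses sshd log lines (the sample lines, hostnames and addresses are constructed) and flags any source that reaches a threshold of failed password logins inside a sliding time window, then notes whether a successful password login from the same source followed, which is the pattern to escalate first.

```python
"""Flag SSH password brute-force activity in sshd auth log lines.

Added example (not from the article). Sliding-window count of
'Failed password' events per source address, over constructed log lines.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes on Linux.
# Addresses come from the documentation ranges (TEST-NET-3 / TEST-NET-2).
SAMPLE_LOG = """\
Jan 14 03:12:01 nas01 sshd[2210]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 14 03:12:01 nas01 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 14 03:12:02 nas01 sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jan 14 03:12:02 nas01 sshd[2213]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 14 03:12:03 nas01 sshd[2214]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 14 03:12:04 nas01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 14 03:15:40 nas01 sshd[2300]: Failed password for alice from 198.51.100.9 port 40210 ssh2
Jan 14 03:16:05 nas01 sshd[2301]: Accepted publickey for alice from 198.51.100.9 port 40211 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2016):
    """Parse one sshd auth line into a dict, or None if it is not a login event.
    Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: summary} for sources with >= threshold failed password
    attempts inside any window_seconds window. summary['success_after'] is
    True if a password login from that source later succeeded."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "password":
            continue  # key-based logins are not password-guessing candidates
        ip = ev["ip"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append((ev["ts"], ev["user"]))
            # Drop failures that have aged out of the window.
            while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                summary = flagged.setdefault(ip, {
                    "first_seen": q[0][0], "attempts": 0,
                    "users": set(), "success_after": False})
                summary["attempts"] = max(summary["attempts"], len(q))
                summary["users"].update(u for _, u in q)
        elif ip in flagged:
            # A success after a burst of failures is the likely-compromise case.
            flagged[ip]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for ip, s in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        level = "COMPROMISE?" if s["success_after"] else "brute force"
        print(f"{level}: {ip} {s['attempts']} failures from {s['first_seen']}, "
              f"accounts tried: {sorted(s['users'])}")
```

Against the constructed sample the script flags 203.0.113.7 (five failures in four seconds against root and admin, followed by an accepted password login) and ignores 198.51.100.9, whose single failure and key-based login are normal. In production the same logic is usually run by fail2ban or a SIEM rule; the thresholds here are assumptions to tune per environment.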

It’s been said before and bears repeating: Anything that touches the network and has an administrator console must have mandatory password control. Admittedly, the bigger the enterprise, the more complex the environment. But that only means security leaders have to crack down harder to enforce best practices. That means regularly checking what is on the network and ensuring default passwords are changed.

In particular, administrator passwords need to be at least 25 characters (not that difficult if it’s a phrase), and administrator accounts should be protected by two-factor authentication.
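"Regularly checking what is on the network" also means checking how each SSH server is configured, since a default sshd_config is what lets a password list be tried against an administrator account in the first place. The following is an added example, not code from the article: it parses a constructed default-style sshd_config beside a hardened one and reports the settings that leave password guessing open. The checks encode common OpenSSH hardening guidance (the keyword defaults noted in the comments are those documented in sshd_config(5)); they do not describe NASA's environment.

```python
"""Audit an sshd_config for settings that leave SSH password guessing open.

Added example (not from the article). Both configs below are constructed.
"""

WEAK_CONFIG = """\
# Constructed config that mirrors stock defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
# Constructed hardened config: keys required, root not directly reachable,
# a second factor (typically PAM-delivered via keyboard-interactive) required.
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
AuthenticationMethods publickey,keyboard-interactive
LoginGraceTime 30
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for the top-level settings.
    sshd uses the first occurrence of a keyword, so the first one seen wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break  # per-user/host Match blocks are out of scope here
        # Keyword and value may be separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means no weak setting found."""
    s = parse_sshd_config(text)
    findings = []
    # Default is yes: password guessing is possible unless explicitly disabled.
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: passwords can be guessed over SSH")
    # Default differs by OpenSSH version, so only an explicit 'yes' is flagged.
    if s.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: root is a directly guessable account")
    if s.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("PermitEmptyPasswords yes: blank passwords accepted")
    try:
        tries = int(s.get("maxauthtries", "6"))  # default is 6
        if tries > 3:
            findings.append(f"MaxAuthTries {tries}: more than 3 guesses per connection")
    except ValueError:
        findings.append("MaxAuthTries is not an integer")
    # Without AuthenticationMethods any single successful method grants access.
    if "authenticationmethods" not in s:
        findings.append("AuthenticationMethods unset: no second factor required")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_sshd_config(cfg) or ["no findings"]:
            print(" -", f)
```

On the constructed weak config the audit reports four findings (password authentication on, root login allowed, six tries per connection, no multi-factor requirement); the hardened config produces none. Run it over `/etc/ssh/sshd_config` on each host as part of the periodic inventory the article calls for.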

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com