
Another server security lapse at NASA exposed staff and project data

Two months ago, NASA quietly fixed a buggy internal server that was leaking sensitive information about the agency's staff and their work.
The leaking server was, ironically, a bug reporting server running the popular Jira bug triaging and tracking software. In NASA's case the software wasn't properly configured, allowing anyone to access the server without a password, Avinash Jain, an India-based security researcher who found the exposed server, told TechCrunch.
According to Jain's writeup, some Jira instances are misconfigured so that "everyone" can access them without a password, where "everyone" means anyone on the internet, not, as some administrators believe, just everyone within the organization.
This was the case for NASAs leaking server.
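The misconfiguration above shows up from the outside as Jira REST endpoints answering an unauthenticated request with real data. The check below is an added example for this article, not code from the article, from Jain's writeup, or from Atlassian; it assumes the documented Jira Server/Data Center endpoints /rest/api/2/project, /rest/api/2/search and /rest/api/2/myself, takes the base URL from the caller (the host name in the usage line is a placeholder), and sends no credentials or cookies. Only run it against instances you are authorised to test.

```python
"""Triage check for anonymous access to a Jira Server/Data Center instance."""
import json
import sys
import urllib.error
import urllib.request


def http_get(url, timeout=10):
    """GET url with no credentials and no cookies; return (status, body_text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _json_or_none(body):
    try:
        return json.loads(body)
    except ValueError:
        return None


def count_anonymous_projects(status, body):
    """Projects listed by /rest/api/2/project for an unauthenticated caller.

    Jira answers 200 with an empty list when nothing is browseable anonymously,
    so a 200 alone proves nothing; only a non-empty list does.
    """
    if status != 200:
        return 0
    data = _json_or_none(body)
    return len(data) if isinstance(data, list) else 0


def count_anonymous_issues(status, body):
    """Total issues that an unauthenticated JQL search is allowed to see."""
    if status != 200:
        return 0
    data = _json_or_none(body)
    if not isinstance(data, dict):
        return 0
    total = data.get("total")
    if isinstance(total, int):
        return total
    return len(data.get("issues", []))


def assess(base_url, fetch=http_get):
    """Return a dict describing what an anonymous visitor can read.

    `fetch` is injectable so the logic can be exercised offline with
    constructed responses (see the usage at the bottom).
    """
    base = base_url.rstrip("/")
    p_status, p_body = fetch(base + "/rest/api/2/project")
    s_status, s_body = fetch(
        base + "/rest/api/2/search?jql=order+by+created+desc&maxResults=1")
    # /rest/api/2/myself rejects anonymous callers; a 200 here means the probe
    # was somehow authenticated and the counts above are not "anonymous" at all.
    m_status, _ = fetch(base + "/rest/api/2/myself")
    projects = count_anonymous_projects(p_status, p_body)
    issues = count_anonymous_issues(s_status, s_body)
    return {
        "projects": projects,
        "issues": issues,
        "unauthenticated": m_status in (401, 403),
        "exposed": projects > 0 or issues > 0,
    }


if __name__ == "__main__":
    # Placeholder host; pass a real base URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://jira.example.invalid"
    print(json.dumps(assess(target), indent=2))
```

A non-empty project list or a non-zero search total means the "Anyone" group has Browse Projects on at least one project; an empty list with a 200 status is the normal, closed state, not an error, so the script does not treat status codes alone as evidence either way.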
Jain found the leaking server in October. It exposed NASA staff usernames and email addresses and the projects they were working on. Because Jira holds information about bugs and issues within an organization, including work in progress, the server also gave up what agency staff were working on and their upcoming milestones.
It's not known if any classified information was on the Jira server, such as names or details of sensitive projects. Jain also said it's not clear how many NASA staff users were in the database, as Jira limits searches to 1,000 results at a time.
After he contacted NASA and CERT/CC, the vulnerability disclosure center at Carnegie Mellon University, the exposed server was fixed some three weeks later, he said.
NASA never responded to his private disclosure.
Although NASA has a page on HackerOne, a vulnerability reporting platform, allowing researchers to email NASA about security issues, the agency doesn't have a dedicated bug bounty program.
"I dropped [NASA] around five emails before it was fixed, and I was never informed that it was fixed," he told TechCrunch.
CERT/CC later expressed its appreciation for Jain's privately reporting the bug.
This latest server lapse is yet another bruise for the U.S. space agency's security posture: the fourth known incident this decade, after over a dozen hacks in 2011 alone and another sensitive data breach in 2016.
The latest breach was just before Christmas, when the agency reported a data compromise affecting current and former NASA employees between July 2006 and October 2018. But CERT/CC told Jain in an email that there was no evidence his finding was related to NASA's latest breach disclosure.
NASA was unable to comment during the government shutdown, according to an automated message on the agency's press line.
