It isn’t uncommon for hackers to boast about their exploits; it adds a bit of credibility to their work.
So infosec teams should pay attention to claims from a group called AnonSec, which says it brute-force cracked the password of an administrator at the U.S. National Aeronautics and Space Administration (NASA) in less than one second to help access hundreds of videos from aircraft and weather radars, thousands of flight logs as well as the names, email addresses and phone numbers of over 2,000 NASA employees.
According to a report on Infowars, which has seen a paper AnonSec published describing its work, attackers first purchased an undescribed “foothold” into NASA from someone with knowledge of its servers, after which an administrator’s SSH password was broken because the default credentials hadn’t been changed. A Forbes.com columnist says he was told by someone claiming responsibility for the attack that the access was purchased from a Chinese group, paying in Bitcoin, in 2013. Once inside, the attackers allege, they reconnoitered the network.
“After sniffing a password belonging to the system administrator, the hackers say they were eventually able to gain full root access to three network-attached storage (NAS) devices tasked with compiling backups of aircraft flight logs,” adds the Infowars report.
UPDATE: NASA has denied its drone systems have been breached. The agency also told SecurityWeek that many of the names and email addresses AnonSec claims to have are publicly available. SecurityWeek says it confirmed that personal information is on public NASA Web sites, although it isn’t clear that this amounts to a denial that a breach occurred. “NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data,” it told the news site.
Finally, the attackers alleged they were able to take over a NASA drone through a man-in-the-middle attack. UPDATE: NASA denies that happened.
Brute force password attacks are still being used — and are still effective. Cisco Systems’ recent 2016 Security Report noted the SSHPsychos DDoS network uses a hosting provider in China with a database of 300,000 unique passwords to crack systems and create a botnet.
It’s been said before and bears repeating: Anything that touches the network and has an administrator console must have mandatory password control. Admittedly, the bigger the enterprise, the more complex the environment. But that only means security leaders have to crack down harder to enforce best practices. That means regularly checking what is on the network and ensuring default passwords are changed.
In particular, administrator passwords need to be at least 25 characters (not that difficult if it’s a phrase) and use two-factor authentication.
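Two of the controls this article calls for can be checked mechanically: spotting an SSH password brute-force attempt (and the successful login that follows a guessed default credential) in sshd logs, and rejecting administrator passwords that are shorter than 25 characters or match a known default. The script below is an added example written for this article, not code from AnonSec, NASA, Cisco or any of the reports cited; the log lines, host name, IP addresses and the small `KNOWN_DEFAULTS` list are constructed for illustration, and the five-failures-in-60-seconds threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log sample in syslog format (RFC 5737 documentation addresses);
# it mimics a password-guessing run that ends in a successful login, then a normal
# key-based login from another host. None of this is real data.
SAMPLE_LOG = """\
Jan 14 03:12:01 nas01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Jan 14 03:12:02 nas01 sshd[2213]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jan 14 03:12:02 nas01 sshd[2215]: Failed password for invalid user root from 203.0.113.7 port 51025 ssh2
Jan 14 03:12:03 nas01 sshd[2217]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Jan 14 03:12:03 nas01 sshd[2219]: Failed password for admin from 203.0.113.7 port 51027 ssh2
Jan 14 03:12:04 nas01 sshd[2221]: Accepted password for admin from 203.0.113.7 port 51028 ssh2
Jan 14 03:15:40 nas01 sshd[2300]: Failed password for backup from 198.51.100.9 port 40011 ssh2
Jan 14 03:40:12 nas01 sshd[2401]: Accepted publickey for backup from 198.51.100.9 port 40020 ssh2
"""

# Matches OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd(text):
    """Turn sshd log text into a list of authentication events (unparseable lines are skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; fine for ordering within one log file
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a source once it has `threshold` failed password logins inside a sliding `window`,
    and flag any later password success from that source (the credential was likely guessed).
    Returns a list of (finding, source, detail) tuples in log order."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()
    findings = []
    for ev in events:
        if ev["method"] != "password":      # key-based logins are not guessable this way
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            recent = failures[src]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:   # drop failures outside the window
                recent.pop(0)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append(("bruteforce", src, len(recent)))
        elif src in flagged:               # Accepted password from an already-flagged source
            findings.append(("success_after_bruteforce", src, ev["user"]))
    return findings


# Constructed stand-in for a vendor-default / breached-password list (a real deployment
# would load a far larger set, such as the 300,000-entry wordlists attackers carry).
KNOWN_DEFAULTS = {"admin", "password", "nasadmin", "changeme"}


def check_admin_password(password, min_length=25, blocklist=KNOWN_DEFAULTS):
    """Apply the article's rule for administrator passwords: at least 25 characters and
    never a default. Returns a list of policy violations (empty means the password passes).
    Two-factor authentication must be enforced in the SSH/PAM configuration, not here."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in blocklist:
        problems.append("matches a known default password")
    return problems


if __name__ == "__main__":
    for finding in find_bruteforce(parse_sshd(SAMPLE_LOG)):
        print(finding)
    print(check_admin_password("changeme"))
    print(check_admin_password("correct horse battery staple rover"))
```

Run against the constructed sample, the detector reports one brute-force burst from 203.0.113.7 followed by a password login from the same source for `admin`, which is exactly the sequence the article describes (default credential, then root on the NAS boxes) and the event a SOC should page on; the single failure from 198.51.100.9 and its subsequent key-based login are ignored. The policy function rejects "changeme" on both counts while a 34-character passphrase passes.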