In the movie “Space Station Terror” coming later this year, hackers steal an unencrypted NASA laptop computer that enables them to gain full command over the computers controlling the International Space Station, threatening to kill the astronauts aboard and destroy the station unless paid a $100 million ransom.
Oh, wait. That isn't a movie. Half of that already happened with the stolen NASA laptop. The space agency's inspector general testified before Congress last week that “the March 2011 theft of an unencrypted NASA notebook computer resulted in the loss of the algorithms used to command and control the International Space Station.”
NASA Inspector General Paul Martin said space agency computers were seriously compromised 13 times last year. In one incident, hackers stole log-in credentials for more than 150 NASA employees that could be used to gain access to space agency computers. In another incident, traced to China, hackers gained full access to computers at the space agency's Jet Propulsion Lab, allowing access to “key JPL systems and sensitive user accounts....In other words, the attackers had full functional control over these networks.”
When Defense Secretary Leon Panetta was asked following a speech last week in Louisville, KY, what keeps him up at night, he didn't hesitate: a major cyber attack.
“We are literally getting hundreds or thousands of attacks every day that try to exploit information in various [U.S.] agencies or departments,” Panetta said.
“There are, obviously, growing technology and growing expertise in the use of cyber warfare,” he said. “The danger is, I think, the capabilities are available in cyber to virtually cripple this nation: to bring down the power grid, to impact on our governmental systems, to impact on Wall Street and our financial system and to literally paralyze this country.”
At the same time last week, FBI Director Robert Mueller, speaking at the RSA Conference on computer security in San Francisco, said that while terrorism remained the FBI's top priority, “in the not too distant future, we anticipate that the cyber threat will pose the No. 1 threat to our country.”
“Today, terrorists have not used the Internet to launch a full-scale cyber attack, but we cannot underestimate their intent,” Mueller said.
NASA's Martin, in his testimony, underlined the growing sophistication of cyber attacks and that many appear to be well resourced and well funded, either through criminal networks or state sponsorship. While NASA computers are targeted thousands of times a year by hackers, the real concern are these super-sophisticated attacks, known as “advanced persistent threats,” which occurred 47 times last year.
“The individuals or nations behind these attacks are typically well organized and well funded and often target high-profile organizations like NASA,” he said. “Moreover, even after NASA fixes the vulnerability that permitted the attack to succeed, the attacker may covertly maintain a foothold inside NASA’s system for future exploits.”
The possibility of state-sponsored cyber attacks first made major headlines in August 2010 with the public discovery that a computer worm, dubbed the Stuxnet virus, had targeted control systems at Iranian nuclear facilities, causing the destruction of more than 1,000 centrifuges used in the production of high-grade nuclear fuel.
There has been much speculation that either the U.S. or Israel, or both countries, developed and deployed the worm. It was the first known use of a computer virus to attack infrastructure by taking over industrial control systems.
Former CIA Director Gen. Mike Hayden said in a 60 Minutes interview aired on CBS Sunday that he believed Stuxnet was a “good idea” despite the fact that cyber terrorists may one day use a variant of the same virus to attack U.S. infrastructure.
“This was a good idea, alright? But I also admit this was a big idea, too,” Hayden said. “The rest of the world is looking at this and saying, 'Clearly, someone has legitimated this kind of activity as acceptable.'”
Many types of attacks enlist the use of an army of computers hijacked from their unwitting owners. NASA's Martin referred to the takedown last November of a cyber criminal network operating under the cover of an Estonian company called Rove Digital. That network, whose goal was financial fraud, spanned more than 100 countries and 4 million computers, Martin said.
The FBI's Mueller is pessimistic.
“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again,” he said.
The fight against cyber attacks starts at home. Keep your computer's web-browsing and operating system software up to date, as well as running firewall and anti-virus software. And be thoughtful about how you can protect your computer not only from identity theft and financial phishing schemes, but from being hijacked as part of a network of attacking computers.
The 2012 Global Security Report issued last week by computer security firm Trustweave found that 84 percent of businesses did not detect security breaches on their own computers, but only found out about them through law enforcement, regulators or the public. On average, it took almost six months before the breach was detected. And yet the same report found that 5 percent of all business computers were protected by a password that was some variant of the word “password.”
The next most common password: “welcome.” We need to make hackers feel the opposite.