
A Rogue Raspberry Pi Let Hackers Into JPL Network - workerthread
https://www.extremetech.com/internet/293563-a-rogue-raspberry-pi-let-hackers-into-nasas-jpl-network
======
jascii
The actual OIG report:
[https://oig.nasa.gov/docs/IG-19-022.pdf](https://oig.nasa.gov/docs/IG-19-022.pdf)
I only did the briefest of scans, but the recommendations seem pretty basic
best practices stuff.

In my experience, research labs tend to be creative spaces with a focus on
collaboration, and information security is not foremost on people's minds. I
guess that will have to change.

~~~
ozim
Recommendations suck; they just write a couple of times that administrators
should update "Information Technology Security Database" and that they failed
to do that. That should be automated. They have all those "CISO", "SAISO",
"OCIO" and "CIO" but there is no one who knows how to set up an automated nmap
scan for a network range? Then trigger someone and add it to some inventory,
like "hey, there is some new Raspberry Pi on the network, should you maybe
check it?"

~~~
Avamander
It's not like you can easily detect a rogue RPi with just nmap. It's trivial
not to respond to anything sent to you. You have to start looking at ARP, but
that's not iron-clad either.

~~~
emilburzo
arpwatch worked pretty flawlessly when I needed something like that

[https://en.wikipedia.org/wiki/Arpwatch](https://en.wikipedia.org/wiki/Arpwatch)

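As an added example that is not part of this thread, of arpwatch, or of the NASA/JPL report: a small Python watcher in the spirit of ozim's "new device on the network" trigger and emilburzo's arpwatch mention. It takes ARP observations (here a constructed "ip mac" sample, the format a sniffer or arpwatch-style log would produce), compares them with a baseline inventory keyed by MAC, and raises alerts for unknown stations, known MACs appearing at a new IP, and a known IP answering from a different MAC (what arpwatch calls a "flip flop"). Watching ARP rather than probing matters for the reason Avamander gives: a device can ignore every probe nmap sends, but it still has to ARP to talk to anything on its segment. The baseline, the sample observations, the alert shape and the function names are all assumptions made for this example; the b8:27:eb prefix is the widely documented Raspberry Pi Foundation OUI, but check it against the IEEE OUI registry before relying on it. The example goes slightly beyond the thread by tagging vendor OUIs, so a hit on a single-board-computer vendor stands out in the alert text.

```python
"""ARP-observation watcher: diff what is seen on the wire against a
baseline inventory and report new or changed stations.

Added example for the discussion above; not code from arpwatch, the
thread, or NASA/JPL. All inventory and observation data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Baseline inventory, MAC -> (expected IP, label). Constructed sample.
BASELINE: dict[str, tuple[str, str]] = {
    "00:11:22:33:44:01": ("10.1.2.10", "build-server (approved)"),
    "00:11:22:33:44:02": ("10.1.2.11", "workstation-lab-3 (approved)"),
}

# OUI prefixes worth calling out by name. b8:27:eb is the commonly cited
# Raspberry Pi Foundation OUI; verify against the IEEE registry before use.
OUI_LABELS: dict[str, str] = {
    "b8:27:eb": "Raspberry Pi Foundation",
}

# Constructed observations in an arpwatch-like "ip mac" line format,
# as a passive sniffer on the segment would record them over time.
SAMPLE_OBSERVATIONS = """\
# ip           mac
10.1.2.10 00:11:22:33:44:01
10.1.2.11 00:11:22:33:44:02
10.1.2.57 B8-27-EB-AA-BB-CC
10.1.2.11 00:11:22:33:44:99
10.1.2.57 b8:27:eb:aa:bb:cc
"""


@dataclass(frozen=True)
class Alert:
    kind: str  # "new-station", "changed-ip" or "flip-flop"
    ip: str
    mac: str
    detail: str


def normalize_mac(mac: str) -> str:
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    hexdigits = set("0123456789abcdef")
    if len(parts) != 6 or not all(len(p) == 2 and set(p) <= hexdigits for p in parts):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(parts)


def oui(mac: str) -> str:
    """First three octets of a MAC, i.e. the vendor OUI."""
    return normalize_mac(mac)[:8]


def parse_observations(text: str) -> list[tuple[str, str]]:
    """Parse 'ip mac' lines; blank lines and '#' comments are ignored."""
    seen: list[tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, mac = line.split()
        seen.append((ip, normalize_mac(mac)))
    return seen


def analyze(observations, baseline, oui_labels) -> list[Alert]:
    """Compare observed (ip, mac) pairs with the baseline; one alert per finding."""
    alerts: list[Alert] = []
    emitted: set[tuple[str, str, str]] = set()
    ip_to_mac = {ip: mac for mac, (ip, _label) in baseline.items()}

    def emit(kind: str, ip: str, mac: str, detail: str) -> None:
        key = (kind, ip, mac)
        if key not in emitted:  # repeated sightings do not repeat the alert
            emitted.add(key)
            alerts.append(Alert(kind, ip, mac, detail))

    for ip, mac in observations:
        vendor = oui_labels.get(oui(mac))
        tag = f" [{vendor}]" if vendor else ""
        if mac not in baseline:
            if ip in ip_to_mac:
                old = ip_to_mac[ip]
                emit("flip-flop", ip, mac,
                     f"{ip} was {old} ({baseline[old][1]}), now answers as {mac}{tag}")
            else:
                emit("new-station", ip, mac, f"unknown MAC {mac}{tag} seen at {ip}")
        elif baseline[mac][0] != ip:
            emit("changed-ip", ip, mac,
                 f"{baseline[mac][1]} moved from {baseline[mac][0]} to {ip}")
    return alerts


def run_sample() -> list[Alert]:
    """Run the watcher over the constructed sample data."""
    return analyze(parse_observations(SAMPLE_OBSERVATIONS), BASELINE, OUI_LABELS)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"{alert.kind:12} {alert.ip:<12} {alert.mac}  {alert.detail}")
```

On the sample data this reports one new station (the Raspberry Pi OUI at 10.1.2.57, seen twice but alerted once) and one flip-flop (10.1.2.11 answering from a MAC that is not the approved workstation). In practice the observations would come from a passive capture on each segment, and the new-station alert is the point at which a ticket or inventory update gets raised, which is the automation ozim is asking for.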
------
kryogen1c
> 5,406 unresolved SPLs—about 86 percent of which were rated high or critical

> JPL did not effectively address a known software vulnerability, first
> identified in 2017, with a critical score of 10. This software flaw can be
> used by cyberattackers to remotely execute malicious code

> one of the projects has a waiver of JPL IT security requirements to change
> passwords every 90 days. Instead, the project relies on a designated
> application and team accounts to share password files, group files, host
> tables, and other files over the network

There seems to be a fair amount of filler in the report (review access logs,
out of date inventory, etc) but these points seem pretty damning.

~~~
blantonl
If I was a betting man, I'd bet that there are some old dusty areas of NASA
facilities where there are open NFS exports, NIS providing security, and Sun
workstations doing work.

I bet someone could fire up a SATAN scanning instance with a Mosaic browser
and find some open stuff on some of those old and crusty computers. :)

~~~
Something1234
Can we get more details about this Satan thing?

~~~
dredmorbius
Security Administrator Tool for Analyzing Networks

(Or, if you repent, SANTA.)

[https://en.wikipedia.org/wiki/Security_Administrator_Tool_fo...](https://en.wikipedia.org/wiki/Security_Administrator_Tool_for_Analyzing_Networks)

~~~
Something1234
So an early version of metasploit?

------
Canadauni
The article mentions that the hackers stole 500MB? The number seems small
given the scale of storage in modern computers but I guess 500MB could account
for a large number of documents that contain confidential info.

~~~
Kenji
500MB of leaked credit card information is a lot. 500MB of leaked video is
little. It all depends on the contents.

------
DataJunkie
I am surprised this doesn't happen more often.

------
kevin_b_er
It would be nice to know what this specific "Raspberry Pi" vulnerability is,
considering the software stack is almost entirely Debian.

~~~
syn0byte
There is no RPi vulnerability (in this article). The RPi was just used as a
bastion into the internal network. It could have been _any_ SBC. Once you're
already _inside_ the internal network things get stupid lax.

E.g. I can't see your Windows shared folders from the internet, but the PC in
the next room can. Someone sneaked an RPi into JPL to be that PC in the next
room.

See also: Season 1 of Mr Robot had this _exact_ scenario as a plot point.

~~~
jvanderbot
No, they infiltrated a Rpi already on the network (e.g. a research SBC) which
itself was also able to access other machines.

------
Mbaqanga
The article says if the hackers were some jokers on the internet then the
data isn't terribly useful, but if it was an adversarial nation then it is
very useful. Why? Can't the jokers sell it to other nations?

------
noir-york
The report doesn't mention how the intrusion was discovered. Someone just
noticed the RPi one day? 500MB of traffic to a Chinese IP?

