NASA’s unsanitized computers

From an article on MSNBC, it looks like NASA didn't manage to fully sanitize some computers that they recently disposed of. Although I haven't seen the full report that NASA's Office of the Inspector General did on this incident, this part of the MSNBC article made me wonder how serious this incident really was:

Investigators also found several pallets of computers being prepared for sale that were marked with NASA Internet Protocol addresses.

"Release of Internet Protocol information could lead to unauthorized access to NASA's internal computer network," the report said.

How useful is the security-through-obscurity that trying to keep your IP addresses secret gets you? Not very useful, is my best guess.

I've seen other IGs get upset about security non-issues. In one case I saw one IG claim that an agency had a data breach because the IG auditors couldn't find the FIPS 140-2 validation certificate for the product being used to encrypt sensitive information. In this particular case, the vendor's crypto toolkit had the certification instead of the shipping product having it (the approach that almost all vendors use), but the auditors didn't seem to understand this. This particular incident was somewhat understandable because IG auditors aren't security specialists, but incidents like it, along with the NASA IG's concern about IP addresses, make me wonder exactly how bad the government agencies' security problems that we hear about so often really are.

