Another NASA security server lapse exposed project and staff data
NASA smoothly fixed an internal buggy server two months ago that leaked sensitive information about the agency’s staff and their work.
Ironically, the leaking server was a bug reporting server running the popular Jira bug triage and tracking software. In the case of NASA, the software was not properly configured to allow anyone to access the server without a password, according to TechCrunch
Avinash Jain, a security researcher based in India who found the exposed server. According to Jain ‘s writing, some Jira instances may be configured incorrectly to allow ” all ” access without a password— including anyone on the Internet — and not ” all ” within an organization, as some believe.
This was the case for the leaking server of NASA.
In October, Jain found a leaking server showing NASA staff usernames and e-mail addresses and the projects on which they worked. Since Jira contains information about bugs and problems within an organization, including work in progress, the server has also abandoned the work of the agency staff and their next milestones. It is not known whether classified information, such as names or details of sensitive projects, was on the Jira server. Jain also said that it is unclear how many users of NASA staff in the database Jira limits searches to 1,000 queries at a time. After contacting NASA and CERT / CC, the Carnegie Mellon University vulnerability divulgation centre, the exposed server was fixed about three weeks later, he said.
NASA’s private disclosure never reacted. While NASA has a HackerOne page, a vulnerability reporting program that enables researchers to email NASA with security issues, the agency has no dedicated bug bounty program. ” I dropped[ NASA] five emails before it was fixed, and I was never told it was fixed, ” TechCrunch told him.
CERT / CC recently expressed their ” appreciation ” for Jain reporting the bug privately.
This latest lapse is another bruise for the United States. Security posture of the space agency— this decade’s fourth known incident, after more than a dozen hacks in 2011 alone and another sensitive data breach in 2016.
The latest violation occurred just before Christmas, when the agency reported a data compromise between July 2006 and October 2018 affecting current and former NASA employees. But CERT / CC told Jain in an email that “no evidence” was found to be related to NASA’s latest disclosure of breaches. According to an automated message on the agency’s press line, NASA was unable to comment during the government shutdown.