NASA Sells Space Shuttle PCs Without Wiping Secret Data
For sale, used computer packed full of secret NASA Space Shuttle data. As part of a plan to securely end the Space Shuttle program, NASA is getting rid of old computers. However, NASA officials failed to delete sensitive data on PCs and hard drives before selling the equipment. The Office of Inspector General found "serious" security breaches at NASA centers in Florida, Virginia, Texas and California.
NASA is full of very bright minds, so how did it manage to make such a noob mistake of selling PCs without wiping the hard drives? An audit [PDF] found 10 of 14 computers that failed tests to ascertain they'd been wiped properly. One computer that was to be sold still contained sensitive Space Shuttle data, which was subject to export control by the International Traffic in Arms Regulations.
All electronic storage media is supposed to be wiped of data "to the degree that there is reasonable assurance that the data cannot be retrieved or reconstructed," the audit stated. NASA approved software for sanitizing hard drives include DBAN (Darik's Boot and Nuke), Secure Erase, and WipeDrive/WipeDrive Pro. Contractors in charge of deleting sensitive information used DBAN and Active@KillDisk - which is not NASA approved at Johnson's disposition center. Ames used BCwipe, which is DOD compliant, but not NASA approved. USA used Symantec DateGone which is not approved by NASA, DOD or NSA.
At Kennedy, another contractor, Abacus Technology Corporation, attempts to recover data from digitally sanitized PCs. If data is recovered, the outside of the computer is marked in large red letters as FAIL. Auditors found that IT managers weren't notified when a drive failed or wasn't wiped free of data at all. Some officials at NASA facilities didn't account for or track hard drives. Additionally, the auditors were not at all pleased with the lack of verification testing that drives were properly sanitized of sensitive data.
Pallets, each filled with about 44 old PCs, were also found in the recycling facility with NASA stickers and IP addresses still attached to the cases. Auditors wrote, "Release of NASA Internet Protocol addresses is a potential security weakness because these addresses could provide a hacker a means to gain unauthorized access to NASA's internal network. Knowing a specific Internet Protocol address allows a hacker to target a particular computer, test the system for vulnerabilities, and possibly load malicious software programs or access information on the computer or network."
Hard drives were missing from Langley Research Center in Virginia and from Kennedy. Some of those hard drives from Kennedy were later found inside a dumpster that was accessible to the public, the audit says.
All in the all, the report determined that NASA protocols to correctly sanitize data were not being followed at Kennedy and Johnson space centers and at Ames and Langley research centers. The auditors were not happy with the CIO who "stated that NASA's policies would be updated and a new handbook created by the third quarter of fiscal year 2011." The audit, prepared by NASA's Inspector General, covered a 12-month period starting in June 2009.
With all the WikiLeaks drama and the government demanding the return of sensitive documents and information, this blunder is just pitiful. It would seem as if this failure to wipe sensitive data would leave NASA and the government red-faced.