NASA credentials leaked on Pastebin likely from old hacks
Email and password login credentials of NASA employees that were leaked on Pastebin came from vintage hacks.
CLARIFICATION/CORRECTION: After NASA contacted SCMagazine.com to say that the agency's tech staff noted the information posted to Pastebin was from an old hack, we used our internal resources to further research and analyze the data – and to give both Dominique Davis, the researcher who originally contacted SC to report the Pastebin findings, and NASA further chances to comment.
After additional vetting, including an more extensive investigation and analysis of referenced data by our Technology Editor Dr. Peter Stephenson, it seems the information provided and the statements made by Davis in the original piece published August 2nd were erroneous or factually incorrect. We apologize for the publication of this misinformation. The original story below has been edited to reflect corrections and clarifications as well as analysis by Stephenson.
Our revised editorial policy will dictate that any time anyone comes to us with claims of knowing about or having evidence of any kind of vulnerability, data compromise or other information security issue, we will not only apply our typical rigorous scrutiny – including researching the source, pursuing other sources for verification and contacting any other impacted parties – but, when our editors deem it necessary, engage Dr. Stephenson to undertake more in-depth technical research and analysis of any data or claims presented.
With this in mind, anyone with information on assumed unknown or unreported threats, vulnerabilities, data compromises/breaches or cybersecurity problems or attacks, should contact Peter, Executive Editor Teri Robinson or Vice President, Editorial, Illena Armstrong.
The email and password data was posted by a user called ‘PLASTYNE (Anarchy Ghost)' who appears to be associated with a hacktivist group known as ‘Brazil All Hack Team.'
The leaked login credentials were viewed by SCMagazine.com after being contacted by Red Cell Infosec CEO Dominique Davis. The paste site data included detailed information about NASA's multiple points of ingress, including shared network resources, internet-facing machines containing multiple unpatched operating system vulnerabilities, an unpassworded printer that an attacker could use to pivot into the network and cause further damage, and other instructions about how to log in to NASA's networks.
“It looks like somebody hit them with a vulnerability scanner,” Davis told SCMagazine.com. “They were leaking like a sieve.”
Davis said he alerted NASA to the flaws and the agency responded promptly and briefly - but with only an acknowledgement of his email, according to an email correspondence viewed by SCMagazine.com. The response was “faster than any government response team I've seen,” said Davis.
He attributed what he called a “direct massive attack” on NASA to flaws that included “pretty much every mistake you can make.” pegging the hackers as unsophisticated and calling NASA's security practices into question.
“This place badly needed a penetration test. These guys were not sophisticated hackers.” he added, “Due to government budget constraints and politics, there's a ‘If it's not broke, don't fix it' mentality.”
When contacted by SCMagazine.com, a NASA representative said they were not aware of the breach but a NASA spokeswoman later said that members of the agency's tech team had determined that the information referenced by Davis as being posted on Pastebin was from an old breach.
Further research by SC Technology Editor Peter Stephenson, a threat hunter who works with law enforcement and other organizations, and, in his lab, relies on multiple open and closed resources,over a dozen different tools, as well as public sites/databases, a honeynet, a deception network and a sinkhole to hunt and analyze threats, proved “that it was likely that NASA's view that these were old news was accurate,” Stephenson said.
After Davis provided the threat hunter with additional specifics, a list of allegedly leaked email credentials and “a couple of servers that he had found when scraping various intelligence sites,” Stephenson said his analysis showed that the credentials “were leaked recently but that they were old - 2013-2015 - vintage.”
During his research, Stephenson did find that Anonymous had released a very large set of files - many tens of gigabytes - of information stolen from NASA on drones, vapor trails,and more, which alsocontained a file that included a long list of NASA employees. “The employee list was extensive - many hundreds - but had only name, email and phone. No credentials,” he said. “The server(s) Anonymous hacked were mentioned and logs of the hack were shown, but they specifically avoided publishing any passwords.”
While the hack was made possible by a careless system administrator, the “files were related to hacks at least two years old and in some cases older,” said Stephenson.“There was nothing current.”
"The researcher provided us with a list of 43 ‘compromised' systems, 42 of which were web sites," Stephenson said. "We saw no evidence of these servers being hit with ‘... a vulnerability scanner.'”
Instead, what Stephenson “did see was that someone had done a banner-grabbing scan of the web servers resulting in the viewing of the type of web server and its revision level. From that the researcher appears to have matched the rev levels on the various servers to known vulnerabilities, all of which were quite old.”
He noted that “while it is not impossible that these servers still are running these old versions, there is no mention of exactly when the banner-grabbing was done or whether the servers had been patched.”
Since Davis originally had claimed to our reporter that he'd "observed the hack in progress,” Stephenson reached out again to the researcher for clarification, noting that he'd “found no evidence” that backed that assertion or one that said NASA was leaking like a sieve “either in my open source research or perusing the underground.”
Davis's original observations, Stephenson said, “likely were of the data being posted for sale in an underground forum rather than the actual hacking and subsequent leaking of the data” and were of “the underground merchant equivalent of script kiddies who, in an attempt to make some quick money, [recycle] old compromises.”
Indeed, the underground is not talking about a NASA hack in any of the likely forums such as exploit.in or alphabay, Stephenson said. “There is not even chatter about the reposting of old data which tells me that even the underground isn't wasting its time with this. When I verify something such as this I need to see the original sources. In this case we were not able to find definitive original sources for much of the information provided.”
He said he welcomed further detail from Davis and would be “perfectly happy to check other sources” the researcher might have.