A hacker with a proven track record of finding security holes and exposing vulnerabilities has struck again, this time at NASA, on a server tied to a satellite-based Earth Observation System used to assist in disaster relief. A Romanian hacker who goes by the online alias TinKode published a screenshot from a server at NASA's Goddard Space Flight Center. The screen capture offered as proof appears to show an FTP server at Goddard, servir.gsfc.nasa.gov. TinKode did send an email alerting NASA's webmaster to the hack.
A month ago, TinKode exposed a similar security hole at another space agency by hacking into a server operated by the European Space Agency at www.esa.int. He then leaked a list of FTP accounts, email addresses and passwords for administrators and editors. TinKode did not publicly disclose the method used to hack the ESA site.
Early this year, TinKode, another hacker called Ne0h, and a third with the alias Jackh4x0r hacked into the Web servers hosting MySQL.com, proving the site was vulnerable to SQL injection as well as XSS. MySQL.com is the main site for the open source database product, with sister sites serving the French, German, Italian and Japanese markets. The hackers again posted proof, this time account credentials for MySQL.com admins, including Robin Schumacher, Kaj Arnö (MySQL's Director of Product Management) and others from MySQL.
While TinKode did not publicly disclose the method of hacking NASA's server, the screenshot shows folders like RADARSAT, ASAR_Africa, and ASAR_Haiti. The acronym ASAR is short for Advanced Synthetic Aperture Radar.
Although NASA did not respond to a request for comment prior to publication, TinKode did.
Why do you make the breaches public? Does it make the companies fix the vulnerability faster?
It's only been a month since you exposed a similar hole in a server operated by the ESA, and now NASA. Would you like one of those space agencies to hire you as their digital security expert to overcome lax security practices?
TinKode: I don't know. I am doing this because finding security holes represents a hobby for me. If someone wants to hire me, we can discuss; it isn't a problem.
Have there been any threats of legal action after exposing web vulnerabilities such as those at ESA, NASA or MySQL?
TinKode: Until now, no. I don't do bad things. I only find and make public the info. Afterwards I send an email to them to fix the holes. It's like a security audit, but for free.
Which of the vulnerabilities that you have found was your favorite?
TinKode: I don't have a favorite one.
According to a recent audit by the Office of Inspector General [PDF], NASA was not doing such a great job in regard to computers and security, especially when it came to wiping "secret" data off hard drives before disposing of them. So, NASA, ESA, are you interested in hiring TinKode? I'd be willing to bet it's not the last time he'll be checking if your servers are secure.
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.