14 posts in 'Web'

  1. 2008.11.22 Network Security Breaches Plague NASA by CEOinIRVINE
  2. 2008.11.10 Commentary: GOP needs to catch up to Obama's Web savvy by CEOinIRVINE
  3. 2008.10.16 Candidates hit back on Web attacks by CEOinIRVINE
  4. 2008.09.29 Geek to Live: Encrypt your web browsing session (with an SSH SOCKS proxy) by CEOinIRVINE

Network Security Breaches Plague NASA

Repeated attacks from abroad on NASA computers and Web sites are causing consternation among officials and stirring national security concerns


Space Shuttle Discovery preparing for launch in July 2005 NASA/SSPL/The Image Works

America's military and scientific institutions—along with the defense industry that serves them—are being robbed of secret information on satellites, rocket engines, launch systems, and even the Space Shuttle. The thieves operate via the Internet from Asia and Europe, penetrating U.S. computer networks. Some of the intruders are suspected of having ties to the governments of China and Russia, interviews and documents show. Of all the arms of the U.S. government, few are more vulnerable than NASA, the civilian space agency, which also works closely with the Pentagon and American intelligence services.

In April 2005, cyber-burglars slipped into the digital network of NASA's supposedly super-secure Kennedy Space Center east of Orlando, according to internal NASA documents reviewed by BusinessWeek and never before disclosed. While hundreds of government workers were preparing for a launch of the Space Shuttle Discovery that July, a malignant software program surreptitiously gathered data from computers in the vast Vehicle Assembly Building, where the Shuttle is maintained. The violated network is managed by a joint venture owned by NASA contractors Boeing (BA) and Lockheed Martin (LMT).

Undetected by the space agency or the companies, the program, called stame.exe, sent a still-undetermined amount of information about the Shuttle to a computer system in Taiwan. That nation is often used by the Chinese government as a digital way station, according to U.S. security specialists.

By December 2005, the rupture had spread to a NASA satellite control complex in suburban Maryland and to the Johnson Space Center in Houston, home of Mission Control. At least 20 gigabytes of compressed data—the equivalent of 30 million pages—were routed from the Johnson center to the system in Taiwan, NASA documents show. Much of the data came from a computer server connected to a network that tracks malfunctions that could threaten the International Space Station.

BEYOND HACKERS

Seven months after the initial April intrusion, NASA officials and employees at the Boeing-Lockheed venture finally discovered the flow of information to Taiwan. Investigators halted all work at the Vehicle Assembly Building for several days, combed hundreds of computer systems, and tallied the damage. NASA documents reviewed by BusinessWeek do not refer to any specific interference with operations of the Shuttle, which was aloft from July 26 to Aug. 9, or the Space Station, which orbits 250 miles above the earth.

The startling episode in 2005 added to a pattern of significant electronic intrusions dating at least to the late 1990s. These invasions went far beyond the vandalism of hackers who periodically deface government Web sites or sneak into computer systems just to show they can do it. One reason NASA is so vulnerable is that many of its thousands of computers and Web sites are built to be accessible to outside researchers and contractors. Another reason is that the agency at times seems more concerned about minimizing public embarrassment over data theft than preventing breaches in the first place.

In 1998 a U.S.-German satellite known as ROSAT, used for peering into deep space, was rendered useless after it turned suddenly toward the sun. NASA investigators later determined that the accident was linked to a cyber-intrusion at the Goddard Space Flight Center in the Maryland suburbs of Washington. The interloper sent information to computers in Moscow, NASA documents show. U.S. investigators fear the data ended up in the hands of a Russian spy agency.




Posted by CEOinIRVINE

Editor's note: Republican Leslie Sanchez was director of the Bush White House Initiative on Hispanic Education from 2001 to 2003 and is the author of "Los Republicanos: Why Hispanics and Republicans Need Each Other." She was not a paid consultant to any 2008 candidate. Sanchez is CEO of the Impacto Group, which specializes in market research about women and Hispanics for its corporate and nonprofit clients.

Leslie Sanchez says the Republicans must catch up to Democrats in their use of new campaign technology.


Ever since John McCain and Howard Dean in 2000 showed the Internet's potential for fundraising, the question was always whether the Web could be effective at "GOTV," or getting-out-the-vote.

Among young voters at least, Barack Obama has proven that it can -- and, in the process, he's uncovered a major flaw that cuts to the core of the Republicans' approach to party organization and discipline.

Obama poured many of his campaign's millions into his social networking operations on the Web, which his campaign rightly saw as critical to building grassroots support and enthusiasm.

A community organizer by training, occupation and nature, Obama saw his databases for the potential they represented -- an army of supportive voices, a legion of potential volunteers, and a division of precinct captains.

Such is the world not just of Chicago ward organizations, but of politics everywhere.

The McCain campaign, reflecting the broader skepticism I've seen in the GOP about the Web, doubted whether the Internet could get voters out of their Barcaloungers (or, in the case of younger voters, off their futons) and into the polling booth.

Michael Palmer, McCain's Internet director during the primaries, told ABCNews.com last June that if Obama's online efforts "don't have an endgame political benefit, then they don't help you at the end of the day."

On Tuesday, Obama showed the Republicans the Internet's endgame.

On Facebook alone, Obama signed up 2.4 million users as supporters, compared with just 624,000 for McCain. A Facebook virtual ticker challenged users to actually go out to the polls, and clocked more than 1 million by noon on Election Day and 5 million by the time all the polls closed.

According to the Center for Information and Research on Civic Learning and Engagement (CIRCLE) at Tufts University, the number of voters under 30 rose by 3.4 million compared with 2004.

About 66 percent of those voters supported Obama, compared with 32 percent for McCain. By contrast, the overall voting population gave Obama a much narrower margin of victory -- 53 percent to 46 percent.

In previous elections since 1976, according to CIRCLE, the percentage of young voters supporting the winning candidate varied by an average of only about 2 percentage points from the overall voting population.

At the least, young voters contributed to Obama's wins in North Carolina, Indiana, and Virginia.

When Mark Penn, then Hillary Clinton's chief strategist, chided Obama's supporters as "look(ing) like Facebook," he was right. While some of us over the age of 29 are just now mastering Twitter and Facebook, a UCLA survey of 272,000 college freshmen found that 86 percent spend "some time" each week on social networking sites like Facebook and MySpace.

Obama realized that the 70 million Americans on Facebook (the vast majority of them under the age of 30) have become accustomed to a Web experience that's interactive.

Web-based political social networking requires empowerment -- introducing well-trained, highly motivated local supporters to one another and then turning the campaign over to them.

McCain's official site included a social networking area, McCainSpace, but it was mostly an afterthought, competing for attention with messages from the candidate, campaign ads, issues summaries, photo galleries -- and of course the obligatory online donations and volunteer signups.

The Obama social networking site invited each new user to post a blog right away upon signing up. To the Obama Web team (which included one of the founders of Facebook), putting users in touch with one another was almost as important as putting the user in contact with the campaign.

Team Obama posted nearly 2,000 videos on YouTube, and the campaign contracted to build a text-messaging campaign that reached millions of voters geographically on their mobile phones. All told, it was a hefty viral marketing combination.

During the primaries, volunteers could sign in online, download a list of phone numbers and make calls from home to voters in the target states -- a virtual phone bank that other campaigns had to pay for.

Joe Trippi, the Democratic operative behind the Web-savvy Howard Dean campaign, was quoted in the New York Times noting Obama's progress: "We were like the Wright brothers," he said. Obama, on the other hand, "skipped Boeing, Mercury, Gemini -- they're Apollo 11, only four years later."

A college student and editor-in-chief of www.scoop08.com, Alexander Heffner, believes young voters were serious about voting this time around. "So many young people invested in him [Obama], unlike with Bill Clinton," Heffner told me.

The Obama campaign's use of the Internet will change campaign politics just as much as the fax machine and the autodialer did. If the GOP is going to compete in this growing tech world, they'll have to do more than just reverse-engineer the bells and whistles on Obama's Web sites.

They'll have to analyze Obama's entire approach to social networking -- a bottom-up, unruly approach that turns first-time voters into activists. That'll be easier said than done for a hierarchical organization that values order and discipline over all else (except, perhaps, seniority).

Nevertheless, if the GOP wants to compete on an even footing with the tech-savvy, social networking Obama-crats, they've got a real revolution ahead.





Posted by CEOinIRVINE
Candidates hit back on Web attacks



WASHINGTON (CNN) -- Barack Obama is not a Muslim, and John McCain did not tell the television show "60 Minutes" he was a war criminal who intentionally bombed women and children in Vietnam.

The Democratic presidential campaign of Barack Obama and Joe Biden has dealt with several Internet rumors.


Joe Biden is not planning to step aside in favor of Hillary Clinton as vice president, and Sarah Palin did not order books banned from the library when she was mayor of Wasilla, Alaska.

But if you have spent any time browsing the Internet this year, you may have read rumors to the contrary.

All these stories -- and more -- are being e-mailed to friends and family and posted on blogs.

And they are all false.

Heard that Obama was really born in Kenya and thus not eligible to be president? Wrong.

Heard that Palin was a member of the Alaska Independence Party? Nope, she wasn't.

But these stories are potentially damaging to the presidential campaigns of Obama and McCain, Washington communications expert Ron Bonjean warned, so it is critical to rebut them as firmly as possible.

"Fighting rumors on the Internet takes hypervigilance and a lot of caffeine. Left unchecked, these rumors can get out of control, because perception is fact," he said.

Obama and Palin are the subject of the largest number of e-mails, said Rich Buhler, founder of the fact-checking Web site, truthorfiction.com.

"The last two election cycles, there have been rumors about each of the candidates, but there has been nothing like this election," said Buhler, who has been running his nonpartisan site for 10 years.

"The number of Obama e-rumors has been huge, the stuff claiming that he was a Muslim. There are probably 15 or 20 Obama e-rumors. They have circulated massively," he said.

Buhler attributes the popularity of Obama e-mails to the fact that he is a "phenomenon."

"He is new, he is a threat" to some people, Buhler said. "When McCain named Sarah Palin, she became a phenomenon, so there were immediately a number of rumors about her, and now it's the Obama-Palin hit parade."

That's why both campaigns make pushback a priority.

Obama's Web site has a section called "Fight the Smears," run by the campaign's rapid-response team.

"Here's the general philosophy: vigilance, force, speed, and use the network we have created to spread the truth via every avenue," said Hari Sevugan, a spokesman for Obama's rapid-response effort.

"The idea of having such a large network of supporters is that they can reach an even larger network of friends, family and colleagues, and get the truth out," he said.

"If you look at 'Fight the Smears,' it also has an action center. It's not just facts -- it's making sure those facts get out," he explained.

The campaign does not underestimate the damage unsubstantiated rumors can do, especially ones that come directly from friends or family.

"These things take root if you let them sit too long," Sevugan cautioned.

The Obama rumors have spurred action both for and against the Illinois senator -- including a suit filed in Pennsylvania arguing that he is not eligible to be president because he is not a "natural-born U.S. citizen," and a Web site at isobamamuslim.com that contains a single word: "No."

Philip J. Berg illustrates how hard it is to quash rumors once they spread.

The Philadelphia-area lawyer, who filed the suit against Obama's candidacy, is aware that the Web site FactCheck.org has examined Obama's Hawaii birth certificate and ruled it kosher.

But he doesn't believe it.

"FactCheck.org is owned by Annenberg of Chicago, where Obama sat on the board," the lawyer said, dismissing the Web site's verdict.

FactCheck.org describes itself as a "nonpartisan, nonprofit 'consumer advocate' for voters." It is a project of the Annenberg Public Policy Center at the University of Pennsylvania.

And then there are the rumors that simply cannot be proven or disproved.

One e-mail suggests that McCain behaved obnoxiously at a resort in Fiji before his last run for the presidency in 2000. The University of California-Santa Cruz professor whose name is attached to some versions of the story denies writing it but says she did forward it after a friend sent it to her.

Truthorfiction.com describes it as "unproven," saying research has turned up no evidence to support it.

"So far, we haven't been able to find any substantive information about whether it ever happened and, if so, with whom. We've asked McCain's campaign whether he's ever been to Turtle Island, but they haven't responded," Buhler said.

"There are many e-rumors that are not able to be proven either because the e-rumor does not contain the kinds of facts that can be followed up -- such as name or location -- or because the information in it doesn't pan out," he added.

The McCain campaign does its best to push back against falsehoods about the Arizona Republican senator and his running mate, spokesman Michael Goldfarb said.

"We have set up a Web site, as Gov. Palin has been the victim of a lot of these smears," said Goldfarb, one of the main authors of the campaign's McCain Report blog.

But he said there was only so much a campaign could do to rebut false stories.

"We fight back, but there is a certain segment of the population that is never going to believe that Obama is a Christian, just as there is a certain segment of the population that is never going to believe that Trig Palin is Gov. Palin's son," he lamented.

But his frustration is not primarily with Internet rumors.

"Unfortunately, a lot of the smears against Gov. Palin have been echoed by mainstream media outlets," Goldfarb said. He cited a September 2 New York Times article saying Palin had been a member of the Alaska Independence Party. The newspaper retracted the story the following day, blaming an AIP official's error.

"It's damaging when it appears on the front page of the New York Times," Goldfarb said.

But Washington public-relations expert Bonjean, for his part, recommended that campaigns try to use the media to help rebut smears.

"The best way to fight Internet rumors is to go straight to the news media and try to get a story published saying 'this is not true,'" he said. "For any site that is promoting this rumor, you want to counter-attack it with the facts."

If the rumor appears on a blog, he said, "flood it with comments from your team, or activate grassroots support. Ask your friends and campaign allies to do it."

Buhler of truthorfiction.com said there is no way to know where most Internet rumors originate.

"Most of these things, you'll never know how they started. They're brush fires," he said.

Bonjean, a former spokesman for House and Senate Republican leaders, said some rumors probably came from "random crazy folks out there who want to perpetuate rumors for the thrill of it."

But some, he suggested, did probably come from "rogue political operatives."

He doubted they were working hand-in-glove with the campaigns, though.

"I would find it highly unlikely they would be taking orders from the campaigns, because if it ever got traced back to headquarters, there would be a lot of trouble."




Posted by CEOinIRVINE

by Gina Trapani

You're at an open wireless hotspot, but you don't want to send your web browsing data over it in plain text. Or you want to visit a non-work-approved web page from the office computer without the IT team finding out.

Using a simple SSH command, you can encrypt all your web browsing traffic and redirect it through a trusted computer when you're on someone else's network. Today we'll set up a local proxy server that encrypts your online activity from your Mac, PC or Linux desktop. Here's how.

SS-wha? you ask. Proxy server? Huh? Don't let the intimidating words and acronyms scare you off. This IS an advanced technique, but I've got my pom-poms out, because you can totally do it.

Let's get crackin'.

What you'll need

  • An SSH server to act as your proxy.
    "SSH server" sounds frightening, but it's just another computer off-site that allows you to log into it via SSH. Most web hosts allow SSH access to the server; or you can set one up at home with free software.
  • An SSH client on the computer you're using.
    Mac and *nix machines have SSH built right in at the command line. Windows users can set up OpenSSH with Cygwin. Here's more on installing the free OpenSSH with Cygwin.

How proxies work

In a nutshell, what you're doing with a proxy is setting up a middle-person between you and the internet. Using the proxy, your browser hands off web page requests to the proxy server, which handles the request and fetches the page for you from the internet. The web site actually thinks the request is coming from the proxy server, not your computer, which is a good way to obscure your originating IP address.

Additionally, the connection between your computer and the proxy happens over SSH, an encrypted protocol. This prevents wifi sniffers at the coffee shop from seeing what you're doing online.

For the more visual readers in the house, a (quick and dirty) diagram:

Now let's get down to the nitty-gritty.

Start your SSH tunnel

You've got access to an SSH server and you want to start using it as your proxy. To do so, you're going to set up a "tunnel" which passes web traffic from your local machine to the proxy over SSH. The command to do so is:

ssh -ND 9999 you@example.com

Of course, you're going to replace the you with your username and example.com with your server domain name or IP address. The -D 9999 option makes ssh listen on localhost, port 9999, as a SOCKS proxy and hand off the requests it receives there to your server at example.com to handle.

When you execute that command, you'll get prompted to enter your password. Once you authenticate, nothing will happen. The -N tells ssh not to open an interactive prompt, so it will just hang there, waiting. That's exactly what you want.

Set Firefox to use SOCKS proxy

Once your proxy's up and running, configure Firefox to use it. From Firefox's Tools menu, choose Options, and from the Advanced section choose the Network tab. Next to "Configure how Firefox connects to the Internet" hit the "Settings" button and enter the SOCKS information, which is the server name (localhost) and the port you used (in the example above, 9999.)

Save those settings and hit up a web page. When it loads, it's actually coming from the proxy server over an encrypted connection. You're golden!

More tips on using a secure proxy

  • To quickly start your proxy, set up a shortcut to a batch script that launches the SSH connection in a click.
  • If there are only certain (NSFW) web sites you'd like to use your proxy for, the Foxy Proxy Firefox extension lets you switch between your proxy and direct connection on a per-site basis. [via Ubuntu blog]
  • Alternately, you can set up a separate Firefox profile that uses your proxy for all web requests.
  • Set your proxy server to resolve DNS requests instead of your computer; in Firefox's about:config area, set network.proxy.socks_remote_dns = true. [via codeblog]
  • Will at Security.engine says:
    For those with slower connections, you can use the -C command line option to use SSH's compression (gzip).
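
To check the browser side of this setup, including the remote-DNS tip, here is an added example (not from the original article) that audits a Firefox prefs.js for the SOCKS settings described above. The pref names are Firefox's own; the function names, the sample file contents, and the choice to treat an absent socks_remote_dns pref as a leak are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a Firefox prefs.js for the SOCKS tunnel settings.
# Sample file contents below are constructed for illustration.

# pref_value FILE NAME: print the value of the last user_pref() line for NAME.
pref_value() {
    awk -v name="$2" '
        index($0, "user_pref(\"" name "\",") == 1 {
            v = $0
            sub(/^[^,]*,[ \t]*/, "", v)   # drop through the first comma
            sub(/\);[ \t]*$/, "", v)      # drop the closing ");"
            gsub(/"/, "", v)              # strip string quotes
            last = v
        }
        END { print last }' "$1"
}

# audit_socks_prefs FILE PORT: print findings; return 0 only when all four
# settings match a tunnel listening on localhost:PORT.
audit_socks_prefs() {
    file=$1; port=$2; rc=0
    ptype=$(pref_value "$file" network.proxy.type)
    host=$(pref_value "$file" network.proxy.socks)
    pport=$(pref_value "$file" network.proxy.socks_port)
    rdns=$(pref_value "$file" network.proxy.socks_remote_dns)
    if [ "$ptype" != 1 ]; then
        echo "FAIL proxy type '${ptype:-unset}': manual proxy (1) expected"; rc=1
    fi
    case $host in
        localhost|127.0.0.1|::1) ;;
        *) echo "FAIL SOCKS host '${host:-unset}' is not the local tunnel end"; rc=1 ;;
    esac
    if [ "$pport" != "$port" ]; then
        echo "FAIL SOCKS port '${pport:-unset}' does not match tunnel port $port"; rc=1
    fi
    # An absent pref is treated as a leak (assumption of this example).
    if [ "$rdns" != true ]; then
        echo "FAIL DNS leak: socks_remote_dns is '${rdns:-unset}'"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK web requests and DNS lookups both use localhost:$port"
    fi
    return "$rc"
}

# write_samples DIR: create two constructed prefs files for the demo.
write_samples() {
    cat > "$1/leaky.js" <<'EOF'
user_pref("browser.startup.page", 3);
user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", 9999);
user_pref("network.proxy.type", 1);
EOF
    cat > "$1/tight.js" <<'EOF'
user_pref("network.proxy.socks", "localhost");
user_pref("network.proxy.socks_port", 9999);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.proxy.type", 1);
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in leaky.js tight.js; do
    echo "== $f"
    audit_socks_prefs "$demo_dir/$f" 9999 || true
done
```

Point it at the prefs.js inside the Firefox profile you use for proxied browsing, with Firefox closed so the file reflects the saved settings.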

This technique is as old as the hills and there are dozens of different ways and tools to get it set up. In fact, tons of Lifehacker readers have mentioned it in the comments of past posts already. What's your preferred method? Do share your proxy secrets in the comments.

Gina Trapani, the editor of Lifehacker, tunnels through a proxy whenever she thinks she's on a dodgy network. Her semi-weekly feature, Geek to Live, appears every Wednesday and Friday on Lifehacker.


Posted by CEOinIRVINE