Security NASA

Romanian Accused of Breaking Into NASA

Posted by Unknown Lamer
from the zero-cool-strikes-again dept.
alphadogg writes "Romanian authorities have arrested a 26-year old hacker who is accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems. Robert Butyka, 26, was arrested on Tuesday in Western Romania following an investigation by the Romanian Directorate for Investigating Organized Crime and Terrorism. According to local reports, the hacker used the online moniker of 'Iceman.' He does not have a higher education or an occupation, a DIICOT spokeswoman said."

  • by Anonymous Coward on Wednesday November 16, 2011 @11:24AM (#38073506)

    ...but why aren't IT admins being held accountable for the lax security on their servers? And no, I don't buy the "if I leave my door unlocked, it's not an invitation to break in", since it's a paid position. If a cop fails to prevent a crime due to negligence, the city can be sued. Most of these break-ins are due to IT negligence, not hacker genius.

    • by bberens (965711) on Wednesday November 16, 2011 @11:44AM (#38073758)
      Where do you live that a cop failing to prevent a crime can lead to the city getting sued?
      • by tehcyder (746570)
        Oh look, it's a slight variation on the ever-popular libertarian anti-government line "the police can't be sued if they don't prevent a crime, therefore crime prevention is impossible, therefore all we should do is arm everyone so they can shoot criminals after the event". Twat.
    • Not in DC (Score:5, Informative)

      by srussia (884021) on Wednesday November 16, 2011 @11:58AM (#38073940)

      If a cop fails to prevent a crime due to negligence, the city can be sued.

      http://en.wikipedia.org/wiki/Warren_v._District_of_Columbia [wikipedia.org]

      • Re: (Score:2, Offtopic)

        If a cop fails to prevent a crime due to negligence, the city can be sued.

        http://en.wikipedia.org/wiki/Warren_v._District_of_Columbia [wikipedia.org]

        From that wikipedia page:

        DC's highest court ruled that the police do not have a legal responsibility to provide personal protection to individuals, and absolved the police and the city of any liability

        If the police have no responsibility to provide personal protection to individuals what the hell are they for?

    • by Anrego (830717) *

      Probably money.

      As a programmer, while I like to think I'm diligent when it comes to security, if I could find myself in prison for introducing a security bug .. I'd be wanting a hell of a lot more money for accepting that risk.

      Ultimately you'd probably just end up with the equivalent of medical malpractice insurance .. occasional screwups would be spread out and become a "cost of business", and we'd just be back to square one.

    • by timeOday (582209) on Wednesday November 16, 2011 @12:04PM (#38074032)

      Most of these break-ins are due to IT negligence, not hacker genius.

      I think negligence would be *very* hard to establish. First, most computer bugs, including vulnerabilities, are very obvious - in retrospect. Finding the needle in the haystack is easy after somebody points it out to you. That's entirely different than integrating hundreds of software components without creating any "obvious" holes.

      Second, how many sysadmins are given all the resources they would like to do their jobs? Security is cost/benefit, like anything else, you devote enough resources to make the pain tolerable, and no more. That means most admins have far more responsibilities than they can cover 100%.

      • by mikael (484)

        Usually it seems to be the configuration scripts of the system that are the problem. There isn't any need to bury bugs in source code. Think of every network based application a system may have and how many configuration files each of these has; ssh, sftp, mail-servers/clients, file-sharers, networked file systems. It only takes one to have an easy to guess password and user account or open permissions.

        You just need to sugarspeak dangerous safety options in the official (or unofficial) webpage.

        "If you want t

    • by bws111 (1216812) on Wednesday November 16, 2011 @12:13PM (#38074164)

      How do you know the admin was not held responsible? He could have been fired, demoted, etc.

      If you mean why isn't the admin held responsible by the legal system, what law would allow him to be held responsible? IT admins are not sworn to duty (like police) or licensed (like professional engineers).

      Your example of the city being sued does not work here. The person suing the city would be the person who was harmed by the negligence. Who, other than NASA, would have standing to sue in this case? Who would they sue, themselves?

    • We have the head of the SEC, when asked "why can't we fire failed regulators", responding by saying that that would harm the agency.

      http://www.washingtonpost.com/business/economy/seven-sec-employees-disciplined-on-failure-to-stop-madoff-fraud/2011/11/10/gIQA3kYYCN_story.html [washingtonpost.com]

      We just had a recent story about how the IRS can't get its act together and I betcha they are not in worry about losing their jobs. We have more government workers making over 100k a year and 900+ over 170k a year. Do you think any a

  • Damages (Score:4, Interesting)

    by AdamJS (2466928) on Wednesday November 16, 2011 @11:24AM (#38073518)

    I'm betting the damages are formulated entirely from the cost of them having to do PR (they got hacked by a NEET after all) and 'fix' the security hole (because face it, they'll probably introduce 10 more flaws when fixing one).

    • I was just about to ask, how do you quantify "damage" within software (or otherwise intangible things), when I guess what they mean is reputation damage.
      • Re:Damages (Score:5, Insightful)

        by bberens (965711) on Wednesday November 16, 2011 @11:45AM (#38073776)
        You get a few senior level IT people in a room and a single meeting can easily cost $1k. Total time to figure out what happened, track the guy down, etc. could easily cost $500k.
        • Isn't that their job anyway, though? Estimating the costs this way sounds a bit like Apple saying that Google cost them millions of dollars because they had to have meetings about competing with Android (for example).
          • by bberens (965711)
            Theoretically those people would've been doing productive work. Now, instead of completing productive work, they've spent probably thousands of hours dealing with this. So the nominal cost isn't very high, but the productivity cost is high.. and I presume that some other project(s) will be late due to it.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      As someone who worked at NASA during a hacker break-in, I am frankly surprised that the damages are that small. All of the machines were taken offline for a couple of days. All of the IT people worked round the clock to restore the servers to a previous state and try and fix the exploit. All kinds of onerous policies for the users are put in place that lasted for a month. Several new onerous policies persisted longer. Work productivity was definitely lost by all of the users (scientists) of all of th

  • I can maybe understand if a figure like that is reached via physical proximity and a sledgehammer.

    But an unauthorised intrusion?

    Even a complete restore from backup can't possibly cost that much in lost time for employees.

    • by jackbird (721605)

      I could see the audit process to determine what, if anything, was downloaded/altered costing a pretty good chunk of that. Especially when you start getting lawyers involved over possible ITAR issues if someone on the inside was negligent or actively aiding the intrusion.

    • Re:How much? (Score:4, Insightful)

      by moogied (1175879) on Wednesday November 16, 2011 @11:41AM (#38073724)
      It's not just a restore. There was an investigation, then an audit process for the proposed change, then you have the CAB meetings, the testing in dev, then in stage, then finally the push to production environment. Then you have possible hardware changes (depending on mode of access), and additionally you need to sanitize the environment to be 100% sure nothing was left behind. That's easily a few hundred man hours. 500k may be a tad high (depending on a lot of things), but it's not unreasonable.
      • by gl4ss (559668)

        actually all that work would have been necessary regardless of the intrusion.

    • by gl4ss (559668)

      the costs come from noticing and investigating.
      in other words, there would have been no monetary damages if they hadn't pursued the culprit.

      funny, eh? the damages are thus made up from thin air.

  • by roman_mir (125474) on Wednesday November 16, 2011 @11:27AM (#38073550) Homepage Journal

    According to local reports, the hacker used the online moniker of "Iceman." He does not have a higher education or an occupation, a DIICOT spokeswoman said.

    No education and no occupation, ha?

    So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?

    Butyka is accused of hacking into several NASA servers over a period of time that started on Dec. 12, 2010. The authorities claim that the hacker destroyed protected data and restricted access to it. The charges brought against Butyka include obtaining unauthorized access and causing severe disruptions to a computer system, modifying, damaging and restricting access to data without authorization and possession of hacking programs.

    He possesses hacking programs, that means he is a terrorist. What kind of 'severe disruptions' did he cause that cost 500,000 USD?

    Romanian authorities have arrested a 26-year old hacker who is accused of breaking into multiple NASA servers and causing $500,000 in damages to the U.S. space agency's systems.

    - this is a bunch of nonsense.

    He cost an admin a few hours of time and maybe a reinstall and reconfigure. Even at 1000USD / hour no way somebody spent 500 hours on it (that's 20.8 24-hour days or 12.5 40-hour weeks).

    This is more government nonsense.

    • by GameboyRMH (1153867) <gameboyrmhNO@SPAMgmail.com> on Wednesday November 16, 2011 @11:33AM (#38073628) Journal

      Possession of "hacking programs" is a crime? I think all my computers except my gaming PC have "hacking programs" on them, good thing I don't travel to the states these days.

      • by roman_mir (125474) on Wednesday November 16, 2011 @11:39AM (#38073698) Homepage Journal

        well, he also owns a computer, this is almost a 100% indication that he is a pedophile-terrorist, or a pedo-rist.

        This is what government is for - making sure that the right people are always punished for their transgressions. That's why Jon Corzine is in charge normally, of some government and/or economic function somehow and disgusting people like Ron Paul are blacked out by the media because they challenge the status-quo.

        Also USA is sending troops to Australia [rt.com]. You know, in case pro-Chinese Kangaroos join Al-Qaeda.

      • ... good thing I don't travel to the states these days.

        Not sure what the laws are in the 'states' regarding hacking programs, but the article clearly states he was arrested in Romania... Does this mean residents of Romania are restricted from accessing BackTrack and BackBox linux distros?

      • by nigral (914777)

        good thing I don't travel to the states these days.

        Does it sound like he did?

      • by Creepy (93888)

        This easily falls under the CFAA [wikipedia.org] in the United States, but so does practically anything, like, say, lying about your weight on a dating site (seriously - there was an article about it on the Register yesterday as of this writing). I'm sure hacking programs are also covered in an overbroad way in that law.

        And of course United States laws apply to everyone... but I can see Romanian authorities bowing to the whims of the United States - if the US has a friend in Europe, it is Romania. When I was there about th

      • by sgt scrub (869860)

        You have vi on all but one of your machines? You damned criminal types! :P

      • ... good thing I don't travel to the states these days.

        Uhm, hello??? He was arrested in Romania by Romanian authorities and is being charged under Romanian laws in the Romanian court system. It's not illegal to have "hacking programs" in the States.

    • by Sarten-X (1102295)

      Reinstalling and reconfiguring every system the hacker may have touched is impractical, and would take far more time than NASA can spare. Calling in auditors to make sure there were no rootkits, backdoors, or other bad stuff on any other systems is expensive. Deleting the results (and backups) of the latest experiments means months or years of work has to be redone.

      $500,000 actually strikes me as a pretty reasonable estimate.

      • by roman_mir (125474)

        That's just nonsense. A large organization can re-image large numbers of machines automatically, but more importantly is that in large organizations the Internet connection is normally done through one or a few systems, not every computer has its own external IP address and ports are restricted on the exit nodes. Watching and restricting the Internet-to-internal machine traffic on ports is part of what admins are for in the first place.

        Fix the problem even if it means a reinstall of the exit nodes, patch t

        • by Sarten-X (1102295) on Wednesday November 16, 2011 @12:39PM (#38074548) Homepage

          I take it you've never actually worked on a high-security system. Here's what I remember of the procedure at the last high-security place I worked:

          In the event that a machine (including a gateway) is compromised, any machine it can access is considered threatened, and must be thoroughly checked. No, NAT does not help, because once someone has control over the bridge, they can send data to any machine they want, even those without an external IP address. If any router, switch, or machine shows any slightly-suspicious activity (even as benign as an unscheduled database login), that machine gets an even more thorough examination to find out whether the activity was actually related to the hack, and what resources the hacker may have gained access to. If there's any indication that the hacker had shell access or retrieved data, the machine is considered compromised. If the machine stored any sensitive data, that data is reviewed to see if it could allow access to other systems (such as challenge questions & answers for resetting passwords). This investigation, which often involves the use of outside consultants (because there may have been inside help) continues throughout the whole network until the full extent of the breach is known. Being a government agency, the breach will likely involve a several-hundred-page report covering every detail. Somebody has to write that.

          The cost is already in the hundreds of thousands of dollars, and only then can the repairs start. It's often not as simple as just restoring a backup, either. Sure, the operating system can usually be done quickly (including fixes for the responsible security holes), but if there's any indication of data being touched (which, in this case, there was), that has to be addressed, too. Backups are usually old. In an ideal world we'd be making hourly backups stored offsite in an everything-proof vault, but that's never really the case. If an admin's lucky, he has a backup that's less than a week old - or it was when the breach occurred. Somehow (best described as "magically"), the admin has to figure out what changes were intentional (like experiment results, or customer orders, or whatever) and what was the result of the breach, then piece together the data to get something reasonably complete and up-to-date. Finally, after days, weeks, or months of reconstruction (most vital systems first, of course), the system is declared clean. Until then, projects get postponed, and other employees are being paid to play solitaire until their real work can continue.

          Then there's the "let's not do this again" phase, where employees change passwords, get lectured on security practices, sit through seminars on how to properly encrypt data, and so forth, all of which costs even more money. There's probably still an ongoing investigation as to whether anyone inside the organization helped the hacker, likely being run by consultants.

          Then there's the damages caused by any delays, which may involve contractual obligations. That's more money.

          It's not as simple as just re-imaging and assuming that everything's fine. Sure, that works on workstations, but it's unlikely that a workstation was all that was damaged. Once a server gets touched, the costs rise dramatically.

    • by timeOday (582209) on Wednesday November 16, 2011 @12:06PM (#38074066)

      So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?

      So anybody who can smash a car window and steal a stereo is smarter than the guys who design cars? That is not a logical conclusion.

      • by roman_mir (125474)

        If that's your metaphor for an unpatched system or a system with some weak passwords in it, then I can't help you.

        The work of an admin is not to leave an 'unsecured car' without supervision. If the 'windows can be smashed', it means the admin is not doing his job.

        Actually it's more like having a tank with a hatch opened, and somebody throwing a hand grenade into it.

      • No, but a guy who figured out how to throw a pebble in *just* the right way to allow access to a locked car (and drive it) without setting off the car alarm or giving much evidence of intrusion is smarter than the guy who designed the car's security measures.

        • by timeOday (582209)
          Do we have some reason to think the intruder in this case built his own toolkit or devised his own methods?
    • by Hentes (2461350)

      No education and no occupation, ha?

      So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?

      This is Eastern Europe. He might have a job and just be evading taxes.

      • by roman_mir (125474)

        Evading taxes? Oh crap, don't tell that to the prosecutors. Like the guy doesn't have enough problems on his plate already. Shush.

    • the DEA stating that each cannabis plant is equal to a lb of weed. Sure, it's possible if you grew it outdoors in California, but 99% of the time people get nowhere near that. With big plants (6 week veg) they might get 4oz dry off each plant.

    • No education and no occupation, ha?
      So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?

      A virus can break into your huge, complex and perfectly evolved human immune system, while being the simplest lifeform.

      Defending is a much harder problem than attacking.

    • by sgt scrub (869860)

      So who is working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems?

      So who was working for NASA then, that this 'no-education and no-occupation' individual is able to break into their systems? FTFY

      What kind of 'severe disruptions' did he cause that cost 500,000 USD?

      It costs money to replace your entire IT department.

    • He possesses hacking programs, that means he is a terrorist. What kind of 'severe disruptions' did he cause that cost 500,000 USD?

      If he disrupted servers used by NASA to provide data to their employees, it could easily reach that. For example, the Planetary Data System servers are the normal point of access for thousands of researchers around the country working with raw data from NASA space probes. Take that off line for a day and you've disrupted quite a lot of work. Similar if you take down a technical data server that suppliers need to access detailed requirements or coordinated design data like CAD models of a system a supplier

    • by cusco (717999)
      He cost an admin a few hours of time and maybe a reinstall and reconfigure.

      This is not your home media server with your pirated music and downloaded porn, these are thousands of servers worldwide running one-of-a-kind custom written software and mission critical systems. After finding which exploits were used they need to find which systems could have been affected. They need to know which systems can be taken off the network in what time frame, and what needs to be done to each. Apply the wrong patc
  • by sl4shd0rk (755837) on Wednesday November 16, 2011 @11:29AM (#38073584)

    They are evidently no longer basing operations within the Beta Quadrant!

  • by Anonymous Coward

    I bet the embarrassment alone was worth $500K and then some.

  • by JustAnotherIdiot (1980292) on Wednesday November 16, 2011 @11:54AM (#38073876)
    This number bothers me, and I find it hard to believe.
    Even more so because TFA doesn't ever mention /what/ it was he did.
    Sure, he broke in, but what did he do with that access?
    Delete files? Rename them? Rearrange them? Simply just shut the servers down? Perhaps a virus or two?
    All I can think of that should be possible remotely would just cause an IT admin a headache for a few hours while he fixed the damages.
    Unless he found the "self destruct" button, and now NASA is without any equipment.
    • I'm guessing you're a hacker apologist? After an intrusion there are resources that have to be redirected to find out what access the intruder got; there's downtime hardware, there's the cost of the investigation e.g. flying inspectors out to Romania if needed.

      No harm-no foul rules only count on non-critical systems. Most admins don't take intrusions as an "academic act of altruism granted to them by white hats."

      • Not in the slightest. I was questioning the number, not his punishment.
      • by Anonymous Coward

        So why are not the people whose application had the hole he used not responsible at all.
        I bet there would be a lot fewer holes to exploit.
        And with all the billion NASA has or can earn if they won't stand behind a NASA used application then NASA should write it themselves. Not let something that critical connect to a public network.
        Not spend my tax dollar finding some guy with no education in Romania how much do you think that cost.

    • "Even more so because TFA doesn't ever mention /what/ it was he did."

      He found the Director's pr0n collection....

  • by DeltaVelocity (2509444) on Wednesday November 16, 2011 @01:32PM (#38075292)
    ...is not that a Romanian hacker got into NASA systems and caused an alleged $500k in damages/remediation expenses. The real story is that the Romanian authorities actually DID something about it.
