NASA sells off shuttle program PCs with data intact

December 8, 2010 By Geoff Duncan

As cybersecurity concerns heighten in the U.S., NASA has embarrassingly been selling shuttle program PCs with sensitive data still on board.

In an age when groups of anonymous attackers are targeting credit card companies and confidential U.S. diplomatic cables are being posted to the public Internet, U.S. space agency NASA has managed an embarrassing gaffe: it’s been selling PCs from the space shuttle program without first confirming all data had been wiped from the systems. According to NASA’s report on the incidents (PDF), there’s no way to know what potentially sensitive data may have been on the systems, but data found on similar equipment raises “serious concerns” information subject to U.S. export control might have walked out the door.

A NASA internal investigation found 10 cases where agency PCs were sold even though they failed data removal procedures. Another four PCs that were on the verge of being sold were found to still contain data subject to export restrictions under arms control regulations, and dozens of other PCs at a disposal facility still had labels and other markings that revealed details of NASA’s internal network configuration—potentially valuable information to anyone looking to infiltrate NASA’s network. In other incidents, NASA found that technicians did not property keep track of removed hard drives during the agency’s teardown process.

The issues spanned four NASA facilities at Kennedy and Johnson space centers, as well as the Ames and Langley research centers.

NASA is currently winding down the space shuttle program, with only two scheduled shuttle flights remaining. The final shuttle flight is currently scheduled for June 2011. The agency says it is reviewing and updating its equipment disposal procedures.

Everyday computer users can take a lesson from NASA: if you decide to resell a PC, at the very least completely wipe the system’s hard drive before turning the system over to a new owner. To be reasonably secure from sophisticated prying, that means repeatedly overwriting every sector of the drive with garbage data—and, yes, the process can take a long time. With hard drives being comparatively inexpensive these days, it might be more time efficient to remove and destroy drives before selling a system.

Showing 6 comments

Yobee at 6:12pm 31st December 2010 People are so caught up in the age of high tech that some very basic principles get tossed aside. Hard Drive storage is still a magnetic medium; any bulk eraser for video tapes and cassettes will permanently destroy HD data in 5 seconds. Duh, folks.
IT Disposal at 4:19am 13th December 2010 Its very easy for data to be properly destroyed (there is even free software available on the net). It may take a while for the process to be done (up to 2 hours if your data is sensitive), however it's quite shocking that they didn't ensure this process was followed.
Winski at 9:57am 11th December 2010 No wonder they want to go back and use the Apollo program rockets and flight modules.... They don't have a clue how to build anything new because they are still using the 1950's technology... Talk about ass-backwards... Being in texas explains a lot of it....
dude at 3:58pm 9th December 2010 *grammar
John at 11:13am 8th December 2010 Is that all you came away with by reading this article? How to correct his grammer? I would say there is a more pressing matter at hand. By the way it's not the first line that has the typo, it's the first sentence of the second paragraph. Guess you need to be corrected also.
Marc at 10:50am 8th December 2010 Ironically, the first line in this article has a typo. :P I believe you meant to use "where" instead of "were".