Reporting Open System in the Wild: Like NASA JPL OPEN

gAtO sAy – we have a big problem for anyone that has cyber information and wants to report it. This is not a US problem but an international one. We all know that companies do not want to report that their site is open, or that they have been hacked, for a number of reasons. Their reputation will be damaged, clients will not trust them and, sad but true, companies sometimes even pay hackers to keep the information from being leaked. You have hacktivists, commercial criminals and state actors. But a few security researchers find information about a company and want to report it and get the problem fixed; the reasons vary but the intentions are good. Where do we go to report this? The FBI, our Senators or maybe Homeland Security? Nah, they don’t care.

gAtO and other researchers like ntiSec have found a number of SCADA systems open in the wild, and from all the shouting from the powers that be you would think they would want to help. SCADA systems control pumps, elevators, nuclear power plants, and if someone plays with these systems it could have a very bad effect on the physical infrastructure of a country. Political people yell that they’re going to hack our electric system, but when we find one and try to tell the company they don’t listen.

One reason is ego – let’s say you contact a webmaster and tell them “hey, your system is open and has this problem” – well, that webmaster may just think “oh shit, if my boss finds out it’s gonna be my ass” and he/she does not report it. Maybe they will try to fix it, but admitting it to anyone in the IT department could make them tell the boss, and with the job market the way it is people are afraid that they may get fired.


Next, if you go to the C-Suite folks, you know, the executives, well they say “oh shit, this could have an effect on my bonus” or profits, or they may lose clients if people find out that maybe their client information has not been encrypted, or maybe compliance and regulatory reports come into it and they get heavy fines; this will affect the bottom line. So as you can see these people have a vested interest not to tell anyone how bad their systems are or to fix them. But their sites are still open.

Then you have governments, which are responsible for protecting the people, but these folks have so many rules and regulations that actually prevent them from doing the right thing and fixing the problems. Example:

You all heard that NASA has been hacked by the Chinese, and yet gAtO tried to report that their systems were wide open:

http://starbase.jpl.nasa.gov/

http://starbase.jpl.nasa.gov/mgn-v-rdrs-5-dim-v1.0/mg_1193/fl06s186/

http://starbase.jpl.nasa.gov/mgn-v-rdrs-5-dim-v1.0/mg_1193/

http://starbase.jpl.nasa.gov/mgn-v-rdrs-5-dim-v1.0/

You would think that this would get top priority. I could not get anyone to listen. I tried the FBI, Senator Reed, Senator Whitehouse, even Homeland Security; they could not or would not help. Here is NASA’s Jet Propulsion Laboratory (JPL), the people that control our satellites, and still they did not close up the sites for over a week. A hacktivist or a foreign state actor like China, Iran, North Korea could access these systems and bring down a satellite and kill millions of people. They still don’t care.

When gAtO tried to report this to his representatives he got hung up on by his office; they took no action. Here is our government doing nothing when something goes wrong. Email them or call them and ask them why they don’t want to help -gAtO oUt

Steven_Usler@reed.senate.gov  (401) 943-3100

james.langevin@mail.house.gov (401) 732-9400

jim@jimlangevin.com

sheldon_whitehouse@whitehouse.senate.gov (401) 453-5294
