Sophos Cloud Optix
Romanian police arrested Robert Butyka of Cluj Napoca for hacking into NASA servers beginning in December of 2010.
Butyka, who goes by the handle Iceman, is accused of unauthorized access to NASA systems, possession of hacking tools and causing the deletion, modification and restricting access to data.
The charges allege that the damages caused by his attack cost approximately $500,000.
Butyka is being held for 24 hours pending further review of the case and the computers seized from his residence.
This isn’t the first time NASA has been hacked, as many of our readers will recall this is what originally got British hacker Gary McKinnon in touch with the long arm of the law.
If NASA is repeatedly being hacked to the tune of half a million dollars plus each time, shouldn’t we be asking serious questions about the security of their systems?
While I agree that unauthorized access to a system is a punishable offense, isn’t there an even bigger problem lurking behind the firewalls at Cape Canaveral?
By my calculations $500,000 buys you a few top notch security experts with a fair bit of money left over for tools/software.
Of course this has happened multiple times, so perhaps we have a million or two to play with.
Wasting FBI and international law enforcement resources to continually track down attackers is a massive waste of money.
If Butyka is guilty he should be punished, but we should be asking some serious questions of the administrators at NASA.
I’m afraid the old expression “An ounce of prevention is worth a pound of cure” is something that should be discussed a little more often at NASA IT security.
Creative Commons photo of handcuffed suspect courtesy of Keith Allison’s Flickr photostream.
I'm not sure that hunting down criminals is a massive waste of money. The 2011 Verizon DBIR speculated that arrests and prosecutions following high profile intrusions may have deterred other hackers from going after large organizations, focusing on a plethora of less risky yet smaller targets instead. And we know that a lot of malware goes out of its way to not target machines in the nation the authors live in, probably in an attempt to avoid prosecution by local law enforcement. And spam traffic has dropped after botnet takedowns… at least for awhile. Deterrence is hard to measure and is unable to completely prevent crime, but I suspect it has a low-moderate effect.
But the real question was if it was more effective to hire $500,000 worth of security professionals or $500,000 worth of cybercrime investigations. The first option may possibly save your organization, but no guarantees. And then the criminals will still be out there, targeting the rest of the world that didn't have $500,000 to spend on security. Spend money on prosecuting, and if the black hat talent pool is small enough you've won a major victory. But if hackers grow like weeds, then yes, quite pointless other than the good feeling that comes from taking revenge.
The best solution seems to involve a mix of both prosecution and defense. I would like to know what this mix looks like.
Thank him for finding security holes and keep making the systems more secure for the future cyber wars, which will cause people to die and nations to fall.
Well yes it would seem that NASA doesn't have much in the department of network security. Either they don't have proper staff or the staff thats there isn't maintaining any consistent monitoring and upgrading of barriers they have in place. It shouldn't even get to computer media that "multiple" individuals have hacked in to a high security system. We should only be hearing that someone attempted.