Rascas wrote: ↑
Thu Jun 20, 2019 5:32 pm
Come on, everybody knows that if you plug any kind of computer into a network (SBC, PC or even a smartphone) there are risks, and that system should be audited/studied before it is allowed to be on the network.
In a perfect world. In reality not everyone knows or understands the risk. Not everyone gets the memo as to how things should be done or abides by the rules. And the memo doesn't always cover everything it should.
That's why there should be mitigations in place to detect unauthorised access on a network and to limit harm when it inevitably does happen. Never rely on the weakest link holding strong; fallible individuals are prone to making huge mistakes.
I haven't studied the full sorry report but I get the impression this was a Pi external to the NASA / JPL network allowing an external user 'dial-in' access. It looks like the hacker got into that Pi and then had access to NASA / JPL.
I would guess it's a simple tale. User buys a Pi, plugs it in, sets it up, connects to NASA / JPL, gets on with whatever they do. Never realising along the way that they are open to being hacked, never imagining there could be the consequences that there were.
Reading Page 16 of the report it seems the hacker did not attack "through a Pi" only that the hacker had extracted that user's NASA / JPL account details from that Pi.