Satellite weather forecast: Cloudy with a chance of p0wnage

Weather predictions could be thrown into chaos if miscreants exploited a litany of dangerous and years-old holes reported in ground control for the Joint Polar Satellite System (JPSS). The flaws, of which 12,703 are considered high risk, have been detailed in a US Government audit report that examined the state of security of …

  1. Marketing Hack Silver badge
    Unhappy

    You see, this is the kind of stuff that discredits government-led initiatives...

    Fair or not, this kind of news (which should definitely be reported) leads to the drip-drip-drip erosion of the credibility of U.S. government institutions to manage complex projects. It's just a shame that quality control and design are not more robust on these projects.

    1. Anonymous Coward

      Re: You see, this is the kind of stuff that discredits government-led initiatives...

      The problem is not specific to the US gov, they just tend to do it bigger than most.

      It is also worth remembering that the NPOESS project, for which the NPP satellite was intended as a technology demonstrator before finalising the main design, was cancelled in 2010 after wasting several billion dollars, and NPP was finally launched in 2011, only 6 years late, and thankfully seems to work quite well.

      JPSS picked up the working bits of NPOESS (basically NPP) with a view to having a series of satellites to operate in cooperation with Europe's METOP satellites.

    2. Wzrd1

      Re: You see, this is the kind of stuff that discredits government-led initiatives...

      What the story does not bother with, nor did the report bother with, is that there are times when one is using highly specialized software, where a software patch breaks the piss out of the entire system.

      I'm an IA guy by trade, that is Information Assurance. Much of my work is and has been government related.

      I've had systems that drove me over the edge, as they *always* popped on vulnerability scans and I had to explain that fact in my reports.

      The NA/SA in me sought more data, to find to my horror, patches frequently broke those specialized systems. Things had to be tuned and some vulnerabilities left alone.

      Which led me to see to it that those systems were placed onto a heavily protected VLAN.

      Now, you may still object, but the reality of it is that it is very likely that patching those vulnerabilities would create an inoperable control system.

      If it's all the same to you, I'd rather have operators able to control those rather expensive satellites.

      One can only hope that their IA guy or girl saw to it that said sensitive and vulnerable systems are protected by isolation from the big, bad network.

      Because, for such specialized systems, that isn't really that difficult.

      1. Anonymous Coward

        Re: You see, this is the kind of stuff that discredits government-led initiatives...

        There's a fair bit of truth to what you are saying. But there's also some foot dragging going on in some places.

        I don't think it was the JPSS group, but I know one of the groups still thought they could use their high security/high availability status as an excuse not to implement the HSPD-12 requirements, which were issued back in 2004.

        Having also been on the periphery of discussions, I understand their desire to have 12 months on the POA&Ms. Sometimes the auditors run new reports and say it isn't closed because even though you fixed the ones from the last scans, there are now new ones. But you really do need to have actually fixed the 90 day ones before you can make that complaint.

        Thankfully I'm not directly part of implementing these things. I'd go nuts trying to keep up with it all. I just have to make sure the systems have been built out with our baseline and that the vulnerability scanning has been completed before I deploy the system. After that our patch manager with his automated system takes over, and we just get the call if a PC stops talking to the patch management system. I am reasonably confident our systems are mostly (95%+) patched within 30 days of patches being released. Ironically, we're only a moderate, not high, risk system. But maybe that actually makes patching easier.

        AC because I have supported or support at least three of the names that were CC'd on the OIG report.

  2. Anonymous Coward

    Swiss cheese?

    Managing to have so many vulnerabilities that 12,703 are considered "high risk" is quite an achievement. Did they just collect as many old and unpatched operating systems and software packages as possible?

    Now I know that updating a mission-critical system is not trivial, but come on, this is rocket science, and they normally have a complete standby system in place (often at a 2nd site "just in case") that can be patched and tested before going live.

    Several million on spare computers is nothing compared to the billion for the bird after all.

    1. Anonymous Coward

      Re: Swiss cheese?

      That suspiciously-specific number is probably generated by an automated scanning tool of some sort. Based on my experience with similar projects, these types of tools tend to generate a lot of false positives (especially if said tool is a static code analyzer.) There are most likely some real problems among those 12,000 "high risk issues", but also a lot of garbage.

      When it comes to security, the government tends to have an excessive focus on scanning, metrics and numbers at the expense of common sense.

      1. Wzrd1

        Re: Swiss cheese?

        True, but when one has *standards*, one has to have a gauge against those standards.

        The problem comes when someone takes the scan results at face value, rather than what was verified as a false positive and documented as such, then runs with it to the press.

        What goes unremarked is: are these systems network-isolated, such that the common vulnerabilities would be non-exploitable? Are these systems on an isolated VLAN, where they can only access their peers and reporting servers?

        Then, there are a thousand other questions along similar lines, any of which turns the report into bird cage liner.

        1. Anonymous Coward

          Re: What goes unremarked is

          For security reasons the report is too vague to be certain, but given what I know about the office, for most of them that answer would be 'no'. I expect it's mostly Windows PCs running on a LAN with internet access on the other side of a firewall. Probably Windows 7, but at the time of the report it could have included XP. IIRC they finished their conversion just ahead of the MS EOL for XP. Probably some isolation from VLANs, but still no good excuses for not having the systems properly patched. But they are working on the issues and improving.

      2. Anonymous Coward

        Re: Swiss cheese?

        Yes, but in this instance there have also been some real issues as well.

        I do know they are working to resolve them. While not working on that one directly, I'm employed by one of the agencies on the contract so I hear cross-talk. They aren't yet where they should be, but they are in better shape than they were 12 months ago from a process perspective. Things are getting patched more rapidly.

  3. frank ly
    Facepalm

    All perfectly reasonable

    "Some flaws, including nasty ones, have persisted for years due in part to contractors having a four-year reprieve in 2010 from addressing any security flaws while the station was repurposed from a research project to the JPSS."

    The contractors who fitted my double glazing made a total mess of the window for the small bedroom, it leaks rain and the wind blows through it. I don't expect them to fix it for a while because I'm trying to repurpose that room for a personal study and storage room.

  4. Anonymous Coward

    Suomi NPP and exploitable flaws?

    Brings a whole new meaning to Finnfisher....

  5. Anonymous Coward

    Brewhahahaha!

    My orbital anvil delivery service can now proceed! Assuming that the satellite doesn't burn up on re-entry, of course...

    Now - what were those coordinates again?

  6. Anonymous Coward

    Business as usual

    Target loses $400M, the CEO gets fired. NOAA puts $2 billion at serious risk... business as usual... we'll review policies with a view to expediting fixes.

    Give me a break!

    1. Gene Cash Silver badge

      Re: Business as usual

      And the CEO of Home Depot goes "eh, they'll get used to it [the hacks]"

  7. Jungleland

    Internet Access?

    How many of these "flawed" systems are exposed to the internet?

    1. 4ecks
      Joke

      Re: Internet Access?

      Only one - the Win98 box they use for e-mail, but it is networked to everything else with no firewall.

      I hope this is the right icon!

  8. Anonymous Coward

    Oh I see why...

    ...It uses Java!

Biting the hand that feeds IT © 1998–2020