Access: Curse and Blessing for Computer Networks: JPL Cracks Down After ‘Hacker’ Breaches System

Times Staff Writer

A “hacker” was able to penetrate the Jet Propulsion Laboratory’s computer system by finding an employee who used his own name as a password, violating a well-established security regulation, officials said.

Moreover, JPL sources said, many laboratory employees regularly flouted the laboratory’s security regulations.

The invasion of JPL’s computer system has triggered a security crackdown at the space lab, forcing researchers to think up trickier passwords, according to researchers and administrators.

The “hacker” who gained access to the system for more than seven hours last month received unwitting help from someone at JPL who violated a basic security rule, JPL spokesman George Alexander said.

Those seeking access to the computer on a telephone line must type in a password identifying them as authorized users. A laboratory regulation requires that the passwords not be easy to guess or obtain and bars even high-ranking supervisors from learning passwords used by others.

The hacker, however, “searched through the directory of users and found someone who had used his own name as a password,” Alexander said.

“That’s a direct violation of standard operating procedures. You’re not supposed to use your own name, your wife’s name, your child’s name, anything like that. This whole embarrassing thing happened because someone didn’t follow the guidelines.”

He was not told the person’s identity, Alexander said.

High-Level Access

The intruder later gained access to the password files, which are ordinarily protected by encryption--numerical coding--from being read even by those with high-level access to the computer, said Peter Lyman, deputy director of the laboratory.

However, Lyman said, the intruder was able to penetrate the coding “and see the passwords in clear text--it gave them everybody else’s password.”

Sources at JPL, who asked not to be identified, said that in the past, many laboratory employees ignored computer security rules. The rules required them to change passwords at least once a month and to make passwords difficult to guess at by simple expedients, such as inserting numerals into an uncommon word, for example changing “crepuscular” to “cre7puscu9lar.”

An investigation in the aftermath of the break-in found that some researchers rarely changed passwords, and some passwords were as simple as a single letter, the sources said, apparently because simple passwords are easier to use and remember.

The discovery of lax practices angered the laboratory’s administrators and led to a crackdown, the sources said.

“We have all been advised in very clear terms that we had better get with the program immediately,” one engineer commented.

Lyman described the change as “a heightened awareness factor.”

Military Safeguards

JPL does classified work for the Department of Defense, but there is no chance that the intruder gained access to those files because of safeguards mandated by federal regulations, Lyman said.

A key provision is the “air gap,” which requires that “no electrical or telephonic connections exist” between computers containing classified material and other systems, he said.

When information from both types of computers is needed for calculations, he said, “you can carry tapes between them,” but the computers may not be connected. Links between computers with classified tasks are made only by military telephone lines unconnected to the civilian system, he said.

Although JPL has tightened security discipline and substituted fresh software for the programming that was exposed to the hacker, more extensive security measures are in the planning stage, Lyman said. He has estimated that these will cost somewhere between “several hundred thousand” and $4 million.

Pentagon and Navy spokeswomen said military officials are investigating JPL’s report that the hacker left the JPL computer system by signing onto a Navy computer at the Patuxent River, Md., Naval Air Station.

JPL spokesmen said the intrusion was reported to the FBI. A spokesman for the FBI’s Los Angeles office said he had been forbidden to discuss the case.
