Nasa audit finds PCs for sale without proper data cleaning

The space agency's auditors have found computers up for sale that still contained restricted data and had failed verification testing
Written by Tom Espiner, Contributor

Nasa auditors have found computers from the space shuttle programme that the agency failed to properly sanitise before putting the PCs up for sale.

Kennedy Space Center put 10 computers up for sale that had failed data cleaning verification testing, and contained Nasa data, the auditors said in a report on Wednesday. The computers had failed verification testing, and yet nine were sold anyway. The auditors blamed deficient management processes.

"During our audit, we discovered significant weaknesses in the sanitisation and disposal processes for IT equipment at four Nasa centers — Kennedy and Johnson Space Centers and Ames and Langley Research Centers," said the report (PDF).

The auditors confiscated four other computers and found that one contained shuttle technology data, which is subject to arms control export restrictions.

Between June 2009 and June 2010, an independent contractor tested a sample of 730 pieces of IT equipment that Nasa was getting rid of and found 14 computers still contained data. The computers, though clearly marked, were put up for sale without the data being removed.

In addition, the audit found several pallets of computers, containing around 44 PCs per pallet, at Kennedy's property disposal facility, prepared for sale. These computers had IP addresses marked on the cases, which could have enabled a hacker to target specific points of Nasa's network.

"Releasing an internet protocol [IP] address outside of Nasa's custody is a potential IT security weakness that could enable unauthorised access to Nasa's internal computer network," said the report.

Linda Cureton, Nasa's chief information officer, told the auditors that Nasa's information disposal policy would be updated and new guidance produced by the third quarter of the fiscal year of 2011. The auditors said the deadline for this action was not timely enough.

"We are troubled that management's response does not reflect the sense of urgency we believe is required to address the serious security issues uncovered by our audit," said the report. "Accordingly, we consider the recommendations to be unresolved." Kennedy Space Center took "swift actions" to remedy its procedures, the auditors noted.

Editorial standards