Possible Iranian hack of NASA stresses need for site certification

The Launch Control Center at NASA Kennedy Space Center in Cape Canaveral, Fla. // Bill Ingalls/AP

Recent claims that an Iranian student group compromised NASA researchers’ online accounts by redirecting users from a seemingly valid login page to a password-stealing website underscore the importance of digitally certifying internal agency sites, a cybersecurity analyst said.

The space agency has refuted the claim of a “man-in-the-middle” attack but acknowledged it is revalidating its computer systems, just in case.

The pro-regime Iranians, self-dubbed the Cyber Warriors Team, orchestrated the ruse by allegedly erecting a proxy Web page that brought visitors to their intended destinations, only after capturing their login details. The site might have been vulnerable to this kind of gambit because the digital certificate NASA used to avow the page’s authenticity either had expired or wasn’t signed by a trusted third party, analysts say. The hackers partially revealed their methods in broken English on an online bulletin board.

Whether or not the hit was real, the asserted ploy demonstrates why agencies should certify Web pages that transmit personal information, not just encrypt the information, said Johannes Ullrich, chief research officer at the SANS Institute. “They only protect the transmission of the information,” he said Thursday. “The page, the login form itself, is not protected.”

Ullrich said digital certificates are available for free and setup takes about five minutes, but managers often feel the time spent proving to a third party they are affiliated with their site is too much of an administrative burden.

“The lesson should be to stop using self-signed or invalid certificates for ‘obscure’ internal websites,” he wrote in a blog entry earlier in the day. “I have frequently seen the argument that for an internal website ‘it is not important,’ or ‘too expensive,’ or ‘too complex’ to set up a valid certificate. [Encryption] isn't doing much for you if the certificate is not valid. The encryption . . . only works if the authentication works as well. Otherwise, you never know if the key you negotiated was negotiated with the right party.”
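The check a strict client performs can be run across an inventory of internal sites to find the certificates Ullrich describes. The following is an added example, not code from the article, NASA or SANS; the host names are placeholders, and it assumes the machine's default trust store is the one your users' browsers rely on.

```python
import socket
import ssl
import time

# OpenSSL X509 verification error codes, mapped to the failure modes the
# article names (expired, self-signed, not chained to a trusted CA).
FINDINGS = {
    9: "not-yet-valid",
    10: "expired",
    18: "self-signed",        # leaf certificate signed by itself
    19: "untrusted-root",     # chain ends in a root the client does not trust
    20: "untrusted-issuer",   # issuer not found in the local trust store
    21: "untrusted-issuer",
    62: "hostname-mismatch",
}


def classify(verify_code):
    """Translate an OpenSSL verify code into a short audit finding."""
    return FINDINGS.get(verify_code, "other-verify-failure")


def audit(host, port=443, timeout=5.0, context=None):
    """Handshake as a strict client would and report why validation fails."""
    ctx = context or ssl.create_default_context()  # verifies chain and hostname
    result = {"host": host, "port": port}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                result.update(status="valid",
                              days_left=int((not_after - time.time()) // 86400))
    except ssl.SSLCertVerificationError as exc:  # must precede OSError
        result.update(status=classify(exc.verify_code), detail=exc.verify_message)
    except ssl.SSLError as exc:
        result.update(status="tls-error", detail=str(exc))
    except OSError as exc:
        result.update(status="unreachable", detail=str(exc))
    return result


if __name__ == "__main__":
    # Placeholder inventory (assumption): replace with your own internal hosts.
    for name in ["intranet.example.internal", "wiki.example.internal"]:
        print(audit(name, timeout=3.0))
```

Any status other than "valid" marks a site where users are being trained to click through certificate warnings, which is the condition that makes a proxied login page hard to notice.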

The Cyber Warriors Team says it is “Organized and Formed Of Programmers and Hackers.( Independently and separately ).” and describes its stunt as follows: “We obtain User information for thousands of NASA researcher [sic] With Emails and Accounts of other users. Send For You [sic] soon Videos of Man in the middle attack and Stealing relationship ( Addressing security managers at NASA).”

NASA officials said in a statement that “an Iranian hacker group posted a message on a website claiming to have compromised a NASA Web-based computer system” on May 16, and the agency “discovered the message within hours of its initial post.”

Officials noted that false claims of intrusions into NASA information technology systems are common, citing two other bogus claims posted on the same site the same day the Iranian message appeared.

In the case of the Iranian hackers, “although the investigation is ongoing, all results thus far indicate that the claims are false,” officials stated. “However, to ensure that the subject systems are secure, NASA is revalidating its security profiles to ensure they are operating with minimal risk. IT security remains a critical function at NASA. At no point were any sensitive, mission or classified systems compromised.”

This is not the first time Iran supporters have targeted a U.S. government-funded website. On Feb. 20, 2011, the site of U.S.-backed broadcaster Voice of America Persian was defaced by an Iranian pro-government group, according to sister station Radio Free Europe/Radio Liberty. The main VOA site also appeared to have been hacked later that day.
