Possible Iranian hack of NASA stresses need for site certification

The Launch Control Center at NASA Kennedy Space Center in Cape Canaveral, Fla. // Bill Ingalls/AP

Recent claims that an Iranian student group compromised NASA researchers’ online accounts by redirecting users from a seemingly valid login page to a password-stealing website underscore the importance of digitally certifying internal agency sites, a cybersecurity analyst said.

The space agency has disputed the claimed “man-in-the-middle” attack but acknowledged it is revalidating its computer systems, just in case.

The pro-regime Iranians, self-dubbed the Cyber Warriors Team, allegedly orchestrated the ruse by erecting a proxy Web page that brought visitors to their intended destinations only after capturing their login details. The site might have been vulnerable to this kind of gambit because the digital certificate NASA used to vouch for the page’s authenticity either had expired or wasn’t signed by a trusted third party, analysts say. The hackers partially revealed their methods in broken English on an online bulletin board.

Whether or not the hit was real, the asserted ploy demonstrates why agencies should certify Web pages that transmit personal information, not just encrypt the information, said Johannes Ullrich, chief research officer at the SANS Institute. “They only protect the transmission of the information,” he said Thursday. “The page, the login form itself, is not protected.”

Ullrich said digital certificates are available for free and setup takes about five minutes, but managers often feel the time spent proving to a third party they are affiliated with their site is too much of an administrative burden.

“The lesson should be to stop using self-signed or invalid certificates for ‘obscure’ internal websites,” he wrote in a blog entry earlier in the day. “I have frequently seen the argument that for an internal website ‘it is not important,’ or ‘too expensive,’ or ‘too complex’ to set up a valid certificate. [Encryption] isn't doing much for you if the certificate is not valid. The encryption . . . only works if the authentication works as well. Otherwise, you never know if the key you negotiated was negotiated with the right party.”

The Cyber Warriors Team says it is “Organized and Formed Of Programmers and Hackers.( Independently and separately ).” and describes its stunt as follows: “We obtain User information for thousands of NASA researcher [sic] With Emails and Accounts of other users. Send For You [sic] soon Videos of Man in the middle attack and Stealing relationship ( Addressing security managers at NASA).”

NASA officials said in a statement that “an Iranian hacker group posted a message on a website claiming to have compromised a NASA Web-based computer system” on May 16, and the agency “discovered the message within hours of its initial post.”

Officials noted that false claims of intrusions into NASA information technology systems are common, citing two other bogus claims posted on the same site the same day the Iranian message appeared.

In the case of the Iranian hackers, “although the investigation is ongoing, all results thus far indicate that the claims are false,” officials stated. “However, to ensure that the subject systems are secure, NASA is revalidating its security profiles to ensure they are operating with minimal risk. IT security remains a critical function at NASA. At no point were any sensitive, mission or classified systems compromised.”

This is not the first time Iran supporters have targeted a U.S. government-funded website. On Feb. 20, 2011, the site of U.S.-backed broadcaster Voice of America Persian was defaced by an Iranian pro-government group, according to sister station Radio Free Europe/Radio Liberty. The main VOA site also appeared to have been hacked later that day.
