Possible Iranian hack of NASA stresses need for site certification

The Launch Control Center at NASA Kennedy Space Center in Cape Canaveral, Fla. // Bill Ingalls/AP

Recent claims that an Iranian student group compromised NASA researchers’ online accounts by redirecting users from a seemingly valid login page to a password-stealing website underscore the importance of digitally certifying internal agency sites, a cybersecurity analyst said.

The space agency has disputed the claimed “man-in-the-middle” attack but acknowledged it is revalidating its computer systems, just in case.

The pro-regime Iranians, self-dubbed the Cyber Warriors Team, orchestrated the ruse by allegedly erecting a proxy Web page that brought visitors to their intended destinations, only after capturing their login details. The site might have been vulnerable to this kind of gambit because the digital certificate NASA used to avow the page’s authenticity either had expired or wasn’t signed by a trusted third party, analysts say. The hackers partially revealed their methods in broken English on an online bulletin board.

Whether or not the hit was real, the asserted ploy demonstrates why agencies should certify Web pages that transmit personal information, not just encrypt the information, said Johannes Ullrich, chief research officer at the SANS Institute. “They only protect the transmission of the information,” he said Thursday. “The page, the login form itself, is not protected.”

Ullrich said digital certificates are available for free and setup takes about five minutes, but managers often feel the time spent proving to a third party they are affiliated with their site is too much of an administrative burden.

“The lesson should be to stop using self-signed or invalid certificates for ‘obscure’ internal websites,” he wrote in a blog entry earlier in the day. “I have frequently seen the argument that for an internal website ‘it is not important,’ or ‘too expensive,’ or ‘too complex’ to set up a valid certificate. [Encryption] isn't doing much for you if the certificate is not valid. The encryption . . . only works if the authentication works as well. Otherwise, you never know if the key you negotiated was negotiated with the right party.”
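As an added example (not part of the original article or of anything NASA or SANS published), the Python sketch below audits a list of site hostnames the way a standard client would, reporting which ones present an expired, self-signed or otherwise unverifiable certificate. The hostnames are supplied by the operator on the command line; the status labels are this example's own naming.

```python
import socket
import ssl
import sys

# OpenSSL verification result codes mapped to the failure classes the article names.
VERIFY_CODES = {
    10: "expired",             # X509_V_ERR_CERT_HAS_EXPIRED
    18: "self-signed",         # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "untrusted-root",      # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "unknown-issuer",      # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    62: "hostname-mismatch",   # X509_V_ERR_HOSTNAME_MISMATCH
}


def classify(verify_code):
    """Return a short label (this example's naming) for an OpenSSL verify code."""
    return VERIFY_CODES.get(verify_code, "invalid (code %d)" % verify_code)


def strict_context():
    """Client context that authenticates the server instead of only encrypting."""
    # The default context requires a trusted chain and checks the hostname.
    return ssl.create_default_context()


def probe(host, port=443, timeout=5.0):
    """Handshake as a browser would; return (host, status, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                return (host, "ok", tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as err:
        # Raised when the certificate cannot be authenticated.
        return (host, classify(err.verify_code), err.verify_message)
    except (ssl.SSLError, OSError) as err:
        return (host, "unreachable", str(err))


if __name__ == "__main__":
    # Hostnames come from the command line, e.g. an inventory of internal sites.
    failures = 0
    for name in sys.argv[1:]:
        host, status, detail = probe(name)
        print("%-40s %-18s %s" % (host, status, detail))
        failures += status != "ok"
    sys.exit(1 if failures else 0)
```

The script exits non-zero when any listed site fails verification, so it can run as a scheduled check against an inventory of internal sites.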

The Cyber Warriors Team says it is “Organized and Formed Of Programmers and Hackers.( Independently and separately ).” and describes its stunt as follows: “We obtain User information for thousands of NASA researcher [sic] With Emails and Accounts of other users. Send For You [sic] soon Videos of Man in the middle attack and Stealing relationship ( Addressing security managers at NASA).”

NASA officials said in a statement that “an Iranian hacker group posted a message on a website claiming to have compromised a NASA Web-based computer system” on May 16, and the agency “discovered the message within hours of its initial post.”

Officials noted that false claims of intrusions into NASA information technology systems are common, citing two other bogus claims posted on the same site the same day the Iranian message appeared.

In the case of the Iranian hackers, “although the investigation is ongoing, all results thus far indicate that the claims are false,” officials stated. “However, to ensure that the subject systems are secure, NASA is revalidating its security profiles to ensure they are operating with minimal risk. IT security remains a critical function at NASA. At no point were any sensitive, mission or classified systems compromised.”

This is not the first time Iran supporters have targeted a U.S. government-funded website. On Feb. 20, 2011, the site of U.S.-backed broadcaster Voice of America Persian was defaced by an Iranian pro-government group, according to sister station Radio Free Europe/Radio Liberty. The main VOA site also appeared to have been hacked later that day.
