A computer analyst who retraced the attackers’ self-reported steps says the space agency’s login Web page likely was unprotected.
Recent claims that an Iranian student group compromised NASA researchers’ online accounts by redirecting users from a seemingly valid login page to a password-stealing website underscore the importance of digitally certifying internal agency sites, a cybersecurity analyst said.
The space agency has refuted the “man-in-the-middle” attack but acknowledged it is revalidating its computer systems, just in case.
The pro-regime Iranians, self-dubbed the Cyber Warriors Team, orchestrated the ruse by allegedly erecting a proxy Web page that brought visitors to their intended destinations, only after capturing their login details. The site might have been vulnerable to this kind of gambit because the digital certificate NASA used to avow the page’s authenticity either had expired or wasn’t signed by a trusted third party, analysts say. The hackers partially revealed their methods in broken English on an online bulletin board.
Whether or not the hit was real, the asserted ploy demonstrates why agencies should certify Web pages that transmit personal information, not just encrypt the information, said Johannes Ullrich, chief research officer at the SANS Institute. “They only protect the transmission of the information,” he said Thursday. “The page, the login form itself, is not protected.”
Ullrich said digital certificates are available for free and setup takes about five minutes, but managers often feel the time spent proving to a third party they are affiliated with their site is too much of an administrative burden.
“The lesson should be to stop using self-signed or invalid certificates for ‘obscure’ internal websites,” he wrote in a blog entry earlier in the day. “I have frequently seen the argument that for an internal website ‘it is not important,’ or ‘too expensive,’ or ‘too complex’ to setup a valid certificate. [Encryption] isn't doing much for you if the certificate is not valid. The encryption . . . only works if the authentication works as well. Otherwise, you never know if the key you negotiated was negotiated with the right party.”
The Cyber Warriors Team says it is “Organized and Formed Of Programmers and Hackers.( Independently and separately ).” and describes its stunt as follows: “We obtain User information for thousands of NASA researcher [sic] With Emails and Accounts of other users. Send For You [sic] soon Videos of Man in the middle attack and Stealing relationship ( Addressing security managers at NASA).”
NASA officials said in a statement that “an Iranian hacker group posted a message on a website claiming to have compromised a NASA Web-based computer system” on May 16, and the agency “discovered the message within hours of its initial post.”
Officials noted that false claims of intrusions into NASA information technology systems are common, citing two other bogus claims posted on the same site the same day the Iranian message appeared.
In the case of the Iranian hackers, “although the investigation is ongoing, all results thus far indicate that the claims are false,” officials stated. “However, to ensure that the subject systems are secure, NASA is revalidating its security profiles to ensure they are operating with minimal risk. IT security remains a critical function at NASA. At no point were any sensitive, mission or classified systems compromised.”
This is not the first time Iran supporters have targeted a U.S. government-funded website. On Feb. 20, 2011, the site of U.S.-backed broadcaster Voice of America Persian was defaced by an Iranian pro-government group, according to sister station Radio Free Europe Radio Liberty. The main VOA site also appeared to have been hacked later that day.