More NASA Network Break-ins (Update)
Iranian ‘Cyber Warriors Team’ takes credit for NASA hack, MSNBC
“A group of Iranian student hackers known as the Cyber Warriors Team claims to have stolen the personal information of thousands of NASA researchers. The Cyber Warriors Team boasted in a May 16 Pastebin post that it exploited a secure sockets layer (or SSL) vulnerability in the space agency’s website to swipe “information for thousands of NASA researcher[s] with emails and accounts of other users.” In the hackers’ poorly worded English message, “How and reasons to Hack NASA SSL Certificate,” the group said the security glitch still exists, and leaves the agency open to more malicious attacks.”
NASA denies Iranian cyberattack, CSO Data Protection
“NASA said it discovered the Pastebin post within hours and launched an investigation of the claims. “Although the investigation is ongoing, all results thus far indicate that the claims are false… At no point were any sensitive, mission, or classified systems compromised,” Beth Dickey, a NASA spokeswoman, said in an email.”
I’m gonna guess this is a man-in-the-middle attack based on the fact that every time you connect to any NASA service requiring an SSL certificate, you have to approve the certificate because it’s self-signed. So we’ve all been trained to accept any certificate that gets shoved at us.
Or if that’s not what they did, then someone else will soon.
Thanks for telling the whole world…
Am I supposed to not make mention of this? MSNBC already did that – globally. Do you think that NASA researchers have no right to know that their data may have been compromised?
Keith, my comment was in reference to the comment made above, not your whole post.
Well, now NASA knows how to fix their problem. The fact that this sort of thing still happens makes me wonder if they truly understand how all of this IT stuff works.
Hmm, I can’t reply to you Keith … but I would be surprised if the SA for this system is a NASA employee. Almost certainly contracted out.
RIght, cause security by obscurity works so very well.
I’m sure they’ll study it carefully, present recommendations to a technical committee, and then some admin will make us add three more characters to our passwords. That’ll fix it.
I think they should just bite the bullet and put those eyeball scanners they have on Star Trek and be done with this.
Keith,
But what if the scanners require a functioning brain behind the eyeball? Will they work for all of the career CS’s?
Steve
Just kidding, of course.
You would think that NASA would have people use VPN to access the site. Unbelievable.