a HacK tHat was more tHan a HiccUP
The recent hacking of the Domainz registry may have looked like a storm in a teacup, but the implications for the security of Web sites are much larger.
Sites with .nz domain names, including MSN, Sony, Coca-Cola and Xerox, were temporarily redirected, displaying the message: “Hacked by Peace Crew”, “STOP THE WAR ISRAEL” and an image of Microsoft chief Bill Gates being hit in the face with a cream pie.
The hackers responsible, the Peace Crew, are reportedly of Turkish origin and have defaced other Web sites in the past, including Microsoft and auto firms.
The attack was not on the individual sites, but on the database of Domainz, the sites’ registrar. Any individual or business setting up a Web site has to register it through a company like Domainz.
The hacking technique used is called an SQL injection, which exploits security vulnerabilities in Web sites caused by poor coding, allowing remote manipulation of the site’s database. In this case, the attack was carried out by modifying the registrar’s DNS records. DNS is the system which translates a Web site’s name (eg: www.microsoft.com) into an Internet protocol (IP) address. Changing the DNS means anyone entering the name of the affected Web site will be redirected to wherever the hacker chooses.
This particular hack was purely mischievous, but security consultant Nick von Dadelszen of Lateral Security, says criminal hackers could have done far more serious damage.
“They effectively could have gained control over Internet connections,” he told NetGuide. “That’s not just Web sites; it’s redirecting emails, any B2B-type business transaction that occurred.”
A criminal attack on DNS could have seen Internet users sent to malware sites, or emails containing confi dential information (eg: credit card details and passwords) redirected to ‘manin- the-middle’ locations where the information could be uplifted and misused. The compromising of well-known and trusted Web sites is a major technique used by cybercriminals today.
Domainz, which is owned by Melbourne IT, is the biggest single holder of .nz Web addresses. Melbourne IT’s Chief Strategy Officer, Bruce Tonkin, told NetGuide the number of domain names affected was very low and the number of customers was even lower.
Stopping the redirection of the affected sites took only a few minutes, and then Domainz itself was taken offl ine for several hours in order to stop any further such attacks and analyse what was done to its registry. Pages were checked, penetration tests were carried out, and software and hardware were upgraded.
SQL injections are not a new form of hacking; the technique has been known for about a decade. So the fact that a domain registry could be hacked in this way was rather embarrassing.
“Any Web site has hundreds of pages and has been maintained over a period of time, so in this case the [Domainz] Web site was developed over a 10-year period,” Tonkin said. “In fact most of these pages probably haven’t been touched in 10 years, and they found a flaw. Every company pretty much goes through that.”
Part of Melbourne IT’s cleanup job involved explaining to its customers what had happened and the steps taken to rectify the problem. Domainz doesn’t hold any credit card details, but the incident has served as a wake-up call to all Web administrators, particularly companies that accept credit card payments online. The level of security you have on a site generally depends on how much you’re prepared to spend. Any business that accepts credit card payments is required to follow payment card industry (PCI) standards – the banks insist on it. But Tonkin believes more vigilance is needed.
“The fact that somebody can change a DNS record is serious and I think these sorts of incidents mean the verall industry strengthens security, so we’re certainly doing that and I’m sure other companies like us would be looking at that as well.
“What this attack has shown is that we need to treat not just the credit card payment pages at a high level of security, but anywhere where a user can enter data in the system, as opposed to just read data.”
New Zealand’s Domain Name Commissioner, Debbie Monahan, is responsible for the day-to-day oversight of he .nz domain name registration and management system. She liaised closely with Melbourne IT over the Domainz hack, and information was shared with the domain registry community.
“I think Domainz themselves will admit it was a breach that shouldn’t have happened, and that registrars need to take a lot more care to check their sites,” Monahan told NetGuide.
The Domain Name Commission is also looking at whether it should impose minimum standards for registrars ho are holding any information about Web sites – not just credit card details. Without more regular and horough checks, a lot of Web sites may be vulnerable to much more serious attacks.
“If there’s one vulnerability that could cause significant cyber damage, DNS is it,” said Nick von Dadelszen. “It happens elsewhere and it’s starting to be highlighted more in security circles, but it’s [the IT] industry that needs to do something. Unless risk managers are aware of the risk, they can’t do something about it.
“Domainz may have fixed the immediate problem, but what about the others? What about the overall infrastructure, what about there gulatory environment? How do we know this isn’t going to happen nextyear?”
As this incident showed, Web site security is not static. Threats, vulnerabilities and risks continue to evolve over time. Anyone running a Web site should be reviewing security regularly.