
July 8th, 2008

ICANN says hijacking attack due to breach at their registrar

Posted by Nathan McFeters @ 8:46 am

Categories: Complex Attacks, Hackers, Zero-day attacks

Tags: Registrar, ICANN, Attack, Security, Nathan McFeters

As we noted earlier, ICANN, the organization that manages the top-level domain (TLD) naming system for the web, recently had several of its domains hijacked by a Turkish hacking group. ICANN has now stated that the hijacking was due to a security breach at the registrar that manages those domains. From ICANN’s site:

The DNS redirect was a result of an attack on ICANN’s registrar’s systems. A full, confidential, security report from that registrar has since been provided to ICANN with respect to this attack.

It would appear the attack was sophisticated, combining both social and technological techniques, but was also limited and focused. The redirect was noticed and corrected within 20 minutes; however it may have taken anywhere up to 48 hours for the redirect to be entirely removed from the Internet.
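The statement above makes a point worth dwelling on from the defender's side: the redirect was corrected at the registrar within 20 minutes, yet the stale answer could persist in resolver caches for up to 48 hours, so the window that matters is the one between the change and its detection. The following is an added example, not code from the original post or from ICANN, that compares snapshots of a hypothetical domain's NS and A records against an operator-maintained baseline and flags any drift, treating a delegation (NS) change as the registrar-level event the post describes. The domain, records, addresses and the 172800-second TTL are all constructed values; a real monitoring job would replace the snapshots with live lookups.

```python
"""Baseline comparison for a domain's authoritative DNS records.

Added example (not from the original post). A periodic job fetches the
NS and A records for a domain and hands them to check_snapshot(); any
difference from the operator's baseline is reported as a finding.
Here constructed snapshots stand in for live lookups.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed baseline for a hypothetical domain (not ICANN's real records).
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "example.org": {
        "NS": {"ns1.example.net.", "ns2.example.net."},
        "A": {"192.0.2.10"},
    },
}


@dataclass(frozen=True)
class Finding:
    domain: str
    rrtype: str
    added: FrozenSet[str]      # values seen now but absent from the baseline
    removed: FrozenSet[str]    # baseline values no longer being served
    severity: str


def diff_rrset(expected: Set[str], observed: Set[str]):
    """Return (added, removed) for one record type."""
    return frozenset(observed - expected), frozenset(expected - observed)


def check_snapshot(domain: str, observed: Dict[str, Set[str]],
                   baseline: Dict[str, Dict[str, Set[str]]] = BASELINE) -> List[Finding]:
    """Compare an observed snapshot against the baseline; empty list means no drift."""
    expected = baseline.get(domain)
    if expected is None:
        raise KeyError(f"no baseline recorded for {domain}")
    findings: List[Finding] = []
    for rrtype, exp in expected.items():
        obs = observed.get(rrtype, set())
        added, removed = diff_rrset(exp, obs)
        if added or removed:
            # A delegation change originates at the registrar/registry layer,
            # the layer ICANN's statement blames; an A-record change alone
            # could instead mean the zone's own authoritative server changed.
            severity = "critical" if rrtype == "NS" else "high"
            findings.append(Finding(domain, rrtype, added, removed, severity))
    return findings


def stale_cache_hours(ttl_seconds: int) -> float:
    """Worst-case hours a corrected record keeps being served from resolver caches."""
    return ttl_seconds / 3600


# Constructed snapshots: one matching the baseline, one showing a hijack.
CLEAN = {"NS": {"ns1.example.net.", "ns2.example.net."}, "A": {"192.0.2.10"}}
HIJACKED = {"NS": {"ns1.redirect.invalid."}, "A": {"203.0.113.77"}}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("hijacked", HIJACKED)):
        for f in check_snapshot("example.org", snap):
            print(label, f.rrtype, f.severity, "added:", sorted(f.added), "removed:", sorted(f.removed))
    # Constructed TTL: a two-day TTL keeps stale answers alive for up to 48 hours.
    print(f"TTL 172800s -> stale answers for up to {stale_cache_hours(172800):.0f} hours")
```

Running the check against the clean snapshot produces no findings; the hijacked snapshot produces a critical NS finding and a high A finding. The TTL helper only restates what the page already implies: once a bad delegation has been cached, fixing it at the registrar does not recall the answers resolvers already hold, which is why detection speed, not correction speed, bounds the exposure.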

Hmm… I wonder how “sophisticated” this could’ve been.  I think that this is like one of the stages of denial for security flaws:

  1. Deny the flaw exists
  2. Once the flaw is shown to exist, assume the attack must’ve been sophisticated

ICANN also stated on the site:

ICANN is confident that the lessons learned and new security measures since introduced will ensure there is not a repeat of this situation in future. ICANN’s Security and Stability Advisory Committee (SSAC) is considering the issue of access to domain names through registrars as a priority research topic. The results of that work will be made available through the usual channels.

In a separate and unrelated incident a few days later, attackers used a very recent exploit in popular blogging software Wordpress to target the ICANN blog. The attack was noticed immediately and the blog taken offline while an analysis was run. That analysis pointed to an automated attack. The blogging software has since been patched and no wider impact (except the disappearance of the blog while the analysis was carried out) was noted.

In response to the attacks, ICANN has started an internal review of its existing security procedures to see if there are any lessons that can be learnt and to make any improvements necessary. Full reports on both incidents have been provided to law enforcement agencies.

So not only did the people who run all the domains on the net get their domains hijacked, they also failed to update Wordpress and got their blog owned.  Way to go.  Really makes a person feel comfortable.

-Nate

Nathan McFeters

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.
