Hacktivists hijack DNS of popular websites


Security at registrars may be weak link.

A hacktivist group has managed to redirect the traffic of two popular websites by hijacking their DNS settings, researchers at Internet Identity report.

The sites belong to UFC, a mixed martial arts promotion company, and Coach, which produces luxury goods. Both companies had expressed their support for the controversial SOPA and PIPA bills, which were withdrawn last week following widespread campaigning against them, including a 24-hour blackout of Wikipedia.

Apart from lost revenues, redirecting website traffic by hijacking DNS is mostly embarrassing for the victims; by hijacking the DNS, attackers do not gain access to the company’s servers. However, if the attackers redirect email traffic (the mail servers used by a domain are also set in its DNS), or set up a spoof or phishing site, the damage could be much worse. In fact, Internet Identity suggests that the damage could have been worse if the attackers had been more experienced.

Most organisations make significant efforts to secure their systems, which is laudable. However, the DNS settings, which are commonly stored at a third-party registrar, can easily be forgotten. Weak or compromised passwords, or inadequate security at the registrar, may give the attackers access to the DNS settings, allowing them to redirect traffic.
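
One way to keep watch over those registrar-held settings, as an added example that is not from the original article: compare a fresh `dig +noall +answer` capture against a pinned baseline and flag changed NS, A/AAAA or MX record sets. The domain, addresses and both captures below are constructed sample data.

```python
from collections import defaultdict

# What a change to each record type means, following the article's reasoning.
IMPACT = {
    "NS": "delegation changed: check the registrar account",
    "A": "web traffic can be redirected",
    "AAAA": "web traffic can be redirected",
    "MX": "inbound email can be redirected",
}

# Constructed captures in `dig +noall +answer` format (not real data).
BASELINE = """
example.com. 3600 IN NS ns1.example.net.
example.com. 3600 IN NS ns2.example.net.
example.com. 300 IN A 192.0.2.10
example.com. 300 IN MX 10 mail.example.com.
"""
OBSERVED = """
EXAMPLE.com. 120 IN NS NS2.example.net.
example.com. 86400 IN NS ns1.example.net.
example.com. 60 IN A 198.51.100.7
example.com. 60 IN MX 10 mail.example.com.
"""

def parse_answers(text):
    """Parse answer lines into {(name, type): {rdata, ...}}."""
    records = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, comment, or malformed line
        name, _ttl, _cls, rtype = fields[:4]
        # Names are case-insensitive; TTLs differ between cached answers.
        rdata = " ".join(fields[4:]).lower().rstrip(".")
        records[(name.lower().rstrip("."), rtype.upper())].add(rdata)
    return records

def drift(baseline_text, observed_text):
    """Return [(name, type, added, removed, impact)] for changed record sets."""
    base, seen = parse_answers(baseline_text), parse_answers(observed_text)
    findings = []
    for name, rtype in sorted(set(base) | set(seen)):
        key = (name, rtype)
        added, removed = seen[key] - base[key], base[key] - seen[key]
        if added or removed:
            findings.append((name, rtype, sorted(added), sorted(removed),
                             IMPACT.get(rtype, "review manually")))
    return findings
```

Here the reordered NS set with different TTLs and letter case is treated as unchanged, while the new A record is reported as a possible web redirect.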

One way to mitigate the damage of DNS hijacks is to use DNSSEC, which authenticates the origin of DNS requests. However, this is not entirely without risk either: after American ISP Comcast enabled DNSSEC verification for its customers, requests to the website of NASA were blocked due to a misconfiguration in the latter’s DNS settings. Ironically, this happened on the same day as the Wikipedia blackout, which led many users to believe that NASA was participating in the protests too.

More at Internet Identity here, with more on the DNSSEC issue at Dark Reading here.

Comcast has published this PDF on the case, which is intended to help other early DNSSEC adopters.

Posted on 26 January 2012 by Virus Bulletin

