An interesting aspect of widely covered security incidents is that no one ever wants to assume responsibility for failures in people, process or technology. Recently two kids were able to hijack multiple Comcast domains and redirect them to their own servers (here); they state that they used a combination of social engineering and an undisclosed technical hack against Network Solutions to take control of the Comcast domains. Not surprisingly, Comcast and Network Solutions both deny they are at fault, yet millions of Comcast customers were left without access to paid services for, in some cases, 24 hours.
Network Solutions has a responsibility to its customers, in this case Comcast, to implement controls that limit the ability of a couple of jokers to hijack their domains. Comcast has a responsibility to its customers to ensure availability of services, even when a couple of jokers do hijack its domains. In this incident there was a failure on the part of both companies.
DNS hijacking isn't new; phishers, pharmers and website defacers use it regularly, and in a case like this they are not technically defacing the website they attack but presenting an alternate website in its place. DNS hijacking is difficult to prevent, and once detected it can take some time to resolve. DNS poisoning, in which an open DNS server is made to return invalid information so that an attacker can redirect a computer anywhere, is a similar type of attack, but it is perpetrated against a client rather than against a company.
Network Solutions has posted steps that can be taken to protect your domain (here), which by sheer coincidence appeared a couple of days after this particular incident. There is nothing new in them, however; telling people to use strong passwords and lock their domains is pretty common practice. While that is not bad advice, there is a lot more that can and should be done. For example, companies should use a brand monitoring or DNS monitoring service that can detect a DNS hijack within minutes. Attacks of this nature are not always immediately obvious: they may occur outside regular office hours or against a subordinate or less watched domain, and in the case of a sophisticated attack it may take hours before anyone notices. Additionally, understand your solution provider's security controls and response SLAs; demand this information or move to another provider. Most importantly, be vigilant.
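One way to implement the DNS monitoring recommended above, as an added example that is not from the original post or from Network Solutions: a baseline-drift check that flags a changed NS delegation or an A record outside the address space you own. The domain names, baselines and resolver answers are constructed placeholders; in production the resolver callback would query live DNS.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Baseline:
    """Known-good delegation and address space for one domain."""
    nameservers: Set[str]
    a_networks: List[ipaddress.IPv4Network]


@dataclass
class Finding:
    domain: str
    kind: str      # "NS_CHANGE" or "A_OUTSIDE_RANGE"
    detail: str


def _norm(names) -> Set[str]:
    return {n.lower().rstrip(".") for n in names}


def check_domain(domain: str, observed_ns, observed_a, baseline: Baseline) -> List[Finding]:
    """Compare one live observation with the baseline: a changed NS set or an
    A record outside the expected networks is the signature of a hijack."""
    findings: List[Finding] = []
    ns, expected = _norm(observed_ns), _norm(baseline.nameservers)
    if ns != expected:
        findings.append(Finding(domain, "NS_CHANGE", f"expected {sorted(expected)}, observed {sorted(ns)}"))
    for addr in observed_a:
        if not any(ipaddress.ip_address(addr) in net for net in baseline.a_networks):
            findings.append(Finding(domain, "A_OUTSIDE_RANGE", f"{addr} not in any expected network"))
    return findings


def run_checks(resolver: Callable[[str, str], List[str]], baselines: Dict[str, Baseline]) -> Dict[str, List[Finding]]:
    """resolver(domain, rrtype) returns answer strings. Pass a function that asks several
    independent resolvers plus the authoritative servers, so one poisoned cache cannot hide
    or fake a change, and schedule this every few minutes."""
    return {d: check_domain(d, resolver(d, "NS"), resolver(d, "A"), b) for d, b in baselines.items()}


# Constructed sample data (documentation ranges and example names, not real records).
_GOOD_NS = {"ns1.registrar.example", "ns2.registrar.example"}
BASELINES = {
    "healthy.example": Baseline(set(_GOOD_NS), [ipaddress.ip_network("192.0.2.0/24")]),
    "hijacked.example": Baseline(set(_GOOD_NS), [ipaddress.ip_network("192.0.2.0/24")]),
}
_FAKE_ANSWERS = {
    ("healthy.example", "NS"): ["ns1.registrar.example.", "NS2.registrar.example."],
    ("healthy.example", "A"): ["192.0.2.10"],
    ("hijacked.example", "NS"): ["ns.attacker.example."],   # delegation moved at the registrar
    ("hijacked.example", "A"): ["198.51.100.7"],            # now points at a server we do not own
}


def fake_resolver(domain: str, rrtype: str) -> List[str]:
    return _FAKE_ANSWERS[(domain, rrtype)]


if __name__ == "__main__":
    for dom, found in run_checks(fake_resolver, BASELINES).items():
        print(dom, "OK" if not found else [f"{f.kind}: {f.detail}" for f in found])
```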
If you are providing paid services, then it is your responsibility to ensure the availability of those services. It is unacceptable to claim that you were not hacked and are therefore not liable, when in fact you must be able to detect any disruption of service and respond quickly to restore it.