All your domain are belong to us

From Wired Magazine

An interesting aspect of widely covered security incidents is that no one ever wants to assume responsibility for failures in people, process or technology. Recently two kids were able to hijack multiple Comcast domains and implement a redirect to their own servers (here); they state they used a combination of social engineering and an undisclosed technical hack against Network Solutions to take control of the Comcast domains. Not surprisingly, Comcast and Network Solutions both deny they are at fault, yet millions of Comcast customers were left without access to paid services for, in some cases, 24 hours.

Network Solutions has a responsibility to its customers, in this case Comcast, to implement controls that limit the ability of a couple of jokers to hijack their domains. Comcast has a responsibility to its customers to ensure availability of services, even when a couple of jokers do hijack its domains. In this incident there was a failure on the part of both companies.

DNS hijacking isn’t new and is often used by phishers, pharmers, and website defacers, who in this type of case are not technically defacing the website they are attacking but are instead presenting an alternate website in its place. DNS hijacking is difficult to prevent and, once detected, can take some time to resolve. DNS poisoning, which is essentially open DNS servers returning invalid information so that an attacker can redirect a computer anywhere, is a similar type of attack; however, it is perpetrated against a client rather than against a company.

Network Solutions has provided steps that can be taken to protect your domain (here), which were posted by sheer coincidence a couple of days following this particular incident. There is nothing new there, however, and telling people to use strong passwords and lock their domains is pretty common practice. While this is not bad advice, there is a lot more that can and should be done; for example, companies should use a brand monitoring or DNS monitoring service that can detect a DNS hijacking within minutes. Attacks of this nature may not always be immediately obvious, since they may occur outside of regular office hours or against a subordinate or less closely watched domain, or in the case of a sophisticated attack it may take hours to notice. Additionally, understand the solution provider’s security controls and response SLAs: demand this information or move to another provider. Most importantly, be vigilant.
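An added example, not from the post or from any monitoring vendor, of the kind of DNS monitoring described above: a known-good baseline is compared against live answers so that a registrar-level change to a domain’s NS or A records (the hijack case) or a recursive resolver disagreeing with the authoritative answer (the poisoning case) raises an alert. The domain, nameserver names and addresses are constructed placeholders from the reserved example ranges, and the offline `make_lookup` snapshots stand in for real DNS queries.

```python
# Added example: baseline-comparison DNS monitor. Names/addresses are constructed
# placeholders (example.com, .invalid, RFC 5737 ranges), not real infrastructure.
from typing import Callable, Dict, List, Set, Tuple

Lookup = Callable[[str, str], Set[str]]          # (name, rrtype) -> set of answers
Snapshot = Dict[Tuple[str, str], Set[str]]       # constructed stand-in for live DNS

def make_lookup(snapshot: Snapshot) -> Lookup:
    """Build an offline lookup from a constructed snapshot of DNS answers."""
    return lambda name, rrtype: set(snapshot.get((name, rrtype), set()))

def check_domain(domain: str, baseline: Dict[str, Set[str]], lookup: Lookup) -> List[str]:
    """Compare live answers to a known-good baseline; any difference is an alert."""
    alerts = []
    for rrtype, expected in baseline.items():
        observed = lookup(domain, rrtype)
        if observed != expected:
            alerts.append(f"{domain} {rrtype} changed: expected {sorted(expected)}, saw {sorted(observed)}")
    return alerts

def check_resolver_agreement(domain: str, rrtype: str, authoritative: Lookup,
                             resolvers: Dict[str, Lookup]) -> List[str]:
    """Return the resolvers whose answer differs from the authoritative answer."""
    truth = authoritative(domain, rrtype)
    return [name for name, lk in resolvers.items() if lk(domain, rrtype) != truth]

# Known-good baseline recorded when the domain was last verified by hand.
BASELINE = {"NS": {"ns1.example.com.", "ns2.example.com."}, "A": {"192.0.2.10"}}
# Constructed snapshots: normal, registrar-level hijack, and a poisoned resolver.
GOOD: Snapshot = {("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
                  ("example.com", "A"): {"192.0.2.10"}}
HIJACKED: Snapshot = {("example.com", "NS"): {"ns1.hijacker.invalid."},
                      ("example.com", "A"): {"203.0.113.5"}}
POISONED: Snapshot = {("example.com", "NS"): {"ns1.example.com.", "ns2.example.com."},
                      ("example.com", "A"): {"203.0.113.5"}}

def run_checks() -> Dict[str, List[str]]:
    """Run both checks over the constructed snapshots; keys name the scenario."""
    return {
        "registrar_ok": check_domain("example.com", BASELINE, make_lookup(GOOD)),
        "registrar_hijacked": check_domain("example.com", BASELINE, make_lookup(HIJACKED)),
        "poisoned_resolvers": check_resolver_agreement(
            "example.com", "A", make_lookup(GOOD),
            {"corp-resolver": make_lookup(GOOD), "open-resolver": make_lookup(POISONED)}),
    }

if __name__ == "__main__":
    for scenario, findings in run_checks().items():
        print(scenario, findings or "no alerts")
```

In a real deployment the lookups would query the registrar’s WHOIS/NS data and the authoritative servers directly on a schedule of minutes, with the baseline updated only through a change-control step.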

If you are providing paid services, then it is your responsibility to ensure availability of those services. It is unacceptable to claim you were not hacked and are therefore not liable when in fact you must be able to detect any disruption of services and respond quickly to restore them.


6 thoughts on “All your domain are belong to us”

  1. I see a connecting thread between a few of the recent major incidents.

    Domain hijacking – as the kids did with Comcast, that could have hijacked to a site that collects user credentials.

    Announcing a more specific route to an unfiltered upstream Tier 1 backbone provider (YouTube, Pakistan), except hijack the route tables long enough to collect a whole bunch of user credentials.

    Both require manipulation of a relationship with a provider or partner, and both insert themselves as a wedge between provider/partner and the company consuming the provider service.

    And both take advantage of technologies that were invented early in the Internet history, that are widely recognized as needing security improvements, and that have security improvements readily available but not widely implemented.

    Critical relationships, like the relationship between BGP peers and the relationship between domain provider and customer really should be special relationships, secured by some form of trust that is resistant to trivial manipulation.

  2. Pingback: TechBuddha: Responsibility | Infosecurity.US

  3. From my point of view, narrow and clouded as it is, we have more solutions than implementations. The things I’m referring to on the network side are source address filtering at the customer ingress, BGP route filtering at the customer ingress, DNSSEC, etc. Nothing new. I think we did customer route filtering and ingress filtering on our network a decade or so ago, or in any case too long ago to remember.

    For the alleged social engineering of Network Solutions, presumably the various technologies that we already have, such as two-factor authentication, or the private key that my first SSL provider forced me to use, could greatly reduce risk. Alternatively, a provider could send an SMS when administrative action is taken on a domain. I wouldn’t mind a ‘your primary DNS has been changed to z.x.n.x’ SMS in the middle of the night. My bank already does that for any online transactions of any amount and in-person transactions above a threshold. Unlike my bank, a domain provider could even be so rude as to require a response to the SMS.

  4. Amrit:

    My name is Shashi Bellamkonda and I work at Network Solutions. Thanks for pointing out our eight tips…

    You mention that, “Network Solutions has a responsibility to its customers, in this case Comcast, to implement controls that limit the ability for a couple of jokers to hijack their domains.” We certainly try to coach our customers to protect themselves with the eight tips, as well as through our customer support center. We continually work on security enhancements related to our customers in order to address ongoing threats that are out there in the market, but maybe we can do more. We have found that some of our clients don’t want extra measures that check and investigate transfers, and protect against hijacks. I would be interested in hearing more of your thoughts on this.



  5. Hey Shashi,

    Thanks for commenting on this post. I think it would be pretty easy to ‘opt in’ for enhanced security. I imagine that you could even charge for it =)
