The New Zealand version of Microsoft's MSN website was briefly hijacked after attackers penetrated that country's prominent domain name registrar. Websites for Sony, BitDefender, and HSBC were also commandeered. The mass defacements came as security researchers gathered in San Francisco discussed vulnerabilities in the DNS, or …
Maybe El Reg's reporting team didn't write this one well out, but it seems to me like the DNS server was well-validated, just exploited through an outside-facing application for direct interaction. In which case, wouldn't this be under the guise of Ye Olde SQL Injection Attack, rather than any route poisoning attacks as Kaminsky et al talked about?
Carrot / Stick?
"Getting 31,000 organizations to install some new code or upgrade their platforms when the platforms are a wide variety seems like a really tough thing to do," said Kapela, who is data center and network director at 5Nines Data. "I'm no organizational manager, but it sounds hard."
OK, then use the stick approach: set a date to have the work done, and get the bigger western ISPs to block traffic until they have upgraded/installed new code.
Traffic is revenue; if your business is being starved of it because you're lazy then... 'meh'.
BGP issue, OS issue, or application...
rights issue? They should all be running OpenBSD and OpenBGPD.
Tux because he's right in there with the daemon.
It will be like backups.
No one will want to implement a secure method until a whole bunch of people are burned.
Just like backup systems, consumers will not pay for backup solutions until they have lost data.
Could have been worse...
It might have been a pic of Bill 'loving' a sheep.
But then, who in NZ would notice?
@AC 20:28 re. Carrot/Stick
"..set a date to have the work done, and get the bigger western ISP's to block traffic until they have upgraded/installed new code.."
Under what legal authority can you order an ISP to block my access to a website or service from an organisation you do not approve of? Unless that organisation is itself breaking the law then I have every right to use their services.
Was it actually Hijacked?
Not wanting to be all picky and get into semantics for the sake of it but was the page actually hacked or was it just that the DNS was poisoned and requests for all or part of the page redirected to a spurious server?
From reading the article it sounds like the latter.
I know I'm going to be wrong and flamed to hell and back but I can take it - does anyone have any good info on how DNS poisoning allows for 'proper' hacking of a 3rd party website? I've seen various articles that mention 'hijacking' but usually they are just rerouting requests rather than actually altering the original.
SQL or DNS Injection
This is just injecting into the SQL database to update the nameservers, not injecting into DNS caches. This is a completely different thing.
There are all sorts of reasons why DNSSEC hasn't caught on, despite having been standardised some time ago. I'm more in favour of DJB's dnscurve stuff... http://dnscurve.org/dnssec.html
This just so happens to be the one situation in which DNSSEC would have actually been particularly useful, as only the domain keyholders would have been able to modify the records. On the other hand, once your server has been compromised you have all sorts of problems to worry about, and it sounds like the same old sloppy implementation error that has screwed up sites of all kinds for years, and probably will continue to do so even with the proliferation of more secure protocols.
You're correct, as I read it: this was a simple redirection (as almost all DNS attacks are), rather than an assault on the original MSN infrastructure. This is what makes DNS attacks so pernicious, of course: you can do all the good work, to secure your systems, yourself, but if your customers are misdirected elsewhere, thinking they are coming to you... well.
DNSSEC would have been able to secure against this, because the client would have been able to use the DNSKEY with the Authoritative Name Server, and determine whether the answers coming back from the website matched those that should be coming back from the domain owner. Only the domain owner holds the private key, with which to generate such correct responses.
And that's the problem. Not only does this increase the size of the data going over the network, but it all calls for a greater degree of cooperation - particularly at the root or TLD. It isn't impossible, however: Sweden's .se TLD was the first to have signatures stored at the root.
Since I've managed to get this far without making any anti-Microsoft comments, I'll ask this: why do MSN have their DNS servers run by a company with a warez skript-kiddie name, who couldn't protect their systems against SQL injection attacks? There's no point building a gated community, and then hiring incompetent security guards, to man the gate, is there?
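The chain-of-trust check described in the post above, as an added model written for this page (it is not the commenter's code and not taken from any DNS software): a resolver that trusts the parent's DS record rejects answers from a server reached through redirected nameservers, because that server cannot present a DNSKEY matching the DS, let alone sign with the owner's private key. It assumes Ed25519 signing, a SHA-256 digest for the DS, and a toy record encoding instead of the DNSSEC wire format; the names and addresses (www.example.co.nz., 203.0.113.10, 198.51.100.99) are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record (owner, type, rdata); no real wire format.
type RR struct{ Name, Type, Data string }
// Zone is what an authoritative server (genuine or rogue) hands back to a resolver.
type Zone struct {
	DNSKEY ed25519.PublicKey // the zone's public key, as served alongside the answer
	Answer []RR              // the A RRset that was asked for
	RRSIG  []byte            // signature over Answer, made with the zone's private key
}
// canonical is the byte string an RRSIG covers: the RRset in canonical order,
// so changing any owner name, type or rdata invalidates the signature.
func canonical(rrs []RR) []byte {
	lines := make([]string, len(rrs))
	for i, rr := range rrs {
		lines[i] = strings.ToLower(rr.Name) + "\x00" + rr.Type + "\x00" + rr.Data
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}
// DS is what the parent zone publishes: a digest of the child's DNSKEY.
func DS(pub ed25519.PublicKey) [32]byte { return sha256.Sum256(pub) }
// Publish plays the domain owner (or an impostor): sign the answer with a key.
func Publish(priv ed25519.PrivateKey, answer []RR) Zone {
	return Zone{priv.Public().(ed25519.PublicKey), answer, ed25519.Sign(priv, canonical(answer))}
}
// Validate plays a resolver that trusts the parent's DS: the served DNSKEY must
// match that DS, and the RRSIG must verify under it. Anything else is bogus.
func Validate(parentDS [32]byte, z Zone) bool {
	return DS(z.DNSKEY) == parentDS && ed25519.Verify(z.DNSKEY, canonical(z.Answer), z.RRSIG)
}

func main() {
	_, ownerKey, _ := ed25519.GenerateKey(rand.Reader)
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)
	ds := DS(ownerKey.Public().(ed25519.PublicKey)) // lodged with the parent before the attack
	genuine := Publish(ownerKey, []RR{{"www.example.co.nz.", "A", "203.0.113.10"}}) // constructed
	rogue := Publish(rogueKey, []RR{{"www.example.co.nz.", "A", "198.51.100.99"}})  // constructed
	fmt.Println("genuine:", Validate(ds, genuine), "rogue:", Validate(ds, rogue))   // true false
}
```

The check only helps while the parent's DS still names the legitimate key: a registrar compromise that can also replace the DS record re-roots the chain at the attacker's key, and the rogue answers then validate.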
"why do MSN have their DNS servers run by a company with a warez skript-kiddie name" I'm guessing the name is meant to be a portmanteau of "Domain" and "NZ" given that it's a New Zealand company...
Thanks for the reality check - I thought there was something else going on and someone had invented a whole new attack while my back was turned!!
Going Down, under.
This raises an interesting point. What if the DNS servers used by the Great Firewall of Oz were hacked? A whole country's external communications routed via China/Russia. ALL your moneyz are belong to us.