has better coverage: http://www.guardian.co.uk/technology/2011/sep/05/dns-hackers-telegraph-interview and http://www.guardian.co.uk/technology/2011/sep/05/turkish-hacker-group-diverts-users
On early Sunday evening, UK time, The DNS records of many websites, including those of The Register and The Telegraph, were hijacked and redirected to a third party webpage controlled by Turkish hackers. The Register's website was not breached. And as far as we can tell there was no attempt to penetrate our systems. But we …
Like comments now stretching beyond the 800 pixel width of the screen I'm using to view them on.
Such complaints used to be dismissed with a, "get with the programme, stop being a Luddite; time for a sensible-sized monitor". That was never an entirely valid response to the problem and less so with the proliferation of hand-held and mobile devices.
Oh well, time to write another Greasemonkey script to re-render the pages to fit :-(
..until you're older. I have an HTC Desire and I struggle at times to read the text. I almost have to remove my glasses now and might have to switch to varifocals. I'm holding out until it gets so bad that I can't read my laptop screen easily.
I'm only 44.
In my case Presbyopia began to kick in at age 39. That was after let's call it twenty years of using a computer (excluding playing games on a Sinclair Spectrum). So don't be so smug. Hopefully there'll be a revolution in display technology for mobile devices before it hits you.
Still - the important point to note:You don't have to be 'old and frail' to start having problems.
I'm 45 and have just noticed the glasses on / glasses off issue with my new Macbook Air 11" ... so I will have to keep using the "applekey +" keystrokes to enlarge the text until I get the firm to pay for varifocals.
Still not bad for 32 years of VDU squinting and I've always been myopic .. just waiting until I get 20/20 vision when I'm 80+
Mobile devices are covered with m.register.co.uk, with the unfortunate omission of icons when posting a message (which I get round by knocking off the m. at the start of the address when replying to a post). I hope someone at Vulture Central takes the hint and adds post icons to the mobile version of the website.
In fact I'm using m.theregister.co.uk from my desktop as something somewhere still has www.theregister.co.uk in its DNS cache poisoned.
Sure, if your web browser can't either zoom the page to a useable compromise size - your definition of "useable" - or, in the case of Opera, squeeze the stuff onto the screen itself - not guaranteed. Disabling the site's CSS may also help.
I'm no longer using a tablet in portrait orientation, 480x800, for this, and that's probably a good thing.
Yup - our l33t hackers will hijack the aliens DNS, causing them to die of acute embarrasment when their invasion webpages redirect...
(which is actually slightly more likely than the Powerbook-virus-transfer-to-the-mothership-mainframe-via-AppleTalk trick, tbh)
I consider myself a hacker (in the original sense of the word, and not limited to software or computer either), and the way I'd like to deal with the cracker/script kiddie end of the scale it through the business end of an AK47, or copious amounts of C4. Oh, and that includes spammers too. After buggering them with a splintery broomstick lovingly marinated in Mad Dog 44 Magnum Pepper Extract (look up its Scoville rating if the name is not explicit enough)
The problem is the term hacker has as many as three distinct meanings in computing:
(1) Originally someone who hacked out code. Not necessarily a compliment.
(2) Later it became a term used for a very good coder or someone who loved coding for its own sake.
(3) Later still it was used (largely by the media) to describe crackers, script kiddies and even blackhats.
The last two definitions are still in use. I avoid the term and always use an alternative as it is too easily misunderstood.
Almost, but not quite. See:
And that's a later-day version of the file I first ran across at Stanford in ~1976. If I remember correctly, back then it was called "AIWORD.RF". Hacking wasn't just about software, it also involved modifying chassis with hacksaws to make parts fit. The license plate frame on my daily driver has read "Beware of programmers who carry screwdrivers" for several decades ...
OS X has a lovely "Try turning off and on again" and "Are there any devices you can turn off and on?" messages in their assistants.
IF end user router companies could agree on a simple standard for doing these simple tasks (e.g. a basic secured page relative to modem ip to reboot) , operating systems or even browsers could deal with the non standard and confusing interfaces.
I rarely use modem's interface to reboot since I don't have time to browse 10 pages (some even have flash!) designed in that years cool asia page fashion.
In fact, I once "fixed" friends car by just turning off motor and on, "like a freaking computer" (in his words). Seems the fuel computer of car freaked out a bit. :)
Works for a lot of things to reset to a pre-configured state and its good to remind people of the simple solutions. Sometimes its easier to say "Dad, turn it off at the mains, wait a few seconds and then turn it on again" then to drive a few hundred miles just to perform hands-on diagnosis and reach the same conclusion.
I'm sure lots of enterprises still run weekly "reboot server to clear memory leak" etc housekeeping actions ... its sad but true .. fixing the symptom is cheaper than upgrading the software stack. It used to be said that "Microsoft fix #1" was reboot/powercycle .. its the fix of last resort for Unix/Linux boxes though.
My Smart Car has lost its marbles a couple of times refusing to change gear using its tiptronic controls .. so it was time to pull over, turn off and turn on again to fix .. interestingly it worked regardless of the number of windows I had opened.
Replaced the air filter, plugs, cleaned MAF sensor and throttle body, and then reset BCU/ECU to relearn parameters in my 08 GMC Canyon 2.9L 4cyclinder truck. Have to do it again when my new ported throttle body shows up. Picky picky and likes throwing CEL codes. Determined to get 30mpg average out of this truck... Need to get it on a dyno and custom tuned but I digress....
What was I on about?
People supporting and controlling Turkish government can enter a top secret military facility without getting noticed, plant dvd-rs containing thousands of pages of rigged documents and call the police.
Or. They can record thousands of people phone calls, daily activities and even bed activities and make them their puppet, especially if the person is in media.
Current policy of UK and US Govt. is to support the .tr government so if you are British or American, you will never hear about these.
Would you dare to protest such a government? It would be like setting up a pirate radio station in Berlin back in 1930s.
I have a clue about who the idiot could be (like all .tr IT) but for this kind of pathetic lamer, best is not to advertise.
What exactly do you think matters about version numbers and extension names that The Reg shouldn't be showing them?
There is nobody with a brain out there attacking servers but "ignoring" certain version numbers of Apache / modules because they look up-to-date. It's a pointless task because where there is no version number at all you'll probably try your exploit anyway because it almost certainly means someone who's scared of showing what ancient version they have running, and where a version number is returned it can easily be faked, and where it's not faked and not-out-of-date, it takes longer to check the version number against some magical list of "non-exploitable" Apache versions than it does just to try whatever exploit you're attempting anyway. And Apache version numbers mean nothing because even Debian/Ubuntu sometimes uses "old" versions of Apache that have been patched even if their version numbers aren't one of the "officially" fixed versions.
SSH has as part of the protocol that you MUST give a version number out in the initial parts of the handshake (a lot of clients rely on it for feature detection etc.) and it's never been a problem in all the time that protocols been around (and, if anything, encourages people to upgrade!)
If you're worried about showing your version numbers, you're scared about people finding out what you ACTUALLY run. That's more worrying than anything they could do with that information (which would be precisely ZERO because most attack tools are automated and just-don't-care about version numbers because they can try the entire exploit in the time it takes to find out the version of a remote server; in the same way that I still witness tons of SPF failures on email - because the people sending out spam just don't care or it's not worth the effort to bother to weed out SPF-enabled domains from their "fake-from-address" list).
Someone in IT suggesting that someone else knowing what version number of a piece of software you run is like a mechanic saying that you should take the badges off your car so that people don't know it's a Ford in case they try all to break into it using methods that only work on Fords. 1) It fools no-one. 2) Car thieves aren't stupid enough to be stopped when their "Ford-only" exploit doesn't work. 3) A brick through the window works on pretty much every car in the world.
For the record we have checked our DNS records using the following:
http://dns.squish.net shows no problem.
We've checked each dns server manually, and from two non reg hosts/ one worked fine, one not so much -- the latter, stale DNS.
If anyone has any ideas on how to persuade DNS server operators / ISPs to update their records more quickly we are all ears.
And if you fancy resolving to our IP addresses:
184.108.40.206 or 220.127.116.11 - former is US, latter is UK. Both are fine.
... the magic trick known as "dig +trace". It'll show how it goes about resolving, say, theregister.co.uk:
$ dig +trace theregister.co.uk
; <<>> DiG 9.6.1-P1 <<>> +trace theregister.co.uk
;; global options: +cmd
. 247532 IN NS k.root-servers.net.
. 247532 IN NS j.root-servers.net.
. 247532 IN NS a.root-servers.net.
. 247532 IN NS m.root-servers.net.
. 247532 IN NS b.root-servers.net.
. 247532 IN NS i.root-servers.net.
. 247532 IN NS h.root-servers.net.
. 247532 IN NS e.root-servers.net.
. 247532 IN NS g.root-servers.net.
. 247532 IN NS d.root-servers.net.
. 247532 IN NS l.root-servers.net.
. 247532 IN NS f.root-servers.net.
. 247532 IN NS c.root-servers.net.
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 6 ms
uk. 172800 IN NS ns2.nic.uk.
uk. 172800 IN NS ns6.nic.uk.
uk. 172800 IN NS ns5.nic.uk.
uk. 172800 IN NS ns7.nic.uk.
uk. 172800 IN NS nsb.nic.uk.
uk. 172800 IN NS nsc.nic.uk.
uk. 172800 IN NS nsd.nic.uk.
uk. 172800 IN NS ns3.nic.uk.
uk. 172800 IN NS nsa.nic.uk.
uk. 172800 IN NS ns1.nic.uk.
uk. 172800 IN NS ns4.nic.uk.
;; Received 497 bytes from 18.104.22.168#53(m.root-servers.net) in 32 ms
theregister.co.uk. 172800 IN NS ns6.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns3.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns1.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns5.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns2.theregister.co.uk.
theregister.co.uk. 172800 IN NS ns4.theregister.co.uk.
;; Received 239 bytes from 22.214.171.124#53(ns2.nic.uk) in 26 ms
*** AND HERE IT STOPS ***
The next stop would've been a query directed to one of the NSes listed and an answer containing an A record for theregister.co.uk. Since that's missing I had to ask them by hand (their A records are conveniently listed in the whois) and stuffed them in /etc/hosts, allowing me to get my commentarding fix.
Why does it stop? Because it doesn't know how to go on. To ask for theregister.co.uk it just got told to ask ns[1-6].theregister.co.uk and to resolve, say, ns1.theregister.co.uk it first needs to ask about theregister.co.uk. And so it hangs. The fix for that is called "glue records", where the previous server also gets told the A records to go with the nameservers. That is, the answer should've looked much like this except there should've been a bunch of A records for ns[1-6] in the same answer packet. Your webmaster is expected to understand this.
Also a minor point of bitching about how the webform b0rks the formatting here.
When I saw the defacement page.
I was about to drop a mail as could get to the page if I put in the www at the beginning and I did not know of the twitter account (now bookmakred) but thought you'd probably be aware.
Maybe its time we sent DNS change requests to registrars using PGP signed mail just as they do to the Nominet Automaton automated system?
re PGP signing...
Um well the change of nameservers for theregister.co.uk would have required a secured request from netnames to Nominet, so the issue isn't that the nameserver changes aren't controlled/signed/restricted, more that if you use a registrar like netnames that has a "control panel" and automates that, breeching that defeats the other.
the reg could have a nominet account itself and not need a third party, not have a control panel and problem solved, or use someone like my company which for this very reason has no such automation - much harder to compromise something if there is nothing to compromise!
This leaves us with the human hijacking and compromise issues, which are more readily dealt with using a shotgun.
 Obviously we wouldn't use one.
is that as of this morning Australian time, and still as of this post, theregister.co.uk now gives me a DNS error. Interestingly, if I connect to the VPN service I subscribe to (VyprVPN), I can reach the site (which is why your logs for this post would show me as coming from Amsterdam instead of Australia.) Most likely my ISP has cached the error and hasn't caught up yet. So it's also a good test of the censorship-bypassing abilities of the VPN, since a DNS failure at the local level is similar to the effect that the Great Aussie Firewall would have if it were in place, which is the reason I subscribed to the VPN service in the first place.
Looks like a plot to me .. The Reg always looking for talent in it's IT department ( eat your heart out BOFH. ) the boyos defaced to prove their worth and will soon be hired in the Reg's internet security department. In other words , they defaced to get jobs :) It was not malicious at all .. no really . it was all a plot to get cushy jobs in Vulture Central to get out of the misery they face in Turkey .. So be good sports and hire them already :)
And do remember to feed a hungry programmer today :)
I didn't see the defacement page, just got site unavialable type error messages. For a (brief) while I thought my router had dropped connection but then everything else worked ok. Glad to see you back this morning, if you weren't I might have to do some work!
I think your ISP doesn't run a well managed DNS server and it seems it is time to switch to opendns.com or google dns. I can never use google services of that kind but it exists.
Badly managed dns servers can create way more serious problems than couple of defaced sites, especially in days every ssl provider manages to get "hacked" or socially engineered.
While on it, "repair my internet connection" (or whatever its called) will also clear system dns caches on windows, it is easier for newbies. For routers? Power cycle.
These "hackers" smash a load of windows, digitally speaking, and the Grauniad contacts them the same day and politely publishes their comments ? That's innapropriate. There was no angle here. It was mindless vandalism of other people's property. The fact it involved computers does not change that. Hey, Turkguvenligi, why don't you GET A JOB like the rest of us.
The Register and the other defaced sites are famous and popular, old school news sites. So, it was all over the tech news sites especially because The Register was one of the victims ;)
So, someone serious at managing could manually update the dns of the particular zone. That is the "seriously managed isp" I talk about. I know one did, not a big deal.
DNS servers are the least cared boxes in ISPs. So, some third parties coming with the idea "we can invent in this dinosaur aged protocol" are my choice, unless I settle somewhere and run my own dns server.
I missed the redirection bit of all this and just found the site down this morning. Reghardware is clearly made of stronger stuff (or, more likely, registered with another organisation?) as that was available without needing to consider resorting to a direct IP address connection.
I for one condemn our attempted new Reg overlords.
New trend is: "You don't care? Good bye" as seen with that poor dutch ssl provider. First time Mozilla and MS showed no mercy, purged their root.
Things got way complex these days, even I security check a stupidly simple, easily readable php contact form on a website I manage. It is also damn easy, especially if you can/will pay for it.
Map the name servers which are ns1.theregister.co.uk etc to the IP of their own nameserver and extend the TTL and get
at least 24 hours depending on the internal cache rules of those queries made after the hack / max-cache-ttl/
Would have been neater.
Although looking at it yumurtakabugu.com doesn't have it's own NS but uses active-dns.com. Still would only take a few minutes
to set one up.
It was all very well getting instructions to edit hosts files with the IP but that only worked to get onto the site,couldn't access any comments and a lot of pages on the reg were still unable to resolve,even after the hosts edit. I was able to do some basic reading using google cache and muttering about how everyone else seemed to be able to get on with no problems.
If, when I go to a web site, its IP address has changed since the last time I visited it, the browser should prompt me, and ask if I want to go to the old address or the new one.
After all, normally, browsers keep a browser history, and they go out and get the IP address from the URL before fetching the page with the IP address, so the information is there. Naturally, this is an extra pop-up when a page legitimately changes, but when people see the old page really isn't there, then they can proceed based on the change apparently being legitimate.
I've just installed the following Firefox addons...
DNSSEC Validator (changing the preferences to use OARC's validator)
I've imported CACert.org's two root certificates, added CACert.org's revoke list to auto-update in Firefox, and made everything validate via OCSP with CACert Class 3 Root - Root CA and when a connection fails treat the certificate as invalid.
Also, before I had my ISP's secondary DNS as my primary DNS server and OpenDNS's secondary DNS as my secondary DNS server. Now as my ISP have demonstrated they're useless at DNS it's OpenDNS all the way.
Any other suggestions welcome.
"While no-one can completely defend against such sustained and concentrated malicious attacks ... "
if it was SQL injection, then yes you can completely defend against "little bobby tables" and all his "insert into dns..." chums.
Unless of couse it wan't SQL injection in the deeply orthodox sense.
Just in case anyone cared to know:
Turkish is an agglutinative language and very idiomatic.
güven - feeling of being safe or secure
güvenlik - security, safety (think of lik as roughly meaning with)
Turkgüvenliği - Turk related security, safety? (Obviously there is some heavy irony and idiom here.)
yumurta - egg..... or testicle!
kabuk - outer covering; eggshell
yumurta kabuğu - more verbose way of saying eggshell; scrotum is usually haya torbası
So would you trust a DNS named "eggshell" or what could be a veiled reference to scrotum?
Maybe you can see now why the Turks might be getting more of a kick out of this than you thought. Like if you got everyone to use a DNS server called up1.gentlemanssausage.net. Hehehehehehe
... defending against SQL Injection is on the other hand actually, very easy and we are desperately ashamed that we demonstrated such rank incompetence that we left such a gaping hole in our security systems, thereby proving our claim to that our customers privacy and security are of paramount importance to be a barefaced lie issued by our marketing department without prior vetting by our technical or legal teams.
That *is* the way that quote continued, isn't it ?
Glad to have you back El Reg.
Look Presbyopia strikes us all (it started happening to me at age 50). No need to go to the fondleslab version of things, as there is a nice plugin for Firefox named "NoSquint" that puts things in a proper perspective (render things at 120% text).
Unfortunately not all web sites (thanks for being kind ElReg!) aren't up to the task and you get overlaid text (or worse!). Unfortunately, many of these sites are ones used by employers, or their agents, and they don't work well at all. But I seem to get through, which may be part of the test. (*SIGH*)
Been using Open DNS and Comodo DNS then changed to Norton DNS after seeing this review. Not quite apples and oranges I know but still a fruity topic and worth mentioning as an extra layer of protection for professionals and small businesses rather than some of you big and clever boys and girls out there.
Nothing is impossible, especially if sloppy programming caused the vulnerability which enabled an SQL injection attack. If we look at the bigger picture, this type of hacking tool is just another form of malware. We offer that Ether2 will enable a path to ensemble computing, where according to Intel research, we will have a higher sensitivity to malware, stronger neighborhood trust models leading to self configuration, and the ability for servers to collaborate in order to defend the network. Secondarily, if it was a DoS attack designed to take the server down by overflowing the buffer, then the fact that nodes can share compute power (basically giving any LAN supercomputing cluster capabilities) would allow load balancing between servers at the edge of the network so the attack couldn’t take hold, and the offending IP addresses could be red flagged, ports blocked, etc. The question about how they got in must be answered. If they sneaked by the session border controller in an encrypted media packet for say a VoIP of video flow, we’ll be running a proprietary watermarking technique to render the executable code inoperable. Then there is the issue of deep packet inspection getting overloaded at the gateway, and Ether2 is 100% distributed so the DPI load would also be running in distributed network chips, as opposed to gateway flooding. In short, we take a more global view on the security issues in networks, and when the network architecture resembles cable TV, it will be a paradigm shift for security.
Biting the hand that feeds IT © 1998–2019