Turks hijack Kiwi MSN via DNS cracks The New Zealand version of Microsoft's MSN website was briefly hijacked after attackers penetrated that country's prominent domain name registrar. Websites for Sony, BitDefender, and HSBC were also commandeered. The mass defacements came as security researchers gathered in San Francisco discussed vulnerabilities in the DNS, or …
Maybe El Reg's reporting team didn't write this one well out, but it seems to me like the DNS server was well-validated, just exploited through an outside-facing application for direct interaction. In which case, wouldn't this be under the guise of Ye Olde SQL Injection Attack, rather than any route poisoning attacks as Kaminsky et al talked about?
"Getting 31,000 organizations to install some new code or upgrade their platforms when the platforms are a wide variety seems like a really tough thing to do," said Kapela, who is data center and network director at 5Nines Data. "I'm no organizational manager, but it sounds hard."
OK, then use the stick approach.. set a date to have the work done, and get the bigger western ISP's to block traffic until they have upgraded/installed new code..
Traffic is revenue, if your business is being starved of it because your lazy then.. 'meh'.
"..set a date to have the work done, and get the bigger western ISP's to block traffic until they have upgraded/installed new code.."
Under what legal authority can you order an ISP to block my access to a website or service from an organisation you do not approve of? Unless that organisation is itself breaking the law then I have every right to use their services.
Not wanting to be all picky and get into semantics for the sake of it but was the page actually hacked or was it just that the DNS was poisoned and requests for all or part of the page redirected to a spurious server?
From reading the article it sounds like the latter
I know I'm going to be wrong and flamed to hell and back but I can take it - does anyone have any good info on how DNS poisoning allows for 'proper' hacking of a 3rd party website? I've seen various articles that mention 'hijacking' but usually they are just rerouting requests rather than actually altering the original
There are all sorts of reasons why DNSSEC hasn't caught on, despite having been standardised some time ago. I'm more in favour of DJB's dnscurve stuff... http://dnscurve.org/dnssec.html
This just so happens to be the one situation in which DNSSEC would have actually been particularly useful, as only the domain keyholders would have been able to modify the records. On the other hand, once your server has been compromised you have all sorts of problems to worry about, and it sounds like the same old sloppy implementatoin error that has screwed up sites of all kinds for years, and probably will continue to do so even with the proliferation of more secure protocols.
You're correct, as I read it: this was a simple redirection (as almost all DNS attacks are), rather than an assault on the original MSN infrastructure. This is what makes DNS attacks so pernicious, of course: you can do all the good work, to secure your systems, yourself, but if your customers are misdirected elsewhere, thinking they are coming to you... well.
DNSSEC would have been able to secure against this, because the client would have been able to use the DNSKEY with the Authoratitive Name Server, and determine whether the answers coming back from the website matched those that should be coming back from the domain owner. Only the domain owner holds the private key, with which to generate such correct responses.
And that's the problem. Not only does this increase the size of the data going over the network, but it all calls for a greater degree of cooperation - particularly at the root or TLD. It isn't impossible, however: Sweden's .se TLD was the first to have a signatures stored at root.
Since I've managed to get this far without making any anti Microsoft comments, I'll ask this: why do MSN have their DNS servers run by a company with a warez skript-kiddie name, who couldn't protect their systems against SQL injection attacks? There's no point building a gated community, and then hiring incompetant security guards, to man the gate, is there?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
