Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google.com.pk and 284 Other .PK Domains Hacked

Posted by Soulskill on from the go-big-or-go-home dept.

ryzvonusef writes with news that hackers have taken down the local Pakistan versions of many popular websites, including google.com.pk, apple.pk, microsoft.pk and yahoo.pk. 284 sites were affected in total. Many of the sites were defaced, and a group called Eboz is taking credit for the hack. According to TechCrunch, "The root of today’s attack, it seems, came via a breach of Pakistan’s TLD operator, PKNIC, which administers and registers all .pk domains. Looking at affected organizations via PKNIC’s look up, it appears that all the sites are now redirecting to two nameservers, dns1.freehostia.com and dns2.freehostia.com."

35 comments

  1. Difference? by thej1nx · · Score: 2

    And here I thought the Pakistani courts and religious leaders kept passing orders anyways to censor domains, based on hearsay about "immoral stuff" to be found on them . Doubt poor pakistani netizens could tell the difference here.

  2. Its the TLD that was hacked by Anonymous Coward · · Score: 5, Insightful

    Blame the TLD operators, dont name google,etc who had no role in the hack

    1. Re:Its the TLD that was hacked by Anonymous Coward · · Score: 1

      Blame the TLD operators, dont name google,etc who had no role in the hack

      Sounds like an inside job to me. How many of the 284 sites belonged to non-Pakistani companies? Probably all of them.

    2. Re:Its the TLD that was hacked by Runaway1956 · · Score: 4, Interesting

      I was sitting here scratching my head, wondering why all those sites were hosted by the same servers.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:Its the TLD that was hacked by camcorder · · Score: 1, Informative

      So in the first place, they wouldn't have registered those domains if they didn't trust on an operator. If someone hacked google and this way hacked my box, I can't blame Google for my losses right? I'm hacked, and my security hole is Google. So it's Google, Apple etc. hacked because their security hole is their domain operators. Google and most of the big web services, try to look local with local domains, translations, on the other hand they pay zero taxes to those governments, so it's also their mistake that they don't pay taxes to those governments with which they improve their IT infrastructure.

    4. Re:Its the TLD that was hacked by thetoadwarrior · · Score: 1

      It's not that unbelievable that someone would hack in to take it out against US companies given there probably are a lot of people there that aren't happy with the US. Since they may view their government as being too friendly with the US and giving up their people to a country that doesn't have the greatest record of treating its prisoners well.

  3. Taken down and defaced? by Anonymous Coward · · Score: 5, Insightful

    I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

    1. Re:Taken down and defaced? by ark1 · · Score: 3, Informative

      I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

      From the end user perspective, site may appear as defaced but the actual web page at {Google, MS,....} is not defaced.

  4. PKNIC unable to respond, PR team in picknick. by Anonymous Coward · · Score: 1

    PKNIC unable to respond, PR team in picknick.

    1. Re:PKNIC unable to respond, PR team in picknick. by maxwell+demon · · Score: 1

      Well, if the support is via some .pk email address, any mails to support might also not reach their intended destination ...

      --
      The Tao of math: The numbers you can count are not the real numbers.
    2. Re:PKNIC unable to respond, PR team in picknick. by History's+Coming+To · · Score: 4, Funny

      Problem in Karachi Not In Computer?

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    3. Re:PKNIC unable to respond, PR team in picknick. by Anonymous Coward · · Score: 0

      I'm sure the phones being down did not help contacting the registry either.

  5. One might say... by philip.paradis · · Score: 2

    One might say the entire TLD is PhuKed. The teachable moment here is that security rolls downhill, and depending on any single layer of public infrastructure, at least for authentication of who you're talking to without giving serious consideration to cryptographic concerns, is asking for trouble. This is still something that the world is failing at on, well, a global scale.

    Well, that and taking perimeter security seriously in terms of access to critical components, and having short order failover to components with completely different codebases ready to roll into production for select services in the event of something nasty happening. These days, virtualization on multiple platforms running in parallel makes that easier, although it does have the effect of acting as a cost multiplier (sliding scale factor-wise) depending on what you're trying to make as bulletproof as possible.

    TLDR = Security is hard. Be prepared to be compromised. Have alternate plans in place that assume at least one $major_thing is already silently compromised. Yeah, it's tough. Life is tough.

    --
    Write failed: Broken pipe
    1. Re:One might say... by heypete · · Score: 4, Interesting

      I'd imagine the NIC could simply revert to a backup of their TLD zone and undo the changes -- the zone itself isn't infected and in need of purging, though the systems that can write to it may well be. I would hope that a NIC managing a national-level TLD has backups.

      That said, how could any entity that relies on DNS have alternate plans to deal with this sort of thing? Its one thing to have off-site nameservers on a different network to provide some degree of fault tolerance for your own domain, but it's another thing if the TLD itself gets hosed and bad guys modify the zone to point at different nameservers. As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

      I hope this incident serves as a wakeup call for TLD owners everywhere so they can review their security policies.

    2. Re:One might say... by drinkypoo · · Score: 1

      As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

      You will need additional names under other TLDs, and to advertise them to your users ahead of time. One common way to accomplish this to do it how google does it; no, not to have massive clusters everywhere, but to have multiple international domain names. If your site is translated, they can default to various languages, but all should permit selecting all languages without redirection to another domain.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:One might say... by heypete · · Score: 1

      Sure, one could have different TLD variants (e.g. example.com/net/org/us/co.uk/etc.), but that isn't terribly useful in terms of continuing to offer service in the event of a TLD compromise: if the registry for your main domain gets borked some users may try a different TLD but most will simply give up -- how many people would try accessing Google under a different ccTLD? Same thing with email: if you have email at your domain and the TLD is hosed then emails can't automatically pick another TLD and try again -- if COM gets hacked, emails addressed to @gmail.com users aren't going to try @googlemail.com or other Google domains.

      It's one thing to prepare for failures at one's own domain (for example, having a "network status" page at a different TLD using different DNS servers, having administrative mail accounts on a secondary domain/TLD, etc.) but a compromised TLD is a catastrophic failure and there's no sensible technical way for anyone "downstream" (that is, domain holders) to mitigate such an issue in a way that would be seamless and automatic to users.

  6. DNSSec by magamiako1 · · Score: 1

    Could have solved this issue. Assuming keys wouldn't have been compromised in the process.

    1. Re:DNSSec by Anonymous Coward · · Score: 1

      Well now that really depends doesn't it? Since the actual registrar was compromised, it could easily have been the machine that holds the key that they got into. In which case DNSSec bought squat. Depends on the attack.

    2. Re:DNSSec by GreyFish · · Score: 1

      No it wouldn't of done - if you hack the registrar you can change the ds records as well as the ns records. dnssec makes no difference in this case. browser side certificate pinning and forcing sites to be https only would help - then the attackers wouldn't be able to set up fake sites. The real sites would still be broken tho!

    3. Re:DNSSec by magamiako1 · · Score: 1

      Actually, it would have--but only if the .pk private keys were not compromised in the process. Also, a quick change of keys in the root zone for .pk's DS keys would have invalidated the previous keys, resulting in the compromised keys being invalidated globally.

      Whether or not the process exists to remove DS records quickly from the root zone, however, I'm not sure--I don't manage TLDs...

  7. In other news sensationalism at an all time high by Anonymous Coward · · Score: 1

    "Oh we don't really have a story if we say the .pk TLD had a compromise of sorts that affected 284 domains. What big names were affected so we can put them in the headline?"

  8. ALL YOUR SITES ARE BELONG TO TALIBAN !! by Anonymous Coward · · Score: 0, Troll

    And death to the infidels !!

    Aaaayyyyaaaaaayyyyaaaayyyyhgghghhghgh !!

  9. Took them long enough by LordDfg · · Score: 1

    It's not secret Pakistan infrastructure isn't secure as it should be, I am actually quite surprised not one targeted Pakistan before. I guess it wasn't a good idea to attack Israel but in this case it was just old champ saying hi,

    --
    Follow me: http://www.twitter.com/dfg
  10. hack Pakistan’s TLD operator, PKNIC... by submit+your+site · · Score: 1

    O my god. how can possible it. hack google.com.pk, apple.pk, microsoft.pk and yahoo.pk with many domain. this domain top TLD & top label domain. it is very bad for all.

    --
    Submit your Site URL to the Best of the Web Directory.
  11. In Ireland Google.ie and yahoo.ie were also hacked by Korth · · Score: 3, Interesting

    A similar thing happened in Ireland earlier this month due to a vulnerability in Joomla! http://www.iedr.ie/docs/IEDR_Statement_F_issued_9_November_2012.pdf

  12. Hey, Boo-boo! by Anonymous Coward · · Score: 0

    Someone stole our pic-a-nic basket!

  13. Freehostia by TheStonepedo · · Score: 1

    Would blocking port 53 by default on free subdomains prevent such hijacking?
    I cannot think of a legitimate reason one would need a free DNS server beyond those that already exist with stated goals of minimizing/preventing DNS-based censorship.

    --
    I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
    1. Re:Freehostia by DamonHD · · Score: 1

      Are you saying people like me that have always hosted their own DNS, since the Internet became available to us (~1992 here), should now have to stop doing so?

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    2. Re:Freehostia by TheStonepedo · · Score: 1

      Let's pretend for the sake of argument you are one of the good guys - I believe you, but how can an even-less-technical user be sure?
      Could something be done during routing traffic in the internet at large to block port 53 for an IP address or a range of IP addresses when there is reason to believe malicious redirection is occurring?
      Is protecting a mostly-non-technical majority from falling for DNS-based bait-and-switch tricks worth having to appeal an occasional false positive?

      Outside of the scope of TFS:
      What do you do with your DNS?

      --
      I'll be your candy shop of infinite deliciousity if you'll be my discotheque of endless rump-shaking.
    3. Re:Freehostia by DamonHD · · Score: 1

      My DNS is often colocated with my Web sites and other services that it supports: forcing me to separate them would add nothing to end-user security in reaching me, and would likely lower reliability and increase costs.

      Specialised and high-volume sites will also want to do things such as geo- and load- sensitive DNS and constraining innovation in that area by constraining DNS providers is unlikely to be helpful for the end user (ie would result in slower and less reliable service).

      Entire IP addresses can be blackholed (blocked) if they are misbehaving, and delegation to misbehaving DNS servers can be stopped, though because of cacheing (etc) the latter may be slow to take effect.

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    4. Re:Freehostia by Anonymous Coward · · Score: 0

      The correct way is to prevent unauthorized people from editing the TLD root. What does it even mean to block port 53 on a free subdomain? Maybe you mean residential subnets or something. Anyway, the attacker could just as easily have done a DoS by changing the NS records for everything to 0.0.0.0, or deleting the whole lot, or just buying a couple instances on something so they would have super-secure ultra-legit corporate enterprise-class IPs from which to host the malicious DNS servers, assuming they didn't do that already.

      Using port blocking (and NAT) to transition the internet from a mesh system to a broadcast system by dictating who can listen for requests (or otherwise do "server" stuff) on what service doesn't actually improve security at all; it just changes the way attacks are done, at the cost of one of the best features of the internet. If the (probably incompetent) .pk ccTLD operators had protected the critical network infrastructure with which they were charged, this problem would not have occurred.

      On the other hand, the more the internet becomes a broadcast system, the more network resources (and permissions on your own connection!) are capitalized, which does nothing but increase service provider margins.

  14. What did they expect? by Anonymous Coward · · Score: 0

    From a nation that lets its "ally" blow up citizens because they're near someone who might look a bit like a terrorist?

  15. google.com.pk and pknic.net.pk are both in USA by Anonymous Coward · · Score: 0

    whois google.com.pk
    This TLD has no whois server, but you can access the whois database at
    http://www.pknic.net.pk/

    Copyright notice on http://www.pknic.net.pk/ is outdated: 1995-2008 PKNIC SRS,Inc.

    geoiplookup google.com.pk
    GeoIP Country Edition: US, United States

    geoiplookup pknic.net.pk
    GeoIP Country Edition: US, United States

    Any theories?

  16. Hmm. by Meski · · Score: 1

    And the world at large complained when they fixed it.

  17. Agree by Anonymous Coward · · Score: 0

    Yeah, I agree that actually the name servers were changed pointing to some dns1.freehostia.com and dns2.freehostia.com.

    It was basically D.N.S Hacking. The data stored with Google was not compromised. and hence was safe.

    Read more about how Google.com.pk and other .PK domains were hacked. Click here - How Google.com.pk and other .PK domains were hacked.