Slashdot Mirror


Google.com.pk and 284 Other .PK Domains Hacked

ryzvonusef writes with news that hackers have taken down the local Pakistan versions of many popular websites, including google.com.pk, apple.pk, microsoft.pk and yahoo.pk. 284 sites were affected in total. Many of the sites were defaced, and a group called Eboz is taking credit for the hack. According to TechCrunch, "The root of today’s attack, it seems, came via a breach of Pakistan’s TLD operator, PKNIC, which administers and registers all .pk domains. Looking at affected organizations via PKNIC’s look up, it appears that all the sites are now redirecting to two nameservers, dns1.freehostia.com and dns2.freehostia.com."
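As an added example (not part of the Slashdot summary or of any PKNIC tooling), this is one way a defender could spot the pattern TechCrunch describes: several unrelated domains whose registry delegation changes to the same nameserver pair. The baseline `*.example` nameservers, the zone snapshot and the function names are constructed assumptions; only the four domain names and the two freehostia.com hosts come from the text above.

```python
from collections import defaultdict

# Constructed baseline: the NS set each owner expects (hypothetical *.example hosts).
BASELINE = {
    "google.com.pk": {"ns1.owner-a.example", "ns2.owner-a.example"},
    "apple.pk": {"ns1.owner-b.example", "ns2.owner-b.example"},
    "microsoft.pk": {"ns1.owner-c.example", "ns2.owner-c.example"},
    "yahoo.pk": {"ns1.owner-d.example", "ns2.owner-d.example"},
}

# Constructed snapshot of delegation records in zone-file form (not real data).
OBSERVED_ZONE = """
google.com.pk.  86400 IN NS dns1.freehostia.com.
google.com.pk.  86400 IN NS dns2.freehostia.com.
apple.pk.       86400 IN NS DNS1.freehostia.com.
apple.pk.       86400 IN NS dns2.freehostia.com.
microsoft.pk.   86400 IN NS ns1.owner-c.example.
microsoft.pk.   86400 IN NS ns2.owner-c.example.
yahoo.pk.       86400 IN NS ns1.owner-d.example.
yahoo.pk.       86400 IN A  192.0.2.10 ; not a delegation record
"""

def norm(name):  # DNS names are case-insensitive; drop the trailing root dot
    return name.rstrip(".").lower()

def parse_delegations(zone_text):
    """Return {domain: set(nameservers)} from 'owner ttl IN NS target' lines."""
    found = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip zone-file comments
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            found[norm(fields[0])].add(norm(fields[4]))
    return dict(found)

def find_drift(baseline, observed):
    """Domains whose published NS set differs from the expected one."""
    return {d: observed.get(d, set()) for d, want in baseline.items()
            if observed.get(d, set()) != want}

def shared_unexpected_sets(drift, min_domains=2):
    """Group drifted domains by identical NS set (suggests a registry-level change)."""
    groups = defaultdict(list)
    for domain, ns in drift.items():
        if ns:  # a vanished delegation is drift, but there is nothing to cluster on
            groups[frozenset(ns)].append(domain)
    return {ns: sorted(ds) for ns, ds in groups.items() if len(ds) >= min_domains}

if __name__ == "__main__":
    drift = find_drift(BASELINE, parse_delegations(OBSERVED_ZONE))
    print("drifted:", sorted(drift), "shared:", shared_unexpected_sets(drift))
```

In the sample, yahoo.pk drifts on its own (one nameserver missing) and is reported as drift but not clustered, while google.com.pk and apple.pk share the same unexpected pair.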

9 of 35 comments

  1. Difference? by thej1nx · · Score: 2

    And here I thought the Pakistani courts and religious leaders kept passing orders anyways to censor domains, based on hearsay about "immoral stuff" to be found on them. Doubt poor Pakistani netizens could tell the difference here.

  2. It's the TLD that was hacked by Anonymous Coward · · Score: 5, Insightful

    Blame the TLD operators, don't name Google, etc., who had no role in the hack

    1. Re:It's the TLD that was hacked by Runaway1956 · · Score: 4, Interesting

      I was sitting here scratching my head, wondering why all those sites were hosted by the same servers.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  3. Taken down and defaced? by Anonymous Coward · · Score: 5, Insightful

    I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

    1. Re:Taken down and defaced? by ark1 · · Score: 3, Informative

      I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

      From the end user's perspective, the site may appear defaced, but the actual web page at {Google, MS, ...} is not defaced.

  4. One might say... by philip.paradis · · Score: 2

    One might say the entire TLD is PhuKed. The teachable moment here is that security rolls downhill, and depending on any single layer of public infrastructure, at least for authentication of who you're talking to without giving serious consideration to cryptographic concerns, is asking for trouble. This is still something that the world is failing at on, well, a global scale.

    Well, that and taking perimeter security seriously in terms of access to critical components, and having short order failover to components with completely different codebases ready to roll into production for select services in the event of something nasty happening. These days, virtualization on multiple platforms running in parallel makes that easier, although it does have the effect of acting as a cost multiplier (sliding scale factor-wise) depending on what you're trying to make as bulletproof as possible.

    TLDR = Security is hard. Be prepared to be compromised. Have alternate plans in place that assume at least one $major_thing is already silently compromised. Yeah, it's tough. Life is tough.

    --
    Write failed: Broken pipe
    1. Re:One might say... by heypete · · Score: 4, Interesting

      I'd imagine the NIC could simply revert to a backup of their TLD zone and undo the changes -- the zone itself isn't infected and in need of purging, though the systems that can write to it may well be. I would hope that a NIC managing a national-level TLD has backups.

      That said, how could any entity that relies on DNS have alternate plans to deal with this sort of thing? It's one thing to have off-site nameservers on a different network to provide some degree of fault tolerance for your own domain, but it's another thing if the TLD itself gets hosed and bad guys modify the zone to point at different nameservers. As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

      I hope this incident serves as a wakeup call for TLD owners everywhere so they can review their security policies.

  5. Re:PKNIC unable to respond, PR team in picknick. by History's Coming To · · Score: 4, Funny

    Problem in Karachi Not In Computer?

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.
  6. In Ireland Google.ie and yahoo.ie were also hacked by Korth · · Score: 3, Interesting

    A similar thing happened in Ireland earlier this month due to a vulnerability in Joomla! http://www.iedr.ie/docs/IEDR_Statement_F_issued_9_November_2012.pdf