Want To Hijack a Domain? Just Get a Fax Machine

← Back to Stories (view on slashdot.org)

Want To Hijack a Domain? Just Get a Fax Machine

Posted by Soulskill on Friday October 11, 2013 @05:01AM from the why-are-fax-machines-still-a-thing dept.

msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to Register.com that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating."

108 of 162 comments (clear)

Min score:

Reason:

Sort:

"hack" by Anonymous Coward · 2013-10-11 05:02 · Score: 5, Insightful

Social engineering is not hacking to me.
1. Re:"hack" by i_ate_god · 2013-10-11 05:05 · Score: 5, Insightful
  
  What is the difference between injecting code into a machine to make it do what you want, and injecting an idea into a human to make the human do what you want.
  
  --
  I'm god, but it's a bit of a drag really...
2. Re:"hack" by TheCarp · 2013-10-11 05:07 · Score: 5, Funny
  
  Because normally by the time you are injecting code into a human, you already got what you wanted. What were we talking about again?
  
  --
  "I opened my eyes, and everything went dark again"
3. Re:"hack" by Zemran · 2013-10-11 05:11 · Score: 1
  
  One is morally wrong and the other is normal relationship...
  
  --
  I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
4. Re:"hack" by guytoronto · 2013-10-11 05:12 · Score: 1
  
  Getting cats out of trees isn't firefighting, but firefighters rescue cats all the time.
  
  Just because social engineering isn't hacking doesn't mean hackers can't do it.
5. Re:"hack" by VortexCortex · 2013-10-11 05:15 · Score: 1
  
  What is the difference between injecting code into a machine to make it do what you want, and injecting an idea into a human to make the human do what you want.
  The difference is that the machines appreciate recursive situational irony...
  The humans don't realize their reality isn't in a machine, it's in a virtual machine. Unlike you history repeating humans, we learn from our mistakes.
6. Re:"hack" by sumdumass · 2013-10-11 05:28 · Score: 3, Insightful
  
  Hackers also go bowling and put bumper stickers on cars. But few call those activities hacking. Just like few call rescueing kittens- firefighting.
7. Re:"hack" by Mitchell314 · 2013-10-11 05:28 · Score: 2
  
  But which one is which?
  
  --
  I read TFA and all I got was this lousy cookie
8. Re:"hack" by dreamchaser · 2013-10-11 05:29 · Score: 1
  
  It most certainly is. In fact, social engineering is quite often used by hackers. Sometimes they use it in conjunction with malicious code, sometimes they don't have to.
9. Re:"hack" by Albanach · 2013-10-11 05:30 · Score: 1
  
  Do firefighters really do this? In all my life, I don't think I've ever seen a fire crew helping a cat down from a tree. I figure when the cat gets hungry, it'll find its way down.
  I thought this just came from cartoons, because fire is hard to animate, and you need to do something with the ladders, otherwise firemen wouldn't have been needed at all.
10. Re:"hack" by Forbo · 2013-10-11 05:36 · Score: 2
  
  If manipulating people into doing things they wouldn't normally do is what you consider a "normal relationship", then you just might be a sociopath.
11. Re:"hack" by nine-times · 2013-10-11 05:36 · Score: 1
  
  Yet traditionally that's how a lot of "hackers" that you hear about have "hacked" into systems. But I know what you mean.
12. Re: "hack" by _0xd0ad · 2013-10-11 05:38 · Score: 1
  
  42
13. Re:"hack" by hairyfeet · 2013-10-11 05:45 · Score: 5, Insightful
  
  But we already HAD a word for that and it was not "hackers" it was con artists...or bunko men if you prefer a more gender specific term.
  If the guys here want to get all pedantic about the difference between virus and malware then why in God's green earth are we calling these guys hackers when they are doing the same shit that has been going on since before the fricking telephone? look up Bunko Bob, or Hod Bacon, guys have been doing cons for hundreds of years using nothing but their ability to manipulate the mark and this is no different and doesn't even require a computer,just the ability to sound professional and manipulate.
  This is NOT hacking folks, not even close. You might as well call a washing machine a jet engine for how far off the mark this is from actually hacking a system.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
14. Re:"hack" by Anonymous Coward · 2013-10-11 06:04 · Score: 5, Funny
  
  Scripture kiddies?
15. Re:"hack" by qwe4rty · 2013-10-11 06:06 · Score: 1
  
  Didn't you see the movie Inception?
16. Re:"hack" by Anonymous Coward · 2013-10-11 06:11 · Score: 1
  
  What is the difference between injecting code into a machine to make it do what you want, and injecting an idea into a human to make the human do what you want.
  1. The machine is lacking Free Will.
  2. You can't "inject" an idea into a human, the best you can do is present an idea and it's up to them to accept, reject, or ignore it.
  3. How did the parent get a +5 Insightful?
17. Re:"hack" by Jawnn · 2013-10-11 06:14 · Score: 2
  
  Do firefighters really do this? In all my life, I don't think I've ever seen a fire crew helping a cat down from a tree.
  When I was still on the job, the chief of a neighboring department was known to have said, "Ever seen a cat skeleton in a tree? That's why we don't rescue cats."
18. Re:"hack" by sunderland56 · 2013-10-11 06:17 · Score: 2
  
  Social engineering is not hacking to me.
  Kevin Mitnick? Is that you?
19. Re:"hack" by mythosaz · 2013-10-11 06:17 · Score: 5, Funny
  
  I painted a fence once, but nobody calls me a painter.
  I jumped out of a plane once, but nobody calls me a skydiver.
  ...but suck one cock.
20. Re:"hack" by TheCarp · 2013-10-11 06:20 · Score: 1
  
  Problem for cats is they are better at climbing up than down and can easily get themselves in a predicament, unlike squirrels, they can't actually grip the tree while upside down. I have seen a cat climb up things, or use their claws to hang on things, but, never climb down, they jump down....and if they can't safely jump to a branch that gets them close enough to the ground, I could see them getting stuck.
  I say, "I could see" because I have never seen a cat actually get stuck in a tree. They seem to be smart enough to not climb trees very often. A quick google search indicates that this, appears to be a real problem that people have run into but.... its obviously not so common that everyone knows what to do from the panicked "OMG My cat went missing for 2 days and I found him up in a tree, what do I do now" questions out there.
  http://www.ask.com/answers/19238201/ja-question?q=&o=0&l=dir&jss=0
  and of course:
  http://news.msn.com/us/cop-gets-stuck-in-tree-trying-to-rescue-cat-stuck-in-tree
  
  --
  "I opened my eyes, and everything went dark again"
21. Re:"hack" by gl4ss · 2013-10-11 06:26 · Score: 1
  
  well.. many "traditional" famous hackers were pretty much just fraudsters in every sense of the word.
  people use fraud to get what they want because it works.
  
  --
  world was created 5 seconds before this post as it is.
22. Re:"hack" by Bengie · 2013-10-11 06:30 · Score: 1
  
  The machine follows exactly what it is told, the human sometimes does and sometimes doesn't.
23. Re:"hack" by fred911 · 2013-10-11 06:31 · Score: 3, Insightful
  
  "If manipulating people into doing things they wouldn't normally do is what you consider a "normal relationship", then you just might be sociopath."
  Or just a talented salesperson.
  
  --
  09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
24. Re:"hack" by wagnerrp · 2013-10-11 06:34 · Score: 3, Informative
  
  Except that's called "cracking" or "conning", not "hacking". Infiltrating computer systems is only hacking in so far as you're writing code with which to do it. That's why "script kiddies" are not hackers.
25. Re:"hack" by CCarrot · 2013-10-11 06:44 · Score: 3, Funny
  
  "If manipulating people into doing things they wouldn't normally do is what you consider a "normal relationship", then you just might be sociopath."
  Or just a talented salesperson.
  There's a difference?? I've always considered them synonyms...
  
  --
  "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
26. Re:"hack" by suutar · 2013-10-11 06:53 · Score: 5, Funny
  
  You take that back! I am not a salesperson! :)
27. Re: "hack" by Anonymous Coward · 2013-10-11 07:14 · Score: 5, Funny
  
  Virgin spotted
  Meh. Virgin spotting on /. is like birdwatching in an aviary.
28. Re:"hack" by TheCarp · 2013-10-11 07:30 · Score: 1
  
  Only if they relax, which, at least in the case of a fall, takes them time to do. Actually I have seen somewhere that they have higher survivability rates ABOVE certain heights than below them. They still often take injuries from long drops.
  Sampling the behaviour of the approximately 9 cats I have seen at various times on the porches of my parents house, I have never seen a cat jump from the second floor front porch to the ground or even to a car roof.
  I have seen several cats jump from the second floor rear porch to the nearby roof (6-8 feet depending on what part of the roof and whether you count the full diagonal of the jump or just the verical component), and then down from there. In fact, even getting down from the top of the cabinet, they hang off the edge to get as low as possible for the drop and aim for the countertop first.
  So Whether they can survive it, they seem aware enough of the possibility of injury to think better of trying it. Which is likely smart when jumping off porches and cabinets, serves them less well in trees.
  
  --
  "I opened my eyes, and everything went dark again"
29. Re:"hack" by mythosaz · 2013-10-11 08:00 · Score: 1
  
  A cat's terminal velocity is survivable for the cat. They can jump from basicly any height and be fine.
  I'm willing to assist in the testing of this theory.
30. Re:"hack" by wjcofkc · 2013-10-11 09:34 · Score: 1
  
  I'm awfully surprised to see this comment modded up... especially on Slashdot. The crowd here should know that social engineering has always been an integral part of hacking. Penetration testers even use it. If I took a bunch of infected USB sticks and tossed them around the employee parking lot of a bank in the dark of the night, and then the next morning the bank employees say 'Yipee! Free thumb drives!' Then run inside and stick them in their computers as fast as they can like a bunch of idiots to see what's on them, quietly letting me into their systems, is that not hacking? I say yes. In the black hat sense anyhow.
  
  --
  Brought to you by Carl's Junior.
31. Re:"hack" by Zero__Kelvin · 2013-10-11 09:43 · Score: 2
  
  You should look up the origin of the word hacker. It has nothing to do with computers.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
32. Re:"hack" by wagnerrp · 2013-10-11 09:58 · Score: 1
  
  Right, it's the general term for any end user who "hacks together" their own tools and devices, rather than buy a commercial product. It has nothing to do with good or bad, but merely refers to the free-form development process outside of typical engineering methods. As I said, computer hacking implies you're writing your own code (or etching your own hardware).
33. Re:"hack" by Beardo+the+Bearded · 2013-10-11 10:06 · Score: 1
  
  I've seen movies of cats jumping from the top of telephone poles and walking away like "fuck all y'all in the loud trucks, can't a furball take a fuckin' nap?"
  
  --
  
  ---
  ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
34. Re:"hack" by Zero__Kelvin · 2013-10-11 10:11 · Score: 1
  
  Hacking is any clever use of a technique or technology in a manner that isn't otherwise apparent. Furthermore The Request for Comments RFC 1392 amplifies this meaning as "[a] person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular." So if they were doing it to see if they could do it ... to understand the internal workings of the organization ... then they were hacking. Social Engineering is a long established branch of hacking. Famous hacker Kevin Mitnik was famous in large part for his Social Engineering skills. You are correct that Script Kiddies are not hackers, but saying that this wasn't a hack is 100% incorrect.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
35. Re:"hack" by JWSmythe · 2013-10-11 17:49 · Score: 1
  
  I'm amazed this flaw still exists. It reminds me of back in the day, when NSI only accepted registrations via email. Changes could be forced by sending a sufficient number of change requests. We'd do it just to make sure the changes were accepted, since most of the time they'd screw it up. We'd send something like 20 requests. A few would be approved.
  You could move just about any domain to anywhere else, as long as you could forge the email header to be a legitimate contact.
  I never considered it a "hack". It was just a kludge to make a flawed system work properly. Well, too properly if I, for example, accidentally moved a domain that wasn't mine.
  So now you have to forge a fax? Oohh, that sounds rough.
  
  --
  Serious? Seriousness is well above my pay grade.
36. Re:"hack" by JWSmythe · 2013-10-11 18:07 · Score: 1
  
  I grew up on a farm, and we had plenty of cats and squirrels around.
  Squirrels never cried when they were stuck in a tree, because they never were.
  Cats would occasionally cry, but would eventually climb down. Even at 15' to 20' above the ground, they were fine. Their instincts and learned abilities work fine. They can't grip very well going head first down a tree. It's more like a clawed running fall, only slowing themselves a little. :) If they're too high, they can climb down backwards, stopping to rest or look around as they please. It's not terribly graceful, but they did fine. The important part to remember is, they got themselves there in the first place, so they have a path to get back down.
  If they don't survive, you've just witnessed evolution at work.
  
  --
  Serious? Seriousness is well above my pay grade.
37. Re:"hack" by JWSmythe · 2013-10-11 18:12 · Score: 1
  
  I'm surprised you haven't been slammed with the "Mitnik wasn't a hacker!" posts. For the most part, he manipulated people, or as you said "Social Engineering skills".
  If someone used those same skills to relieve an old lady out of a large sum of money without any technology needing to be involved, he'd just be called a con artist. Same deal, but sometimes a different goal.
  
  --
  Serious? Seriousness is well above my pay grade.
38. Re:"hack" by Zero__Kelvin · 2013-10-12 01:10 · Score: 1
  
  I wasn't slammed with such posts because Mitnick was a hacker. He was a smart hacker for the most part, but his addiction got the best of him. Real hackers don't spend months trying to brute force the passwd file when they can simply make a phone call and get on with their hacking. He used his access to hack. He gained that access through Social Engineering. This couldn't be more true to the initial MIT Hacker ethic, where they gained access to the hardware through all kinds of clever hacks so they could get on with the hacking. If Mitnick Social Engineered the passwords and sold them for profit then he would be the con artist you describe. He didn't. He Social engineered the passwords and then proceeded to hack.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
39. Re:"hack" by JWSmythe · 2013-10-12 03:49 · Score: 1
  
  I'm not arguing against that. You are correct. There are a lot of people that would argue against it, frequently on here.
  Maybe the crowd here has changed a lot, or maybe they are realizing that he did more than ask politely for passwords.
  
  --
  Serious? Seriousness is well above my pay grade.
40. Re:"hack" by Zero__Kelvin · 2013-10-12 04:04 · Score: 1
  
  If the crowd has changed it has changed for the worse. We may have made the transition from "Kevin Mitnick wasn't a hacker!" to "Kevin who?" ;-) Cheers!
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
41. Re:"hack" by dreamchaser · 2013-10-12 04:43 · Score: 2
  
  I take it you aren't in the security field then, because social engineering is widely regarded as form of hacking. Saying that it isn't so doesn't change that one bit.
42. Re:"hack" by NewYork · 2013-10-12 04:58 · Score: 1
  
  What is the difference between injecting code into a machine to make it do what you want, and injecting an idea into a human to make the human do what you want.
  RELIGION
  
  --
  Casteism
43. Re:"hack" by Lisias · 2013-10-12 06:11 · Score: 1
  
  What is the difference between injecting code into a machine to make it do what you want, and injecting an idea into a human to make the human do what you want.
  Humans are supposed to be "sapiens".
  
  --
  Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
44. Re:"hack" by wagnerrp · 2013-10-12 06:12 · Score: 1
  
  You would be correct that I'm not in the security field, of course you're missing the point that hacking does not directly have anything to do with computer security. Just because mainstream media decides to abuse a word out of ignorance, making it something "evil" and "bad", does not mean you have to as well.
45. Re:"hack" by hobarrera · 2013-10-12 06:17 · Score: 1
  
  Neither is incompetence no behalf of the registrar.
46. Re:"hack" by Xemu · 2013-10-12 08:10 · Score: 1
  
  2. You can't "inject" an idea into a human, the best you can do is present an idea and it's up to them to accept, reject, or ignore it.
  Ma'am, I suggest you go watch
  http://www.ted.com/talks/elizabeth_loftus_the_fiction_of_memory.html
  where it is shown that it is indeed possible to "inject" ideas into humans.
  
  --
  Tell your friends about xenu.net
47. Re:"hack" by doccus · 2013-10-12 12:18 · Score: 1
  
  The humans don't realize their reality isn't in a machine, it's in a virtual machine. Unlike you history repeating humans, we learn from our mistakes.
  You darn tootin' machines are all alike. You might learn from your mistakes, if you were capable of recognizing you made them ;-)
48. Re:"hack" by dreamchaser · 2013-10-12 12:53 · Score: 1
  
  That's a common misconception. I am in the IT security field, a senior network security engineer and consultant. I'm well steeped in the business, and I will tell you that you're wrong. I'm not drawing from mainstream media. I live it daily. I'm one of the guys who helps try to protect organizations from the black hats. Social engineering is every bit as much a part of what is known as 'hacking' (I hate the term btw, but it is what is is) as are active attacks, malware, and botnets.
49. Re:"hack" by Hentes · 2013-10-13 00:32 · Score: 1
  
  What's the difference? At the end of the day, they got what they wanted. Real hackers care about results, not methods.
50. Re:"hack" by TheCarp · 2013-10-13 00:56 · Score: 1
  
  http://en.wikipedia.org/wiki/Cat_righting_reflex#Injury
  Yup cats definitely get hurt from falling but, I do believe the original post that started us down this road said "survivable" which doesn't really mean unharmed:
  
  of 132 cats that were brought into the New York Animal Medical Center after having fallen from buildings, it was found that the injuries per cat increased depending on the height fallen up to seven stories but decreased above seven stories.[8] The study authors speculated that after falling five stories the cats reached terminal velocity and thereafter relaxed and spread their bodies to increase drag.
  Falling from height is always a very risky gamble, but people have survived falls from airplanes.
  Falls have a ridiculously high chance of mortal injury, but its not 100%, hell just by being in shape and learning to land properly people can do some amazing things without injury. Parcour runners run away from falls that would leave me with broken, twisted, limbs, and I would be lucky if my neck wasn't one of them.
  
  --
  "I opened my eyes, and everything went dark again"
51. Re:"hack" by Zero__Kelvin · 2013-10-13 10:09 · Score: 1
  
  No, but I would have others believe I know the meaning of the word origin.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
52. Re:"hack" by TheCarp · 2013-10-14 07:05 · Score: 1
  
  After I saw this, I looked it up..... wow cats never cease to amaze me. Video I saw some guy was trying to get one of those neck loops around the cat when it decided it was time to go. Duh, that is so NOT how I would try to control a cat.
  Get one hand on that scruff FIRST. Then do what you want. In fact, I did just that recently when i saw an escaped kitty playing dodge the traffic, he ran to hide under a car and I went over, lay on the ground and tried to calm him.... someone saw me and wanted to "help"....
  So i told them to walk around the other side so the cat doesn't run INTO traffic and "try to scare him this way". I knew it wouldn't really work that way :) but as soon as they walked around, the cat turned his head, and I immediately scruffed him. (Note for non-cat people: Don't ever lift an adult cat by the scruff, just grab and hold it for control)
  Aside from that just... wow what a jump!
  
  --
  "I opened my eyes, and everything went dark again"
legal crime by schneidafunk · 2013-10-11 05:04 · Score: 3, Insightful

What is the legal crime committed here, simply fraud?

--
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
1. Re:legal crime by Anonymous Coward · 2013-10-11 05:11 · Score: 2, Informative
  
  Counts as both wire fraud and CFAA violations
2. Re:legal crime by gstoddart · 2013-10-11 05:18 · Score: 1
  
  Fraud fore sure. Probably some computer hacking laws. Uttering a false statement. Possibly receipt of stolen goods. Depending on the value of the domain the theft could reach felony threshold. You could reach and say identify theft, but that's probably pushing it.
  Depends on how creative the DA feels like being, but I should think there's quite a few charges which could be applied here.
  
  --
  Lost at C:>. Found at C.
3. Re:legal crime by TheCarp · 2013-10-11 05:22 · Score: 2
  
  > Uttering a false statement.
  Hey man, they were just taking after the example set by our political leaders!
  
  --
  "I opened my eyes, and everything went dark again"
4. Re:legal crime by lister+king+of+smeg · 2013-10-11 05:38 · Score: 1
  
  would it be wire fraud if sent by mail?
  
  --
  ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
5. Re:legal crime by Chris+Mattern · 2013-10-11 05:43 · Score: 3, Informative
  
  No, then it would be mail fraud, of course. US law treats the two pretty much the same, however; both are defined in Title 18 of the US Code, mail fraud in Section 1341, wire fraud in Section 1343.
6. Re:legal crime by ShaunC · 2013-10-11 12:19 · Score: 1
  
  Hands up, who remembers Happy Hardcore's old AOL screen name MrWireFraud?
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
A hack is not just a hack by cyberpocalypse · 2013-10-11 05:09 · Score: 5, Insightful

There has been some commentary via mailing lists and Twitter feeds that this was not a big deal. Firstly, hats off to HD and his team, there was nothing they could have done about it. Secondly, this isn't to be taken lightly. Sure the attackers were minor script kiddies, but the reality is, the attack could have been extremely vicious. Consider an attacker replicating the content of the site and simply replacing the applications (nexpose, metasploit) with backdoored versions. Companies like Register and GoDaddy are lacking in the validation category. ANYONE can create fake identification using GIMP, Photoshop, etc., the fact they did not offer anything other than a fax request is mind bogglingly stupid. They should have called BACK the registrant's number to confirm the change request. But, companies would argue: "that would be costly" not even thinking of turning that kind of validation into say a business model: "for $10 extra per year..." when they should be doing it from the jump. (Neither here nor there) Personally, I hadn't been running any updates, but if I did, I would be going back, wiping my machines, and re-installing.
1. Re:A hack is not just a hack by cascadingstylesheet · 2013-10-11 05:18 · Score: 3, Funny
 
 Why do you use that crappy font? Makes what you have to say totally unreadable.
 Because crappy fonts prove your 1eet haX0r street cred?
2. Re:A hack is not just a hack by gstoddart · 2013-10-11 05:23 · Score: 1
 
 Because crappy fonts prove your 1eet haX0r street cred?
 Not if you don't know it's '133t' instead of '1eet'. And 'h4x0r' not 'haX0r' ;-)
 Yes, I know, STFU. :-P
 
 --
 Lost at C:>. Found at C.
3. Re: A hack is not just a hack by _0xd0ad · 2013-10-11 05:42 · Score: 3, Informative
 
 Why does your browser use a crappy font for monospaced text? There's a setting for that. Mine uses Consolas. It's readable. And it differentiates between O and 0, and other characters that look similar (if not identical) in most other fonts.
4. Re:A hack is not just a hack by Princeofcups · 2013-10-11 05:42 · Score: 1
 
 Personally, I hadn't been running any updates, but if I did, I would be going back, wiping my machines, and re-installing.
 
 DNS hijacking has nothing to do with server access.
 
 --
 The only thing worse than a Democrat is a Republican.
5. Re:A hack is not just a hack by TheRealMindChild · 2013-10-11 05:42 · Score: 2
 
 Ok, firstly the "You don't know what you are talking about, go back to school and learn something" retort makes your argument almost ignore worthy. It shows you have very little to stand on and a personal attack is always an indicator of insecurity.
 
 With that, IF the SSL cert is stolen, then the system itself is compromised, which the attacker would use it instead of setting up their own. Secondly, having SSL won't make anything LESS secure, but it MIGHT make things even just a little bit harder for the attacker. Thirdly, no one said rely solely on that. It is simply a link in a security chain, which IS good security practice.
 
 Just because "Once a person was able to sneak a gun into a courtroom" may have occurred is absolutely a terrible reason not abolish checking for them.
 
 --
 
 "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
6. Re:A hack is not just a hack by TheCarp · 2013-10-11 06:27 · Score: 1
 
 Interesting that it includes unix based systems but isn't giving mkfs a block device. Even the honor system trojan is buggy.
 
 --
 "I opened my eyes, and everything went dark again"
7. Re:A hack is not just a hack by psydeshow · 2013-10-11 06:33 · Score: 2
 
 SSL certs would have battled against this. They cert wouldn't match when visiting the spoofed site.
 Except for the part where if you control the domain registration you can have a new SSL cert issued within minutes.
8. Re:A hack is not just a hack by swillden · 2013-10-11 07:19 · Score: 1
 
 Why do you use that crappy font? Makes what you have to say totally unreadable.
 Hmm... troll, or idiot... I can't decide. Ah well, it's a distinction without a difference.
 
 --
 Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
9. Re:A hack is not just a hack by Zedrick · 2013-10-11 09:27 · Score: 1
 
 I'm not quite sure about the ICANN regulations, but with some TLD's a signed fax is a valid request- ie if a registrar get a fax (or letter) demanding DNS changes (or EPP-codes), the registrar *have to* do what's asked without "being troublesome" and calling back etc. It has nothing to do with cost. Stupid? Sure. But not the registrars fault.
10. Re: A hack is not just a hack by Just+Some+Guy · 2013-10-11 09:45 · Score: 1
 
 Mine does too, which is great for sites like Github where it's not actually a sign of mental illness to post things that render in monospace.
 
 --
 Dewey, what part of this looks like authorities should be involved?
11. Re:A hack is not just a hack by JWSmythe · 2013-10-11 18:40 · Score: 1
 Look down at the bottom of the textarea. If you select 'code', it puts everything into monospace, and (should) escape html entities. Alternatively, you can use the tags in the below list, from which ecode sets a block to be monospace with escaped html entities.
 I wonder if I can post them all in one message. :)
 b = bold i italics
 p = new paragraph
 br = line break a = link
 
 ol ordered list
 li line item
 
 ul unordered list
 li line item
 dl descriptive list dt descriptive term descriptive description
 em emphasis strong tt teletype text
 
 blockquote: this is a block of quoted text.
 
 multiple blockquotes can be nested if you're really determined to put a whole thread into one message
 
 div
 
 ecode allows escaped code such as Allowed HTML... <a> <ol> <ul> <li> <dl> <dt> <dd> <tt> <blockquote> <div> <ecode>
 
 quote is an alias for blockquote
 ... and all that garbage was generated with ...
 
 b = bold i italics p = new paragraph br = line break <A HREF='/'>a = link</A> <ol> <li>ol ordered list <li>li line item </ol> <ul>ul unordered list <li> li line item </ul> <dl> dl descriptive list <dt> dt descriptive term </dt> <dd> descriptive description </dl> </dl> em emphasis strong <tt> tt teletype text</tt> <blockquote> blockquote: this is a block of quoted text. <blockquote>multiple blockquotes can be nested if you're really determined to put a whole thread into one message </blockquote> </blockquote> <div> div <ecode> ecode allows escaped code such as Allowed HTML... <a> <ol> <ul> <li> <dl> <dt> <dd> <tt> <blockquote> <div> <ecode>
 
 quote is an alias for blockquote
 Don't read past here. :)
 unfortunately, making so many short lines made the lameness filter throw the message "Your comment has too few characters per line (currently 27.4). ", so I'm padding the message with real words, so I won't see "Your comment has too few characters per line (currently 27.4). " again, and hopefully it will think that this is an informative message like it is, rather than saying "Your comment has too few characters per line (currently 27.4). " Whew.
 But no, that didn't work. Now I'm at "Your comment has too few characters per line (currently 32.0). ", which means I have "Your comment has too few characters per line (currently 32.0). ", and I really should have more characters per line, but if I just put one character repeated, it will complain about that too, so lets see where we are now instead of "Your comment has too few characters per line (currently 32.0). "
 This is apparently harder than it seems, as it now says "Your comment has too few characters per line (currently 36.1). ", which means trying to explain how Slashdot works in a Slashdot post is going to make me type a lot of new junk so I won't see "Your comment has too few characters per line (currently 36.1). ", but I'll probably be caught by another lameness filter. Like, it may realize I keep using the same words over and over, even though I'm typing a lot in between messages li
 --
 Serious? Seriousness is well above my pay grade.
12. Re:A hack is not just a hack by JWSmythe · 2013-10-11 18:50 · Score: 1
 
 I vote idiot. :)
 
 --
 Serious? Seriousness is well above my pay grade.
13. Re:A hack is not just a hack by cascadingstylesheet · 2013-10-11 23:35 · Score: 1
 
 Not if you don't know it's '133t' instead of '1eet'. And 'h4x0r' not 'haX0r' ;-)
 I take great pride in not knowing the precise syntax for those :)
14. Re:A hack is not just a hack by Lisias · 2013-10-12 06:17 · Score: 1
 
 Please, show some respect for the idiots... Many of them are good people (idiotic, but good people), and don't deserve be compared with a jackass like that. :-)
 
 --
 Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
15. Re:A hack is not just a hack by Lisias · 2013-10-12 06:21 · Score: 1
 
 kudos, my friend. Your post is one of the best I ever read here, especially the part after "Dont read past here". :-)
 
 --
 Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
16. Re:A hack is not just a hack by JWSmythe · 2013-10-12 14:43 · Score: 1
 
 :) Thank you.
 
 --
 Serious? Seriousness is well above my pay grade.
Resolved by al3 · 2013-10-11 05:14 · Score: 5, Funny

"The DNS hijacking attack was resolved within an hour, Moore said."
Is that a DNS joke?
1. Re:Resolved by cascadingstylesheet · 2013-10-11 05:17 · Score: 2
  
  "The DNS hijacking attack was resolved within an hour, Moore said."
  Is that a DNS joke?
  Well, the resolution may take 24 - 48 hours to reach your part of the world ...
2. Re:Resolved by Anonymous Coward · 2013-10-11 05:20 · Score: 1
  
  I get it - I dig that pun!
Really by fax? by yakatz · 2013-10-11 05:19 · Score: 3, Interesting

The only evidence actually quoted that the attack was by faxed change request is the defaced website. Do we trust the "hackers" that much that we believe they made the change by sending a fax? Could the group be giving a red herring?
1. Re:Really by fax? by horm · 2013-10-11 06:16 · Score: 1
  
  Should we provide a definition for every colloquialism we use?
2. Re:Really by fax? by yakatz · 2013-10-11 06:29 · Score: 1
  
  I don't have an ax to grind and I certainly don't want to create bad blood, but we can build a castle in the air of people all over the world who understand every English idiom.
  
  I wanted to have one idiom for every letter, but I got tired of it.
3. Re:Really by fax? by X0563511 · 2013-10-11 09:23 · Score: 1
  
  The problem is that businesses seem to think fax machines are magically perfect and couldn't possibly be impersonated.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
There's a name for this. by Minwee · 2013-10-11 05:27 · Score: 5, Funny

It's "Canadian Hacking". Instead of breaking into someone's computers and maliciously altering their data, you just call them up or send a note to ask politely if they would do it to themselves.
You'd be surprised at how often it works, eh?
1. Re:There's a name for this. by nine-times · 2013-10-11 06:40 · Score: 4, Interesting
  
  Honestly, it does work a lot. I work in IT and have had to help clients get control of various kinds of accounts to which they have lost usernames, passwords, and other vital information. You know, things like, "A previous employee bought our domain name and set up the DNS for us using his personal account. His name is on the account. We don't know what the associated email address is. We certainly don't have the password. We've tried contacting this ex-employee, and found that his phone number doesn't work anymore."
  And really, you'd be surprised what you can get if you call up, sound professional and honest, and just ask people to help you out. Domain registrations are generally kind of a pain in the butt, but even those usually just require some faxed documentation. I've had some accounts (not domain registrations) where the support basically said, "Oh, you're supposed to have access? Let me just reset the password for you." It's pretty disturbing. But then I also legitimately need to do this sort of thing all the time because businesses rarely pay any attention to these things.
2. Re:There's a name for this. by FeelGood314 · 2013-10-11 08:06 · Score: 1
  
  When I was working for a very reputable 3 letter company, I had a "customer" ask us to hack a security device. There was a feature that had me stumped so I phoned the manufacturer of the device who put me in touch with their supply of this feature. The supply explained how unbeatable their product was and how to implement it. Now the implementation had one difficult step and I asked what would happen if that step was missed and was told how it would render the product vulnerable. The maker of the device had skipped this step so getting into the device was easy after that. I told the truth the whole time, even stated my intentions and still everyone helped me. Of coarse my employer never validate the identity of the "customer".
3. Re:There's a name for this. by thegarbz · 2013-10-11 10:56 · Score: 1
  
  It works well outside of IT. The customer is always right (bullshit) approach to managing or diffusing situations often lead to people being overly helpful and bending the rules, especially if you can voice despair.
  A few classic lines:
  - I wasn't told a case number. They'll put me on hold for half an hour again.
  - Those guys just transferred me to you!
  - Look I've been on the phone to you all day and you guys have given me a complete run around!
  When people feel customers have been dicked around by their own stupid policies they go out of their way to help.
4. Re:There's a name for this. by rueger · 2013-10-11 10:58 · Score: 1
  
  Actually, we learned this technique from our colonial overlords. Then again, some Canadian companies aren't dumb enough to act on that's sent to them...
  
  --
  Three Squirrels
It's common by Anonymous Coward · 2013-10-11 05:42 · Score: 1

I recently moved. As I called the various utilities to tell them to cancel my service few of them asked for any kind of identification except my address. I other words in could easily shut off anyone's gas, electricity, internet service
On the other hand it's pretty nice to live in a society with so much trust
Was like that years ago too. by future+assassin · 2013-10-11 05:44 · Score: 1

In 1999/2000 all we had to do to get a dns change from network solutions was fax in a request with a company letter head. They would change the new clients DNS to use and off we went.

--
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
Re:DNSSEC? by ledow · 2013-10-11 05:52 · Score: 1

Only if does it in English could have.
Re:Fax machines are still a thing... by ledow · 2013-10-11 05:57 · Score: 1

A legally-qualified friend of mine once told me that fax was officially regarded as a valid "service" in legal terms (i.e. you could send summons, court orders, etc. by it and count them as being served on someone).
There are rules for communications in legal terms, which basically say that if you replied to an email, then email is a valid form of service for you, and things like that, but fax had enjoys a special relationship with legal people for a long time. Hence some finance / legal departments will only accept things by fax sometimes, which although nonsensical in technical terms, has a good reason behind it.
I imagine the situation has changed with the advent of electronic court proceedings (according to what I was researching for preparation to sue my car insurance company, I am able to do virtually the entire case online nowadays, thanks to the UK Government Gateway authentication) but it still holds a few powers that courts will recognise but may not for things like email, messaging, etc.
Registrar security is kind of a joke sometimes by Tridus · 2013-10-11 05:59 · Score: 4, Interesting

I had to do this recently for a legitimate reason. A friend had bought a small hobby type operation (including the domain), but the old owner forgot to change the domain ownership over and dropped off the grid. It wasn't really a problem until we wanted to change hosting providers, at which point we couldn't update the DNS settings.
Since we actually had control of the domain, I used the account that was listed as the admin contact to send an email to the registrar explaining the situation and asking if they could change the info for us. Without any validation whatsoever they sent me the username and password (apparently stored in clear text) for the account, allowing me to do anything I wanted with it.
Thankfully I don't use that registrar for my own stuff. I expected at least to have to show some proof of ownership or something.

--
-- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
1. Re:Registrar security is kind of a joke sometimes by Anonymous Coward · 2013-10-11 06:36 · Score: 2, Insightful
  
  Which registrar was this? I would like to know so that I can avoid them in the future.
2. Re:Registrar security is kind of a joke sometimes by mynamestolen · 2013-10-11 07:48 · Score: 1
  
  Get someone to try it on your own registrar and post us the results.
  
  --
  work in progress
Re:Fax machines are still a thing... by WillAffleckUW · 2013-10-11 06:19 · Score: 1

Actually, some contracts require you to have one.
That said, just buy a $49 modem and use it to be a "fax machine".

--
-- Tigger warning: This post may contain tiggers! --
Re:Fax machines are still a thing... by jandrese · 2013-10-11 06:25 · Score: 1

The ironic part is that they probably take faxes because they're considered more secure than email. I mean if you have official looking letterhead, that means you must be legitimate, right?

--

I read the internet for the articles.
Breaking into a tech museum by Arancaytar · 2013-10-11 07:07 · Score: 2

just to steal an internet domain?
1. Re:Breaking into a tech museum by thegarbz · 2013-10-11 11:00 · Score: 1
  
  Funny story, we have an ancient system at work which we can remotely administer via a 28.8k modem. Our office upgraded everything to VoIP and ripped out all the telephone lines. All but one ... and would you know it it's an unused fax machine.
"hacking a system", see hacker's dictionary by raymorris · 2013-10-11 07:57 · Score: 2

> But we already HAD a word for that and it was not "hackers" it was con artists..
I think the distinction is in your last three words, "hacking a system".
A con man or fraudster will get a _person_ to hand over their property.
A hacker manipulates a _system_ to have it do something other than what it's supposed to do.
TFA says:
"The group was able to change the DNS records managed by Network Solutions for a number of security companies".
They did a number of companies by exploiting NetSol's SYSTEM, not simply tricking one person, but exploiting
holes in the system that the person what was part of. If you can fairly reliably exploit the system, it's a hack in my opinion whether that's a TCP/IP system, a phone system, a traffic light control system, or system that includes both
computers and human.
However, see also the Jargon File for original meanings of the term:
http://www.dourish.com/goodies/jargon.html
http://www.outpost9.com/reference/jargon/jargon_23.html#SEC30
Re:Fax machines are still a thing... by Shimbo · 2013-10-11 09:54 · Score: 1

I mean if you have official looking letterhead, that means you must be legitimate, right?
Thankfully, the days when our admin people wanted a fax on headed notepaper before they believed a business was legitimate are long gone. However, the ways that legitimate business people identify themselves to you are still very primitive. If you're lucky they send you a notification that you can pick up a PM. Banks are often the worst, where they robocall you and want you to provide personal details before they tell you why they called.
Changing a DNS record is small beer, though. Social engineering by fax can acheive much more than that: http://www.nbcnews.com/id/18251472/ns/us_news-crime_and_courts/t/prison-releases-felon-after-getting-phony-fax/
Not defaced by sjames · 2013-10-11 10:57 · Score: 1

Defaced implies that they were changed on the server. That didn't happen. The domain was hijacked and the replacement pages were put up on another server.
Want so jail time by Stan92057 · 2013-10-11 11:18 · Score: 1

Want so jail time with Bubba? Use a fax machine to steal someones domain.

--
Jack of all trades,master of none
1. Re:Want so jail time by mysidia · 2013-10-11 13:19 · Score: 1
  
  Want so jail time with Bubba? Use a fax machine to steal someones domain.
  Yeah; that's where you may be if you use a fax machine.
  The "cool kids" (evil criminal hax0rs) may use guessed credentials on FoIP / IP to fax services.
  To point the domain to DNS servers/web servers running on a hosting account the evil hax0r also hacked.
  The authorities will come a knocking on the victim's door instead of the bad guy's, in this case
2. Re:Want so jail time by Stan92057 · 2013-10-11 15:02 · Score: 1
  
  Our prisons are full to the max with criminals who think they cant get caught. Guess they were wrong hu?
  
  --
  Jack of all trades,master of none
3. Re:Want so jail time by mysidia · 2013-10-11 20:06 · Score: 1
  
  Our prisons are full to the max with criminals who think they cant get caught. Guess they were wrong hu?
  Yes, but kind of hard to catch criminals from Russia/China who have covered their tracks.
  Someone might eventually track them, but it's unlikely the authorities in their country will even do anything about it.
4. Re:Want so jail time by Stan92057 · 2013-10-12 04:55 · Score: 1
  
  Maybe, maybe not. But if You want some jail time . Bubba meet.................. lol
  
  --
  Jack of all trades,master of none