Slashdot Mirror

← Back to Stories (view on slashdot.org)

Want To Hijack a Domain? Just Get a Fax Machine

Posted by Soulskill on from the why-are-fax-machines-still-a-thing dept.

msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to Register.com that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating."

36 of 162 comments (clear)

  1. "hack" by Anonymous Coward · · Score: 5, Insightful

    Social engineering is not hacking to me.

    1. Re:"hack" by i_ate_god · · Score: 5, Insightful

      What is the difference between injecting code into a machine to make it do what you want, and injecting an idea into a human to make the human do what you want.

      --
      I'm god, but it's a bit of a drag really...
    2. Re:"hack" by TheCarp · · Score: 5, Funny

      Because normally by the time you are injecting code into a human, you already got what you wanted. What were we talking about again?

      --
      "I opened my eyes, and everything went dark again"
    3. Re:"hack" by sumdumass · · Score: 3, Insightful

      Hackers also go bowling and put bumper stickers on cars. But few call those activities hacking. Just like few call rescueing kittens- firefighting.

    4. Re:"hack" by Mitchell314 · · Score: 2

      But which one is which?

      --
      I read TFA and all I got was this lousy cookie
    5. Re:"hack" by Forbo · · Score: 2

      If manipulating people into doing things they wouldn't normally do is what you consider a "normal relationship", then you just might be a sociopath.

    6. Re:"hack" by hairyfeet · · Score: 5, Insightful

      But we already HAD a word for that and it was not "hackers" it was con artists...or bunko men if you prefer a more gender specific term.

      If the guys here want to get all pedantic about the difference between virus and malware then why in God's green earth are we calling these guys hackers when they are doing the same shit that has been going on since before the fricking telephone? look up Bunko Bob, or Hod Bacon, guys have been doing cons for hundreds of years using nothing but their ability to manipulate the mark and this is no different and doesn't even require a computer,just the ability to sound professional and manipulate.

      This is NOT hacking folks, not even close. You might as well call a washing machine a jet engine for how far off the mark this is from actually hacking a system.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    7. Re:"hack" by Anonymous Coward · · Score: 5, Funny

      Scripture kiddies?

    8. Re:"hack" by Jawnn · · Score: 2

      Do firefighters really do this? In all my life, I don't think I've ever seen a fire crew helping a cat down from a tree.

      When I was still on the job, the chief of a neighboring department was known to have said, "Ever seen a cat skeleton in a tree? That's why we don't rescue cats."

    9. Re:"hack" by sunderland56 · · Score: 2

      Social engineering is not hacking to me.

      Kevin Mitnick? Is that you?

    10. Re:"hack" by mythosaz · · Score: 5, Funny

      I painted a fence once, but nobody calls me a painter.

      I jumped out of a plane once, but nobody calls me a skydiver.

      ...but suck one cock.

    11. Re:"hack" by fred911 · · Score: 3, Insightful

      "If manipulating people into doing things they wouldn't normally do is what you consider a "normal relationship", then you just might be sociopath."

      Or just a talented salesperson.

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    12. Re:"hack" by wagnerrp · · Score: 3, Informative

      Except that's called "cracking" or "conning", not "hacking". Infiltrating computer systems is only hacking in so far as you're writing code with which to do it. That's why "script kiddies" are not hackers.

    13. Re:"hack" by CCarrot · · Score: 3, Funny

      "If manipulating people into doing things they wouldn't normally do is what you consider a "normal relationship", then you just might be sociopath."

      Or just a talented salesperson.

      There's a difference?? I've always considered them synonyms...

      --
      "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
    14. Re:"hack" by suutar · · Score: 5, Funny

      You take that back! I am not a salesperson! :)

    15. Re: "hack" by Anonymous Coward · · Score: 5, Funny

      Virgin spotted

      Meh. Virgin spotting on /. is like birdwatching in an aviary.

    16. Re:"hack" by Zero__Kelvin · · Score: 2

      You should look up the origin of the word hacker. It has nothing to do with computers.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    17. Re:"hack" by dreamchaser · · Score: 2

      I take it you aren't in the security field then, because social engineering is widely regarded as form of hacking. Saying that it isn't so doesn't change that one bit.

  2. legal crime by schneidafunk · · Score: 3, Insightful

    What is the legal crime committed here, simply fraud?

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:legal crime by Anonymous Coward · · Score: 2, Informative

      Counts as both wire fraud and CFAA violations

    2. Re:legal crime by TheCarp · · Score: 2

      > Uttering a false statement.

      Hey man, they were just taking after the example set by our political leaders!

      --
      "I opened my eyes, and everything went dark again"
    3. Re:legal crime by Chris+Mattern · · Score: 3, Informative

      No, then it would be mail fraud, of course. US law treats the two pretty much the same, however; both are defined in Title 18 of the US Code, mail fraud in Section 1341, wire fraud in Section 1343.

  3. A hack is not just a hack by cyberpocalypse · · Score: 5, Insightful


    There has been some commentary via mailing lists and Twitter feeds that this was not a big deal. Firstly, hats off to HD and his team, there was nothing they could have done about it. Secondly, this isn't to be taken lightly. Sure the attackers were minor script kiddies, but the reality is, the attack could have been extremely vicious. Consider an attacker replicating the content of the site and simply replacing the applications (nexpose, metasploit) with backdoored versions.

    Companies like Register and GoDaddy are lacking in the validation category. ANYONE can create fake identification using GIMP, Photoshop, etc., the fact they did not offer anything other than a fax request is mind bogglingly stupid. They should have called BACK the registrant's number to confirm the change request. But, companies would argue: "that would be costly" not even thinking of turning that kind of validation into say a business model: "for $10 extra per year..." when they should be doing it from the jump. (Neither here nor there) Personally, I hadn't been running any updates, but if I did, I would be going back, wiping my machines, and re-installing.

    1. Re:A hack is not just a hack by cascadingstylesheet · · Score: 3, Funny

      Why do you use that crappy font? Makes what you have to say totally unreadable.

      Because crappy fonts prove your 1eet haX0r street cred?

    2. Re: A hack is not just a hack by _0xd0ad · · Score: 3, Informative

      Why does your browser use a crappy font for monospaced text? There's a setting for that. Mine uses Consolas. It's readable. And it differentiates between O and 0, and other characters that look similar (if not identical) in most other fonts.

    3. Re:A hack is not just a hack by TheRealMindChild · · Score: 2

      Ok, firstly the "You don't know what you are talking about, go back to school and learn something" retort makes your argument almost ignore worthy. It shows you have very little to stand on and a personal attack is always an indicator of insecurity.

      With that, IF the SSL cert is stolen, then the system itself is compromised, which the attacker would use it instead of setting up their own. Secondly, having SSL won't make anything LESS secure, but it MIGHT make things even just a little bit harder for the attacker. Thirdly, no one said rely solely on that. It is simply a link in a security chain, which IS good security practice.

      Just because "Once a person was able to sneak a gun into a courtroom" may have occurred is absolutely a terrible reason not abolish checking for them.

      --

      "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    4. Re:A hack is not just a hack by psydeshow · · Score: 2

      SSL certs would have battled against this. They cert wouldn't match when visiting the spoofed site.

      Except for the part where if you control the domain registration you can have a new SSL cert issued within minutes.

  4. Resolved by al3 · · Score: 5, Funny

    "The DNS hijacking attack was resolved within an hour, Moore said."

    Is that a DNS joke?

    1. Re:Resolved by cascadingstylesheet · · Score: 2

      "The DNS hijacking attack was resolved within an hour, Moore said."

      Is that a DNS joke?

      Well, the resolution may take 24 - 48 hours to reach your part of the world ...

  5. Really by fax? by yakatz · · Score: 3, Interesting

    The only evidence actually quoted that the attack was by faxed change request is the defaced website. Do we trust the "hackers" that much that we believe they made the change by sending a fax? Could the group be giving a red herring?

  6. There's a name for this. by Minwee · · Score: 5, Funny

    It's "Canadian Hacking". Instead of breaking into someone's computers and maliciously altering their data, you just call them up or send a note to ask politely if they would do it to themselves.

    You'd be surprised at how often it works, eh?

    1. Re:There's a name for this. by nine-times · · Score: 4, Interesting

      Honestly, it does work a lot. I work in IT and have had to help clients get control of various kinds of accounts to which they have lost usernames, passwords, and other vital information. You know, things like, "A previous employee bought our domain name and set up the DNS for us using his personal account. His name is on the account. We don't know what the associated email address is. We certainly don't have the password. We've tried contacting this ex-employee, and found that his phone number doesn't work anymore."

      And really, you'd be surprised what you can get if you call up, sound professional and honest, and just ask people to help you out. Domain registrations are generally kind of a pain in the butt, but even those usually just require some faxed documentation. I've had some accounts (not domain registrations) where the support basically said, "Oh, you're supposed to have access? Let me just reset the password for you." It's pretty disturbing. But then I also legitimately need to do this sort of thing all the time because businesses rarely pay any attention to these things.

  7. Registrar security is kind of a joke sometimes by Tridus · · Score: 4, Interesting

    I had to do this recently for a legitimate reason. A friend had bought a small hobby type operation (including the domain), but the old owner forgot to change the domain ownership over and dropped off the grid. It wasn't really a problem until we wanted to change hosting providers, at which point we couldn't update the DNS settings.

    Since we actually had control of the domain, I used the account that was listed as the admin contact to send an email to the registrar explaining the situation and asking if they could change the info for us. Without any validation whatsoever they sent me the username and password (apparently stored in clear text) for the account, allowing me to do anything I wanted with it.

    Thankfully I don't use that registrar for my own stuff. I expected at least to have to show some proof of ownership or something.

    --
    -- "So they told me that using the download page to download something was not something they anticipated." - Bill Gates
    1. Re:Registrar security is kind of a joke sometimes by Anonymous Coward · · Score: 2, Insightful

      Which registrar was this? I would like to know so that I can avoid them in the future.

  8. Breaking into a tech museum by Arancaytar · · Score: 2

    just to steal an internet domain?

  9. "hacking a system", see hacker's dictionary by raymorris · · Score: 2

    > But we already HAD a word for that and it was not "hackers" it was con artists..

    I think the distinction is in your last three words, "hacking a system".

    A con man or fraudster will get a _person_ to hand over their property.
    A hacker manipulates a _system_ to have it do something other than what it's supposed to do.
    TFA says:

    "The group was able to change the DNS records managed by Network Solutions for a number of security companies".

    They did a number of companies by exploiting NetSol's SYSTEM, not simply tricking one person, but exploiting
    holes in the system that the person what was part of. If you can fairly reliably exploit the system, it's a hack in my opinion whether that's a TCP/IP system, a phone system, a traffic light control system, or system that includes both
    computers and human.

    However, see also the Jargon File for original meanings of the term:
    http://www.dourish.com/goodies/jargon.html
    http://www.outpost9.com/reference/jargon/jargon_23.html#SEC30