Slashdot Mirror


Hackers Compromise ICANN, Access Zone File Data System

Trailrunner7 writes with this news from ThreatPost: "Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names. The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started with a spear phishing campaign that targeted ICANN staffers, and the email credentials of several staff members were compromised. The attackers were then able to gain access to the Centralized Zone Data System, the system that allows people to manage zone files. The zone files contain quite a bit of valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers. ICANN officials said they are notifying any users whose zone data might have been compromised." (Here's ICANN's public note on the compromise.)


  1. So that's why Slashdot has been screwed up! by TWX · · Score: 4, Funny

    This explains a lot! We're not posting on the real Slashdot at all! We're on someone's bad copy! The entire "beta" thing was just a hijack attempt!

    --
    Do not look into laser with remaining eye.
    1. Re:So that's why Slashdot has been screwed up! by TWX · · Score: 1

      No dice, huh?

      --
      Do not look into laser with remaining eye.
    2. Re:So that's why Slashdot has been screwed up! by MobSwatter · · Score: 1

      Wasn't the RIAA exposed to have interest in attacking DNS? No doubt NSA has been in there a long time but this news is recent, nothing like a batch of movie industry lawyers putting off the fact that movie sales are down because they have only been producing sh!t for movies lately, so they are doing the only intelligent thing. Pass the buck, blame it on piracy. I for the life of me can't figure out why anyone would want to pirate this crap.

  2. fire them by Megor1 · · Score: 1, Insightful

    Any employee dumb enough to fall for a phish should be fired.

    --
    Everyone that disagrees with me is a paid shill
    1. Re:fire them by CaptainDork · · Score: 3, Insightful

      Any IT shop that ain't got the sense god gave a pissant to identify a phishing attack programmatically and shield employees who work on the INCOME side of the ledger, as opposed to IT, which is on the EXPENSE side, needs to be hit over the head with a wet squirrel and stuff.

      --
      It little behooves the best of us to comment on the rest of us.
    2. Re:fire them by NatasRevol · · Score: 1

      I'm not sure a wet squirrel would hurt much...

      --
      There are two types of people in the world: Those who crave closure
    3. Re:fire them by Mr D from 63 · · Score: 2, Insightful

      Any employee dumb enough to fall for a phish should be fired.

      I agree, when you work for ICANN or an organization of similar responsibility, there has to be some accountability at the employee level.

    4. Re:fire them by cyberchondriac · · Score: 4, Funny

      I think the squirrel would disagree..

      --
      Look back up at my post, now look back down, you're on the Internet. Now look back up. I'm a signature.
    5. Re:fire them by WaffleMonster · · Score: 3, Informative

      Any employee dumb enough to fall for a phish should be fired.

      The messages were *targeted* they appeared to come from real people within the company. If your PM sent you a word doc detailing a new project proposal and you opened it should YOU be fired?

      SMTP email is a failed experiment causing untold damage to millions of users around the world.

    6. Re:fire them by CaptainDork · · Score: 1

      When I was a young lad and Moby Dick was a minnow, my dad took me squirrel hunting up in the piney woods of Southeast Texas.

      When I shot a squirrel with my .410 shotgun, invariably the rodent would fall into a creek or nasty bog.

      Upon picking it up, the wet squirrel smelled and felt like a musty old mop.

      It wasn't a matter of pain. It was the disgusting smell and texture.

      --
      It little behooves the best of us to comment on the rest of us.
    7. Re:fire them by Archangel Michael · · Score: 3, Insightful

      If my PM sent me a word doc via email, especially if it was sensitive, I would fire the PM for incompetence. Files should be stored on servers where proper security can be enabled and monitored. Once a doc gets attached to email, you have lost all control over it.

      Document control systems need to be in place, and email is not a document control system.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    8. Re:fire them by CaptainDork · · Score: 1

      I didn't say, PAID on ... I said WORK on ...

      My coworkers and bosses work hard to maintain or increase the revenue stream.

      I'm always asking for money and those people have to swim a little harder to make up the difference.

      --
      It little behooves the best of us to comment on the rest of us.
    9. Re:fire them by omglolbah · · Score: 5, Interesting

      We have a document control system at work, it has grown to such a degree that adding a document is a 3 day process involving a document controller and various other tasks. If the document does not fit a corporate template it may get rejected.

      At that point people tend to go "fuck it" and just send around work copies until it is finalized and THEN go through the hassle.

      It is unfortunate, but I've seen it happen in two different companies so far... both multinational, both ignoring their own procedures for sensitive data.

    10. Re:fire them by sjames · · Score: 3, Insightful

      If anyone doesn't think IT is on the INCOME side, they should give the sales guys a pad and a pencil and shut down IT services for a week. Let's see how much INCOME they have then. Make that week during payroll and let's see what their INCOME looks like when nobody gets paid.

    11. Re: fire them by Anonymous Coward · · Score: 2, Interesting

      No, the GP is correct. Our head accountant recently received an email from our "CEO" telling her to wire some money for services our CEO has used. The perpetrators had done their research, right down to the actual full name of our real CEO and person responsible for the finances. Replies were sent to the Return-Path: header that is not in our domain. Were it not for the difference in email address scheme (first initial, all last name @ domain vs. full first name @ domain) and our existing offline, verbal confirmation for wire transfers exceeding a certain amount, our accountant would not have caught it.

      This is conducted all in standard email. No attachments. No fancy HTML.

    12. Re:fire them by Anonymous Coward · · Score: 1

      I wholly support this sentiment! Especially when Corporate Executives launch unknown attachments from unknown recipients causing a virus outbreak.

      I know what you're thinking: why didn't the Antivirus software catch it!?!? That's a damn good question Bob. Damn good question!

    13. Re:fire them by sjames · · Score: 1

      Put the Cheetos down so you can talk with your mouth instead of your butt.

      By that criterion, sales and marketing are also cost centers. It would be ever so much cheaper to do business if you could just ship product at random and actually get paid. But you can't, so you need sales and marketing. It would be nice if the building would clean itself so you could skip janitorial without swimming in trash and filth, but you can't.

      Everything is a cost and in a well run business, everything in some way contributes to income. Get over it. Trying to divide entire functions into income or expense just demonstrates an incomplete and fragmented understanding of the system.

    14. Re: fire them by networkzombie · · Score: 1

      Do you run your own SMTP server? No email with your FQDN should be accepted via the public incoming SMTP port; only the private encrypted SMTP port with AUTH should be used for MUAs and MTAs (message submission). Why would your server accept email from itself? Incoming SMTP ports should never accept email from its own domain. This way, if you get an email as you describe, you can verify that the account has been compromised.

    15. Re: fire them by Obfuscant · · Score: 2

      "Return-Path" is an SMTP header

      SMTP doesn't have headers. SMTP is a protocol for message transport.

      thus changing the "From:" envelope address.

      There is likewise no "From:" envelope address. There is an envelope-sender (the argument to the SMTP "MAIL FROM" command) which is often inserted into a "Return-Path" header in the message, and is used in the mailbox separator "From" line in mbox email storage.

      ... still can't stop phishers from forging the "From:" header, which is just part of the body of the e-mail.

      The "From:" header is a header, not something in the body of the message. As a header, it is subject to rewriting by transport agents.

      Unfortunately, the envelope address usually never gets to the MUA,

      The MUA has access to all headers in an email, including "Return-Path". It is usually never shown to the user, but a good MUA will have an option to show raw email, including headers. Why? For just this reason.

      If you use an MUA like Outlook that hides all the technical info, it's easy to be fooled.

      Well, there you go. I did say a GOOD MUA ...

      There are several issues at play here:

      1. Employees at a company that manages a huge part of the control of the Internet can't detect phishing email by looking at the address replies will go to.

      2. The email system at said company creates email replies based on information that is supposed to be used ONLY for the transport system to report delivery issues.

      3. The offline verification process intended to stop such fraud worked, which makes this a non-story from the beginning.

    16. Re:fire them by CaptainDork · · Score: 1

      Mod +1 if I could.

      --
      It little behooves the best of us to comment on the rest of us.
    17. Re:fire them by kmoser · · Score: 1

      If these messages appeared to come from real people within the company but really originated outside, they should have had spam filters in place to detect that. In either case, I'm going to go out on a limb and guess they're all running Windows.

  3. Shocked I am not by damn_registrars · · Score: 1

    ICANN is a bunch of incompetent greedy buffoons. I wouldn't expect them to be any more capable of resisting a phishing attack than the pointy-haired boss from Dilbert.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  4. Some people better be out of a job... by Anonymous Coward · · Score: 1

    ICANN is one of those places that are paid NOT to fuck up. Given that a phishing attack combined with a weeks to month long exploit time indicates a number of people weren't doing their job, followed best security practices, etc.

    Personally I am of the opinion that it is time for ICANN and the legacy DNS system to be obsoleted, all organizations related to it disbanded, and discussions begun on doing the same for IANA. The bureaucracy involved in each has been a tolerated evil on the internet since at least the 90s, but this latest failure just indicates that very little has been learned by the organizations in their 20+ year tenures.

    1. Re:Some people better be out of a job... by TWX · · Score: 4, Interesting

      And replace it with what, exactly?

      Seriously, how do you intend to manage all of the addressing, both the IP level and the human-readable level, without some form of central authority?

      --
      Do not look into laser with remaining eye.
    2. Re:Some people better be out of a job... by mmell · · Score: 4, Funny

      I'll bet he could tell you. He has written a hostfile manager that guards your home, brings you your slippers and makes your coffee in the morning.

    3. Re:Some people better be out of a job... by bmo · · Score: 1

      Peer Name Resolution.

      The problem is that it's patent encumbered, by Mickeysoft, so it's useless.

      There is also something called Hierarchical DHT-based name resolution.

      Abstract:

      Information-centric network (ICN) architectures are an increasingly important approach for the future Internet. Several ICN approaches are based on a flat object ID namespace and require some kind of global name resolution service to translate object IDs into network addresses. Building a world-wide NRS for a flat namespace with 10^16 expected IDs is challenging because of requirements such as scalability, low latency, efficient network utilization, and anycast routing that selects the most suitable copies. In this paper, we present a general hierarchical NRS framework for flat ID namespaces. The framework meets those requirements by the following properties: The registration and request forwarding matches the underlying network topology, exploits request locality, supports domain-specific copies of binding entries, can offer constant hop resolution (depending on the chosen underlying forwarding scheme), and provides scoping of publications. Our general NRS framework is flexible and supports different instantiations. These instantiations offer an important trade-off between resolution-domain (i.e. subsystem) autonomy (simplifying deployment) and reduced latency, maintenance overhead, and memory requirements. To evaluate this trade-off and explore the design space, we have designed two specific instantiations of our general NRS framework: MDHT and HSkip. We have performed a theoretical analysis and a simulation-based evaluation of both systems. In addition, we have published an implementation of the MDHT system as open source. Results indicate that an average request latency of (well) below 100ms is achievable in both systems for a global system with 12 million NRS nodes while meeting our other specific requirements. These results imply that a flat namespace can be adopted on a global scale, opening up several design alternatives for information-centric network architectures.

      http://dl.acm.org/citation.cfm...

      --
      BMO

    4. Re:Some people better be out of a job... by rdnetto · · Score: 1

      And replace it with what, exactly?

      Seriously, how do you intend to manage all of the addressing, both the IP level and the human-readable level, without some form of central authority?

      I've been playing around with some ideas lately on how to implement a decentralised DNS, and what it basically comes down to is how you resolve conflicts. e.g. Microsoft reserves www.microsoft.com, then I try to do so. Ideally, the order shouldn't affect the final result, because a first-come-first-serve system encourages squatting. Crypto-based systems also have to consider if the domain name can be reacquired if the private key is lost/stolen.
      Here's a quick summary of the different approaches:

      Traditional DNS: uses first-come-first-serve (FCFS) and conflicts are resolved through legal means (trademark law). Conflicts are resolved by the registrar - the second application is denied because the name is already in use. Centralized.

      mDNS: uses multicast, impractical for global usage. No conflict resolution. This is the only decentralized approach that doesn't involve a DHT.

      Microsoft PNRP: requires registrars which sign names to handle conflict resolution. (The unsecured variant has no conflict resolution.) Also requires IPv6, which is currently impractical.

      Namecoin (decentralized with FCFS): Conflict resolution is implemented algorithmically. There is a small (1 cent) cost associated with updates.

      Decentralized with voting: whichever resolvent the majority decide is official gets the domain name. Impractical, due to ease with which fake votes could be created. (Can be mitigated by making voting expensive - the bitcoin approach.)

      Decentralized with trust-on-first-use (TOFU): conflict resolution is implemented by the resolver. Where there is a unique resolvent, it is used and added to a list of trusted resolvents. Where there are multiple resolvents, and the name has not been resolved by the user previously, the client may check white/blacklists published by other clients whom they have previously marked as trusted. If unique resolution is still not possible, manual intervention is required.

      Currently I'm leaning towards the TOFU approach, since it's an extension of what's currently used for SSH clients. The only issue is that allowing multiple clients to resolve the same name differently borders on breaking the internet (see RFC 2826). However, it does have the nice property that it's the only decentralized system where a name-holder can have their private key seized by an attacker and still recover the domain name (by creating new keys and having people blacklist the old domain name in favour of them).

      If anyone has some ideas/suggestions on this, I'd love to hear them.

      --
      Most human behaviour can be explained in terms of identity.
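
One way to implement the trust-on-first-use resolver sketched in the post above, as an added example and not code from the poster or from any real project. It assumes that each resolvent carries a `key_id` (taken here to be a fingerprint of the holder's signing key, the signature check itself is left out), that the client already holds allow/deny lists published by peers it trusts, and that a pinned key which those peers blacklist is dropped so the legitimate holder can recover the name under a new key; all names, keys and addresses below are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Resolvent:
    """One claim that `name` maps to `address`, vouched for by holder key `key_id`.
    key_id is assumed to be a fingerprint of the holder's public key."""
    name: str
    key_id: str
    address: str


@dataclass
class TofuResolver:
    pins: dict = field(default_factory=dict)        # name -> key_id learned on first use
    peer_allow: dict = field(default_factory=dict)  # name -> {key_id} endorsed by trusted peers
    peer_deny: dict = field(default_factory=dict)   # name -> {key_id} blacklisted by trusted peers

    def resolve(self, name, candidates):
        """Return (address or None, how the decision was reached)."""
        cands = [c for c in candidates if c.name == name]
        if not cands:
            return None, "NXDOMAIN"
        deny = self.peer_deny.get(name, set())
        allow = self.peer_allow.get(name, set())

        pinned = self.pins.get(name)
        if pinned is not None and pinned in deny:
            # Key recovery: peers we trust have blacklisted the pinned key
            # (e.g. it was stolen), so forget the pin and re-decide below.
            del self.pins[name]
            pinned = None
        if pinned is not None:
            for c in cands:
                if c.key_id == pinned:
                    return c.address, "pinned"
            # The holder we pinned is absent; never switch silently.
            return None, "manual"

        # Never-seen name: drop blacklisted claimants, prefer endorsed ones.
        survivors = [c for c in cands if c.key_id not in deny]
        endorsed = [c for c in survivors if c.key_id in allow]
        pick = endorsed or survivors
        if len(pick) == 1:
            self.pins[name] = pick[0].key_id
            return pick[0].address, ("tofu" if len(cands) == 1 else "peers")
        return None, "manual"   # still ambiguous: ask the user


if __name__ == "__main__":
    # Constructed walk-through: first use, a squatter, then key recovery.
    r = TofuResolver()
    a = Resolvent("www.example", "keyA", "192.0.2.1")
    b = Resolvent("www.example", "keyB", "198.51.100.9")
    c = Resolvent("www.example", "keyC", "192.0.2.1")
    print(r.resolve("www.example", [a]))          # ('192.0.2.1', 'tofu')
    print(r.resolve("www.example", [a, b]))       # ('192.0.2.1', 'pinned')
    r.peer_deny["www.example"] = {"keyA"}         # keyA stolen, peers revoke it
    r.peer_allow["www.example"] = {"keyC"}        # and endorse the holder's new key
    print(r.resolve("www.example", [a, b, c]))    # ('192.0.2.1', 'peers')
```

The "manual" outcomes are where the RFC 2826 objection bites: two clients with different peers, or different histories, can legitimately end up with different answers for the same name.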
  5. DNSSEC by fph il quozientatore · · Score: 1

    So, I assume DNSSEC is -screwed- compromised already?

    --
    My first program:

    Hell Segmentation fault

    1. Re:DNSSEC by Ethanol · · Score: 2

      No. DNSSEC keys are stored in a vault and only brought out for signing ceremonies. As far as I can tell, bad guys will have gotten access to some potentially valuable identity information and passwords, and copies of TLD zone files; nothing related to DNSSEC.

    2. Re:DNSSEC by marka63 · · Score: 1

      For the root zone there is very little that is actually signed, as most of the root zone is delegating NS records (not signed; just their presence in the NSEC record is signed) and glue address records (not signed). If you can alter the root zone contents you can introduce new DS records matching DNSKEY records you control. These would then get signed, and if you can direct your targets to this alternate version of the TLD it will be accepted as valid. This will only work until the zone signing key is rolled, at which stage the DNSSEC validation chain will no longer work and you will need to go back and get the DS re-signed.

      Actually changing the root zone contents like this will almost certainly be caught, as it is a highly examined zone; in particular, people check DS/DNSKEY pairs looking for errors so they can be fixed quickly. Now if you can get someone to sign an isolated DS RRset that is not in the root zone but is for a TLD, then this could go undetected for longer, but that is a much harder problem than just changing the root zone contents. That still only has a limited lifetime, as the RRSIGs need to be refreshed.

      The signing ceremony is where the DNSKEY RRset is re-signed to introduce / remove zone signing keys. The private part of the zone signing key has to be available on a day to day basis for the normal day to day changes in the root zone. That said, the private part is still held in an HSM and the worst that can happen is that someone can get some data signed which can be used until the zone signing key is rolled.
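
The DS/DNSKEY pairing that the post above describes, and the check that zone watchers run over it, as an added example (not code from the poster, ICANN or any DNS software). A DS record in the parent commits to one child DNSKEY by key tag, algorithm and a digest over the owner name plus the DNSKEY RDATA (RFC 4034), so a DS that an attacker slipped into the root zone for their own key shows up as a DS with no matching published DNSKEY. The TLD name and both public keys below are constructed, not real keys.

```python
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form: lower case, length-prefixed labels,
    terminated by the empty root label (so "." becomes a single zero byte)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(owner name wire form || DNSKEY RDATA). Type 2 is SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).digest()


def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """What the parent would publish for this DNSKEY: (key tag, alg, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    return (key_tag(rdata), algorithm, digest_type,
            ds_digest(owner, rdata, digest_type).hex().upper())


def ds_matches(owner, ds, dnskey_rrset) -> bool:
    """True iff some DNSKEY in the child's RRset is the key this DS commits to.
    dnskey_rrset: iterable of (flags, protocol, algorithm, base64 public key)."""
    tag, alg, dtype, digest_hex = ds
    for flags, proto, kalg, b64 in dnskey_rrset:
        rdata = dnskey_rdata(flags, proto, kalg, base64.b64decode(b64))
        if (kalg == alg and key_tag(rdata) == tag
                and ds_digest(owner, rdata, dtype).hex().upper() == digest_hex.upper()):
            return True
    return False


def unmatched_ds(owner, ds_rrset, dnskey_rrset):
    """The monitoring check: every DS in the parent that no child DNSKEY explains.
    A non-empty result is either an operator error or an injected delegation."""
    return [ds for ds in ds_rrset if not ds_matches(owner, ds, dnskey_rrset)]


# Constructed TLD and keys (random-looking bytes, not real RSA keys). Flags 257 = KSK.
TLD = "example."
LEGIT_KEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(32))).decode()
ATTACKER_KEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(32, 64))).decode()
TLD_DNSKEYS = [(257, 3, 8, LEGIT_KEY)]

LEGIT_DS = make_ds(TLD, 257, 3, 8, LEGIT_KEY)
INJECTED_DS = make_ds(TLD, 257, 3, 8, ATTACKER_KEY)   # what the attacker would add to the root

if __name__ == "__main__":
    print("legit DS matches:", ds_matches(TLD, LEGIT_DS, TLD_DNSKEYS))          # True
    print("unexplained DS:", unmatched_ds(TLD, [LEGIT_DS, INJECTED_DS], TLD_DNSKEYS))
```

The injected DS is only useful to the attacker while they can also hand resolvers a TLD DNSKEY RRset containing `ATTACKER_KEY`; the root-zone monitor, comparing the root's DS set against the DNSKEYs the real TLD servers publish, flags it immediately.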

  6. Apparently I've been a hacker for years by kdub007 · · Score: 4, Insightful

    I've been able to get all of that info for 15 years using the apparently malicious tool, WHOIS. Now, if they were able to change that data, that's different, but according to this post, all the "hackers" got was publicly available information.

    --
    The correct answer is 42.
    1. Re:Apparently I've been a hacker for years by EndlessNameless · · Score: 1

      If you actually read the article, you would see that they had administrative access to the zone files. Which means they could have changed whatever they wanted. They also had access to usernames and passwords, so hopefully no one used the same credentials elsewhere.

      Get back to us when you pull that off with whois.

      --
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    2. Re:Apparently I've been a hacker for years by Cramer · · Score: 1

      Nope. Lame summary: The zone files contain quite a bit of valuable information... *Other* files with the CZDS held usernames and encrypted passwords. That is the only "valuable" non-public information.

  7. Is it old-fashioned of me to think.... by Glasswire · · Score: 2

    ... that administrative changes at this level should only be allowable from physical access to closed admin networks and the value of having staff be able to make changes in their PJs from some hotel room is overrated?

    1. Re:Is it old-fashioned of me to think.... by Xest · · Score: 1

      This was my first thought when I read about this yesterday too. Why oh why isn't such an important system air gapped from the rest of the general drones in ICANN's offices?

      I mean seriously? Can the fucking receptionist communicate directly with these core servers for example?

      I know it's hard for many IT workers, but sometimes you just need to get off your fat arse and walk over to the system you need to administer to maintain security. Anyone working somewhere important like ICANN that puts convenience of being able to remain on their arse over security needs to be fired. If they want a job where they can put convenience over security then they can go work in 99% of other organisations that don't need that level of security.

  8. somewhat. SPEAR phishing by raymorris · · Score: 2

    I partially agree, but remember this was SPEAR phishing. When you get an email from your boss, with your boss's normal signature, using terms and abbreviations that your company normally uses, your first thought probably isn't "is this a phish?"

    1. Re:somewhat. SPEAR phishing by RLaager · · Score: 1

      My SMTP server will not accept an email claiming to be from my boss* (in either the envelope or a From: header) unless it was sent by him using SMTP AUTH.

      * Or most of my users; this is our default, with an opt-out option.
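
The two checks that run through this thread, as an added example (not code from any poster or MTA): the inbound policy RLaager and networkzombie describe (mail claiming your own domain, in the envelope or the From: header, is refused unless it came in over SMTP AUTH from that user), and the lure the Anonymous Coward's accountant caught (an internal-looking From: whose Return-Path and Reply-To point outside the domain, exactly the envelope-versus-header distinction Obfuscant draws). It assumes the organisation's domain is `example.com` and, since it works on a stored message rather than a live SMTP session, reads the envelope sender from the Return-Path: header a receiving MTA writes from MAIL FROM; the three messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import Optional

# Assumption: the organisation's own mail domain.
OUR_DOMAIN = "example.com"


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_message(raw: bytes, authenticated_as: Optional[str] = None,
                  our_domain: str = OUR_DOMAIN) -> dict:
    """authenticated_as: the SMTP AUTH login on the submission port, or None for
    mail that arrived unauthenticated on the public port 25.  In a real MTA hook
    the envelope sender is the session's MAIL FROM argument; here we read the
    Return-Path: header that the receiving MTA wrote from it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hdr_from = parseaddr(str(msg.get("From", "")))[1].lower()
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()

    reject, flags = [], []

    # Rule 1: nobody outside may claim our domain, in header or envelope,
    # and an authenticated user may only send as the address they logged in as.
    if authenticated_as is None:
        for label, addr in (("From:", hdr_from), ("envelope sender", return_path)):
            if _domain(addr) == our_domain:
                reject.append(f"{label} claims {our_domain} on an unauthenticated connection")
    elif authenticated_as.lower() != hdr_from:
        reject.append(f"login {authenticated_as} does not own From: {hdr_from}")

    # Rule 2: replies or bounces that silently leave the From: domain.
    for label, addr in (("Reply-To:", reply_to), ("Return-Path:", return_path)):
        if addr and _domain(addr) != _domain(hdr_from):
            flags.append(f"{label} {addr} is outside From: domain {_domain(hdr_from)}")

    verdict = "REJECT" if reject else ("FLAG" if flags else "ACCEPT")
    return {"verdict": verdict, "reject": reject, "flags": flags,
            "from": hdr_from, "return_path": return_path, "reply_to": reply_to}


# Constructed sample 1: the wire-transfer lure as it arrived on port 25.
LURE = b"""Return-Path: <bounce@relay-hosting.test>
From: "Jane Doe" <jane.doe@example.com>
Reply-To: Jane Doe <jdoe@relay-hosting.test>
To: accounts@example.com
Subject: Wire transfer for consultancy invoice

Please send the payment today, I am in meetings all afternoon. Jane
"""

# Constructed sample 2: the same boss, sent by her through the submission port.
LEGIT = b"""From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Wire transfer for consultancy invoice

Confirmed by phone as per policy. Jane
"""

# Constructed sample 3: ordinary outside mail where all three addresses agree.
OUTSIDE = b"""Return-Path: <bob@supplier.test>
From: Bob <bob@supplier.test>
To: accounts@example.com
Subject: Invoice 1234

Attached as usual.
"""

if __name__ == "__main__":
    for name, raw, login in (("lure", LURE, None),
                             ("legit", LEGIT, "jane.doe@example.com"),
                             ("outside", OUTSIDE, None)):
        print(name, check_message(raw, authenticated_as=login)["verdict"])
```

Rule 1 is what stops the lure cold on a server like RLaager's; rule 2 is the fallback for mail that legitimately passes rule 1, and it is a flag rather than a rejection because mailing lists and ticketing systems set Reply-To across domains all day. Neither replaces the offline, verbal confirmation the accountant's shop already had.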

  9. Let me be the first to say that by organgtool · · Score: 4, Funny

    This never would have happened if there was an air gap between the DNS servers and the internet.

  10. CZDS isn't about managing zone files by MrCawfee · · Score: 4, Informative

    ...it is about publishing them. You can request a free account and download the current zone file for the root dns.

    Verisign also provides this service for free for .COM and .NET, CZDS is just a centralized place so you can get the zones for all the new gTLDs without requesting accounts at 500 registries.

    This hack, while bad, doesn't directly affect the root dns system.

  11. The bad puns... by Arterion · · Score: 1

    I know this it totally off-topic and may hurt my karma, but ICANN not resist the temptation. I just don't have the resolve. I'm phishing for puns. What's your best ICANN pun?

    --
    "That which does not kill us makes us stranger." -Trevor Goodchild
  12. Who are you? by mmell · · Score: 1

    (N/T)

  13. Why, thank you! by mmell · · Score: 2

    Coming from you Al, that's a compliment!

  14. Re: "He" has (what about YOU off-topic troll?) by Redmancometh · · Score: 1

    You're an idiot.

  15. If it ever happens, I'll let you know. by mmell · · Score: 1

    N/T