DHS Issues Security Alert About Recent DNS Hijacking Attacks

The U.S. Department of Homeland Security has published today an "emergency directive" that contains guidance in regards to a recent report detailing a wave of DNS hijacking incidents perpetrated out of Iran. ZDNet reports: The emergency directive [1, 2] orders government agencies to audit DNS records for unauthorized edits, change passwords, and enable multi-factor authentication for all accounts through which DNS records can be managed. The DHS documents also urges government IT personnel to monitor Certificate Transparency (CT) logs for newly-issued TLS certificates that have been issued for government domains, but which have not been requested by government workers.

The emergency directive comes after last week, the DHS issued an alert about ongoing DNS hijacking attacks through its US-CERT division. The DHS US-CERT alert was based on a report published last week by U.S. cyber-security firm FireEye. The now infamous report detailed a coordinated hacking campaign during which a cyber-espionage group believed to operate out of Iran had manipulated DNS records for the domains of private companies and government agencies. The purpose of these DNS hijacks was to redirect web traffic meant for companies and agencies' internal email servers towards malicious clones, where the Iranian hackers would record login credentials.

Build That Firewall

Build that firewall and make Iran pay for it!

Re: Build That Firewall

[ALB1]

But they have nukes too...

At least the lights are on somewhere

[jimbrooking]

DHS people still working as essential workers through the shutdown. Uncommon sense! Maybe we should take up a collection and send them a pizza.

Re:At least the lights are on somewhere

[rtb61]

The DHS has no choice but to work, otherwise when they are doing nothing, everyone would realise that is pretty much what they do, nothing, apart from spying on their own, the DHS, brownshirts in waiting. Doing something is hardly sending out propaganda alerts, making claims about IP addresses as if they reflect reality. Take the wild illogic, ohh look, DNS redirected, by the IP, addresses, but wait if you can so readily alter DNS, why are IP addresses so secure, wait they are less secure, interesting. You can not really, logically claim successful DNS attacks launched by equally insecure IP addresses, hack one and the other can be hacked and hence, they own claim of the attack source is refuted by the very nature of the successful attack, oh but if it a Russian, Chinese of Iranian IP address, than it is always Russian, Chinese or Iranian intelligence services.

Embarrasing nonsense

[WaffleMonster]

The only problem of import is ability for attackers to record login credentials due to continued use of insecure authentication algorithms.

What should be an obvious basic fact known to all I'm 100% certain will be totally lost on whoever is not furloughed and responsible for these systems.

DNS is the problem. Yes insecure DNS providing insecure pointers to insecure network addresses is the problem. It's all DNS... lock that shit down or a disaster will occur. Yep we're all really THAT stupid.

Personally I blame browser vendors for their persistent refusal to support secure authentication algorithms.

It's normally horses, not zebras

[raymorris]

When you turn on the football game and see an NFL quarterback who looks just like Tom Brady, 99.99% of the time, it's Tom Brady.

Those of us who work in network security day after day, year after year, get to know the other people involved, including the opposition. I can often spot a root kit hidden on a Linux server within seconds of logging in. In those first few seconds I haven't absolutely proved it. I still have to confirm the root kit, but so far I've never been wrong when I spotted the clues. Not because I'm genius, but because after 20 years you get to know your job. Just like the auto mechanic with 20 years of experience can hear your spark plug missing as you drive up to the shop.

In medicine they say "when you hear hoofbeats in the night, look for horses - not zebras." Theoretically, what appears to be Tom Brady playing in the championship game could actually be John Elway come out of retirement wearing a Ton Brady mask. That's physically possible. But you know what, Tom Brady played in the AFC championship yesterday, it wasn't Elway in a mask.

You can't prove it was really Tom Brady in the game yesterday, and I can't prove it was really Iran. But it was Brady, and it was Iran. They are both pretty easy to recognize if you know what you're looking for.