Google.com.pk and 284 Other .PK Domains Hacked

ryzvonusef writes with news that hackers have taken down the local Pakistan versions of many popular websites, including google.com.pk, apple.pk, microsoft.pk and yahoo.pk. 284 sites were affected in total. Many of the sites were defaced, and a group called Eboz is taking credit for the hack. According to TechCrunch, "The root of today’s attack, it seems, came via a breach of Pakistan’s TLD operator, PKNIC, which administers and registers all .pk domains. Looking at affected organizations via PKNIC’s look up, it appears that all the sites are now redirecting to two nameservers, dns1.freehostia.com and dns2.freehostia.com."

Difference?

[thej1nx]

And here I thought the Pakistani courts and religious leaders kept passing orders anyways to censor domains, based on hearsay about "immoral stuff" to be found on them . Doubt poor pakistani netizens could tell the difference here.

Its the TLD that was hacked

[Anonymous Coward]

Blame the TLD operators, dont name google,etc who had no role in the hack

Re:

[Anonymous Coward]

Blame the TLD operators, dont name google,etc who had no role in the hack

Sounds like an inside job to me. How many of the 284 sites belonged to non-Pakistani companies? Probably all of them.

Re:

[thetoadwarrior]

It's not that unbelievable that someone would hack in to take it out against US companies given there probably are a lot of people there that aren't happy with the US. Since they may view their government as being too friendly with the US and giving up their people to a country that doesn't have the greatest record of treating its prisoners well.

Re:Its the TLD that was hacked

[Runaway1956]

I was sitting here scratching my head, wondering why all those sites were hosted by the same servers.

Re:

[camcorder]

So in the first place, they wouldn't have registered those domains if they didn't trust on an operator. If someone hacked google and this way hacked my box, I can't blame Google for my losses right? I'm hacked, and my security hole is Google. So it's Google, Apple etc. hacked because their security hole is their domain operators. Google and most of the big web services, try to look local with local domains, translations, on the other hand they pay zero taxes to those governments, so it's also their mistake

Taken down and defaced?

[Anonymous Coward]

I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

Re:Taken down and defaced?

[ark1]

I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

From the end user perspective, site may appear as defaced but the actual web page at {Google, MS,....} is not defaced.

PKNIC unable to respond, PR team in picknick.

[Anonymous Coward]

PKNIC unable to respond, PR team in picknick.

Re:

[maxwell demon]

Well, if the support is via some .pk email address, any mails to support might also not reach their intended destination ...

Re:PKNIC unable to respond, PR team in picknick.

[History's Coming To]

Problem in Karachi Not In Computer?

One might say...

[philip.paradis]

One might say the entire TLD is PhuKed. The teachable moment here is that security rolls downhill, and depending on any single layer of public infrastructure, at least for authentication of who you're talking to without giving serious consideration to cryptographic concerns, is asking for trouble. This is still something that the world is failing at on, well, a global scale.

Well, that and taking perimeter security seriously in terms of access to critical components, and having short order failover to components with completely different codebases ready to roll into production for select services in the event of something nasty happening. These days, virtualization on multiple platforms running in parallel makes that easier, although it does have the effect of acting as a cost multiplier (sliding scale factor-wise) depending on what you're trying to make as bulletproof as possible.

TLDR = Security is hard. Be prepared to be compromised. Have alternate plans in place that assume at least one $major_thing is already silently compromised. Yeah, it's tough. Life is tough.

Re:One might say...

[heypete]

I'd imagine the NIC could simply revert to a backup of their TLD zone and undo the changes -- the zone itself isn't infected and in need of purging, though the systems that can write to it may well be. I would hope that a NIC managing a national-level TLD has backups.

That said, how could any entity that relies on DNS have alternate plans to deal with this sort of thing? Its one thing to have off-site nameservers on a different network to provide some degree of fault tolerance for your own domain, but it's another thing if the TLD itself gets hosed and bad guys modify the zone to point at different nameservers. As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

I hope this incident serves as a wakeup call for TLD owners everywhere so they can review their security policies.

Re:

[drinkypoo]

As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

You will need additional names under other TLDs, and to advertise them to your users ahead of time. One common way to accomplish this to do it how google does it; no, not to have massive clusters everywhere, but to have multiple international domain names. If your site is translated, they can default to various languages, but all should permit selecting all languages without redirection to another domain.

Re:

[heypete]

Sure, one could have different TLD variants (e.g. example.com/net/org/us/co.uk/etc.), but that isn't terribly useful in terms of continuing to offer service in the event of a TLD compromise: if the registry for your main domain gets borked some users may try a different TLD but most will simply give up -- how many people would try accessing Google under a different ccTLD? Same thing with email: if you have email at your domain and the TLD is hosed then emails can't automatically pick another TLD and try aga

DNSSec

[magamiako1]

Could have solved this issue. Assuming keys wouldn't have been compromised in the process.

Re:

[Anonymous Coward]

Well now that really depends doesn't it? Since the actual registrar was compromised, it could easily have been the machine that holds the key that they got into. In which case DNSSec bought squat. Depends on the attack.

Re:

[GreyFish]

No it wouldn't of done - if you hack the registrar you can change the ds records as well as the ns records. dnssec makes no difference in this case. browser side certificate pinning and forcing sites to be https only would help - then the attackers wouldn't be able to set up fake sites. The real sites would still be broken tho!

Re:

[magamiako1]

Actually, it would have--but only if the .pk private keys were not compromised in the process. Also, a quick change of keys in the root zone for .pk's DS keys would have invalidated the previous keys, resulting in the compromised keys being invalidated globally.

Whether or not the process exists to remove DS records quickly from the root zone, however, I'm not sure--I don't manage TLDs...

In other news sensationalism at an all time high

[Anonymous Coward]

"Oh we don't really have a story if we say the .pk TLD had a compromise of sorts that affected 284 domains. What big names were affected so we can put them in the headline?"

Took them long enough

[LordDfg]

It's not secret Pakistan infrastructure isn't secure as it should be, I am actually quite surprised not one targeted Pakistan before. I guess it wasn't a good idea to attack Israel but in this case it was just old champ saying hi,

hack Pakistan’s TLD operator, PKNIC...

[submit your site]

O my god. how can possible it. hack google.com.pk, apple.pk, microsoft.pk and yahoo.pk with many domain. this domain top TLD & top label domain. it is very bad for all.

In Ireland Google.ie and yahoo.ie were also hacked

[Korth]

A similar thing happened in Ireland earlier this month due to a vulnerability in Joomla! http://www.iedr.ie/docs/IEDR_Statement_F_issued_9_November_2012.pdf [www.iedr.ie]

Freehostia

[TheStonepedo]

Would blocking port 53 by default on free subdomains prevent such hijacking?
I cannot think of a legitimate reason one would need a free DNS server beyond those that already exist with stated goals of minimizing/preventing DNS-based censorship.

Re:

[DamonHD]

Are you saying people like me that have always hosted their own DNS, since the Internet became available to us (~1992 here), should now have to stop doing so?

Rgds

Damon

Re:

[TheStonepedo]

Let's pretend for the sake of argument you are one of the good guys - I believe you, but how can an even-less-technical user be sure?
Could something be done during routing traffic in the internet at large to block port 53 for an IP address or a range of IP addresses when there is reason to believe malicious redirection is occurring?
Is protecting a mostly-non-technical majority from falling for DNS-based bait-and-switch tricks worth having to appeal an occasional false positive?

Outside of the scope of TFS:
Wh

Re:

[DamonHD]

My DNS is often colocated with my Web sites and other services that it supports: forcing me to separate them would add nothing to end-user security in reaching me, and would likely lower reliability and increase costs.

Specialised and high-volume sites will also want to do things such as geo- and load- sensitive DNS and constraining innovation in that area by constraining DNS providers is unlikely to be helpful for the end user (ie would result in slower and less reliable service).

Entire IP addresses can be

Hmm.

[Meski]

And the world at large complained when they fixed it.