Hackers Compromise ICANN, Access Zone File Data System 110
Trailrunner7 writes with this news from ThreatPost: Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names. The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started with a spear phishing campaign that targeted ICANN staffers and the email credentials of several staff members were compromised. The attackers then were able to gain access to the Centralized Zone Data System, the system that allows people to manage zone files. The zone files contain quite bit of valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers. ICANN officials said they are notifying any users whose zone data might have been compromised." (Here's ICANN's public note on the compromise.)
So that's why Slashdot has been screwed up! (Score:5, Funny)
Re: (Score:2)
Re: (Score:1)
Wasn't the RIAA exposed to have interest in attacking DNS? No doubt NSA has been in there a long time but this news is recent, nothing like a batch of movie industry lawyers putting off the fact that movie sales are down because they have only been producing sh!t for movies lately, so they are doing the only intelligent thing. Pass the buck, blame it on piracy. I for the life of me can't figure out why anyone would want to pirate this crap.
fire them (Score:2, Insightful)
Re:fire them (Score:4, Insightful)
Any IT shop that ain't got the sense god gave a pissant to identify a phishing attack programmatically and shield employees who work on the INCOME side of the ledger, as opposed to IT, which is on the EXPENSE side, needs to be hit over the head with a wet squirrel and stuff.
Re: (Score:2)
I'm not sure a wet squirrel would hurt much...
Re:fire them (Score:5, Funny)
Re: (Score:2)
When I was a young lad and Moby Dick was a minnow, my dad took me squirrel hunting up in the piney woods of Southeast Texas.
When I shot a squirrel with my .410 shotgun, invariably the rodent would fall into a creek or nasty bog.
Upon picking it up, the wet squirrel smelled and felt like a musty old mop.
It wasn't a matter of pain. It was the disgusting smell and texture.
Re: (Score:2)
I didn't say, PAID on ... I said WORK on ...
My coworkers and bosses work hard to maintain or increase the revenue stream.
I'm always asking for money and those people have to swim a little harder to make up the difference.
Re:fire them (Score:4, Insightful)
If anyone doesn't think IT is on the INCOME side, they should give the sales guys a pad and a pencil and shut down IT services for a week. Let's see how much INCOME they have then. Make that week during payroll and lets see what their INCOME looks like when nobody gets paid.
Re: (Score:2)
Put the cheetoes down so you can talk with your mouth instead of your butt.
By that criterion, sales and marketing are also cost centers. It would be ever so much cheaper to do business if you could just ship product at random and actually get paid. Buty you can't, so you need sales and marketing. It would be nice if the building would clean itself so you could skip janitorial without swimming in trash and filth but you can't.
Everything is a cost and in a well run business, everything in some way contributes
Re: (Score:2)
Mod +1 if I could.
Re: (Score:3, Insightful)
Any employee dumb enough to fall for a phish should be fired.
I agree, when you work for ICANN or an organization of similar responsibility, there has to be some accountability at the employee level.
Re:fire them (Score:4, Informative)
Any employee dumb enough to fall for a phish should be fired.
The messages were *targeted* they appeared to come from real people within the company. If your PM sent you a word doc detailing a new project proposal and you opened it should YOU be fired?
SMTP email is a failed experiment causing untold damage to millions of users around the world.
Re:fire them (Score:4, Insightful)
If my PM sent me a word doc via email, especially if it was sensitive, I would fire the PM for incompetence. Files should be stored on servers where proper security can be enabled and monitored. Once a doc gets attached to email, you have lost all control over it.
Document control systems need to be in place, and email is not a document control system.
Re:fire them (Score:5, Interesting)
We have a document control system at work, it has grown to such a degree that adding a document is a 3 day process involving a document controller and various other tasks. If the document does not fit a corporate template it may get rejected.
At that point people tend to go "fuck it" and just send around work copies until it is finalized and THEN go through the hassle.
It is unfortunate, but I've seen it happen in two different companies so far... both multinational, both ignoring their own procedures for sensitive data.
Re: (Score:2, Interesting)
No, the GP is correct. Our head accountant recently received an email from our "CEO" telling her to wire some money for services our CEO has used. The perpetrators had done their research, right down to the actual full name of our real CEO and person responsible for the finances. Replies were sent to the Return-Path: header that is not in our domain. Were it not for the difference in email address scheme (first initial, all last name @ domain vs. full first name @ domain) and our existing offline, verbal co
Re: (Score:2)
Re: (Score:1)
Incoming SMTP ports should never accept email from it's own domain.
As you can see from his post, his server did not accept an e-mail "from it's own domain":
Replies were sent to the Return-Path: header that is not in our domain.
"Return-Path" is an SMTP header generated by the MTA based on the what it received in the envelope. It's generally only created by an intermediate internal server that forwarded e-mail, thus changing the "From:" envelope address.
And, even a perfectly configured MTA that rejects any "From:" envelope address that is in a domain for which the MTA is an MX still can't stop phishers from forging the "From:" header, which is
Re: (Score:3)
"Return-Path" is an SMTP header
SMTP doesn't have headers. SMTP is a protocol for message transport.
thus changing the "From:" envelope address.
There is likewise no "From:" envelope address. There is an envelope-sender (the argument to the SMTP "MAIL FROM" command) which is often inserted into a "Return-Path" header in the message, and is used in the mailbox separator "From" line in mbox email storage.
... still can't stop phishers from forging the "From:" header, which is just part of the body of the e-mail.
The "From:" header is a header, not something in the body of the message. As a header, it is subject to rewriting by transport agents.
Unfortunately, the envelope address usually never gets to the MUA,
The MUA has access to all headers in an ema
Re: (Score:1)
somewhat. SPEAR phishing (Score:3)
I partially agree, but remeber this was SPEAR phishing. When you get an email from your boss, with your boss's normal signature, using terms and abbreviations that your company normally uses, your first thought probably isn't "is this a phish?"
Re: (Score:1)
My SMTP server will not accept an email claiming to be from my boss* (in either the envelope or a From: header) unless it was sent by him using SMTP AUTH.
* Or most of my users; this is our default, with an opt-out option.
Re: (Score:1)
I wholly support this sentiment! Especially when Corporate Executives launch unknown attachments from unknown recipients causing a virus outbreak.
I know what you're thinking: why didn't the Antivirus software catch it!?!? That's a damn good question Bob. Damn good question!
Shocked I am not (Score:2)
Some people better be out of a job... (Score:1)
ICANN is one of those places that are paid NOT to fuck up. Given that a phishing attack combined with a weeks to month long exploit time indicates a number of people weren't doing their job, followed best security practices, etc.
Personally I am of the opinion that it is time for ICANN and the legacy DNS system to be obsoleted, all organizations related to it disbanded, and discusisons begun on doing the same for IANA. The bureacracy involved in each has been a tolerated evil on the internet since at least t
Re:Some people better be out of a job... (Score:5, Interesting)
Seriously, how do you intend to manage all of the addressing, both the IP level and the human-readable level, without some form of central authority?
Re:Some people better be out of a job... (Score:5, Funny)
Why, thank you! (Score:3)
If it ever happens, I'll let you know. (Score:2)
Who are you? (Score:2)
Re: "He" has (what about YOU off-topic troll?) (Score:2)
You're an idiot.
Re: (Score:2)
Peer Name Resolution.
The problem is that it's patent encumbered, by Mickeysoft, so it's useless.
There is also something called Hierarchical DHT-based name resolution.
Abstract:
Information-centric network (ICN) architectures are an increasingly important approach for the future Internet. Several ICN approaches are based on a flat object ID namespace and require some kind of global name resolution service to translate object IDs into network addresses. Building a world-wide NRS for a flat namespace with 10^1^6
Re: (Score:2)
And replace it with what, exactly?
Seriously, how do you intend to manage all of the addressing, both the IP level and the human-readable level, without some form of central authority?
I've been playing around with some ideas lately on how to implement a decentralised DNS, and what it basically comes down to is how you resolve conflicts. e.g. Microsoft reserves www.microsoft.com, then I try to do so. Ideally, the order shouldn't affect the final result, because a first-come-first-server system encourages squatting. Crypto-based systems also have to consider if the domain name can be reacquired if the private key is lost/stolen.
Here's a quick summary of the different approaches:
Traditional
DNSSEC (Score:2)
Re: (Score:3)
No. DNSSEC keys are in stored in a vault and only brought out for signing ceremonies. As far as I can tell, bad guys will have gotten access to some potentially valuable identity information and passwords, and copies of TLD zone files; nothing related to DNSSEC.
Re: (Score:2)
For the root zone there is very little that is actually signed as most of the root zone is delegating NS records (not signed just their presence in the NSEC record is signed) and glue address records (not signed). If you can alter the root zone contents you can introduce new DS records matching DNSKEY records you control. These would then get signed and if you can direct your targets to this alternate version of the TLD it will be accepted as valid. This will only work until the zone signing key is roll
Apparently I've been a hacker for years (Score:4, Insightful)
Re: (Score:2)
If you actually read the article, you would see that they had administrative access to the zone files. Which means they could have changed whatever they wanted. They also had access to usernames and passwords, so hopefully no one used the same credentials elsewhere.
Get back to us when you pull that off with whois.
Re: (Score:1)
Nope. Lame summary: The zone files contain quite bit of valuable information... *Other* files with the CZDS held usernames and encrypted passwords. That is the only "valuable" non-public information.
Is it old-fashioned of me to think.... (Score:3)
... that administrative changes at this level should only be allowable from physical access to closed admin networks and the value of having staff be able to make changes in their PJs from some hotel room is overrated?
Re: (Score:2)
This was my first thought when I read about this yesterday too. Why oh why isn't such an important system air gapped from the rest of the general drones in ICANN's offices?
I mean seriously? Can the fucking receptionist communicate directly with these core servers for example?
I know it's hard for many IT workers, but sometimes you just need to get off your fat arse and walk over to the system you need to administer to maintain security. Anyone working somewhere important like ICANN that puts convenience of b
Let me be the first to say that (Score:5, Funny)
CZDS isn't about managing zone files (Score:5, Informative)
...it is about publishing them. You can request a free account and download the current zone file for the root dns.
Verisign also provides this service for free for .COM and .NET, CZDS is just a centralized place so you can get the zones for all the new gTLDs without requesting accounts at 500 registries.
This hack, while bad, doesn't directly affect the root dns system.
The bad puns... (Score:2)
I know this it totally off-topic and may hurt my karma, but ICANN not resist the temptation. I just don't have the resolve. I'm phishing for puns. What's your best ICANN pun?