Hackers Compromise ICANN, Access Zone File Data System

Trailrunner7 writes with this news from ThreatPost: "Unknown hackers were able to compromise vital systems belonging to ICANN, the organization that manages the global top-level domain system, and had access to the system that manages the files with data on resolving specific domain names. The attack apparently took place in November and ICANN officials discovered it earlier this month. The intrusion started with a spear phishing campaign that targeted ICANN staffers and the email credentials of several staff members were compromised. The attackers then were able to gain access to the Centralized Zone Data System, the system that allows people to manage zone files. The zone files contain quite a bit of valuable information, including domain names, the name server names associated with those domains and the IP addresses for the name servers. ICANN officials said they are notifying any users whose zone data might have been compromised." (Here's ICANN's public note on the compromise.)
  • by TWX ( 665546 ) on Thursday December 18, 2014 @11:57AM (#48625963)
    This explains a lot! We're not posting on the real Slashdot at all! We're on someone's bad copy! The entire "beta" thing was just a hijack attempt!
  • fire them (Score:2, Insightful)

    by Megor1 ( 621918 )
    Any employee dumb enough to fall for a phish should be fired.
    • Re:fire them (Score:4, Insightful)

      by CaptainDork ( 3678879 ) on Thursday December 18, 2014 @12:04PM (#48626041)

      Any IT shop that ain't got the sense god gave a pissant to identify a phishing attack programmatically and shield employees who work on the INCOME side of the ledger, as opposed to IT, which is on the EXPENSE side, needs to be hit over the head with a wet squirrel and stuff.

      • I'm not sure a wet squirrel would hurt much...

      • Re:fire them (Score:4, Insightful)

        by sjames ( 1099 ) on Thursday December 18, 2014 @01:29PM (#48626915) Homepage Journal

        If anyone doesn't think IT is on the INCOME side, they should give the sales guys a pad and a pencil and shut down IT services for a week. Let's see how much INCOME they have then. Make that week during payroll and let's see what their INCOME looks like when nobody gets paid.

    • Re: (Score:3, Insightful)

      Any employee dumb enough to fall for a phish should be fired.

      I agree, when you work for ICANN or an organization of similar responsibility, there has to be some accountability at the employee level.

    • Re:fire them (Score:4, Informative)

      by WaffleMonster ( 969671 ) on Thursday December 18, 2014 @12:44PM (#48626505)

      Any employee dumb enough to fall for a phish should be fired.

      The messages were *targeted* they appeared to come from real people within the company. If your PM sent you a word doc detailing a new project proposal and you opened it should YOU be fired?

      SMTP email is a failed experiment causing untold damage to millions of users around the world.

      • Re:fire them (Score:4, Insightful)

        by Archangel Michael ( 180766 ) on Thursday December 18, 2014 @12:59PM (#48626661) Journal

        If my PM sent me a word doc via email, especially if it was sensitive, I would fire the PM for incompetence. Files should be stored on servers where proper security can be enabled and monitored. Once a doc gets attached to email, you have lost all control over it.

        Document control systems need to be in place, and email is not a document control system.

        • Re:fire them (Score:5, Interesting)

          by omglolbah ( 731566 ) on Thursday December 18, 2014 @01:15PM (#48626803)

          We have a document control system at work, it has grown to such a degree that adding a document is a 3 day process involving a document controller and various other tasks. If the document does not fit a corporate template it may get rejected.

          At that point people tend to go "fuck it" and just send around work copies until it is finalized and THEN go through the hassle.

          It is unfortunate, but I've seen it happen in two different companies so far... both multinational, both ignoring their own procedures for sensitive data.

      • by kmoser ( 1469707 )
        If these messages appeared to come from real people within the company but really originated outside, they should have had spam filters in place to detect that. In either case, I'm going to go out on a limb and guess they're all running Windows.
    • I partially agree, but remember this was SPEAR phishing. When you get an email from your boss, with your boss's normal signature, using terms and abbreviations that your company normally uses, your first thought probably isn't "is this a phish?"

      • by RLaager ( 200280 )

        My SMTP server will not accept an email claiming to be from my boss* (in either the envelope or a From: header) unless it was sent by him using SMTP AUTH.

        * Or most of my users; this is our default, with an opt-out option.
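        The policy RLaager describes (a protected internal address may only be used by the account that owns it, and only over an authenticated session, with everything else left open as the opt-out) can be expressed in Postfix as follows. This is an added example, not RLaager's configuration; the addresses and logins are invented, and it covers the envelope sender only, since the From: header check mentioned in the post needs a milter or header check that is not shown here.

```conf
# /etc/postfix/main.cf (excerpt)
smtpd_sasl_auth_enable = yes

# Table mapping each protected sender address to the SASL login(s) that own it.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# reject_sender_login_mismatch rejects MAIL FROM <address> when the table names
# an owner for that address and the client is not logged in as that owner.
smtpd_sender_restrictions =
    reject_sender_login_mismatch
    permit_sasl_authenticated

# /etc/postfix/sender_login (invented entries; run "postmap" on it after editing)
# Addresses listed here are protected; addresses left out are the opt-out,
# because the table names no owner for them.
boss@example.com     boss
alice@example.com    alice
```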

    • by Anonymous Coward

      I wholly support this sentiment! Especially when Corporate Executives launch unknown attachments from unknown recipients causing a virus outbreak.

      I know what you're thinking: why didn't the Antivirus software catch it!?!? That's a damn good question Bob. Damn good question!

  • ICANN is a bunch of incompetent greedy buffoons. I wouldn't expect them to be any more capable of resisting a phishing attack than the pointy-haired boss from Dilbert.
  • by Anonymous Coward

    ICANN is one of those places that are paid NOT to fuck up. Given that, a phishing attack combined with a weeks- to month-long exploit time indicates a number of people weren't doing their jobs, following best security practices, etc.

    Personally I am of the opinion that it is time for ICANN and the legacy DNS system to be obsoleted, all organizations related to it disbanded, and discussions begun on doing the same for IANA. The bureaucracy involved in each has been a tolerated evil on the internet since at least t

    • by TWX ( 665546 ) on Thursday December 18, 2014 @12:10PM (#48626113)
      And replace it with what, exactly?

      Seriously, how do you intend to manage all of the addressing, both the IP level and the human-readable level, without some form of central authority?
      • by mmell ( 832646 ) on Thursday December 18, 2014 @12:16PM (#48626175)
        I'll bet he could tell you. He has written a hostfile manager that guards your home, brings you your slippers and makes your coffee in the morning.
      • by bmo ( 77928 )

        Peer Name Resolution.

        The problem is that it's patent encumbered, by Mickeysoft, so it's useless.

        There is also something called Hierarchical DHT-based name resolution.


        Information-centric network (ICN) architectures are an increasingly important approach for the future Internet. Several ICN approaches are based on a flat object ID namespace and require some kind of global name resolution service to translate object IDs into network addresses. Building a world-wide NRS for a flat namespace with 10^16

      • by rdnetto ( 955205 )

        And replace it with what, exactly?

        Seriously, how do you intend to manage all of the addressing, both the IP level and the human-readable level, without some form of central authority?

        I've been playing around with some ideas lately on how to implement a decentralised DNS, and what it basically comes down to is how you resolve conflicts. e.g. Microsoft reserves, then I try to do so. Ideally, the order shouldn't affect the final result, because a first-come-first-served system encourages squatting. Crypto-based systems also have to consider if the domain name can be reacquired if the private key is lost/stolen.
        Here's a quick summary of the different approaches:


  • So, I assume DNSSEC is ~~screwed~~ compromised already?
    • by Ethanol ( 176321 )

      No. DNSSEC keys are stored in a vault and only brought out for signing ceremonies. As far as I can tell, bad guys will have gotten access to some potentially valuable identity information and passwords, and copies of TLD zone files; nothing related to DNSSEC.

    • For the root zone there is very little that is actually signed, as most of the root zone is delegating NS records (not signed; just their presence in the NSEC record is signed) and glue address records (not signed). If you can alter the root zone contents you can introduce new DS records matching DNSKEY records you control. These would then get signed, and if you can direct your targets to this alternate version of the TLD it will be accepted as valid. This will only work until the zone signing key is roll
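      The post above points out that a DS record slipped into the parent zone is accepted as long as it matches some DNSKEY, so the defensive check a TLD operator wants is to recompute the DS digests (RFC 4034, SHA-256 digest type 2) from the KSKs it actually holds and flag any DS the parent publishes that matches none of them. This is an added example, not code from the post or from ICANN; the zone name and key bytes are constructed sample data.

```python
import base64
import hashlib
import struct

# Constructed sample data: a pretend TLD and a pretend KSK public key.
ZONE = "example."
SAMPLE_PUB = base64.b64encode(bytes(range(64))).decode()

def wire_name(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [lbl for lbl in name.strip(".").lower().split(".") if lbl]
    out = b""
    for label in labels:
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, raw public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (an identifier, not a cryptographic check)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, algorithm, pubkey_b64):
    """DS tuple (key tag, algorithm, digest type 2, hex digest) for one DNSKEY.
    The digest input is the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def unexpected_ds(owner, parent_ds, our_keys):
    """DS records published at the parent that match none of our DNSKEYs.
    our_keys: iterable of (flags, algorithm, pubkey_b64). Any hit means the
    parent's delegation data differs from what we expect and needs investigation."""
    expected = {ds_from_dnskey(owner, *key) for key in our_keys}
    return [ds for ds in parent_ds if ds not in expected]

if __name__ == "__main__":
    ours = [(257, 13, SAMPLE_PUB)]  # one KSK we hold (constructed)
    # What the parent publishes: our real DS plus one constructed rogue entry.
    published = [ds_from_dnskey(ZONE, *ours[0]), (4242, 13, 2, "AB" * 32)]
    print(unexpected_ds(ZONE, published, ours))  # only the rogue entry
```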

  • by kdub007 ( 3899329 ) on Thursday December 18, 2014 @12:10PM (#48626109) Homepage
    I've been able to get all of that info for 15 years using the apparently malicious tool, WHOIS. Now, if they were able to change that data, that's different, but according to this post, all the "hackers" got was publicly available information.
    • If you actually read the article, you would see that they had administrative access to the zone files. Which means they could have changed whatever they wanted. They also had access to usernames and passwords, so hopefully no one used the same credentials elsewhere.

      Get back to us when you pull that off with whois.

  • ... that administrative changes at this level should only be allowable from physical access to closed admin networks and the value of having staff be able to make changes in their PJs from some hotel room is overrated?

    • by Xest ( 935314 )

      This was my first thought when I read about this yesterday too. Why oh why isn't such an important system air gapped from the rest of the general drones in ICANN's offices?

      I mean seriously? Can the fucking receptionist communicate directly with these core servers for example?

      I know it's hard for many IT workers, but sometimes you just need to get off your fat arse and walk over to the system you need to administer to maintain security. Anyone working somewhere important like ICANN that puts convenience of b

  • by organgtool ( 966989 ) on Thursday December 18, 2014 @12:54PM (#48626605)
    This never would have happened if there was an air gap between the DNS servers and the internet.
  • by MrCawfee ( 13910 ) on Thursday December 18, 2014 @12:54PM (#48626607) Homepage is about publishing them. You can request a free account and download the current zone file for the root dns.

    Verisign also provides this service for free for .COM and .NET, CZDS is just a centralized place so you can get the zones for all the new gTLDs without requesting accounts at 500 registries.

    This hack, while bad, doesn't directly affect the root dns system.

  • I know this is totally off-topic and may hurt my karma, but ICANN not resist the temptation. I just don't have the resolve. I'm phishing for puns. What's your best ICANN pun?
