Sunday (04/09/2011) saw the websites of three large companies (and a few others) apparently hacked by the hacker group Turkguvenligi.
But how did they gain access to several sites all at the same time?
It’s inconceivable that Vodafone, The Daily Telegraph, The Register and UPS all use the same hosting servers.
But they do all use related DNS servers, and a common flaw in those appears to have allowed the attack.
Web Address Book:
The DNS system is literally the way that a host service is published to users: an easy to remember name standing in for a (potentially) complex numeric identifier, the IP address.
Like all such systems it adds huge value and brings some, hopefully minor, risks.
DNS, like all address books, needs updating. In this case the provider, Group NBT & subsidiaries (i.e. NetNames), allows access to a system that can update DNS records over the web. This is the standard way that customers access and update any DNS record, and there is technically nothing wrong with this as long as standard precautions are taken.
- Ensure the patching/security of the update service
- Ensure the security of the accounts/passwords
One of these is the remit of the DNS company, the other their clients.
Of course if the controlling account on any system is compromised there is little that can be done until the breach is noticed and the credentials revoked or updated.
The group Turkguvenligi claimed in an interview with the Guardian that the attack was possibly the result of an SQL Injection flaw on the controlling servers. Such flaws allow ‘extra’ commands to be sent to a database server because the input has not been sanitised correctly before being parsed.
The DNS company have also stated that they have revoked access to several accounts used in the attack, implying a breach of credentials was also possibly involved. They have confirmed the SQL Injection flaw.
Using these, the hackers were able to redirect users to a third-party site. This site simply stated that Sunday was world hackers day (as declared by Turkguvenligi) and that Hacking is not a crime.
The Sophos article has a full description and a screenshot.
As this is a redirection attack the websites themselves were never breached or compromised, only the DNS update system (and by extension the DNS system).
Fixing the issue:
Fixing this issue is simple enough.
- Remove access to the update system
- Remove compromised accounts
- Reinstate previous data
- Fix the SQL Injection hole
- Resume access to the update system
Unfortunately, however, DNS has some quirks that mean the fix may result in further disruption for some hours.
In order to prevent the Internet from being flooded with DNS resolution requests each record is marked with a TTL, a Time To Live. This is normally in the region of 1 to 4 hours but can be longer.
Of course, because the TTL is also controlled by the DNS system, that value could have been compromised too and made to be, say, a week.
The result is that a client that received the hacked version of the address would not check again until that TTL had expired.
That means that those clients, for that period of time will continue to be redirected to the third party site.
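The two checks a zone owner would want after reading this, as an added example that is not code from the original post or from any company named in it: compare the records the public DNS is serving against a known-good baseline (flagging changed addresses, missing names and an inflated TTL), and work out how long a hijacked record can linger in resolver caches after the zone is fixed. Hostnames and addresses are constructed placeholders from the RFC 5737 documentation ranges, not the real 2011 values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ARecord:
    name: str
    address: str
    ttl: int  # seconds a resolver may cache this answer


# Constructed baseline: what the zone should say, captured from a known-good state.
BASELINE = {
    "www.news.example": ARecord("www.news.example", "192.0.2.10", 3600),
    "www.telco.example": ARecord("www.telco.example", "192.0.2.20", 3600),
}
MAX_SANE_TTL = 4 * 3600  # the post puts normal TTLs in the 1 to 4 hour range


def check_records(observed, baseline=BASELINE, max_ttl=MAX_SANE_TTL):
    """Compare records seen on the public DNS against the baseline.

    Returns {name: [finding, ...]}; an empty dict means nothing drifted.
    A TTL above policy is flagged on its own, because a long TTL is what
    keeps a hijack alive in caches after the zone has been corrected."""
    findings = {}
    seen = set()
    for rec in observed:
        seen.add(rec.name)
        problems = []
        expected = baseline.get(rec.name)
        if expected is None:
            problems.append("name not in baseline")
        elif rec.address != expected.address:
            problems.append(f"address {expected.address} -> {rec.address}")
        if rec.ttl > max_ttl:
            problems.append(f"TTL {rec.ttl}s above policy maximum {max_ttl}s")
        if problems:
            findings[rec.name] = problems
    for name in baseline.keys() - seen:
        findings[name] = ["record missing from observed answers"]
    return findings


def cache_cleared_by(fixed_at, hijacked_ttl):
    """Worst case: a resolver that fetched the bad record just before the fix
    keeps serving it for the full hijacked TTL after the zone is corrected."""
    return fixed_at + timedelta(seconds=hijacked_ttl)
```

Run `check_records` on a snapshot from several public resolvers rather than your own authoritative server, since the authoritative zone is exactly what the update system changes.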
Cached DNS records can be flushed in the client’s operating system, but most users do not know how to do this. Some web browsers also keep their own internal cache of DNS records, and this can prove to be next to impossible to flush.
So all users/clients can do is search for the solution or wait for the TTL to expire.
- Linux (nscd): service nscd restart
- Mac OS X:
If you run a caching DNS server for your users, look into how to flush individual records. Alternatively flush the entire cache, but that does cause a little bit of a surge as it is repopulated.
Damage and Risk:
Obviously the reputation of the DNS company, Group NBT & NetNames, has been dented, but little actual damage has been done. Some of the sites are revenue earners or corporate, so there is again a reputation implication.
As NetNames’ own DNS Security page says:
…a failure in the DNS has the potential to eradicate your entire online business presence…
No actual customer data appears to have been compromised or exposed, and no phishing attempt (where the third-party site pretends to be the original to trick you into entering personal details) was made.
As others have stated, this is Web graffiti.
Sophos blog article
The Register statement
The Daily Telegraph article
NetNames DNS Security page
Turkguvenligi Twitter feed
Zone-H record of Turkguvenligi activity