10/30/2013, Author: Sabrina Berkenkopf

"Hacking like its 1964"... by fax!

Prominent cases of DNS hijacking reveal essential security problems

News that renowned companies in the IT security industry had apparently been hacked quickly spread through Twitter and other channels. It soon became clear, however, that the report was inaccurate. There was no hacking involved, but employees of two domain registries who had been tricked in an almost unbelievable way into allowing the manipulation of DNS entries. The KDMS team claimed responsibility for the brazen attacks.

A set of attacks by the KDMS team rendered the websites of globally renowned companies temporarily unavailable: Alexa.com, AVG, Avira, Bitdefender, ESET, Leaseweb, Metasploit, Rapid7, Redtube and WhatsApp were amongst the current slate of victims. DNS manipulation was used to redirect internet traffic from the relevant websites to the attackers' servers. Visitors were then treated to politically motivated messages stored there. No malware attack was involved, although this would have also been technically possible in a variety of different ways.

How could this happen?

HD Moore, head researcher at Rapid7 and founder of the Metasploit project, documented the time in which the websites of Rapid7 and Metasploit were not reachable via his Twitter account and answered his fellow researchers' questions about the events. The tweet that he sent out on October 11 at 06:31 AM seemed unbelievable:

Screenshot of HD Moore's Tweet Employees of Register.com, a domain registry, had apparently accepted a fax as a valid application to change the DNS entries for certain domains. It appears that the fax was not checked for authenticity. "Maybe they called the number listed on the fax [for verification]", Moore said later. He was justifiably harsh in mocking the situation, saying: "Hacking like its 1964". While he appreciated the attackers' creativity, he found little to laugh about. Colloquially, situations like this are called "epic fails" on the net.

The other DNS hijacking cases have also seen so-called 'spear phishing attacks' in which registrar Network Solutions received requests to reset the password — not from the rightful owners of the domains, of course, but rather from attackers.


Social engineering vs. technical attacks

This example once again illustrates why security concepts for corporate and private users must be well-designed on a number of levels. The attacks were not of a technical nature in the sense of malware or exploitation of security loopholes, but rather targeted humans as the weakest link and tricked them through social engineering. The best countermeasures typically focus on training, know-how and attention to detail.
What is even worse though: Even if a company's or private individual's security concept is almost flawless, there are dependencies outside of one's control, like the domain registrar in this case.

A relevant analogy can be found in the recent cases of espionage involving PRISM, Tempora und Co.: You can't trust just in the integrity and security of your own internal system/network. Any time an external interface (ISP, email provider...) is vulnerable to spying, there's not much the affected persons can do. A truly holistic approach to security must thus always involve end-to-end encryption, VPN connections and other prudent measures.



G Data is committed to protecting personal and corporate data according to the strict German guidelines and laws! This approach, including G Data's promise of IT security without backdoors, has earned the Bochum-based software company the IT Security Made in Germany quality seal, among others.


Share this article

G DATA | Trust in German Sicherheit