September 5, 2011 08:12 AM ET
IDG News Service - A Turkish hacking group managed to tamper
with Internet addressing records over the weekend, redirecting
dozens of websites belonging to companies including Microsoft,
UPS and Vodafone to a different web pages controlled by the
hackers.
According to Zone-H, a website that tracks defacements, 186
websites were redirected to a page controlled by
"Turkguvenligi." A message on the redirect page read: "4 Sept.
We Turkguvenligi declare this day as World Hackers Day - Have
fun ;) h4ck y0u."
All of the websites were registered through NetNames, which is
part of NBT group. NetNames provides DNS (Domain Name
System) services for the websites, which is the system used to
translates a domain name into an IP address that can be called
into a webbrowser.
Turkguvenligi managed to hack NetName's DNS servers through
a SQL injection attack, which involves putting commands into a
web-based form to see if the back-end database responds. If
those commands aren't scanned for malicious code, an attacker
could gain access to the system.
In the case of NetNames, Turkguvenligi put a redelegation order
into the company's system and changed the address of the
master DNS servers that served data for the websites, according
to a statement from NetNames. The attack occurred around 9
p.m. BST on Sunday.
"The rogue name server then served incorrect DNS data to
redirect legitimate web traffic intended for customer web sites
through to a hacker holding page branded Turkguvenligi," the
statement read. "The illegal changes were reversed quickly to
bring service back to the customers impacted and the accounts
concerned have been disabled to block any further access to the
systems."
The hack accomplished by Turkguvenligi is a powerful one.
Although it appears the goal of the group was just to vandalize
the sites for a while, the group could have set up lookalike sites
for the real ones, tricking users into thinking they were on the
legitimate site and possibly stealing logins and passwords.
Two of HSBC's banking sites -- one with a country-code Top Level
Domain in South Korea and one in Canada -- were targeted,
according to the list compiled by Zone-H.
Other websites affected were those belonging to The Telegraph
newspaper, The Register technology news site, Coca-Cola,
Interpol, Adobe,Dell, several Microsoft country sites, Peugeot,
Harvard University and the security companies F-Secure,
BitDefender and Secunia. The website for Gary McKinnon, the so-
called NASA hacker who is appealing extradition to the U.S. on
hacking charges, was also hit.
The Register wrote that its website was not breached and that
service was restored about three hours after the attack.
"As far as we can tell there was no attempt to penetrate our
systems,"wrote Drew Cullen . "But we shut down access/services
- in other words, anything that requires a password - as a
precaution."NSSEC, a security measure now being deployed by many
registrars to guard against DNS tampering may not have
prevented this kind of attack, said Paul Mutton , a security analyst
with Netcraft.
DNSSEC uses public key cryptography to digitally "sign" the DNS
records for websites. It is designed to stop attacks such as cache
poisoning, where a DNS server is hacked, making it possible for a
user to type in the correct website name but be directed to a
fake website.
"If the attacker was able to change the DNS settings held by the
domain registrar, presumably they could also have changed
other settings, such as disabling DNSSEC, or rather, simply
change the DNS settings to point to nameservers that do not
support DNSSEC."
NetNames described the attacks against its systems as being
"sustained and concentrated." "We will continue to review our
systems to ensure that we provide our customers a solid, robust
and above all secure service," it said.
No comments:
Post a Comment