Dear all,

I was asked to distribute the following message from the ICANN security team on our email lists. For any questions, please contact Yurie Ito (yurie.ito@icann.org).

Kind regards,

Gabi

----

Hi all,
 
My name is Yurie Ito, from the ICANN security team.
 
Towards the end of April, security staff was made aware that DNS
configuration information associated with certain Pacific and African
domains had been subjected to forms of hijacking attacks. Attackers have
recently targeted ccTLD operators. In the reported incidents, the attackers
were able to obtain the user account credentials (logins and passwords) for
a number of high profile domain names, by using data insertion exploits
(primarily, SQL injection methods) to provide the attacker with privileged
access to the registrars’ applications or server operating systems.
Reports further indicate the hackers then used the domain name credentials
to modify the DNS configuration of domains and re-delegate names to web
sites hosting unauthorized content (political agendas or personal
messages).
 
This trend is worrisome and we encourage the DNS community to monitor
domain registration attacks for suspicious activities during registration
account login attempts, stay informed, share information with other TLD
operators and to consider whether it is appropriate to adopt additional
measures to protect against unauthorized access to registration accounts.
 
 
What’s at stake?
----------------
 
Attackers appear focused on high profile domains. Beyond the costs of
response, registration service providers or TLD operators will have to
bear, the organizations affected by the attacks will also incur monetary
losses, loss of business opportunities, embarrassment and harm to brands.
The DNS community at large also will suffer from several second order
effects, including the loss of user confidence in the DNS infrastructure
and registration services, and reputational harm to TLD operators.
Moreover, even in circumstances where the attack is discovered and resolved
quickly, the incorrect DNS information can continue to propagate for some
considerable time due to replication and TTL lifetimes.
 
 
Why am I reading this?
----------------------
 
Registration services have become attractive targets for hacker groups, who
share exploit information quickly. Unauthorized access to registration
accounts has numerous benefits to attackers beyond web defacements: once an
attacker gains control of a domain’s DNS configuration, he can use
seemingly legitimate name resolution service to support fast flux networks
and botnets, or he can redirect any critical business application of the
targeted organization (mail, voice, intranet) to malicious or impersonation
sites.
 

What can you do?
----------------
 
The security staff at ICANN will continue to share information on breaches
or compromises brought to our attention. Open collaboration and incident
information sharing among registry and registrar operators may help prevent
similar incidents from occurring in ccTLDs that have not yet been targeted.
 
We’d like to ask your consideration of the following practices to reduce
or mitigate the current hijacking threat.
 
- Consider whether making an Incident Response point of contact available
24x7 to your customers to receive incident reporting could provide
opportunities for early detection and remediation.
 
- If you have not already made Incident Response point of contact details
available to your customers, consider doing so now.
 
- Consider how registries might identify and share best practices, e.g.,
forming or engaging in some form of social networking where registries can
exchange ideas and build trust relationships among peers.
 
- Treat the frequency and diversity of attacks against other ccTLDs as an
early warning and an opportunity to review your current methods of
protecting registration account logins.
 
 
- Educate your customers. Make them aware of the threat and suggest that
your customers include some periodic form of domain name and DNS monitoring
in their network administration, as well as risk assessment, and disaster
recovery planning (Consider whether this might be an enhanced service
opportunity for your operation.)
 
 
- If you do not already include web applications in your security
auditing, consider doing so now. Many best practices and analysis tools for
securing web applications are available and several in particular focus on
methods to assess and mitigate data insertion exploits. ICANN security
staff are available to share information about these with any TLD operator
or registrar who is interested.
 
 
For more information,
* ICANN's Security and Stability Advisory Committee (SSAC) is planning to
release SAC040, "Measures to Protect Domain Registration Services from
Exploitation and Misuse" approximately 21 July 2009
 
 
 
We encourage you to share information (in confidence) regarding suspicious
activities with ICANN security staff and ask you to alert your colleagues
(again, in confidence) if you suspect or are aware of an ongoing attack.
 
Thanks and Best Regards,
 
Yurie

yurie.ito@icann.org
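Two of the practices the message asks operators to consider, watching registration-account login attempts for suspicious activity and periodically checking a domain's DNS delegation, as an added Python example that is not part of the ICANN message and not an ICANN or registrar tool. The delegation baseline, the observed snapshot and the login-audit lines are constructed for the example; the audit-line format, the function names and the thresholds are assumptions, not any real registrar's.

```python
"""Added example: defender-side checks for the two monitoring practices the
ICANN message recommends. All data below is constructed; the log format is
a hypothetical registrar audit format, not a real product's."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: the delegation the registrant expects for each domain.
EXPECTED_DELEGATION = {
    "example.test": {
        "NS": {"ns1.registrar.example", "ns2.registrar.example"},
        "A": {"198.51.100.10"},
    },
}

# Constructed snapshot standing in for what a periodic lookup would return
# after an unauthorized change to the NS set (one server swapped out).
OBSERVED_SNAPSHOT = {
    "example.test": {
        "NS": {"ns1.registrar.example", "ns1.unexpected.invalid"},
        "A": {"198.51.100.10"},
    },
}


def delegation_changes(expected, observed):
    """Return (domain, rtype, added, removed) for every record set that drifted
    from the baseline. A domain missing from the snapshot counts as all of its
    records removed, so an empty answer is reported rather than ignored."""
    findings = []
    for domain, rrsets in expected.items():
        seen = observed.get(domain, {})
        for rtype, want in rrsets.items():
            have = set(seen.get(rtype, ()))
            added, removed = sorted(have - want), sorted(want - have)
            if added or removed:
                findings.append((domain, rtype, added, removed))
    return findings


# Constructed registrar login-audit lines (hypothetical format).
SAMPLE_LOG = """\
2009-05-02T10:00:01Z login account=admin@example.test src=203.0.113.5 result=FAIL
2009-05-02T10:00:09Z login account=admin@example.test src=203.0.113.5 result=FAIL
2009-05-02T10:00:17Z login account=admin@example.test src=203.0.113.5 result=FAIL
2009-05-02T10:00:25Z login account=admin@example.test src=203.0.113.5 result=FAIL
2009-05-02T10:00:33Z login account=admin@example.test src=203.0.113.5 result=FAIL
2009-05-02T10:00:41Z login account=admin@example.test src=203.0.113.5 result=SUCCESS
2009-05-02T10:05:00Z login account=ops@example.test src=192.0.2.20 result=FAIL
2009-05-02T10:05:30Z login account=ops@example.test src=192.0.2.20 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login account=(?P<account>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)


def parse_login_events(text):
    """Parse audit lines into dicts with a datetime timestamp; lines that do
    not match the expected format are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def suspicious_logins(events, window=timedelta(minutes=10), threshold=5):
    """Per account, flag a burst of >= threshold failures inside `window`, and a
    success that follows such a burst (the trace a guessed or stolen credential
    leaves in the audit log). Returns {account: [reasons]}."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_account[ev["account"]].append(ev)
    flagged = {}
    for account, evs in by_account.items():
        reasons = []
        recent_fails = []  # timestamps of failures still inside the window
        for ev in evs:
            recent_fails = [t for t in recent_fails if ev["ts"] - t <= window]
            if ev["result"] == "FAIL":
                recent_fails.append(ev["ts"])
                if len(recent_fails) >= threshold and "failed-login burst" not in reasons:
                    reasons.append("failed-login burst")
            elif ev["result"] == "SUCCESS" and len(recent_fails) >= threshold:
                if "success after failed-login burst" not in reasons:
                    reasons.append("success after failed-login burst")
        if reasons:
            flagged[account] = reasons
    return flagged


if __name__ == "__main__":
    for finding in delegation_changes(EXPECTED_DELEGATION, OBSERVED_SNAPSHOT):
        print("delegation drift:", finding)
    for account, reasons in suspicious_logins(parse_login_events(SAMPLE_LOG)).items():
        print("suspicious account:", account, reasons)
```

The delegation check compares against a baseline the registrant controls rather than against whatever the registrar's interface currently shows, since in the reported incidents the registrar-side data is exactly what was altered; because of TTL caching, a snapshot should be taken from the parent zone's authoritative servers, not a recursive resolver, or a change may go unseen for the lifetime of the cached record. The login check reports a success that follows a burst of failures separately from the burst itself, as that is the event worth paging on.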