In association with heise online

30 May 2008, 10:56

Comcast domain diverted by crackers [Update]


Just before midnight on 28 May, crackers calling themselves "KRYOGENIKS Defiant and EBK" managed to break into Comcast's Network Solutions account and change its DNS entry to point to a rogue site. Comcast responded swiftly, and the tampered DNS entry was only in place for around three hours. However, it apparently took a bit longer for the recovery to propagate through the DNS network.
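A check a practitioner would want after an incident like this, added here as an example that is not part of the article and not Comcast's or Network Solutions' code: a small Python watchdog that parses dig-style NS answers for a domain and diffs the delegated nameservers against an allowlist the domain owner maintains. The domain, the nameserver names and the dig output below are constructed for illustration. The report also carries the smallest TTL seen in the answer, which bounds how long resolvers that cached the tampered delegation keep serving it after the registrar entry has been put right; that lag is what made the recovery here take longer than the three hours the rogue entry was in place.

```python
"""Delegation watchdog: detect a hijacked nameserver delegation.

Added example, not code from the original article or from Comcast or
Network Solutions. It parses dig-style NS answers (constructed samples
below; in practice the text would come from a query to the parent zone's
servers, e.g. `dig +norecurse @a.gtld-servers.net NS example.com`) and
compares the delegated nameservers against an operator-maintained allowlist.
All names are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set, Tuple

# Assumed allowlist: the nameservers the domain owner expects to be delegated to.
EXPECTED_NS = {"ns1.example-isp.net", "ns2.example-isp.net"}

# One NS resource record in dig's presentation format: owner, TTL, class, type, target.
_NS_RR = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)$")


@dataclass(frozen=True)
class DelegationReport:
    missing: FrozenSet[str]      # expected nameservers no longer in the delegation
    added: FrozenSet[str]        # delegated nameservers that are not on the allowlist
    min_ttl: Optional[int]       # smallest TTL seen; caches may hold a reverted change this long

    @property
    def tampered(self) -> bool:
        return bool(self.missing or self.added)


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_ns_rrs(dig_output: str, zone: str) -> Tuple[Set[str], Optional[int]]:
    """Return (nameserver targets, minimum TTL) for NS records owned by `zone`.

    Comment lines (starting with ';'), dig's ';;' section headers and records
    for other owner names are ignored, so the parser tolerates full dig output.
    """
    targets: Set[str] = set()
    ttls = []
    for raw in dig_output.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and section headers
        if not line:
            continue
        m = _NS_RR.match(line)
        if m is None or normalise(m["owner"]) != normalise(zone):
            continue
        targets.add(normalise(m["target"]))
        ttls.append(int(m["ttl"]))
    return targets, (min(ttls) if ttls else None)


def check_delegation(dig_output: str, zone: str,
                     expected: Set[str] = EXPECTED_NS) -> DelegationReport:
    """Diff the observed delegation against the allowlist."""
    observed, min_ttl = parse_ns_rrs(dig_output, zone)
    wanted = {normalise(n) for n in expected}
    return DelegationReport(frozenset(wanted - observed),
                            frozenset(observed - wanted), min_ttl)


# Constructed samples, not real captures. 172800 s (two days) is the TTL the
# .com registry uses for delegation NS records.
NORMAL_ANSWER = """\
; <<>> constructed dig output <<>> NS example.com
;; ANSWER SECTION:
example.com.        172800  IN  NS  ns1.example-isp.net.
example.com.        172800  IN  NS  NS2.Example-ISP.net.
"""

HIJACKED_ANSWER = """\
;; ANSWER SECTION:
example.com.        172800  IN  NS  ns1.rogue-host.example.
example.com.        172800  IN  NS  ns2.rogue-host.example.
"""

if __name__ == "__main__":
    for label, answer in (("normal", NORMAL_ANSWER), ("hijacked", HIJACKED_ANSWER)):
        report = check_delegation(answer, "example.com")
        print(f"{label}: tampered={report.tampered} added={sorted(report.added)} "
              f"missing={sorted(report.missing)} min_ttl={report.min_ttl}")
```

Run it on a schedule against the parent zone's servers rather than the domain's own authoritative servers, since a delegation changed at the registrar shows up at the registry's servers first and the hijacked domain's former nameservers will never see it; alert whenever the report's tampered flag is set, and treat min_ttl as the window during which clients may still be sent to the rogue site after the entry is restored.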

The attackers apparently got hold of the password used to administer Comcast's account with Network Solutions, although neither Comcast nor Network Solutions has volunteered an opinion as to how this could have happened. It is not an unknown phenomenon, however: ICANN published a paper in the week of 26 May describing phishing attacks on registrar passwords, and weak SSL key generation, which also undermines keys used for DNSSEC and DomainKeys (DK), could allow connections to registrar control panels to be decrypted and passwords sniffed. Some smaller domain name resellers in the UK do not even use SSL connections on their customer control panels.

Judging by the content of the site to which Comcast's domain name was redirected and by the obscenities included in the tampered registration entry, this attack seems to have been the work of somewhat juvenile perpetrators. However, as DNS is essentially at the heart of trust on the internet, this kind of attack is extremely hazardous. In the event of electronic war, the wholesale rerouting of internet resources would in principle offer a much greater tactical advantage than their destruction or blocking. But adequate protection is as much an administrative and procedural problem as a technical one, and solutions will require transnational co-operation. Such bodies as ENISA in Europe and the ACM in America must be looked to for standards that properly protect the infrastructure against what ENISA itself has referred to as a "digital 9/11".

[Update] In an interview with Wired the attackers, who turn out indeed to be teenagers and may have been Comcast customers, say they changed the DNS entry out of annoyance with a Comcast administrator. After finding they could access Comcast's domain management console and making a minor change, they phoned the company but were not taken seriously by the administrator they spoke to. They then redirected the domain in vengeance.

