[afnog] Google blames DNS insecurity for Web site defacements

Dr Paulos Nyirenda paulos at sdnp.org.mw
Mon May 18 09:09:01 UTC 2009


Our intention in contributing to this was not to write an "article". 
We simply wanted to contribute additional technical information so as 
to assist in increasing awareness and provide additional details on the 
incident.

Regards,

Paulos
======================
Dr Paulos B Nyirenda
.mw ccTLD
http://www.registrar.mw


On 18 May 2009 at 11:43, Rebecca Wanjiku wrote:

> Hi,
> 
> I hope the article would have had more details.
> When I talked to Google rep in California, he said it happened at .ug
> registry level, which means there is nothing much he could tell me.
> When I talked to Musisi from .Ug he said that it was just a minor
> incident and that he did not think it was a story.
> I tried to dig for more info but I was not getting anywhere.
> 
> I hope you all appreciate that there is a lot of secrecy; people think
> if they give you the info they will look insecure and it is easier for
> them to say; "I do not think that is a story".
> 
> regards
> Becky
> 
> 2009/5/18 Dr Paulos Nyirenda <paulos at sdnp.org.mw>:
> >
> > Greetings from Malawi.
> >
> > We also saw attempts to alter DNS records on the .mw ccTLD on 13 May
> > 2009 around midnight Malawi time. Attempts were made to alter DNS
> > records at the registry for 23 domains linked to major brands
> > including those listed by SM here. The attack attempt was on the SQL
> > server but they did not manage to alter our DNS.
> >
> > I would also like to confirm that this does not seem to be a case of
> > DNS cache poisoning, it was an SQL level attack attempt on the
> > registry.
> >
> > The attempt at .mw was to change the nameservers to hosts with names
> > of the form - crackers*.homelinux.com - where * is empty or an
> > integer. We saw the attack as coming from or via two or more networks
> > including those with network names: (a) *fdcservers on ARIN and (b)
> > TurkTelekom on RIPE.
> >
> > Hope this gives additional technical information.
> >
> > Regards,
> >
> > Paulos
> > ======================
> > Dr Paulos B Nyirenda
> > .mw ccTLD
> > http://www.registrar.mw
> >
> >
> > On 17 May 2009 at 13:58, SM wrote:
> >
> >> At 02:42 17-05-2009, Calvin Browne wrote:
> >> >I agree with this - the release is just way too short on details to
> >> >understand what went wrong here.
> >> >More details are needed.
> >>
> >> There are reports that the following web sites were affected:
> >>
> >>   www.google.co.ma
> >>
> >>   www.aol.ug
> >>   www.bmw.co.ug
> >>   www.cisco.co.ug
> >>   www.cnn.co.ug
> >>   www.defenceuganda.mil.ug
> >>   www.google.ug
> >>   www.hotmail.ug
> >>   www.hotmail.co.ug
> >>   www.microsoft.ug
> >>   www.orange.ug
> >>   www.toshiba.co.ug
> >>
> >> The nameservers for google.co.ma were changed on 9th May.  The domain
> >> resolved to a different IP address.  That brought visitors to a web
> >> site which wasn't hosted by Google.  The .ug problem occurred between
> >> 11 May and 13 May.  This is not a case of DNS cache
> >> poisoning.  DNSSEC does not offer any protection against SQL injection attacks.
> >>
> >> Regards,
> >> -sm
> >>
> >> _______________________________________________
> >> AfrICANN mailing list
> >> AfrICANN at afrinic.net
> >> https://lists.afrinic.net/mailman/listinfo.cgi/africann
> >
> >
> >
> 
> 
> 
> -- 
> Best regards,
> 
> Becky
> 
> 254 720318925
> 
> beckyit.blogspot.com
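The thread's technical point is that the registry itself was the target: an SQL-level attack that, had it succeeded, would have re-delegated brand domains to hosts of the form crackers*.homelinux.com, which DNSSEC would then have signed faithfully. The following is an added example, not code from the thread or from the .mw or .ug registries, showing the two registry-side controls that do apply: a parameterised, validated delegation update beside the string-built form it replaces, and a baseline audit that flags any delegation drifting to a host of the reported pattern. The registry table, domain names and baseline are all constructed placeholders held in an in-memory SQLite database.

```python
import re
import sqlite3

# Constructed baseline of expected delegations: domain -> (primary, secondary)
# nameserver. Placeholder names only, not real .mw or .ug registry data.
BASELINE = {
    "brand-one.example": ("ns1.hosting.example", "ns2.hosting.example"),
    "brand-two.example": ("ns1.brand-two.example", "ns2.brand-two.example"),
    "brand-three.example": ("ns1.hosting.example", "ns2.hosting.example"),
}

# Letters, digits and hyphens in at least two labels; rejects quotes and spaces.
HOSTNAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

# Delegation targets of the form reported in the thread (crackers*.homelinux.com,
# with * empty or an integer); any live delegation matching this is hostile.
SUSPICIOUS_NS = re.compile(r"^crackers\d*\.homelinux\.com$", re.IGNORECASE)


def build_registry(delegations=BASELINE):
    """In-memory stand-in for a registry database, seeded from a delegation map."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE delegations (domain TEXT PRIMARY KEY, ns1 TEXT, ns2 TEXT)")
    conn.executemany("INSERT INTO delegations VALUES (?, ?, ?)",
                     [(d, ns1, ns2) for d, (ns1, ns2) in delegations.items()])
    conn.commit()
    return conn


def set_delegation_vulnerable(conn, domain, ns1, ns2):
    """Illustrative defect (do not copy): SQL assembled by string formatting.
    The caller-supplied domain becomes part of the WHERE clause, so a value
    containing a quote can widen the statement to every row in the table.
    Returns the number of rows the statement actually changed."""
    cur = conn.execute(f"UPDATE delegations SET ns1 = '{ns1}', ns2 = '{ns2}' "
                       f"WHERE domain = '{domain}'")
    conn.commit()
    return cur.rowcount


def set_delegation_safe(conn, domain, ns1, ns2):
    """Hardened form: validate each value as a hostname, then bind it as a
    parameter so it is never parsed as SQL. Returns rows changed (0 or 1)."""
    for value in (domain, ns1, ns2):
        if not HOSTNAME.match(value):
            raise ValueError(f"not a valid hostname: {value!r}")
    with conn:  # single transaction: commits on success, rolls back on error
        cur = conn.execute("UPDATE delegations SET ns1 = ?, ns2 = ? WHERE domain = ?",
                           (ns1, ns2, domain))
    return cur.rowcount


def current_delegations(conn):
    """Read the live delegation map back out of the registry table."""
    rows = conn.execute("SELECT domain, ns1, ns2 FROM delegations")
    return {domain: (ns1, ns2) for domain, ns1, ns2 in rows}


def audit_delegations(conn, baseline=BASELINE):
    """Compare live delegations with the baseline. Returns a list of
    (domain, reason) findings; an empty list means nothing has drifted."""
    findings = []
    live = current_delegations(conn)
    for domain, expected in baseline.items():
        actual = live.get(domain)
        if actual is None:
            findings.append((domain, "delegation missing from registry"))
            continue
        hostile = [h for h in actual if SUSPICIOUS_NS.match(h)]
        if hostile:
            findings.append((domain, "delegated to suspicious host(s): " + ", ".join(hostile)))
        elif actual != expected:
            findings.append((domain, f"nameservers changed: {expected} -> {actual}"))
    return findings


if __name__ == "__main__":
    reg = build_registry()
    print(audit_delegations(reg))  # [] while the live state matches the baseline
    # A legitimate change through the safe path still shows up as drift, so the
    # baseline has to be updated as part of the change procedure.
    set_delegation_safe(reg, "brand-two.example", "ns3.brand-two.example", "ns4.brand-two.example")
    for domain, reason in audit_delegations(reg):
        print(f"{domain}: {reason}")
```

The audit runs against the registry's own records rather than against the public DNS, so it catches a rewrite at the source before the altered delegation is published to the zone; a registry would run it on a schedule and on every write, and treat any finding on a monitored brand domain as an incident rather than as routine drift.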
