Posts Tagged ‘DNS’

Network Solutions reports more DNS problems

Wednesday, October 23rd, 2013

Network Solutions said Tuesday it was trying to restore services after another DNS (Domain Name System) problem.

The latest issue comes two weeks after a pro-Palestinian hacking group redirected websites belonging to several companies whose records were held by Network Solutions, owned by the company

Efforts to reach a company spokesperson were not immediately successful.

“We apologize for the issues our customers have experienced as a result of an incident on the Network Solutions DNS,” the company wrote on Facebook. “We’re in the process of restoring services, and we appreciate your patience as we work toward resolution.”

The DNS is a distributed address book for websites, translating domain names such as into an IP address that can be called into a Web browser. In the past few months, hackers have targeted companies that register domain names and their partners.

A successful DNS hijacking attack can cause thousands of visitors to a high-profile website to be redirected to another site even though they’ve typed in or browsed to the correct domain name.

Avira, a security company affected by the attacks two weeks ago, said hackers gained access to its Network Solutions account via a fake password-reset request. Claiming responsibility was a group calling itself the “Kdms Team,” which also attacked the hosting provider LeaseWeb about two days before.

In a separate problem, Network Solutions said Monday some customers could not send email after it was blacklisted by a security company, Trend Micro, and other anti-spam services.

In July, Network Solutions fought off a distributed denial-of-service (DDoS) attack that knocked websites offline, and also dealt with problems with its MySQL databases.


Three types of DNS attacks and how to deal with them

Friday, August 30th, 2013

DNS servers work by translating domain names into IP addresses. This is why you can enter into the browser to visit our sister site, instead of trying to remember

When DNS is compromised, several things can happen. However, compromised DNS servers are most often used by attackers in one of two ways. The first thing an attacker can do is redirect all incoming traffic to a server of their choosing. This enables them to launch additional attacks, or to collect traffic logs that contain sensitive information.

The second thing an attacker can do is capture all inbound email. More importantly, this second option also allows the attacker to send email as the victim, using the victim organization’s domain and cashing in on its positive reputation. Making things worse, attackers could also opt for a third option, which is doing both of those things.

“In the first scenario this can be used to attack visitors and capture login credentials and account information. The common solution of mandating SSL works until the attacker takes advantage of [the second option] to register a new certificate in your name. Once they have a valid SSL cert and control of your DNS (one and the same, basically) — they have effectively become you without needing access to any of your servers,” Rapid7’s Chief Research Officer, HD Moore, told CSO in an email.

In a blog post, Cory von Wallenstein, the CTO of Dyn Inc., a firm that specializes in traffic management and DNS, explained the three common types of DNS attacks and how to address them.

The first type of DNS attack is called a cache poisoning attack. This can happen after an attacker is successful in injecting malicious DNS data into the recursive DNS servers that are operated by many ISPs. These types of DNS servers are the closest to users from a network topology perspective, von Wallenstein wrote, so the damage is localized to specific users connecting to those servers.

“There are effective workarounds to make this impractical in the wild, and good standards like DNSSEC that provide additional protection from this type of attack,” he added.

If DNSSEC is impractical or impossible, another workaround is to restrict recursion on the name servers that need to be protected. The recursion setting determines whether a server will only hand out information it has stored in its cache, or whether it is willing to go out on the Internet and talk to other servers to find the best answer.

“Many cache poisoning attacks leverage the recursive feature in order to poison the system. So by limiting recursion to only your internal systems, you limit your exposure. While this setting will not resolve all possible cache poisoning attack vectors, it will help you mitigate a good portion of them,” Chris Brenton, Dyn Inc.’s Director of Security, told CSO in an email.
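One way to verify that recursion has actually been limited is to query the server from an outside address and look at the flags in the reply. The following is an added example, not code from the article or from Dyn; it builds a standard query, decodes the 12-byte DNS header, and classifies a server as "open" (it recursed and answered) or "restricted" (RA clear, REFUSED). The server address and query name are assumptions to be replaced with your own resolver.

```python
"""Check whether a name server recurses for a given client (added example).

Builds a standard DNS query with the RD (recursion desired) bit set, parses
the header of the reply, and reports whether the server set RA ("recursion
available") and answered. A server whose recursion is limited to internal
clients should answer outside clients with RA clear and rcode REFUSED (5).
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a DNS query for `name` (A record by default) with RD set."""
    flags = 0x0100  # QR=0, opcode=0 (standard query), RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".") if label
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(resp: bytes) -> dict:
    """Decode the DNS header; only the flags and the answer count matter here."""
    if len(resp) < 12:
        raise ValueError("response too short for a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # 1 = this is a response
        "rd": bool(flags & 0x0100),   # echoed from the query
        "ra": bool(flags & 0x0080),   # server offers recursion to this client
        "rcode": flags & 0x000F,
        "answers": an,
    }


def assess_recursion(resp: bytes) -> str:
    """Classify a reply: 'open' means the server recursed for this client."""
    h = parse_header(resp)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open"         # recursion available and answers returned
    if not h["ra"] and h["rcode"] == 5:
        return "restricted"   # RA clear, REFUSED: recursion denied for us
    return "other:" + RCODES.get(h["rcode"], str(h["rcode"]))


def check_server(server: str, name: str = "example.com", timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to `server` (your own resolver) and classify it."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        return "id-mismatch"  # not the reply to our query
    return assess_recursion(resp)


# Constructed replies (header only) for offline testing: one answer with RA set,
# and a REFUSED reply with RA clear, as a properly restricted server would send.
OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)        # QR RD RA NOERROR
RESTRICTED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)  # QR RD REFUSED

if __name__ == "__main__":
    print(assess_recursion(OPEN_REPLY))        # open
    print(assess_recursion(RESTRICTED_REPLY))  # restricted
```

Run `check_server("<your resolver IP>")` from a host outside your internal ranges; "restricted" is the result you want for a server that should not recurse for the public.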

The second type of DNS attack happens when attackers take over one or more authoritative DNS servers for a domain. In his post, von Wallenstein noted that authoritative DNS hosting is the type of service that his firm provides to Twitter. However, Dyn Inc. wasn’t targeted by the SEA, so their services to Twitter were not impacted by Tuesday’s incident.

If an attacker were to compromise an authoritative DNS, von Wallenstein explains, the effect would be global. While that wasn’t what the SEA did during their most recent attack, it’s been done before.

In 2009, Twitter suffered a separate attack by the Iranian Cyber Army. The group altered DNS records and redirected traffic to propaganda hosted on servers they controlled. The ability to alter DNS settings came after the Iranian Cyber Army compromised a Twitter staffer’s email account, and then used that account to authorize DNS changes. During that incident Dyn Inc. was the registrar contacted in order to process the change request.

Defenses against these types of attacks often include strong passwords and IP-based ACLs (access control lists). Further, a solid training program that deals with social engineering will also be effective.

“I think the first step is recognizing the importance of authoritative DNS in our Internet connectivity trust model,” Brenton said.

All the time and resources in the world can be placed into securing a webserver, but if an attacker can attack the authoritative server and point the DNS records at a different IP address, “to the rest of the world it’s still going to look like you’ve been owned,” Brenton added.

“In fact it’s worse because that one attack will also permit them to redirect your email or any other service you are offering. So hosting your authoritative server with a trusted authority is the simplest way to resolve this problem.”

The third type of DNS attack is also the most problematic to undo. It happens when an attacker compromises the registration of the domain itself, and then uses that access to alter the DNS servers assigned to it.

This is also what the SEA did when they went after Twitter and the New York Times. They gained access to MelbourneIT, the registrar responsible for the domains targeted, and changed the authoritative DNS servers to their own.

“At this time, those authoritative nameservers answered all queries for the affected domains. What makes this attack so dangerous is what’s called the TTL (time to live). Changes of this nature are globally cached on recursive DNS servers for typically 86,400 seconds, or a full day. Unless operators are able to purge caches, it can take an entire day (sometimes longer) for the effects to be reversed,” von Wallenstein wrote.
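To make the TTL point concrete, here is an added simulation (not from the article or from Dyn) of a recursive resolver's cache. It assumes a toy authoritative server and the 86,400-second TTL the article cites, and shows that restoring the authoritative record does nothing for that resolver's clients until the cached entry expires or the operator purges it.

```python
"""Why a hijacked record lingers for a full TTL (added example).

A recursive resolver stores each answer together with the TTL the
authoritative side handed out and serves it from cache until it expires.
"""
from typing import Dict, Optional, Tuple

DAY = 86_400  # typical TTL from the article, in seconds
NAME, RTYPE = "example.com", "NS"
LEGIT, HIJACKED = "ns1.legit.example", "ns1.attacker.example"  # constructed names


class Authoritative:
    """Toy authoritative side: the record a registrar or NS operator controls."""

    def __init__(self) -> None:
        self.records: Dict[Tuple[str, str], Tuple[str, int]] = {}

    def set(self, name: str, rtype: str, value: str, ttl: int = DAY) -> None:
        self.records[(name, rtype)] = (value, ttl)

    def answer(self, name: str, rtype: str) -> Tuple[str, int]:
        return self.records[(name, rtype)]


class RecursiveCache:
    """Toy recursive resolver (an ISP's), keyed by (name, type)."""

    def __init__(self, upstream: Authoritative) -> None:
        self.upstream = upstream
        self.cache: Dict[Tuple[str, str], Tuple[str, int]] = {}  # (value, expires_at)

    def resolve(self, name: str, rtype: str, now: int) -> str:
        key = (name, rtype)
        cached = self.cache.get(key)
        if cached and now < cached[1]:
            return cached[0]  # served from cache: upstream is never consulted
        value, ttl = self.upstream.answer(name, rtype)
        self.cache[key] = (value, now + ttl)
        return value

    def purge(self, name: str, rtype: str) -> None:
        """What 'operators purging caches' means: drop the entry early."""
        self.cache.pop((name, rtype), None)


def timeline(purge_at: Optional[int] = None) -> Dict[str, str]:
    """Hijack at t=0, restore at t=3600; optionally purge the ISP cache at `purge_at`."""
    auth = Authoritative()
    auth.set(NAME, RTYPE, HIJACKED)          # t=0: registration changed by the attacker
    isp = RecursiveCache(auth)
    seen = {}
    seen["t=10"] = isp.resolve(NAME, RTYPE, 10)        # first lookup caches the bad record
    auth.set(NAME, RTYPE, LEGIT)             # t=3600: owner restores the record
    if purge_at is not None:
        isp.purge(NAME, RTYPE)
    seen["t=3600"] = isp.resolve(NAME, RTYPE, 3600)
    seen["t=80000"] = isp.resolve(NAME, RTYPE, 80000)
    seen["t=86410"] = isp.resolve(NAME, RTYPE, 86410)  # 10 + 86400: entry has expired
    return seen


if __name__ == "__main__":
    for label, value in timeline().items():
        print(label, value)
```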

Again, Brenton’s advice for authoritative DNS will apply here as well. It’s also possible to host authoritative servers within the organization, allowing for complete control.

“If you are going to run your own authoritative servers, make sure you follow the best security practices that have been identified by SANS and the Center for Internet Security,” Brenton advised.


Network Solutions restores service after DDoS attack

Thursday, July 18th, 2013

Network Solutions said Wednesday it has restored services after a distributed denial-of-service (DDoS) attack knocked some websites it hosts offline for a few hours.

The company, which is owned by, registers domain names, offers hosting services, sells SSL certificates and provides other website-related administration services.

Network Solutions wrote on Facebook around mid-day Wednesday EDT that it was under attack. About three hours later, it said most customer websites should resolve normally.

Some customers commented on Facebook, however, that they were still experiencing downtime. Many suggested a problem with Network Solutions’ DNS (Domain Name System) servers, which are used to look up domain names and translate the names into IP addresses that can be requested by a browser.

DDoS attacks are a favored method to disrupt websites and involve sending large amounts of data in hopes of overwhelming servers and causing websites to not respond to requests.

Focusing DDoS attacks on DNS servers has proven to be a very effective attack method. In early June, three domain name management and hosting providers — DNSimple, easyDNS and TPP Wholesale — reported DNS-related outages caused by DDoS attacks.

Hosting service DNSimple said it came under a DNS reflection attack, where DNS queries are sent to one party but the response is directed to another network, exhausting the victim network’s bandwidth.


How Spamhaus’ attackers turned DNS into a weapon of mass destruction

Thursday, March 28th, 2013

DNS amplification can clog the Internet’s core—and there’s no fix in sight.

A little more than a year ago, details emerged about an effort by some members of the hacktivist group Anonymous to build a new weapon to replace their aging denial-of-service arsenal. The new weapon would use the Internet’s Domain Name Service as a force-multiplier to bring the servers of those who offended the group to their metaphorical knees. Around the same time, an alleged plan for an Anonymous operation, “Operation Global Blackout” (later dismissed by some security experts and Anonymous members as a “massive troll”), sought to use the DNS service against the very core of the Internet itself in protest against the Stop Online Piracy Act.

This week, an attack using the technique proposed for use in that attack tool and operation—both of which failed to materialize—was at the heart of an ongoing denial-of-service assault on Spamhaus, the anti-spam clearing house organization. And while it hasn’t brought the Internet itself down, it has caused major slowdowns in the Internet’s core networks.

DNS Amplification (or DNS Reflection) remains possible after years of security expert warnings. Its power is a testament to how hard it is to get organizations to make simple changes that would prevent even recognized threats. Some network providers have made tweaks that prevent botnets or “volunteer” systems within their networks from staging such attacks. But thanks to public cloud services, “bulletproof” hosting services, and other services that allow attackers to spawn and then reap hundreds of attacking systems, DNS amplification attacks can still be launched at the whim of a deep-pocketed attacker—like, for example, the cyber-criminals running the spam networks that Spamhaus tries to shut down.

Hello, operator?

The Domain Name Service is the Internet’s directory assistance line. It allows computers to get the numerical Internet Protocol (IP) address for a remote server or other network-attached device based on its human-readable host and domain name. DNS is organized in a hierarchy; each top-level domain name (such as .com, .edu, .gov, .net, and so on) has a “root” DNS server keeping a list of each of the “authoritative” DNS servers for each domain registered with them. If you’ve ever bought a domain through a domain registrar, you’ve created (either directly or indirectly) an authoritative DNS address for that domain by selecting the primary and secondary DNS servers that go with it.

When you type “” into your browser’s address bar and hit the return key, your browser checks with a DNS resolver—your personal Internet 411 service— to determine where to send the Web request. For some requests, the resolver may be on your PC. (For example, this happens if you’ve requested a host name that’s in a local “hosts” table for servers within your network, or one that’s stored in your computer’s local cache of DNS addresses you’ve already looked up.) But if it’s the first time you’ve tried to connect to a computer by its host and domain name, the resolver for the request is probably running on the DNS server configured for your network—within your corporate network, at an Internet provider, or through a public DNS service such as Google’s Public DNS.

There are two ways for a resolver to get the authoritative IP address for a domain name that isn’t in its cache: an iterative request and a recursive request. In an iterative request, the resolver pings the top-level domain’s DNS servers for the authoritative DNS for the destination domain, then it sends a DNS request for the full hostname to that authoritative server. If the computer that the request is seeking is in a subdomain or “zone” within a larger domain—such as—it may tell the resolver to go ask that zone’s DNS server. The resolver “iterates” the request down through the hierarchy of DNS servers until it gets an answer.

But on some networks, the DNS resolver closest to the requesting application doesn’t handle all that work. Instead, it sends a “recursive” request to the next DNS server up and lets that server handle all of the walking through the DNS hierarchy for it. Once all the data is collected from the root, domain, and subdomain DNS servers for the requested address, the resolver then pumps the answer back to its client.

How DNS queries are supposed to work—when they’re not being used as weapons.

To save time, DNS requests don’t use the “three-way handshake” of the Transmission Control Protocol (TCP) to make all these queries. Instead, DNS typically uses the User Datagram Protocol (UDP)—a “connectionless” protocol that lets the server fire and forget requests.

Pump up the volume

That makes the sending of requests and responses quicker—but it also opens up a door to abuse of DNS that DNS amplification uses to wreak havoc on a target. All the attacker has to do is find a DNS server open to requests from any client and send it requests forged as being from the target of the attack. And there are millions of them.

The “amplification” in DNS amplification attacks comes from the size of those responses. While a DNS lookup request itself is fairly small, the resulting response of a recursive DNS lookup can be much larger. A relatively small number of attacking systems sending a trickle of forged UDP packets to open DNS servers can result in a firehose of data being blasted at the attackers’ victim.

DNS amplification attacks wouldn’t be nearly as amplified if it weren’t for the “open” DNS servers they use to fuel the attacks. These servers have been configured (or misconfigured) to answer queries from addresses outside of their network. The volume of traffic that can be generated by such open DNS servers is huge. Last year, Ars reported on a paper presented by Randal Vaughan of Baylor University and Israeli security consultant Gadi Evron at the 2006 DefCon security conference. The authors documented a series of DNS amplification attacks in late 2005 and early 2006 that generated massive traffic loads for the routers of their victims. In one case, the traffic was “as high as 10Gbps and used as many as 140,000 exploited name servers,” Vaughan and Evron reported. “A DNS query consisting of a 60 byte request can be answered with responses of over 4000 bytes, amplifying the response packet by a factor of 60.”

But even if you can’t find an open DNS server to blast recursive responses from, you can still depend on the heart of the Internet for a respectable hail of packet projectiles. A “root hint” request—sending a request for name servers for the “.” domain—results in a response 20 times larger than the packet the request came in. That’s in part thanks to DNS-SEC, the standard adopted to make it harder to spoof DNS responses, since now the response includes certificate data from the responding server.

A comparison of a “root hint” query and the response delivered by the DNS server. Not all data shown.
Sean Gallagher

In the case of the attack on Spamhaus, the organization was able to turn to the content delivery network CloudFlare for help. CloudFlare hid Spamhaus behind its CDN, which uses the Anycast feature of the Border Gateway Protocol to cause packets destined for the antispam provider’s site to be routed to the closest CloudFlare point of presence. This spread out the volume of the attack. And CloudFlare was able to then shut off amplified attacks aimed at Spamhaus with routing filters that blocked aggregated DNS responses matching the pattern of the attack.

But that traffic still had to get to Cloudflare before it could be blocked. And that resulted in a traffic jam in the core of the Internet, slowing connections for the Internet as a whole.

No fix on the horizon

The simplest way to prevent DNS amplification and reflection attacks would be to prevent forged DNS requests from being sent along in the first place. But that “simple” fix isn’t exactly easy—or at least easy to get everyone who needs to participate to do.

There’s been a proposal on the books to fix the problem for nearly 13 years—the Internet Engineering Task Force’s BCP 38, an approach to “ingress filtering” of packets. First pitched in 1998 as part of RFC 2267, the proposal has gone nowhere. And while the problem would be greatly reduced if zone and domain DNS servers simply were configured not to return recursive or even “root hint” responses to requests received from outside their own networks, that would require action by the owners of the network. It’s an action that doesn’t have a direct monetary or security benefit to them associated with it.

ISPs generally do “egress filtering”—they check outbound traffic to make sure it’s coming from IP addresses within their network. This prevents them from filling up their peering connections with bad traffic. But “ingress” filtering would check to make sure that requests coming in through a router were coming from the proper direction based on their advertised IP source.
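The difference between the two filters is easier to see in code. This is an added simulation, not from the article or the RFC: a constructed edge router with two customer interfaces applies either an egress check (source must be somewhere inside the provider's network) or a BCP 38 ingress check (source must fit the prefixes behind the interface the packet arrived on) to a few sample packets. Interface names, prefixes and the victim address are made up.

```python
"""Egress filtering versus BCP 38 ingress filtering, simulated (added example).

Forged queries carry the victim's address as source. Egress filtering only
catches sources from outside the provider's network; ingress (source-address)
validation also catches a customer forging another customer's address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on
    src: str
    dst: str
    dport: int


class EdgeRouter:
    def __init__(self, customer_prefixes: Dict[str, List[str]]) -> None:
        # constructed topology: customer interface -> prefixes assigned behind it
        self.customer = {
            iface: [ip_network(p) for p in nets]
            for iface, nets in customer_prefixes.items()
        }
        self.all_internal = [n for nets in self.customer.values() for n in nets]

    def egress_ok(self, pkt: Packet) -> bool:
        """Egress filter on the upstream link: source must be some internal address."""
        src = ip_address(pkt.src)
        return any(src in net for net in self.all_internal)

    def ingress_ok(self, pkt: Packet) -> bool:
        """BCP 38: source must belong to the prefixes behind the arrival interface."""
        src = ip_address(pkt.src)
        return any(src in net for net in self.customer.get(pkt.in_iface, []))

    def forward(self, pkt: Packet, mode: str) -> str:
        """Apply the chosen policy; return 'forward' or the drop reason."""
        if mode == "ingress" and not self.ingress_ok(pkt):
            return "drop: source not valid for " + pkt.in_iface
        if mode == "egress" and not self.egress_ok(pkt):
            return "drop: source outside our network"
        return "forward"


# Constructed sample: two customer interfaces; the victim lives elsewhere.
ROUTER = EdgeRouter({"eth1": ["192.0.2.0/24"], "eth2": ["198.51.100.0/24"]})
VICTIM = "203.0.113.10"

SAMPLE = [
    Packet("eth1", "192.0.2.25", "192.0.2.53", 53),       # legitimate query from eth1
    Packet("eth1", VICTIM, "198.51.100.53", 53),         # forged: victim's address as source
    Packet("eth1", "198.51.100.7", "198.51.100.53", 53), # forged: the other customer's address
]


def classify(mode: str) -> List[str]:
    """Decision for each sample packet under 'egress' or 'ingress' filtering."""
    return [ROUTER.forward(p, mode) for p in SAMPLE]


if __name__ == "__main__":
    for mode in ("egress", "ingress"):
        print(mode, classify(mode))
```

The third packet is the one that matters: egress filtering forwards it because the source is still "inside our network", while per-interface ingress validation drops it.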

Another possible solution that would eliminate the problem entirely is to make DNS use TCP for everything—reducing the risk of forged packets. DNS already uses TCP for tasks like zone transfers. But that would require a change to DNS itself, so it’s unlikely that would ever happen, considering that you can’t even convince people to properly configure their DNS servers to begin with.

Maybe the attack on Spamhaus will change that, and core network providers will move to do more to filter DNS traffic that doesn’t seem to match up with known DNS servers. Maybe, just maybe, BCP 38 will get some traction. And maybe pigs will fly.


Web users beware: DNSChanger victims lose Web access July 9

Thursday, July 5th, 2012

On that day, the FBI will be shutting down the temporary DNS servers it used to assist DNSChanger victims

If you’re one of thousands of people infected with the DNSChanger malware, get rid of it before Monday.

On July 9, the FBI will be switching off servers it used to keep those infected with the malware on the Internet. The organization says maintaining the servers is costly and that therefore the agency won’t extend its support.

DNSChanger was first discovered in 2007 and was found to have infected millions of computers worldwide. The payload effectively modified a computer’s DNS settings to redirect traffic through its rogue servers. When users typed in a domain name in a browser, the servers would direct them to other sites for the creators’ financial gain.

Late last year, the FBI disrupted the crime ring and converted the rogue servers to clean servers to give infected users time to fix their systems. A host of tools and techniques have surfaced for removing the malware, but thousands of machines are still affected. If DNSChanger is not removed from those computers, users won’t be able to connect to the Internet.

So, before that happens, Web users are encouraged to head over to a special DNSChanger Web site,, to see how to fix the problem. Several security firms, including McAfee and Trend Micro, also have free tools available to remove DNSChanger.

Source: CNET

Google will alert users to DNSChanger malware infection

Tuesday, May 22nd, 2012

Google is using a clever Domain Name System hack to let people infected with the DNSChanger malware know that they have only a few weeks left before their Internet connection goes dead.

The warning that will appear at the top of search results for people whose computers are infected

Google is about to begin an ambitious project to notify some half a million people that their computers are infected with the DNSChanger malware.

The effort, scheduled to begin this afternoon, is designed to let those people know that their Internet connections will stop working on July 9, when temporary servers set up by the FBI to help DNSChanger victims are due to be disconnected.

“The warning will be at the top of the search results page for regular searches and image searches and news searches,” Google security engineer Damian Menscher told CNET this morning. “The text will say, ‘Your computer appears to be infected,’ and it will give additional detail warning them that they may not be able to connect to the Internet in the future.”

The malware, also known as “RSPlug,” “Puper,” and “Jahlav,” was active until an FBI investigation called Ghost Click resulted in six arrests last November.

DNSChanger worked by pointing infected computers to rogue Domain Name System servers that could, for instance, direct someone trying to connect to to a scam Web site.

Computers became infected with DNSChanger when they visited certain Web sites or downloaded particular software to view videos online. In addition to altering the DNS server settings, the malware also prevented antivirus updates from happening.

Source: CNET

Truth about the March 8 Internet Doomsday

Monday, February 20th, 2012

While it’s true some users may lose their Internet access next month, it’s not the FBI’s fault

Heard the one about the FBI shutting down the Internet next month?

Like many memes before it, this dire warning is floating around blogs and sites. It even names a date: March 8 as the day the FBI might “shut down the Internet.” But relax, that’s not really the case.

While yes, an untold number of people may lose their Internet connection in less than three weeks, if they do they only have nefarious web criminals to blame and certainly not the FBI.

If people end up in the dark on March 8 it’s because they’re still infected with the malware the FBI started warning people about last November when it shut down a long-standing Estonian Web traffic hijacking operation that controlled people’s computers using a family of DNSChanger viruses. The malware works by replacing the DNS (Domain Name System) servers defined on a victim’s computer with fraudulent servers operated by the criminals. As a result, visitors are unknowingly redirected to websites that distributed fraudulent software or displayed ads that put money into the bad guys’ pockets.

Here’s the worst part: The malware also prevents security updates and disables installed security software.

To help protect victims, the FBI replaced the rogue servers with legitimate ones — a measure the agency said would be in effect for 120 days. Had it not taken that step and simply shut down the bad servers back in November, infected computers would have been immediately blocked from Internet access.

So the current problem isn’t that the FBI will be shutting down the Internet when the 120 days run out on March 8, it’s that many people and organizations haven’t removed the malware from their computers. In fact, as many as half of Fortune 500 companies and government agencies are delinquent in updating, according to some reports.

So how do you know if your computer or router is infected with DNSChanger?

The FBI says the best way to know is to have them checked out by a computer professional, which admittedly isn’t very helpful.

However, it does offer a resource paper PDF with guidance to make that determination yourself, although even if you find out your system is infected the FBI says you still need a pro to scrub your machine.

As another alternative, you can use the free Avira DNS Repair Tool to figure out if a computer is using one of the temporary DNS servers. Unfortunately, the tool only works on Windows and doesn’t actually remove the Trojan.

Indeed, removing the malware is a challenge, and many people will be cut off from Internet access on March 8, reports the security news site KrebsonSecurity. It also notes that the industry and law enforcement group DNSChanger Working Group (DCWG) has a site that can help people check whether their systems are infected.

To get help, network administrators can send a request to one of the members of the DCWG and home users can use the step-by-step instructions at the DCWG Web site to see if they’re infected with the DNSChanger malware.

If you determine your system is infected you can start from scratch and reinstall your operating system, or take the FBI’s advice and get help from a professional if you want to remain online after March 8.


Anonymous threatens to DDOS root Internet servers

Monday, February 20th, 2012

The threat from the hacktivist group is unlikely to be successful, said an expert

An upcoming campaign announced by the hacking group Anonymous directed against the Internet’s core address lookup system is unlikely to cause much damage, according to one security expert.

In a warning on Pastebin, Anonymous said last Thursday it would launch an action on March 31 as part of “Operation Global Blackout” that would target the root Domain Name System (DNS) servers.

Anonymous said the attack has been planned as a protest against “our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun”.

The DNS translates a Web site name, such as, into a numerical IP (Internet Protocol) address, which is used by computers to find the Web site.

The 13 authoritative root servers contain the master list of where other nameservers can look up an IP address for a domain name within a certain top-level domain such as “.com.”

The group said it had built a “Reflective DNS Amplification DDOS” (distributed denial-of-service) tool, which causes other DNS servers to overwhelm those root servers with lots of traffic, according to the Pastebin post.

But there are several factors working against the Anonymous campaigners, wrote Robert Graham, CEO of Errata Security.

“They might affect a few of the root DNS servers, but it’s unlikely they could take all of them down, at least for any period of time,” Graham wrote. “On the day of their planned Global Blackout, it’s doubtful many people would notice.”

Although there are 13 root servers, an attack on one would not affect the other 12, Graham wrote. Additionally, an attack would be less successful due to “anycasting,” which allows traffic for a root server to be redirected to another server containing a replica of the same data.

There are hundreds of other servers worldwide that hold the same data as the root servers, which increase the resiliency of DNS.

ISPs also tend to cache DNS data for a while, Graham wrote. ISPs may cache data for a day or two before needing to do a fresh lookup, a period that is set on the servers and known as the “time-to-live.” It means that even if a root server went down, it would not necessarily immediately affect an ISP’s customers.

Lastly, root DNS servers are closely watched. If trouble started, the malicious traffic to the root servers would likely be blocked, with disruptions lasting a few minutes, Graham wrote.

“Within minutes of something twitching, hundreds of Internet experts will converge to solve the problem,” he wrote.


Half of Fortune 500 firms infected with DNS Changer

Friday, February 3rd, 2012

Machines will be cut off from the Web next month, say experts

Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the “DNS Changer” malware that redirects users to fake websites and puts organizations at risk of information theft, a security company said today.

DNS Changer, which at its peak was installed on more than four million Windows PCs and Macs worldwide — a quarter of them in the U.S. alone — was the target of a major takedown organized by the U.S. Department of Justice last November.

The takedown and accompanying arrests of six Estonian men, dubbed “Operation Ghost Click,” was the culmination of a two-year investigation, although some security researchers have been tracking the botnet since 2006. As part of the operation, the FBI seized control of more than 100 command-and-control (C&C) servers hosted at U.S. data centers.

According to Tacoma, Wash.-based Internet Identity (IID), which provides security services to enterprises, half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbor one or more computers infected with DNS Changer.

IID used telemetry from its monitoring of client networks, as well as third-party data, to claim that at least 250 of the Fortune 500 companies and 27 out of 55 major government agencies had at least one computer or router infected with DNS Changer as of early this year.

The still-infected machines pose several problems, said experts.

“Initially, DNS Changer was worrisome because it could redirect you from a safe location to a dangerous one controlled by criminals,” said Rod Rasmussen, the chief technology officer of IID in an emailed statement. “However, the FBI temporarily fixed that. Now, the big worry is that machines that are still infected face a second vulnerability — they are left with little if any security.”

That’s because DNS Changer also blocks software updates — the patches vendors like Microsoft issue to fix flaws — and disables installed security software.

Others, however, have pointed out that computers still infected with DNS Changer have only weeks before they will be crippled.

As part of Operation Ghost Click, a federal judge approved a plan where clean DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software. Without that move, infected systems would have been immediately cut off from the Internet when the FBI seized the criminals’ domain servers.

But the ISC was authorized to maintain the alternate DNS servers only for 120 days, or until early next month.

“[The ISC] will shut down the [DNS] servers in March and anybody who is still using those servers will then lose access to the Internet,” said Wolfgang Kandek, chief technology officer of Qualys, in a Thursday post to that company’s security blog.

Qualys has added DNS Changer detection to its free BrowserCheck tool that runs on Windows PCs, while the umbrella organization DNS Changer Working Group — of which IID is a member — has created a website that steps users through the process of detecting infected PCs and Macs.


VeriSign, maintainer of net’s DNS, warns it was repeatedly hacked

Thursday, February 2nd, 2012

VeriSign, the company that manages a key internet database for routing traffic to websites and email addresses, exposed private information after being hacked on multiple occasions in 2010, the company quietly disclosed late last year.

While executives with the Reston, Virginia company said they don’t believe servers that maintain the DNS (domain name system) were breached, they couldn’t rule out the possibility. They also warned that they couldn’t guarantee steps taken to remediate the breach would succeed. What’s more, the attacks, which came to light in an article published by Reuters on Tuesday, didn’t come to the attention of managers in a timely manner.

“The occurrences of the attacks were not sufficiently reported to the Company’s management at the time they occurred for the purposes of assessing any disclosure requirements,” VeriSign said in a Securities and Exchange Commission filing in October. The tersely worded disclosure didn’t say how many incidents occurred, when they happened or what information was obtained by the attackers.

Ken Silva, VeriSign’s chief technology officer until November 2010, told reporter Joseph Menn he didn’t learn of the breaches until contacted by the Reuters journalist. Based on the vague language in the filing, Silva speculated that VeriSign executives “probably can’t draw an accurate assessment” of the damage.

Over the past few years, hackers have increased attacks on companies that help secure networks used by government agencies and corporations. Last March, RSA, whose two-factor SecurID tokens are used by 40 million employees to access sensitive networks, said a highly sophisticated hack exposed sensitive information that could compromise their effectiveness. A later attack on defense contractor Lockheed Martin was aided by the theft of the confidential data.

A raft of companies that issue SSL (secure sockets layer) certificates used to verify the authenticity of millions of websites have also been successfully targeted. Among them is DigiNotar, a Netherlands-based certificate authority whose digital imprimatur was used to mint counterfeit credentials used to spy on some 300,000 Google Mail users, most of whom were located in Iran.

Until September 2010, VeriSign ran its own certificate issuing business. A spokeswoman for Symantec, which purchased the operation from VeriSign, told Reuters “there is no indication that the 2010 corporate network security breach mentioned by VeriSign Inc was related to the acquired SSL product production systems.”


Seven accused in $14 million click-hijacking scam

Thursday, November 10th, 2011

The U.S. Department of Justice said today that it has uncovered a large, sophisticated Internet scam ring that netted $14 million by infecting millions of computers with malware designed to redirect their Web searches to sites that generated ad revenue.

Six people have been arrested in Estonia and a Russian is being sought on charges of wire fraud and computer intrusion, the FBI said. They are accused of infecting about 4 million computers in more than 100 countries, 500,000 in the U.S. alone, including NASA, with malware called DNSChanger. The malware altered the DNS server settings on the computers so that their name lookups went to rogue DNS servers run by the defendants, which could then answer with the addresses of whatever Web sites the operators chose.

In essence, the malware hijacked the computers when certain Web searches were done, redirecting them to sites that would pay them money when people visited or clicked on ads.

“When users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software,” an FBI statement said.

In addition, the malware would redirect infected computers searching for Netflix to a business called “BudgetMatch” and searches for the IRS to H&R Block, according to the FBI.

Defendants also allegedly replaced legitimate ads on sites with ads that triggered payments to them. For instance, they are accused of replacing an American Express ad on the Wall Street Journal home page with an ad for “Fashion Girl LA,” and an Internet Explorer 8 ad on with one for an e-mail marketing firm.

Computers became infected with DNSChanger when they visited certain Web sites or downloaded particular software to view videos online. In addition to altering the DNS server settings, the malware also prevented antivirus and operating systems from updating, according to officials.

The defendants allegedly created companies that masqueraded as legitimate advertising publisher networks. The operation began in 2007 and ended in October with the completion of the two-year FBI investigation called “Operation Ghost Click,” the FBI alleges.

The rogue DNS servers used in the operation have been replaced with legitimate servers in the hopes that infected computers will still be able to access the Internet. Owners of infected computers will need to clean the malware off their machines. People can see if their computer is infected by typing in their DNS information on this FBI Web page.
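The check the FBI page performs interactively can be done offline against a machine’s own resolver configuration. The following is an added example, not code from the FBI, the DNS Changer Working Group or the original article: it pulls the configured resolver addresses out of either a resolv.conf file or the output of `ipconfig /all` and tests each against the rogue resolver ranges the FBI published for Operation Ghost Click. The sample configuration text is constructed for the example, and the range list is an assumption that should be confirmed against the FBI’s own notice before anyone relies on it.

```python
import ipaddress
import os
import re

# Rogue resolver ranges used by the DNSChanger operation, as published by the
# FBI for Operation Ghost Click. Assumption for this example: confirm the list
# against the FBI's own notice before relying on it.
DNSCHANGER_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_resolvers(config_text):
    """Return the IPv4 resolver addresses named in a resolver configuration.

    Understands two formats: /etc/resolv.conf ('nameserver a.b.c.d' lines)
    and the 'DNS Servers' entry of Windows 'ipconfig /all' output, where
    additional servers follow on indented continuation lines.
    """
    resolvers = []
    in_dns_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("nameserver"):
            resolvers += IPV4.findall(line)
            in_dns_block = False
        elif line.startswith("DNS Servers"):
            resolvers += IPV4.findall(line)
            in_dns_block = True
        elif in_dns_block and IPV4.fullmatch(line):
            resolvers.append(line)
        else:
            in_dns_block = False
    return resolvers


def rogue_range(address):
    """Return the DNSChanger range containing `address`, or None."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    for net in DNSCHANGER_RANGES:
        if ip in net:
            return net
    return None


def infected(config_text):
    """Resolver addresses from `config_text` that fall in a rogue range."""
    return [r for r in extract_resolvers(config_text) if rogue_range(r) is not None]


# Constructed sample inputs for the example, not captured from a real machine.
SAMPLE_RESOLV_CONF = """\
# resolv.conf
search corp.example
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   DNS Servers . . . . . . . . . . . : 93.188.161.9
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def report(label, config_text):
    """One-line verdict for a configuration: the rogue resolvers, or 'clean'."""
    hits = infected(config_text)
    verdict = "ROGUE resolver(s): " + ", ".join(hits) if hits else "clean"
    return f"{label}: {verdict}"


if __name__ == "__main__":
    print(report("sample resolv.conf", SAMPLE_RESOLV_CONF))
    print(report("sample ipconfig", SAMPLE_IPCONFIG))
    # On a Unix-like host, also check the live configuration.
    if os.path.exists("/etc/resolv.conf"):
        with open("/etc/resolv.conf") as fh:
            print(report("/etc/resolv.conf", fh.read()))
```

A match means the machine (or whatever handed it its resolver settings by DHCP) still points at the seized ranges; an empty result only says the configured resolvers are outside those ranges, not that the malware itself is gone, which is why the article still tells owners of infected machines to clean them.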

The indictment filed in the U.S. District Court of New York was unsealed today.

Source:  CNET

ICANN approves plan to vastly expand top-level domains

Wednesday, June 22nd, 2011

Do you find the reliance on things like .com, .net, and .org too restrictive? Haven’t found a country code that floats your boat? ICANN, the organization responsible for managing the domain name system, has decided that it’s time for a more flexible system for managing the top-level domains that sit at the root of the hierarchy mapping human-readable names to IP addresses. The plan has been in the works since 2009, but it has experienced a series of delays. Now, though, the organization has finally approved a process for handling new generic top-level domains (gTLDs), and will begin accepting applications in January.

Prior to ICANN’s existence, gTLDs were pretty limited: .com .edu .gov .int .mil .net .org and .arpa, although a large collection of country codes also existed. In 2003 and 2004, however, the organization began allowing a cautious expansion, adding things like .name and .biz (along with some oddities like .aero and .cat). And, just this year, it approved the .xxx domain after a rather contentious consideration period.

ICANN apparently recognized that there’s a continued interest in expanding gTLDs, and set about creating a mechanism to handle requests as they come in, rather than considering them in batches on an ad-hoc basis. And at least according to the FAQ site that it has set up, the organization expects a busy response: “Soon entrepreneurs, businesses, governments and communities around the world will be able to apply to operate a Top-Level Domain of their own choosing.” (More details, including an Applicant Guidebook, are also available.)

Still, the FAQ also makes it clear that grabbing a gTLD won’t be an exercise in casual vanity. Simply getting your application processed will cost $185,000 and, should it be approved, you’ll end up being responsible for managing it. Do not take this lightly, ICANN warns, since “this involves a number of significant responsibilities, as the operator of a new gTLD is running a piece of visible Internet infrastructure.” Presumably, service providers will take care of this hassle, but that will simply add to the cost of succeeding.

ICANN suggests the changes will “unleash the global human imagination.” At best, the unleashing will be pretty limited, with a maximum of 1,000 new domains a year. Some of these will undoubtedly show signs of imagination through a clever use of character combinations in some URLs. Mostly, however, we expect that the new gTLDs will simply provide domain registrars with the opportunity to suggest you buy even more domains when you register a .com or .net.