Internet Security Systems - AlertCon(TM)

A New Year's Resolution - Find out how your corporate domain name is managed.

Posted by Tom Cross on December 18, 2009 at 5:02 PM EST.

As you've probably already heard, Twitter was defaced last night by a group calling itself the "Iranian Cyber Army." Although website defacements are usually performed by activists who have no official sponsorship, TechCrunch is reporting rumors that this group is actually part of the Government of Iran. Was this an act of Cyberwar? I have no idea, but I do think it ought to serve as a wake-up call for every organization out there with a domain name.

According to media reports the attack more or less worked as follows:

First, members of the "Iranian Cyber Army" obtained access to an email account associated with the person responsible for managing Twitter's domain names. Twitter pays Dyn, Inc to host the DNS records for their domains. The attackers used the automated password recovery feature on Dyn's website to reset the password on Twitter's account. Once the attackers got into Dyn's web interface, it was trivial for them to point Twitter's domain names at the IP addresses of their own website, where they hosted their defacement message.

This is not the first time that DNS management websites on the Internet have fallen prey to attackers. Last December the DNS for payment processor CheckFree.com was redirected to a malicious website in the Ukraine. In that case the attackers logged into CheckFree's account at Network Solutions using the correct username and password, which were likely obtained through a phishing attack. 

The vast majority of domain names are registered by individuals or small organizations who run websites that don't get much traffic. DNS registrars and DNS hosting companies are set up to serve this market by providing extremely inexpensive registrations with easy-to-use management interfaces protected by simple usernames and passwords. The number of organizations out there with valuable domain names that serve large audiences or are connected with important business processes represents a tiny market by comparison. All too often, these important domain names end up getting managed through the exact same infrastructures and processes that are designed to handle people's personal vanity domains, when in fact they have dramatically different (and more expensive) needs, particularly from a security standpoint.

So, I have a New Year's resolution for CIOs and CSOs: When everyone gets back to the office in January, sit down and find out how your domain names are managed.

Where are your domain names registered? How much are you paying for it? (Is your brand really worth just $9.95 a year?)

Who has access to change your DNS registration? Are those people trusted?

How do you authenticate to make changes to your DNS registration? Is that authentication system adequate? (Are you using passwords or certificates?)

What is the access recovery process for your DNS registration in the event that you lose your access credential? Is that recovery process secure?

Have you locked out registrar transfers for your domain?

Is your DNS Whois contact information up to date?

Are you carefully monitoring the email addresses associated with the Whois contact information for your domain? (If not, you might lose your domain if someone complains about the accuracy of your Whois contact information or claims (even fraudulently) that you are infringing upon their trademarks.)

How are you hosting your DNS records?

If you are hosting your DNS with a third party, you need to ask all the access control questions that you asked about your DNS registrar - Who has access, how do they have access, and what is the recovery process...

If you are hosting your own DNS, how are you managing the security of your DNS servers?

What DNS records are you publishing? What process exists within your organization to create a new DNS record within your domain and how do old DNS records get expired? Are those processes connected with other business controls that need to be invoked whenever your organization publishes information on the Internet?
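As an added example (not part of the original post), here is a small Python audit that runs the registrar-side questions above (transfer and update locks, registration expiry, and whether Whois contact addresses sit on domains you control) against a WHOIS record. The WHOIS text and domain names are constructed, and the 90-day expiry threshold is an assumption.

```python
"""Audit a domain's WHOIS record against the registrar checklist."""
from __future__ import annotations
from datetime import datetime
import re

# Constructed sample WHOIS output for a hypothetical domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Hypothetical Registrar Inc.
Registry Expiry Date: 2010-02-01T00:00:00Z
Domain Status: ok
Registrant Email: webmaster@example-corp.test
Admin Email: former-employee@gmail.example
Name Server: NS1.HOSTED-DNS.EXAMPLE
Name Server: NS2.HOSTED-DNS.EXAMPLE
"""

# EPP status codes that block unauthorized transfers and record changes.
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}
UPDATE_LOCKS = {"clientUpdateProhibited", "serverUpdateProhibited"}
EXPIRY_WARNING_DAYS = 90  # assumed threshold for "renew soon"


def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect 'Key: value' lines into lists (keys such as Name Server repeat)."""
    fields: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip(), []).append(m.group(2))
    return fields


def audit_registration(text: str, corporate_domains: set[str], now_iso: str) -> list[str]:
    """Return findings for the record; an empty list means every check passed."""
    f = parse_whois(text)
    now = datetime.fromisoformat(now_iso)
    findings: list[str] = []
    # Real registrars append an ICANN URL after the code, so keep only the first token.
    statuses = {v.split()[0] for v in f.get("Domain Status", [])}
    if not statuses & TRANSFER_LOCKS:
        findings.append("registrar transfer lock not set")
    if not statuses & UPDATE_LOCKS:
        findings.append("registrar update lock not set")
    for value in f.get("Registry Expiry Date", []):
        exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if (exp - now).days < EXPIRY_WARNING_DAYS:
            findings.append(f"registration expires within {EXPIRY_WARNING_DAYS} days ({exp.date()})")
    for key in ("Registrant Email", "Admin Email", "Tech Email"):
        for addr in f.get(key, []):
            if addr.rsplit("@", 1)[-1].lower() not in corporate_domains:
                findings.append(f"{key} {addr} is outside corporate control")
    return findings
```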

Hopefully, your organization has looked at these questions carefully and has mature processes, but the fact is that these issues are frequently overlooked, and represent a significant and widespread vulnerability on the Internet today.
