
July 2011

Phishing for domain name accounts

In a traditional phishing campaign, phishers send email to users in an attempt to steal account or identity information. Many phishing campaigns target likely online bank or e-merchant customers. A less widely known kind of campaign targets individuals and companies who have registered domain names.

This sort of phishing is like diving for seawater pearls. In this analogy, the oyster is a domain name registration account, and the oyster meat is the registration record. The real prize, the pearl, is the name server configuration for a domain name.

In Part I of my Enterprise Efficiency article, Phishers Are Casting Nets for Your Domain Names, I explain how phishers run these phish campaigns, what they are after, why gaining control over name servers of registered domain names is so important to phishers, and what the consequences are for victims of these attacks.

In Part II, I explain measures that organizations can take to protect themselves against these attacks: how to use registrar correspondence to your advantage, how proactive monitoring of your domain’s Whois and DNS information can serve as an early warning system of account compromise, and what information you'll need should you become a victim.

So this isn't simply a wordy referral, I'll share some history. Rod Rasmussen of Internet Identity first shared a spample (a sample message) from a registrar phishing campaign with me in late 2007. I worked with Rod and members of the APWG Internet Policy Committee to gather information regarding the attacks. We took that information to ICANN's Security and Stability Advisory Committee (SSAC).



SSAC Exposes Danger of Registrar Phishing

Because these email campaigns impersonate domain name registrars, SSAC published an advisory on them in May 2008. Since then, we've seen similar phishing campaigns, and SSAC has published other reports that recommend measures to protect domain registration accounts against compromise. Some of these measures are recommended for registrars and some for registrants. My two-part series discusses these.

Domain names are critically important to any business or organization with an online presence. And if your name servers are not resolving your domain names to *your* IP addresses, you're in a heap of trouble. Don't dismiss domain names and name servers as plumbing. Protect your investment. Read the articles.
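Part II of the series mentions proactive monitoring of your domain's DNS information as an early warning of account compromise. The following is an added example of that check, not code from the original post or from the Enterprise Efficiency articles: it parses the output of `dig +short NS <domain>`, normalizes the names, and compares them with a baseline recorded when the registration was last verified. A name server that appears in the live answer but not in the baseline is exactly the symptom of a hijacked registration account. The domain, the name server names and the sample dig output are constructed for illustration; the `live_ns` helper that shells out to `dig` is an assumption about the monitoring host having `dig` installed and is not used in the offline demo.

```python
"""Baseline-vs-observed NS record drift check (added example, not from the original post).

The domain names, name servers and sample dig output below are constructed
for illustration only.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class NsDrift:
    domain: str
    expected: frozenset
    observed: frozenset

    @property
    def added(self) -> frozenset:
        """Name servers present live but absent from the baseline (the hijack signal)."""
        return self.observed - self.expected

    @property
    def removed(self) -> frozenset:
        return self.expected - self.observed

    @property
    def changed(self) -> bool:
        return self.expected != self.observed

    @property
    def status(self) -> str:
        # An empty live answer is a query failure (or a deleted delegation), which
        # must not be silently reported as "every name server removed".
        if not self.observed:
            return "no-answer"
        return "drift" if self.changed else "ok"


def normalize_ns(records: Iterable[str]) -> frozenset:
    """Lowercase, strip surrounding whitespace and the trailing dot, drop blank lines.

    DNS names are case-insensitive and dig prints them fully qualified, so the
    baseline and the live answer must be canonicalized before comparison.
    """
    return frozenset(
        r.strip().lower().rstrip(".")
        for r in records
        if r.strip()
    )


def parse_dig_short(output: str) -> frozenset:
    """`dig +short NS example.com` prints one name server per line."""
    return normalize_ns(output.splitlines())


def check_drift(domain: str, baseline: Iterable[str], observed: Iterable[str]) -> NsDrift:
    return NsDrift(domain, normalize_ns(baseline), normalize_ns(observed))


def live_ns(domain: str) -> frozenset:
    """Network path: ask the resolver for the current NS set (assumes `dig` is installed)."""
    result = subprocess.run(
        ["dig", "+short", "NS", domain], capture_output=True, text=True, check=True
    )
    return parse_dig_short(result.stdout)


# Constructed baseline, as it would be stored after the last verified registration check.
BASELINE = {"example.com": ["ns1.example.net.", "ns2.example.net."]}

# Constructed dig output in which one legitimate name server has been replaced
# by a host the registrant does not control.
SAMPLE_DIG_OUTPUT = "NS2.EXAMPLE.NET.\nns1.attacker-hosting.example.\n"


def demo() -> NsDrift:
    """Offline run of the check against the constructed sample output."""
    return check_drift("example.com", BASELINE["example.com"], parse_dig_short(SAMPLE_DIG_OUTPUT))


if __name__ == "__main__":
    drift = demo()
    if drift.status == "drift":
        print(f"ALERT {drift.domain}: NS added {sorted(drift.added)}, removed {sorted(drift.removed)}")
    elif drift.status == "no-answer":
        print(f"WARN {drift.domain}: no NS answer; check the query before assuming a change")
    else:
        print(f"ok {drift.domain}")
```

Run it from cron against each domain you own, replacing the constructed sample with `live_ns(domain)`, and treat any name server in `added` as an incident until your registrar confirms who made the change. Querying the parent zone's servers directly (the TLD's name servers, which hold the delegation the registrar publishes) rather than a recursive resolver avoids cached answers masking a recent change.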

My $.02 on the spike in hacking

Freakonomics recently held a security forum and asked Why Has There Been So Much Hacking Lately? Or Is It Just Reported More?

Bruce Schneier, a panel member, and Mike Rothman, a sad panda who deserved to be invited but wasn't, don't see the hacking "spike" as a spike at all. Both agree that it's simply being reported more. And both agree that neither the attacks nor the attackers are more sophisticated, but that they are being given more exposure and more opportunities for notoriety through social and traditional media.

Mainstreaming of Hacking

Mike calls this a time of "mainstreaming of hacking" in his blog article. I agree. Attacks today are like a cable network's steady stream of Law & Order reruns: a single (perhaps not even clever) exploit of a badly written piece of commonly deployed software is re-used over and over again by a range of actors: bad, misguided or criminal. In the majority of incidents, there is little sophistication or skill involved.

Reporters who don't take the time to understand what they are reporting, beyond the need to make things newsworthy in Internet time, are prone to making every incident or breach a headline event. Mike makes the sobering observation that reporting is too frequently fueled by Tweets and social media rather than by fact checking, research and reliable informants. Outside the Brian Krebs class of "crossover reporters", I can't argue with Mike on this point.



"Things were always this bad"

Bruce Schneier says, "It’s not that things are getting worse; it’s that things were always this bad." I think it's important to take this claim in the context of the points Bruce was trying to make, that this generation of hackers "graphically illustrate what we’ve been saying for years: organizations need to beef up their security against a wide variety of threats."

In another context, accessibility, things are arguably getting worse. Attack tools are readily available. They come with GUIs, manuals or help files, and hacker discussion forums may be better information sources for n00bs than the customer help desks of commercial application developers. The bar of entry for hacking is at an all-time low, as is evidenced by the steady stream of neanderthals that law enforcement agents are apprehending month after month. (The arrests get fewer Tweets, brief praise and fewer "above the fold" opportunities. They are apparently newsworthy to a smaller audience.)

Hackers Have New Motivations

The motivations have also expanded beyond notoriety to include greed, espionage (commercial and political) and political activism. Perhaps attacks for these purposes occurred more commonly in the past than is generally known. But as many of the incidents demonstrate, the lines among the motivations are blurred, or at least what is reported is. Some call certain acts hacktivism; others call them criminal acts or attention mongering of the most juvenile form. Irrespective of the motive, and as Henry Harrison, another Freakonomics panelist, points out, "the online environment presents very little in the way of disincentive for this sort of activity".

We've come full circle. We are simply not doing a good enough job of security. Through our complacency and denial, we are stimulating rather than disincenting miscreancy and crime. Whether there are more incidents or breaches is rather unimportant.