SEO Exploit via DNS “piggybacking” found in the wild

A recent report out from the ISC (the ‘Internet Storm Center’, a program of the SANS Technology Institute) warns domain owners to check their DNS records.

We offer a DNS Records tool on frag.co.uk/tools/ that may be some help to our customers.

The report details around 50 organizations that have had new machine names added to their DNS zone information. These were then pointed to sites used to boost the search engine positions of pharmaceuticals, personals, and adult web sites.

A good explanation, and some other sites that are affected can be found on the ISC Diary – What’s In a Name blog post.

For example, the Federal Commission of Taxation in Argentina at www.cfi.gov.ar have a subdomain they presumably were unaware of, at “buy-viagra.cfi.gov.ar”, thankfully now suspended.

We run our own internal DNS servers here at frag.co.uk, and can proudly announce that all our domain owners are unaffected, secured and safe from this attack. Please feel free to contact us for more details.

Do you outsource your DNS? Would you ever catch something like this?

We may be able to help. One of our totally free tools on frag.co.uk/tools/ offers a “DNS Records” tab that allows you to keep an eye on your DNS records. Do let us know how you get on.

DigiNotar CA hack, and serious weaknesses in security

DigiNotar, the Dutch certificate authority was recently the center of a significant hacking case. On the 19th July, the CA discovered that at least 531 rogue certificates has been issued. However, it was only in August that the attacked became public knowledge.

Security firm, Fox-IT were hired to investigate the breach, and the compromise has incurred financial losses that have caused the DigiNotar to declare bankruptcy.

So what happened? Fox-IT reported to net-security.org:

“The most critical servers contain malicious software that can normally be detected by anti-virus software,” it says. “The separation of critical components was not functioning or was not in place. We have strong indications that the CA-servers, although physically very securely placed in a tempest proof environment, were accessible over the network from the management LAN.”

All CA servers were members of one Windows domain and all accessible with one user/password combination. Moreover, the used password was simple and susceptible to brute-force attacks.

The software installed on public-facing web servers was outdated and unpatched, and no antivirus solution was installed on them. There was no secure central network logging in place, and even though the IPS was operational, it is unknown why it didn’t block at least some of the attacks.

The DigiNotar-controlled intermediates have been blacklisted in Mozilla Firefox and Google Chrome, and also by other browser manufacturers. The Dutch government announced on September 3, 2011, that they will switch to a different firm as certificate authority.

Some of the certificates signed by Diginotar include *.google.com, and even attempted signing certificates for double-wildcarded certificates for *.*.com and *.*.org. There seems to be some confusion whether these “double wildcard” certificates are valid but if they are then no DigiNotar-protected .com or .org sites could be trusted.

In the last week, The Register has reported researchers have discovered a serious weakness in virtually all websites protected by the secure sockets layer protocol that allows attackers to silently decrypt data that’s passing between a webserver and an end-user browser.

If true, the underlying vulnerability  is present in virtually all applications that use TLS 1.0, making it possible to apply the technique to instant messenger and Virtual Private Networking programs.

Although TLS 1.1 has been available since 2006 and isn’t susceptible, virtually all SSL connections rely on the vulnerable TLS 1.0, as The Register reports;
“While both Mozilla and the volunteers maintaining OpenSSL have yet to implement TLS 1.2 at all, Microsoft has performed only slightly better. Secure TLS versions are available in its Internet Explorer browser and IIS webserver, but not by default. Opera remains the only browser that deploys TLS 1.2 by default.”

As also reported by The Register; this handy image explains all;

Support for TLS 1.1 and 1.2 is virtually non-existent, Qualys Director of Engineering Ivan Ristic says via The Register

Support for TLS 1.1 and 1.2 is virtually non-existent, Qualys Director of Engineering Ivan Ristic says via The Register

As reported; “What prevents people is that there are too many websites and browsers out there that support only SSL 3.0 and TLS 1.0. If somebody switches his websites completely over to 1.1 or 1.2, he loses a significant part of his customers and vice versa.”

eMail: web@frag.co.uk
Phone: 07739 315821

Meta


frag.co.uk
on Google+