Watch this episode on YouTube.
Reasonably Accurate Transcript
Morning everybody. How are you doing today? On this episode of the show, we're gonna talk about the domain name system, or DNS, and some of the challenges it presents from a security perspective. Now, Brian Krebs, the intrepid cybersecurity reporter, has a fantastic post up. You're seeing it on screen here now in the vlog and of course I'll link to it in the description down below.
Sort of summarizing some of the recent challenges around DNS security. Now, this summarizes a report from Cisco Research, from CrowdStrike's research arm and from FireEye as well. All three of them have been looking at DNS hijacking attacks over the last little while, and this was in fact what the Department of Homeland Security in the US issued an alert about about a month ago. And essentially, domain name service, or the domain name system.
The DNS system is what lines up, you know, markn.ca with the IP address or IP addresses that host that content. So that works for any domain name lookup. So we use it in email, we use it in web, we use it in every internet transaction. There's a DNS component.
So it's absolutely critical. Now, there's a couple of sides to this. As an organization you want to secure DNS traffic for your users looking out. So when they're looking up things like, hey, where does Google live? That's a DNS request. And there's a whole set of security procedures and protocols you want to do to make sure that that request is secure.
But what we're talking about today, and what Brian was diving into in his article, is the opposite side: as a company or as somebody hosting content, how do you make sure that that's secure? Now, these hijacking attempts are essentially the attackers, the cyber criminals, trying to take over these domains.
So they're using various techniques so that they, in my case, would steal markn.ca and instead of pointing to my email and to my website, they would point it to their resources. Now, you can start to think about the possibilities here. This is an extremely powerful attack, because if you take over that domain name now, for all intents and purposes, you are that organization on the web, and really clever attacks would keep the website going to where it needs to be
but intercept the email in a way that's really hard to detect. Now, the spate of these attacks that are going on have highlighted some of the weaknesses in the domain name system. Now, when you get a domain, you register it. Now, you don't go to the top level domain.
So a top level domain is the .ca or .com or .edu or .dev or any number of the new TLDs. Now, normally they have a registrar. That's somebody who keeps track of who's what name. So what name is assigned to what person or what organization.
Now, you don't deal with those, you deal with bottom-end registrars. You don't deal with the TLD registry, you deal with a company that does multiple. So like a GoDaddy, iwantmyname or Rebel.com, that kind of thing. They would be able to register on your behalf.
So you say I want markn.ca and they register that with CIRA, who is the entity that owns .ca, and there's an entity that owns every top level domain here. So that's sort of that structure. Now, the problem is that registrar level security can be socially engineered.
We've seen that in the past where people are convincing the registrar to move the request somewhere else. Now, these attacks that Krebs had detailed were actually using the way that registrars talk to each other. So that back end chain, they were abusing that to take over various domains.
And one of the scariest parts of this story is that they got to one of the top 13 domain infrastructure systems. So in this case, it was Netnod in the EU, and they hold one of the 13 master DNS servers around the world. And that's pretty scary, because they're really serious about operational security.
Yet these attackers were able to kind of worm their way through using authenticated credentials at different levels to get up to the top, to phish these employees. Now there are various techniques like DNSSEC, which is an encryption scheme through DNS to ensure proper transitions, proper root zone transfers, all these kinds of things.
But none of this was perfect. And really the idea today is I wanted to highlight this as a major issue for organizations and for individuals. If you're running a web property, and most of us are, you want to make sure that you've leveraged every single possible security control that your registrar offers.
So, you know, a unique individual passphrase for that registrar, two factor authentication. You can also use something called domain locking, where you're requesting at the registrar that for any major domain name changes, you want them to take additional steps to verify. You can also put in things like privacy controls to help obscure your identity, which is great from a privacy perspective, but from a security perspective that also makes it harder to socially engineer, because they're not exactly sure who is the owner of that registry entry.
So that markn.ca might not relate back to Mark, it relates to a proxy entity, and that makes it a little bit harder to socially engineer. But you need to go through and take these steps to lock that account down, because at the end of the day that's your identity online, and that's absolutely critical to protect, because if somebody takes that over, they are you, and they could do untold amounts of damage in a very short amount of time.
Now, part of the attack that Krebs highlighted was that these people were phishing these domains. So they were taking over a number of government domains, intercepting their email for an hour at a time and harvesting a ton of credentials that way, and then using that access to move laterally through those organizations.
So this is a very, very serious attack, and it's in an area that most people overlook. So hopefully now, knowing this, you're going to go, you know, leave a like or comment down below, but then go and secure your registrar. In fact, you know what? Don't even leave the feedback, just go secure your registrar stuff first, then come back and maybe share your experience. That'd be far more positive.
Let me know when you've done that, let me know what you think of this issue. Hit me up online at @marknca, in the comments down below, and as always by email at markn.ca. I hope you are set up for a fantastic day.
We'll see you on the next episode of the show.
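An added example, not from the episode or from Mark's own tooling: a small defender-side check for the two controls the episode recommends, registrar domain locks and unchanged DNS records. It assumes the registrar status comes from an RDAP domain lookup (the JSON format registries publish, with status values such as "client transfer prohibited"), and the DNS answers are passed in already resolved so it runs offline; the domain and record names are constructed placeholders.

```python
"""Domain hijack hygiene check: registrar locks present, NS/MX records unchanged.
Added example with constructed data; RDAP status strings follow the registry
JSON format, everything else is a placeholder."""
from typing import Dict, List, Set

# Status values that block transfer/update/delete at the registrar ("client")
# or registry ("server") level. This is what "domain locking" looks like in an
# RDAP record; a missing one means a social-engineered change could go through.
LOCK_STATUSES = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
    "server transfer prohibited",
    "server update prohibited",
}


def missing_locks(rdap: Dict) -> List[str]:
    """Return the lock statuses absent from an RDAP domain object, sorted."""
    present = {s.lower() for s in rdap.get("status", [])}
    return sorted(LOCK_STATUSES - present)


def hijack_indicators(expected: Dict[str, Set[str]],
                      observed: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Compare the NS/MX records you expect against what a resolver returned.
    A quiet hijack that keeps the website but redirects mail shows up here as
    an MX-only difference, which is the hard-to-notice case the episode describes."""
    findings = {}
    for rrtype, want in expected.items():
        got = observed.get(rrtype, set())
        if got != want:
            findings[rrtype] = {"unexpected": sorted(got - want),
                                "missing": sorted(want - got)}
    return findings


# Constructed sample data (placeholder names, not real records).
SAMPLE_RDAP = {"ldhName": "example.test",
               "status": ["active", "client transfer prohibited"]}
EXPECTED = {"NS": {"ns1.example-dns.test", "ns2.example-dns.test"},
            "MX": {"mail.example.test"}}
OBSERVED = {"NS": {"ns1.example-dns.test", "ns2.example-dns.test"},
            "MX": {"mail.unexpected-placeholder.test"}}

if __name__ == "__main__":
    print("registrar locks missing:", missing_locks(SAMPLE_RDAP))
    print("record drift:", hijack_indicators(EXPECTED, OBSERVED))
```

In practice you would feed `hijack_indicators` fresh answers from a resolver on a schedule and alert on any non-empty result, since a change you did not make is the first visible sign of a registrar-level takeover.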