July 8th, 2008
ICANN says registrar was hacked
Two weeks after ICANN’s own domains were hijacked by Turkish hackers, the International Corporation for Assigned Names and Numbers says it was its registrar — not ICANN’s servers themselves — that were attacked.
On June 26, a number of ICANN sites popped up with this message:
You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us?”
On July 3, ICANN offered this explanation:
As has been widely reported, a number of domain names, including icann.com and iana.com were recently redirected to different DNS servers, allowing a group to provide visitors to those domains with their own website.
The domains in question are used only as mirrors for ICANN and IANA’s main websites. The organizations’ actual websites at icann.org and iana.org were unaffected.
The DNS redirect was a result of an attack on ICANN’s registrar’s systems. A full, confidential, security report from that registrar has since been provided to ICANN with respect to this attack.
It would appear the attack was sophisticated, combining both social and technological techniques, but was also limited and focused. The redirect was noticed and corrected within 20 minutes; however it may have taken anywhere up to 48 hours for the redirect to be entirely removed from the Internet.
ICANN is confident that the lessons learned and new security measures since introduced will ensure there is not a repeat of this situation in future. ICANN’s Security and Stability Advisory Committee (SSAC) is considering the issue of access to domain names through registrars as a priority research topic. The results of that work will be made available through the usual channels.
In a separate and unrelated incident a few days later, attackers used a very recent exploit in popular blogging software Wordpress to target the ICANN blog. The attack was noticed immediately and the blog taken offline while an analysis was run. That analysis pointed to an automated attack. The blogging software has since been patched and no wider impact (except the disappearance of the blog while the analysis was carried out) was noted.
In response to the attacks, ICANN has started an internal review of its existing security procedures to see if there are any lessons that can be learnt and to make any improvements necessary. Full reports on both incidents have been provided to law enforcement agencies.
