DNS hijacking: Government needs to step in
By Gabey Goh July 5, 2013
- Government mandate needed in order to accelerate industry adoption of better DNS security measures
- Increasing interest in DNS security solutions from corporate entities
THINGS are back to normal after the Domain Name System (DNS) hijacking of ‘.com.my’ domains in the early hours of Monday (July 1) by what appeared to be hackers protesting the mistreatment of Bangladeshi workers in Malaysia.
Initial reports (including DNA’s own) described the attack as DNS poisoning because only Google DNS appeared to be affected, but it was later revealed by Vijandren Ramadass, founder of Lowyat.NET, that the issue was not isolated to Google DNS.
In a statement released on Tuesday (July 2), the registrar for the ‘.my’ top-level domain, MYNIC Bhd, admitted its servers had been compromised, which led to search queries for certain websites being redirected to temporary sites deliberately set up to give the false impression that the websites concerned had been hacked.
As pointed out by DNA reader kar2on: “The difference is that a poison affects just one DNS resolving service, but a hijack affects all DNS resolution services, simply because MyNIC was compromised.”
Kaspersky Lab also issued a statement informing customers that the incident had no impact on its Malaysian-based web resources.
“The attack appears to have resulted in an unauthorised update of DNS data for many – if not all – of the domain names registered by MYNIC. The altered DNS records were then propagated to the DNS servers of various Internet service providers, including Google,” the statement said.
MarkMonitor (Kaspersky Lab’s domain registrar) detected the problem, contacted MYNIC’s specialists and helped Kaspersky Lab roll back all changes. The name servers for the affected .my domains, including kaspersky.my, have been restored to their original settings.
The security firm’s web security experts immediately conducted a thorough investigation of Kaspersky.my following the attack and concluded that: no servers or resources were breached; the attack did not result in any unauthorised access to resources on the Kaspersky.my website; and no sensitive data or websites belonging to Kaspersky Lab were compromised during the incident, the firm said.
Industry regulator the Malaysian Communications and Multimedia Commission (MCMC) and the police have also set up a team to investigate the incident, which is similar to an attack that was carried out by the same group on Kenya’s domain registrar in April.
Responding to emailed queries from Digital News Asia (DNA), Mohd Noor Amin, chairman of the International Telecommunication Union's International Multilateral Partnership Against Cyber Threat (ITU-IMPACT), said that the agency does not monitor any country’s networks as that falls under the purview of the national cybersecurity agency of individual countries.
He added that the Malaysian Government, together with its agencies the MCMC and CyberSecurity Malaysia (CSM), would take the lead on this matter and may request assistance from ITU-IMPACT.
“Should they make a request to ITU-IMPACT, we can assist through our agreement with Interpol and our collaboration with the United Nations Office on Drugs and Crimes to assist in the investigation of this attack,” he said.
Noor Amin noted that as the cybersecurity-executing arm of the ITU, the agency is currently providing services to the governments of 145 countries. However, should a private organisation require assistance, it can make the request via its respective government and ITU-IMPACT can then render assistance.
“We also see that one of the key areas today under attack is the Critical National Information Infrastructure (CNII). In many countries, these critical sectors could be private or public-private partnerships. As such, ITU-IMPACT will extend our services to these critical sectors to ensure that our member countries are able to prevent, defend against and mitigate these attacks,” he added.