[AfrICANN-discuss] Fw: Re: Fw: AfrICANN Digest, Vol 27, Issue 17
Douglas Onyango
ondouglas at yahoo.com
Tue May 19 00:20:53 SAST 2009
Hi all,

As promised, below is my communication with the ccTLD management.

Regards,
Douglas Onyango +256(0712)981329
If you are not part of the solution, you are part of the problem.
--- On Mon, 5/18/09, Charles Musisi <cmusisi at cfi.co.ug> wrote:
From: Charles Musisi <cmusisi at cfi.co.ug>
Subject: Re: Fw: AfrICANN Digest, Vol 27, Issue 17
To: "Douglas Onyango" <ondouglas at yahoo.com>
Cc: "Noah Sematimba" <noah.sematimba at waridtel.co.ug>
Date: Monday, May 18, 2009, 2:53 PM
Hi Douglas --

There was this release sent out last week (13th) mostly to the concerned individuals, and also posted on the registry website.

The incident itself lasted not more than a few hours, and was repeated the next day. The cause was via intercept of login name & passwd info of a registrar account holder who has most of these popular domain names, and I can count a few others unrelated to this one registrar. All the others had in them popular or common names.

The actual date of the exploit was Monday 11th in the early hours of the morning, and was arrested in the early afternoon of that day. There was a reoccurrence in the early morning of Tuesday which was fought off within minutes. At that point we shut off all "modify" requests to DNS data and had all registrars comply with a secure way to submit modify requests.

From what we can tell, most global DNS hadn't even picked up the bad DNS data from the .ug root servers & secondary, but there were some well configured name servers who picked up this bad data. For instance, my own home ISP AFOL's DNS didn't even get to update itself with this poisonous DNS data, although that was itself a flaw in their DNS setup.

The immediate measure was to shut off any "modify" requests from the registry interface for about 24 hours as we got a good grasp of the extent of the attack.

The measures in place right now include the following.

o- No modifications for registrars (those who hold several domain names in the same account under the same login & passwd) are accepted apart from those from non pre-registered public IPs.
o- A delay of just about one hour for modify requests.

We are also implementing a fresh security certificate.

The other measure we implemented internally was to restrict who could make modify requests from within. Up until that point we had a little more than the necessary number of our own staff with access to a common admin interface where one can submit modify requests. We even had a flaw in that some past staff still had passwd info to modify DNS data for certain domain names.

We have also had a relaxed way in attending to requests for recovery of domain passwds by sending back answers via plain e-mail, and sending also copies of the reply to a common list!

We are implementing a new measure to require that passwds are sent encrypted, which will obviously raise the bar for many. We'll take it slowly but ensure that passwds are not spread around.

Here is the release we sent out.

Best regards
-- RELEASE sent out on the 13th --

Hello everyone --

This is a general notification to all registrants of .ug domain names.

We have for the past few days been dealing with an apparent security hole on the registry page -- http://registry.co.ug. We have identified an exploit that allows unauthorized access to the administrative section of the registry website, and indeed someone has attempted to exploit this hole. There has been no access to the actual zone file, and the only real disruption has been to a few popular domain names whose DNS was changed for a few hours.

Our team is fully on top of it and has plugged the exploit with a temporary workaround, and also reversed all the unauthorized changes to DNS that we know of.

Our contingency plan has required that we temporarily put down the "Modify Domain name" function on the registry page. So, for anyone with urgent modifications to make, please send these directly to registrar at cfi.co.ug and we will handle that from here.

The "Modify Domain Name" as well as similar functions shall be unavailable for a few days as we work on a long-lasting solution to this exploit. If you have urgent changes just send them to registrar at cfi.co.ug and we will promptly handle them in the quickest way possible.

We sincerely apologize for the inconvenience.

Regards
.ug Team
At 01:43 PM 5/18/2009, Douglas Onyango wrote:

Are you gents on this list? I think it's imperative that you make an official statement on this.

I believe a communique admitting the attack, confirmation of service restoration and the safeguards you have in place to thwart any such attacks in the future will work...

Douglas Onyango +256(0712)981329
If you are not part of the solution, you are part of the problem.
--- On Mon, 5/18/09, africann-request at afrinic.net <africann-request at afrinic.net> wrote:

From: africann-request at afrinic.net <africann-request at afrinic.net>
Subject: AfrICANN Digest, Vol 27, Issue 17
To: africann at afrinic.net
Date: Monday, May 18, 2009, 1:00 PM
Today's Topics:

1. Re: Google blames DNS insecurity for Web site defacements (Calvin Browne)
2. Re: Google blames DNS insecurity for Web site defacements (SM)
3. Re: Google blames DNS insecurity for Web site defacements (Dr Paulos Nyirenda)
4. Re: Google blames DNS insecurity for Web site defacements (Rebecca Wanjiku)
5. Re: Google blames DNS insecurity for Web site defacements (Dr Paulos Nyirenda)
6. Re: [afnog] [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements (SM)
7. Re: Google blames DNS insecurity for Web site defacements (Calvin Browne)
8. Re: [afnog] [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements (Dr Yassin Mshana)
----------------------------------------------------------------------
Message: 1
Date: Sun, 17 May 2009 11:42:19 +0200
From: Calvin Browne <calvin at orange-tree.alt.za>
Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements
To: africann at afrinic.net
Message-ID: <1242553339.4867.1.camel at calvin-viao2>
Content-Type: text/plain
On Sat, 2009-05-16 at 10:03 -0700, SM wrote:
> At 04:36 16-05-2009, Dr Yassin Mshana wrote:
> >Now we can see how end-to-end security measures by as proposed
> >for/by DNSSEC could be handy.
>
> The news article doesn't contain any technical information to
> determine whether DNSSEC would have prevented the issue.
<SNIP>
> The better question is to ask for a technical analysis of what
> happened and what steps have been taken to prevent a recurrence.
>
> Regards,
> -sm

I agree with this - the release is just way too short on details to understand what went wrong here.

More details are needed.

--Calvin
------------------------------
Message: 2
Date: Sun, 17 May 2009 13:58:06 -0700
From: SM <sm at resistor.net>
Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements
To: africann at afrinic.net
Message-ID: <6.2.5.6.2.20090517123645.03229590 at resistor.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

At 02:42 17-05-2009, Calvin Browne wrote:
>I agree with this - the release is just way too short on details to
>understand what went wrong here.
>More details are needed.

There are reports that the following web sites were affected:

www.google.co.ma
www.aol.ug
www.bmw.co.ug
www.cisco.co.ug
www.cnn.co.ug
www.defenceuganda.mil.ug
www.google.ug
www.hotmail.ug
www.hotmail.co.ug
www.microsoft.ug
www.orange.ug
www.toshiba.co.ug

The nameservers for google.co.ma were changed on 9th May. The domain resolved to a different IP address. That brought visitors to a web site which wasn't hosted by Google. The .ug problem occurred between 11 May and 13 May. This is not a case of DNS cache poisoning. DNSSEC does not offer any protection against SQL injection attacks.

Regards,
-sm
------------------------------
Message: 3
Date: Mon, 18 May 2009 10:19:24 +0200
From: "Dr Paulos Nyirenda" <paulos at sdnp.org.mw>
Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements
To: africann at afrinic.net, afnog at afnog.org
Message-ID: <4A11362C.14108.491D29 at paulos.sdnp.org.mw>
Content-Type: text/plain; charset=US-ASCII

Greetings from Malawi.

We also saw attempts to alter DNS records on the .mw ccTLD on 13 May 2009 around midnight Malawi time. Attempts were made to alter DNS records at the registry for 23 domains linked to major brands including those listed by SM here. The attack attempt was on the SQL server but they did not manage to alter our DNS.

I would also like to confirm that this does not seem to be a case of DNS cache poisoning, it was an SQL level attack attempt on the registry.

The attempt at .mw was to change the nameservers to hosts with names of the form - crackers*.homelinux.com - where * is empty or an integer. We saw the attack as coming from or via two or more networks including those with network names: (a) *fdcservers on ARIN and (b) TurkTelekom on RIPE.

Hope this gives additional technical information.

Regards,
Paulos
======================
Dr Paulos B Nyirenda
.mw ccTLD
http://www.registrar.mw
------------------------------
Message: 4
Date: Mon, 18 May 2009 11:43:11 +0300
From: Rebecca Wanjiku <rebecca.wanjiku at gmail.com>
Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements
To: paulos at sdnp.org.mw, africann at afrinic.net
Message-ID: <607408db0905180143l1045aae2xe09446cc2cdf3001 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Hi,

I hope the article would have had more details.

When I talked to Google rep in California, he said it happened at .ug registry level, which means there is nothing much he could tell me.

When I talked to Musisi from .Ug he said that it was just a minor incident and that he did not think it was a story.

I tried to dig for more info but I was not getting anywhere.

I hope you all appreciate that there is a lot of secrecy; people think if they give you the info they will look insecure and it is easier for them to say; "I do not think that is a story".

regards
Becky
--
Best regards,
Becky
254 720318925
beckyit.blogspot.com
------------------------------
Message: 5
Date: Mon, 18 May 2009 11:09:01 +0200
From: "Dr Paulos Nyirenda" <paulos at sdnp.org.mw>
Subject: [AfrICANN-discuss] Re: Google blames DNS insecurity for Web site defacements
To: Rebecca Wanjiku <rebecca.wanjiku at gmail.com>, africann at afrinic.net, afnog at afnog.org
Message-ID: <4A1141CD.6779.767C85 at paulos.sdnp.org.mw>
Content-Type: text/plain; charset=ISO-8859-1

Our intention in contributing to this was not to write an "article". We simply wanted to contribute additional technical information so as to assist to increase awareness and provide additional details on the incident.

Regards,
Paulos
======================
Dr Paulos B Nyirenda
.mw ccTLD
http://www.registrar.mw
------------------------------
Message: 6
Date: Mon, 18 May 2009 02:37:28 -0700
From: SM <sm at resistor.net>
Subject: Re: [afnog] [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements
To: paulos at sdnp.org.mw, africann at afrinic.net, afnog at afnog.org
Message-ID: <6.2.5.6.2.20090518021836.03543338 at resistor.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed

Hi Paulos,

At 01:19 18-05-2009, Dr Paulos Nyirenda wrote:
>We also saw attempts to alter DNS records on the .mw ccTLD on 13 May
>2009 around midnight Malawi time. Attempts were made to alter DNS
>records at the registry for 23 domains linked to major brands
>including those listed by SM here. The attack attempt was on the SQL
>server but they did not manage to alter our DNS.

If you are still seeing attempts or you would like to follow up on this, please email me off-list. For what it is worth, there have also been attempts against other ccTLDs outside the AfriNIC region over the last month.

>The attempt at .mw was to change the nameservers to hosts with names
>of the form - crackers*.homelinux.com - where * is empty or an
>integer. We saw the attack as coming from or via two or more networks
>including those with network names: (a) *fdcservers on ARIN and (b)
>TurkTelekom on RIPE.

Thanks for providing the information. Hopefully other ccTLDs in the region reading will have a better understanding of the "attack" and take whatever action they deem appropriate. Note that the nameservers used for the google.co.ma "attack" were different (run by a hosting provider in Seattle (ARIN)).

Regards,
-sm
------------------------------
Message: 7
Date: Mon, 18 May 2009 11:55:11 +0200
From: Calvin Browne <calvin at orange-tree.alt.za>
Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements
To: paulos at sdnp.org.mw, africann at afrinic.net
Cc: afnog at afnog.org
Message-ID: <1242640511.8066.18.camel at calvin-viao2>
Content-Type: text/plain
On Mon, 2009-05-18 at 10:19 +0200, Dr Paulos Nyirenda wrote:
> Greetings from Malawi.
<SNIP>
> it was an SQL level attack attempt on the
> registry.
<SNIP>
Paulos,
thanks for this information. I guess it was only time preventing
registries being an attack vector.
--Calvin
------------------------------
Message: 8
Date: Mon, 18 May 2009 10:55:47 +0100
From: Dr Yassin Mshana <ymshana2003 at gmail.com>
Subject: Re: [afnog] [AfrICANN-discuss] Google blames DNS insecurity for Web site defacements
To: africann at afrinic.net
Message-ID: <627b2fd0905180255s29aee58blf86d12d8cb47ee92 at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Hi there,

Now we are talking at last.... is there or is there not a security issue?

There have been a number of calls for a detailed technical description of what happened. Can someone in the technical side of activities please spare some minutes to educate us the concerned non-technical users?

That would help to alleviate the "fear of the unknown" that might be spreading among the user community.

That will be much appreciated.

Cheers
--
c/o DFID-Nigeria
No. 10 Bobo Street
Maitama
Abuja
Nigeria
Skype: yassinmshana1
Mobile: +234-803 970 5117
Do You really NEED TO PRINT THIS? Sure?
------------------------------
_______________________________________________
AfrICANN mailing list
AfrICANN at afrinic.net
https://lists.afrinic.net/mailman/listinfo.cgi/africann
End of AfrICANN Digest, Vol 27, Issue 17
****************************************
--
charles musisi; computer frontiers international limited;
tel: +256 31 230 1800 or +254 41 456 4200; fax: +256 41 434 0456;
cell-phone: +256 77 270 7096; skype id: cmusisi; website: www.cfi.co.ug
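The registry-side controls Charles Musisi describes in his reply (modify requests tied to a registrar's pre-registered public addresses, a hold of about one hour before a change takes effect, and a record of who submitted what), together with the nameserver naming pattern Paulos Nyirenda reports for the .mw attempt, expressed as an added Python example. This is not code from the .ug or .mw registries or from anyone on the thread; the ModifyGate class, the registrar login "registrar-a", the domain names and the TEST-NET addresses are constructed for illustration, and HOLD_PERIOD and SUSPICIOUS_NS are assumptions based on the figures and the pattern quoted in the thread.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hold period before an accepted change goes live ("about one hour" in the thread; assumed here).
HOLD_PERIOD = timedelta(hours=1)

# Nameserver names of the form crackers*.homelinux.com, * empty or an integer,
# as reported for the .mw attempt. A registry would keep a fuller list than this one.
SUSPICIOUS_NS = re.compile(r"^crackers\d*\.homelinux\.com\.?$", re.IGNORECASE)


@dataclass
class ModifyRequest:
    registrar: str              # registrar login the request was submitted under
    domain: str
    new_nameservers: list[str]
    source_ip: str              # public address the registry interface saw the request from
    received_at: datetime


@dataclass
class Decision:
    status: str                 # "rejected", "held" or "applied"
    reason: str


class ModifyGate:
    """Hypothetical policy layer in front of a registry's 'Modify Domain Name' function."""

    def __init__(self, allowed_sources: dict[str, list[str]]) -> None:
        # registrar login -> pre-registered public networks it may submit from
        self.allowed = {login: [ipaddress.ip_network(n) for n in nets] for login, nets in allowed_sources.items()}
        self.pending: list[tuple[datetime, ModifyRequest]] = []   # (apply_at, request)
        self.live: dict[str, list[str]] = {}                       # domain -> nameservers currently in DNS
        self.audit: list[str] = []                                 # who asked for what, and the outcome

    def _record(self, req: ModifyRequest, status: str, reason: str) -> Decision:
        self.audit.append(f"{req.received_at.isoformat()} {req.registrar} {req.domain} {status}: {reason}")
        return Decision(status, reason)

    def submit(self, req: ModifyRequest) -> Decision:
        nets = self.allowed.get(req.registrar, [])
        if not nets:
            return self._record(req, "rejected", "registrar has no pre-registered source address")
        src = ipaddress.ip_address(req.source_ip)
        if not any(src in net for net in nets):
            # An intercepted login and password alone no longer suffice: the request
            # must also arrive from an address the registrar registered in advance.
            return self._record(req, "rejected", f"source {src} is not pre-registered for this registrar")
        flagged = [ns for ns in req.new_nameservers if SUSPICIOUS_NS.match(ns)]
        if flagged:
            return self._record(req, "rejected", "nameserver matches known-bad pattern: " + ", ".join(flagged))
        apply_at = req.received_at + HOLD_PERIOD
        self.pending.append((apply_at, req))
        return self._record(req, "held", f"takes effect at {apply_at.isoformat()} unless cancelled")

    def cancel(self, domain: str, by: str) -> int:
        # Registry staff (or the registrar) reverse a held change before it goes live.
        before = len(self.pending)
        self.pending = [(t, r) for t, r in self.pending if r.domain != domain]
        dropped = before - len(self.pending)
        if dropped:
            self.audit.append(f"{domain}: {dropped} held request(s) cancelled by {by}")
        return dropped

    def release(self, now: datetime) -> list[str]:
        # Apply every held request whose hold period has elapsed; return the domains changed.
        applied, still_held = [], []
        for apply_at, req in self.pending:
            if apply_at <= now:
                self.live[req.domain] = list(req.new_nameservers)
                applied.append(req.domain)
                self._record(req, "applied", "hold period elapsed")
            else:
                still_held.append((apply_at, req))
        self.pending = still_held
        return applied


def run_demo() -> dict[str, str]:
    """Constructed traffic against the gate; returns the outcome of each scenario."""
    t0 = datetime(2009, 5, 11, 3, 0)
    # Constructed allowlist: a TEST-NET range stands in for a registrar's real address block.
    gate = ModifyGate({"registrar-a": ["192.0.2.0/24"]})
    stolen_login = ModifyRequest("registrar-a", "example.ug", ["ns1.example.net"], "198.51.100.7", t0)
    bad_target = ModifyRequest("registrar-a", "example.ug", ["crackers2.homelinux.com"], "192.0.2.10", t0)
    legit = ModifyRequest("registrar-a", "example.ug", ["ns1.example.net", "ns2.example.net"], "192.0.2.10", t0)
    out = {
        "stolen_login": gate.submit(stolen_login).status,       # right login, wrong address
        "bad_target": gate.submit(bad_target).status,           # right address, known-bad nameserver
        "legit": gate.submit(legit).status,                     # accepted, but held
        "released_early": ",".join(gate.release(t0 + timedelta(minutes=30))),
        "released_due": ",".join(gate.release(t0 + HOLD_PERIOD)),
    }
    out["live"] = ",".join(gate.live.get("example.ug", []))
    gate.submit(ModifyRequest("registrar-a", "other.ug", ["ns1.example.net"], "192.0.2.10", t0))
    out["cancelled"] = str(gate.cancel("other.ug", "registry staff"))   # reversed inside the hold window
    return out
```

The hold window is what makes a compromised registrar login recoverable: a change submitted with stolen credentials is visible in the audit trail for an hour before it reaches the zone, so staff can cancel it instead of reversing it after resolvers have already picked it up.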