<table cellspacing="0" cellpadding="0" border="0" ><tr><td valign="top" style="font: inherit;">Hi all,<br>As promised, below is my communication with The ccTLD management.<br><br>Regards,<br>Douglas onyango +256(0712)981329<br>
If you are not part of the solution, you are part of the Problem.<br><br>--- On <b>Mon, 5/18/09, Charles Musisi <i><cmusisi@cfi.co.ug></i></b> wrote:<br><blockquote style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"><br>From: Charles Musisi <cmusisi@cfi.co.ug><br>Subject: Re: Fw: AfrICANN Digest, Vol 27, Issue 17<br>To: "Douglas Onyango" <ondouglas@yahoo.com><br>Cc: "Noah Sematimba" <noah.sematimba@waridtel.co.ug><br>Date: Monday, May 18, 2009, 2:53 PM<br><br><div id="yiv1879742330">
Hi Douglas --<br><br>
There was this release sent out last week (13th) mostly to the concerned
individuals, <br>
and also posted on the registry website. <br><br>
The incident itself lasted not more than a few hours, and was repeated
the next<br>
day. The cause was via intercept of login name & passwd info of a
registrar account holder<br>
who has most of these popular domain names, and I can count a few others
unrelated to<br>
this one registrar. All the others had in them popular or common
names.<br><br>
The actual date of the exploit was Monday 11th in the early hours of the
morning, <br>
and was arrested in the early afternoon of that day. <br><br>
There was a recurrence in the early morning of Tuesday which was
fought off <br>
within minutes. At that point we shut off all "modify" requests
to DNS data and had <br>
all registrars comply with a secure way to submit modify requests.
<br><br>
From what we can tell, most global DNS hadn't even picked up the bad DNS
data from <br>
the .ug root servers & secondary, but there were some well configured
name servers <br>
which picked up this bad data. For instance, my own home ISP AFOL's DNS
didn't even <br>
get to update itself with this poisonous DNS data, although that was
itself a flaw<br>
in their DNS setup.<br>
<br>
The immediate measure was to shut off any "modify" requests
from registry interface <br>
for about 24 hours as we got a good grasp of the extent of the
attack.<br><br>
The measures in place right now include the following.<br><br>
o- No modifications for registrars (those who hold several domain names in
the same account<br>
under the same login & passwd) are accepted apart from those from non
pre-registered public <br>
IPs.<br><br>
o- A delay of just about one hour for modify requests.<br><br>
We are also implementing a fresh security certificate.<br><br>
The other measure we implemented internally was to restrict who could
make modify requests from<br>
within. Up until that point we had a little more than the necessary number of
our own<br>
staff with access to a common admin interface where one can submit modify
requests. We even<br>
had a flaw in that some past staff still had passwd info to modify DNS
data for certain <br>
domain names.<br><br>
We have also had a relaxed way in attending to requests for recovery of
domain passwds by<br>
sending back answers via plain e-mail, and sending also copies of the
reply to a common<br>
list! <br><br>
We are implementing a new measure to require that passwds are sent
encrypted, which will<br>
obviously raise the bar for many. We'll take it slowly but ensure that
passwds are not<br>
spread around. <br><br>
Here is the release we sent out.<br><br><br>
Best regards<br><br><br>
-- RELEASE sent out on the 13th --<br><br>
Hello everyone --<br><br>
This is a general notification to all registrants of .ug domain
names.<br><br>
We have for the past few days been dealing with an apparent security
<br>
hole on the registry page --
<a rel="nofollow" target="_blank" href="http://registry.co.ug/">
http://registry.co.ug</a>. We have identified <br>
an exploit that allows unauthorized access to the administrative
section<br>
of the registry website, and indeed someone has attempted to exploit
<br>
this hole. There has been no access to the actual zone file, and the
only<br>
real disruption has been to a few popular domain names whose DNS was
<br>
changed for a few hours. <br><br>
Our team is fully on top of it and has plugged the exploit with a
temporary<br>
workaround, and also reversed all the unauthorized changes to DNS
that<br>
we know of.<br><br>
Our contingency plan has required that we temporarily put down the<br>
"Modify Domain name" function on the registry page. So, for
anyone with<br>
urgent modifications to make, please send these directly to <br>
registrar@cfi.co.ug and we will handle that from here.<br><br>
The "Modify Domain Name" as well as similar functions shall be
unavailable <br>
for a few days as we work on a long-lasting solution to this
exploit.<br><br>
If you have urgent changes just send them to registrar@cfi.co.ug and<br>
we will promptly handle them in the quickest way possible.<br><br>
We sincerely apologize for the inconvenience. <br><br>
Regards<br><br>
.ug Team<br><br>
<br><br>
<br>
At 01:43 PM 5/18/2009, Douglas Onyango wrote:<br>
<blockquote type="cite" class="cite" cite="">Are you gents on this list? I
think it's imperative that you make an official statement on
this.<br><br>
I believe a communique admitting the attack, confirmation of service
restoration and the safeguards you have in place to thwart any such
attacks in the future will work....<br><br>
Douglas onyango +256(0712)981329<br>
If you are not part of the solution, you are part of the
Problem.<br><br>
--- On <b>Mon, 5/18/09, africann-request@afrinic.net
<i><africann-request@afrinic.net></i></b> wrote:<br>
<dl><br>
<dd>From: africann-request@afrinic.net
<africann-request@afrinic.net><br>
</dd><dd>Subject: AfrICANN Digest, Vol 27, Issue 17<br>
</dd><dd>To: africann@afrinic.net<br>
</dd><dd>Date: Monday, May 18, 2009, 1:00 PM<br><br>
</dd><dd>Send AfrICANN mailing list submissions to<br>
</dd><dd>
<a rel="nofollow">africann@afrinic.net</a><br>
<br>
</dd><dd>To subscribe or unsubscribe via the World Wide Web, visit<br>
</dd><dd>
<a rel="nofollow" target="_blank" href="https://lists.afrinic.net/mailman/listinfo.cgi/africann">
https://lists.afrinic.net/mailman/listinfo.cgi/africann</a><br>
</dd><dd>or, via email, send a message with subject or body 'help' to<br>
</dd><dd>
<a rel="nofollow">
africann-request@afrinic.net</a><br><br>
</dd><dd>You can reach the person managing the list at<br>
</dd><dd>
<a rel="nofollow">
africann-owner@afrinic.net</a><br><br>
</dd><dd>When replying, please edit your Subject line so it is more
specific<br>
</dd><dd>than "Re: Contents of AfrICANN digest..."<br><br>
<br>
</dd><dd>Today's Topics:<br><br>
</dd><dd> 1. Re: Google blames DNS insecurity for Web
site defacements<br>
</dd><dd> (Calvin Browne)<br>
</dd><dd> 2. Re: Google blames DNS insecurity for
Web site defacements (SM)<br>
</dd><dd> 3. Re: Google blames DNS insecurity for Web
site defacements<br>
</dd><dd> (Dr Paulos Nyirenda)<br>
</dd><dd> 4. Re: Google blames DNS insecurity for Web
site defacements<br>
</dd><dd> (Rebecca Wanjiku)<br>
</dd><dd> 5. Re: Google blames DNS insecurity for Web
site defacements<br>
</dd><dd> (Dr Paulos Nyirenda)<br>
</dd><dd> 6. Re: [afnog] [AfrICANN-discuss] Google blames DNS
insecurity<br>
</dd><dd> for Web site defacements (SM)<br>
</dd><dd> 7. Re: Google blames DNS insecurity for Web
site defacements<br>
</dd><dd> (Calvin Browne)<br>
</dd><dd> 8. Re: [afnog] [AfrICANN-discuss] Google blames DNS
insecurity<br>
</dd><dd> for Web site
defacements (Dr Yassin Mshana)<br><br>
<br>
</dd><dd>
----------------------------------------------------------------------<br>
<br>
</dd><dd>Message: 1<br>
</dd><dd>Date: Sun, 17 May 2009 11:42:19 +0200<br>
</dd><dd>From: Calvin Browne
<<a rel="nofollow">
calvin@orange-tree.alt.za</a>><br>
</dd><dd>Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for
Web<br>
</dd><dd> site defacements<br>
</dd><dd>To:
<a rel="nofollow">africann@afrinic.net</a><br>
</dd><dd>Message-ID: <1242553339.4867.1.camel@calvin-viao2><br>
</dd><dd>Content-Type: text/plain<br><br>
</dd><dd>On Sat, 2009-05-16 at 10:03 -0700, SM wrote:<br>
</dd><dd>> At 04:36 16-05-2009, Dr Yassin Mshana wrote:<br>
</dd><dd>> >Now we can see how end-to-end security measures by as
proposed <br>
</dd><dd>> >for/by DNSSEC could be handy.<br>
</dd><dd>> <br>
</dd><dd>> The news article doesn't contain any technical information to
<br>
</dd><dd>> determine whether DNSSEC would have prevented the issue. <br>
</dd><dd><SNIP><br>
</dd><dd>> The better question is to ask for a technical analysis of what
<br>
</dd><dd>> happened and what steps have been taken to prevent a
recurrence.<br>
</dd><dd>> <br>
</dd><dd>> Regards,<br>
</dd><dd>> -sm <br><br>
</dd><dd>I agree with this - the release is just way too short on details
to<br>
</dd><dd>understand what went wrong here.<br>
</dd><dd>More details are needed.<br><br>
</dd><dd>--Calvin<br><br>
<br><br>
</dd><dd>------------------------------<br><br>
</dd><dd>Message: 2<br>
</dd><dd>Date: Sun, 17 May 2009 13:58:06 -0700<br>
</dd><dd>From: SM
<<a rel="nofollow">sm@resistor.net</a>><br>
</dd><dd>Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for
Web<br>
</dd><dd> site defacements<br>
</dd><dd>To:
<a rel="nofollow">africann@afrinic.net</a><br>
</dd><dd>Message-ID:
<<a rel="nofollow">
6.2.5.6.2.20090517123645.03229590@resistor.net</a>><br>
</dd><dd>Content-Type: text/plain; charset="us-ascii";
format=flowed<br><br>
</dd><dd>At 02:42 17-05-2009, Calvin Browne wrote:<br>
</dd><dd>>I agree with this - the release is just way too short on details
to<br>
</dd><dd>>understand what went wrong here.<br>
</dd><dd>>More details are needed.<br><br>
</dd><dd>There are reports that the following web sites were
affected:<br><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.google.co.ma/">www.google.co.ma</a>
<br><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.aol.ug/">www.aol.ug</a><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.bmw.co.ug/">www.bmw.co.ug</a><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.cisco.co.ug/">www.cisco.co.ug</a><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.cnn.co.ug/">www.cnn.co.ug</a><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.defenceuganda.mil.ug/">
www.defenceuganda.mil.ug</a><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.google.ug/">www.google.ug</a><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.hotmail.ug/">www.hotmail.ug</a><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.hotmail.co.ug/">www.hotmail.co.ug</a>
<br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.microsoft.ug/">www.microsoft.ug</a>
<br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.orange.ug/">www.orange.ug</a><br>
</dd><dd>
<a rel="nofollow" target="_blank" href="http://www.toshiba.co.ug/">www.toshiba.co.ug</a>
<br><br>
</dd><dd>The nameservers for google.co.ma were changed on 9th May. The
domain <br>
</dd><dd>resolved to a different IP address. That brought visitors to a
web <br>
</dd><dd>site which wasn't hosted by Google. The .ug problem occurred
between <br>
</dd><dd>11 May and 13 May. This is not a case of DNS cache <br>
</dd><dd>poisoning. DNSSEC does not offer any protection against SQL
injection attacks.<br><br>
</dd><dd>Regards,<br>
</dd><dd>-sm <br><br>
<br><br>
</dd><dd>------------------------------<br><br>
</dd><dd>Message: 3<br>
</dd><dd>Date: Mon, 18 May 2009 10:19:24 +0200<br>
</dd><dd>From: "Dr Paulos Nyirenda"
<<a rel="nofollow">paulos@sdnp.org.mw</a>
><br>
</dd><dd>Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for
Web<br>
</dd><dd> site defacements<br>
</dd><dd>To:
<a rel="nofollow">africann@afrinic.net</a>,
<a rel="nofollow">afnog@afnog.org</a><br>
</dd><dd>Message-ID:
<<a rel="nofollow">
4A11362C.14108.491D29@paulos.sdnp.org.mw</a>><br>
</dd><dd>Content-Type: text/plain; charset=US-ASCII<br><br>
<br>
</dd><dd>Greetings from Malawi.<br><br>
</dd><dd>We also saw attempts to alter DNS records on the .mw ccTLD on 13 May
<br>
</dd><dd>2009 around midnight Malawi time. Attempts were made to alter DNS
<br>
</dd><dd>records at the registry for 23 domains linked to major brands <br>
</dd><dd>including those listed by SM here. The attack attempt was on the SQL
<br>
</dd><dd>server but they did not manage to alter our DNS.<br><br>
</dd><dd>I would also like to confirm that this does not seem to be a case of
<br>
</dd><dd>DNS cache poisoning, it was an SQL level attack attempt on the <br>
</dd><dd>registry.<br><br>
</dd><dd>The attempt at .mw was to change the nameservers to hosts with names
<br>
</dd><dd>of the form - crackers*.homelinux.com - where * is empty or an <br>
</dd><dd>integer. We saw the attack as coming from or via two or more networks
<br>
</dd><dd>including those with network names: (a) *fdcservers on ARIN and (b)
<br>
</dd><dd>TurkTelekom on RIPE.<br><br>
</dd><dd>Hope this gives additional technical information.<br><br>
</dd><dd>Regards,<br><br>
</dd><dd>Paulos<br>
</dd><dd>======================<br>
</dd><dd>Dr Paulos B Nyirenda<br>
</dd><dd>.mw ccTLD<br>
</dd><dd><a rel="nofollow" target="_blank" href="http://www.registrar.mw">http://www.registrar.mw</a><br><br>
<br>
</dd><dd>On 17 May 2009 at 13:58, SM wrote:<br><br>
</dd><dd>> At 02:42 17-05-2009, Calvin Browne wrote:<br>
</dd><dd>> >I agree with this - the release is just way too short on
details to<br>
</dd><dd>> >understand what went wrong here.<br>
</dd><dd>> >More details are needed.<br>
</dd><dd>> <br>
</dd><dd>> There are reports that the following web sites were
affected:<br>
</dd><dd>> <br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.google.co.ma/">www.google.co.ma</a>
<br>
</dd><dd>> <br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.aol.ug/">www.aol.ug</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.bmw.co.ug/">www.bmw.co.ug</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.cisco.co.ug/">www.cisco.co.ug</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.cnn.co.ug/">www.cnn.co.ug</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.defenceuganda.mil.ug/">
www.defenceuganda.mil.ug</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.google.ug/">www.google.ug</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.hotmail.ug/">www.hotmail.ug</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.hotmail.co.ug/">www.hotmail.co.ug</a>
<br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.microsoft.ug/">www.microsoft.ug</a>
<br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.orange.ug/">www.orange.ug</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.toshiba.co.ug/">www.toshiba.co.ug</a>
<br>
</dd><dd>> <br>
</dd><dd>> The nameservers for google.co.ma were changed on 9th May.
The domain <br>
</dd><dd>> resolved to a different IP address. That brought visitors
to a web <br>
</dd><dd>> site which wasn't hosted by Google. The .ug problem
occurred between <br>
</dd><dd>> 11 May and 13 May. This is not a case of DNS cache <br>
</dd><dd>> poisoning. DNSSEC does not offer any protection against
SQL injection attacks.<br>
</dd><dd>> <br>
</dd><dd>> Regards,<br>
</dd><dd>> -sm <br>
</dd><dd>> <br>
</dd><dd>> _______________________________________________<br>
</dd><dd>> AfrICANN mailing list<br>
</dd><dd>>
<a rel="nofollow">AfrICANN@afrinic.net</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="https://lists.afrinic.net/mailman/listinfo.cgi/africann">
https://lists.afrinic.net/mailman/listinfo.cgi/africann</a><br><br>
<br><br>
<br>
</dd><dd>------------------------------<br><br>
</dd><dd>Message: 4<br>
</dd><dd>Date: Mon, 18 May 2009 11:43:11 +0300<br>
</dd><dd>From: Rebecca Wanjiku
<<a rel="nofollow">
rebecca.wanjiku@gmail.com</a>><br>
</dd><dd>Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for
Web<br>
</dd><dd> site defacements<br>
</dd><dd>To:
<a rel="nofollow">paulos@sdnp.org.mw</a>,
<a rel="nofollow">africann@afrinic.net</a><br>
</dd><dd>Message-ID:<br>
</dd><dd>
<<a rel="nofollow">
607408db0905180143l1045aae2xe09446cc2cdf3001@mail.gmail.com</a>><br>
</dd><dd>Content-Type: text/plain; charset=ISO-8859-1<br><br>
</dd><dd>Hi,<br><br>
</dd><dd>I hope the article would have had more details.<br>
</dd><dd>When I talked to Google rep in California, he said it happened at
.ug<br>
</dd><dd>registry level, which means there is nothing much he could tell
me.<br>
</dd><dd>When I talked to Musisi from .Ug he said that it was just a
minor<br>
</dd><dd>incident and that he did not think it was a story.<br>
</dd><dd>I tried to dig for more info but I was not getting anywhere.<br><br>
</dd><dd>I hope you all appreciate that there is a lot of secrecy; people
think<br>
</dd><dd>if they give you the info they will look insecure and it is easier
for<br>
</dd><dd>them to say; "I do not think that is a story".<br><br>
</dd><dd>regards<br>
</dd><dd>Becky<br><br>
</dd><dd>2009/5/18 Dr Paulos Nyirenda
<<a rel="nofollow">paulos@sdnp.org.mw</a>
>:<br>
</dd><dd>><br>
</dd><dd>> Greetings from Malawi.<br>
</dd><dd>><br>
</dd><dd>> We also saw attempts to alter DNS records on the .mw ccTLD on 13
May<br>
</dd><dd>> 2009 around midnight Malawi time. Attempts were made to alter
DNS<br>
</dd><dd>> records at the registry for 23 domains linked to major
brands<br>
</dd><dd>> including those listed by SM here. The attack attempt was on the
SQL<br>
</dd><dd>> server but they did not manage to alter our DNS.<br>
</dd><dd>><br>
</dd><dd>> I would also like to confirm that this does not seem to be a
case of<br>
</dd><dd>> DNS cache poisoning, it was an SQL level attack attempt on
the<br>
</dd><dd>> registry.<br>
</dd><dd>><br>
</dd><dd>> The attempt at .mw was to change the nameservers to hosts with
names<br>
</dd><dd>> of the form - crackers*.homelinux.com - where * is empty or
an<br>
</dd><dd>> integer. We saw the attack as coming from or via two or more
networks<br>
</dd><dd>> including those with network names: (a) *fdcservers on ARIN and
(b)<br>
</dd><dd>> TurkTelekom on RIPE.<br>
</dd><dd>><br>
</dd><dd>> Hope this gives additional technical information.<br>
</dd><dd>><br>
</dd><dd>> Regards,<br>
</dd><dd>><br>
</dd><dd>> Paulos<br>
</dd><dd>> ======================<br>
</dd><dd>> Dr Paulos B Nyirenda<br>
</dd><dd>> .mw ccTLD<br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="http://www.registrar.mw">http://www.registrar.mw</a><br>
</dd><dd>><br>
</dd><dd>><br>
</dd><dd>> On 17 May 2009 at 13:58, SM wrote:<br>
</dd><dd>><br>
</dd><dd>>> At 02:42 17-05-2009, Calvin Browne wrote:<br>
</dd><dd>>> >I agree with this - the release is just way too short on
details to<br>
</dd><dd>>> >understand what went wrong here.<br>
</dd><dd>>> >More details are needed.<br>
</dd><dd>>><br>
</dd><dd>>> There are reports that the following web sites were
affected:<br>
</dd><dd>>><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.google.co.ma/">www.google.co.ma</a>
<br>
</dd><dd>>><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.aol.ug/">www.aol.ug</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.bmw.co.ug/">www.bmw.co.ug</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.cisco.co.ug/">www.cisco.co.ug</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.cnn.co.ug/">www.cnn.co.ug</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.defenceuganda.mil.ug/">
www.defenceuganda.mil.ug</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.google.ug/">www.google.ug</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.hotmail.ug/">www.hotmail.ug</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.hotmail.co.ug/">www.hotmail.co.ug</a>
<br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.microsoft.ug/">www.microsoft.ug</a>
<br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.orange.ug/">www.orange.ug</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="http://www.toshiba.co.ug/">www.toshiba.co.ug</a>
<br>
</dd><dd>>><br>
</dd><dd>>> The nameservers for google.co.ma were changed on 9th
May. The domain<br>
</dd><dd>>> resolved to a different IP address. That brought
visitors to a web<br>
</dd><dd>>> site which wasn't hosted by Google. The .ug problem
occurred between<br>
</dd><dd>>> 11 May and 13 May. This is not a case of DNS
cache<br>
</dd><dd>>> poisoning. DNSSEC does not offer any protection
against SQL injection attacks.<br>
</dd><dd>>><br>
</dd><dd>>> Regards,<br>
</dd><dd>>> -sm<br>
</dd><dd>>><br>
</dd><dd>>> _______________________________________________<br>
</dd><dd>>> AfrICANN mailing list<br>
</dd><dd>>>
<a rel="nofollow">AfrICANN@afrinic.net</a><br>
</dd><dd>>>
<a rel="nofollow" target="_blank" href="https://lists.afrinic.net/mailman/listinfo.cgi/africann">
https://lists.afrinic.net/mailman/listinfo.cgi/africann</a><br>
</dd><dd>><br>
</dd><dd>><br>
</dd><dd>> _______________________________________________<br>
</dd><dd>> AfrICANN mailing list<br>
</dd><dd>>
<a rel="nofollow">AfrICANN@afrinic.net</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="https://lists.afrinic.net/mailman/listinfo.cgi/africann">
https://lists.afrinic.net/mailman/listinfo.cgi/africann</a><br>
</dd><dd>><br><br>
<br><br>
</dd><dd>-- <br>
</dd><dd>Best regards,<br><br>
</dd><dd>Becky<br><br>
</dd><dd>254 720318925<br><br>
</dd><dd>beckyit.blogspot.com<br><br>
<br>
</dd><dd>------------------------------<br><br>
</dd><dd>Message: 5<br>
</dd><dd>Date: Mon, 18 May 2009 11:09:01 +0200<br>
</dd><dd>From: "Dr Paulos Nyirenda"
<<a rel="nofollow">paulos@sdnp.org.mw</a>
><br>
</dd><dd>Subject: [AfrICANN-discuss] Re: Google blames DNS insecurity for
Web<br>
</dd><dd> site defacements<br>
</dd><dd>To: Rebecca Wanjiku
<<a rel="nofollow">
rebecca.wanjiku@gmail.com</a>>,
<a rel="nofollow">africann@afrinic.net</a>
,<br>
</dd><dd>
<a rel="nofollow">afnog@afnog.org</a><br>
</dd><dd>Message-ID:
<<a rel="nofollow">
4A1141CD.6779.767C85@paulos.sdnp.org.mw</a>><br>
</dd><dd>Content-Type: text/plain; charset=ISO-8859-1<br><br>
<br>
</dd><dd>Our intention in contributing to this was not to write an
"article". <br>
</dd><dd>We simply wanted to contribute additional technical information so as
<br>
</dd><dd>to assist to increase awareness and provide additional details on the
<br>
</dd><dd>incident.<br><br>
</dd><dd>Regards,<br><br>
</dd><dd>Paulos<br>
</dd><dd>======================<br>
</dd><dd>Dr Paulos B Nyirenda<br>
</dd><dd>.mw ccTLD<br>
</dd><dd><a rel="nofollow" target="_blank" href="http://www.registrar.mw">http://www.registrar.mw</a><br><br>
<br>
</dd><dd>On 18 May 2009 at 11:43, Rebecca Wanjiku wrote:<br><br>
</dd><dd>> Hi,<br>
</dd><dd>> <br>
</dd><dd>> I hope the article would have had more details.<br>
</dd><dd>> When I talked to Google rep in California, he said it happened
at .ug<br>
</dd><dd>> registry level, which means there is nothing much he could tell
me.<br>
</dd><dd>> When I talked to Musisi from .Ug he said that it was just a
minor<br>
</dd><dd>> incident and that he did not think it was a story.<br>
</dd><dd>> I tried to dig for more info but I was not getting
anywhere.<br>
</dd><dd>> <br>
</dd><dd>> I hope you all appreciate that there is a lot of secrecy; people
think<br>
</dd><dd>> if they give you the info they will look insecure and it is
easier for<br>
</dd><dd>> them to say; "I do not think that is a story".<br>
</dd><dd>> <br>
</dd><dd>> regards<br>
</dd><dd>> Becky<br>
</dd><dd>> <br>
</dd><dd>> 2009/5/18 Dr Paulos Nyirenda
<<a rel="nofollow">paulos@sdnp.org.mw</a>
>:<br>
</dd><dd>> ><br>
</dd><dd>> > Greetings from Malawi.<br>
</dd><dd>> ><br>
</dd><dd>> > We also saw attempts to alter DNS records on the .mw ccTLD
on 13 May<br>
</dd><dd>> > 2009 around midnight Malawi time. Attempts were made to
alter DNS<br>
</dd><dd>> > records at the registry for 23 domains linked to major
brands<br>
</dd><dd>> > including those listed by SM here. The attack attempt was
on the SQL<br>
</dd><dd>> > server but they did not manage to alter our DNS.<br>
</dd><dd>> ><br>
</dd><dd>> > I would also like to confirm that this does not seem to be
a case of<br>
</dd><dd>> > DNS cache poisoning, it was an SQL level attack attempt on
the<br>
</dd><dd>> > registry.<br>
</dd><dd>> ><br>
</dd><dd>> > The attempt at .mw was to change the nameservers to hosts
with names<br>
</dd><dd>> > of the form - crackers*.homelinux.com - where * is empty or
an<br>
</dd><dd>> > integer. We saw the attack as coming from or via two or
more networks<br>
</dd><dd>> > including those with network names: (a) *fdcservers on ARIN
and (b)<br>
</dd><dd>> > TurkTelekom on RIPE.<br>
</dd><dd>> ><br>
</dd><dd>> > Hope this gives additional technical information.<br>
</dd><dd>> ><br>
</dd><dd>> > Regards,<br>
</dd><dd>> ><br>
</dd><dd>> > Paulos<br>
</dd><dd>> > ======================<br>
</dd><dd>> > Dr Paulos B Nyirenda<br>
</dd><dd>> > .mw ccTLD<br>
</dd><dd>> >
<a rel="nofollow" target="_blank" href="http://www.registrar.mw">http://www.registrar.mw</a><br>
</dd><dd>> ><br>
</dd><dd>> ><br>
</dd><dd>> > On 17 May 2009 at 13:58, SM wrote:<br>
</dd><dd>> ><br>
</dd><dd>> >> At 02:42 17-05-2009, Calvin Browne wrote:<br>
</dd><dd>> >> >I agree with this - the release is just way too
short on details to<br>
</dd><dd>> >> >understand what went wrong here.<br>
</dd><dd>> >> >More details are needed.<br>
</dd><dd>> >><br>
</dd><dd>> >> There are reports that the following web sites were
affected:<br>
</dd><dd>> >><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.google.co.ma/">www.google.co.ma</a>
<br>
</dd><dd>> >><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.aol.ug/">www.aol.ug</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.bmw.co.ug/">www.bmw.co.ug</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.cisco.co.ug/">www.cisco.co.ug</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.cnn.co.ug/">www.cnn.co.ug</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.defenceuganda.mil.ug/">
www.defenceuganda.mil.ug</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.google.ug/">www.google.ug</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.hotmail.ug/">www.hotmail.ug</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.hotmail.co.ug/">www.hotmail.co.ug</a>
<br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.microsoft.ug/">www.microsoft.ug</a>
<br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.orange.ug/">www.orange.ug</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="http://www.toshiba.co.ug/">www.toshiba.co.ug</a>
<br>
</dd><dd>> >><br>
</dd><dd>> >> The nameservers for google.co.ma were changed on 9th
May. The domain<br>
</dd><dd>> >> resolved to a different IP address. That brought
visitors to a web<br>
</dd><dd>> >> site which wasn't hosted by Google. The .ug
problem occurred between<br>
</dd><dd>> >> 11 May and 13 May. This is not a case of DNS
cache<br>
</dd><dd>> >> poisoning. DNSSEC does not offer any protection
against SQL injection attacks.<br>
</dd><dd>> >><br>
</dd><dd>> >> Regards,<br>
</dd><dd>> >> -sm<br>
</dd><dd>> >><br>
</dd><dd>> >> _______________________________________________<br>
</dd><dd>> >> AfrICANN mailing list<br>
</dd><dd>> >>
<a rel="nofollow">AfrICANN@afrinic.net</a><br>
</dd><dd>> >>
<a rel="nofollow" target="_blank" href="https://lists.afrinic.net/mailman/listinfo.cgi/africann">
https://lists.afrinic.net/mailman/listinfo.cgi/africann</a><br>
</dd><dd>> ><br>
</dd><dd>> ><br>
</dd><dd>> > _______________________________________________<br>
</dd><dd>> > AfrICANN mailing list<br>
</dd><dd>> >
<a rel="nofollow">AfrICANN@afrinic.net</a><br>
</dd><dd>> >
<a rel="nofollow" target="_blank" href="https://lists.afrinic.net/mailman/listinfo.cgi/africann">
https://lists.afrinic.net/mailman/listinfo.cgi/africann</a><br>
</dd><dd>> ><br>
</dd><dd>> <br>
</dd><dd>> <br>
</dd><dd>> <br>
</dd><dd>> -- <br>
</dd><dd>> Best regards,<br>
</dd><dd>> <br>
</dd><dd>> Becky<br>
</dd><dd>> <br>
</dd><dd>> 254 720318925<br>
</dd><dd>> <br>
</dd><dd>> beckyit.blogspot.com<br><br>
<br><br>
<br>
</dd><dd>------------------------------<br><br>
</dd><dd>Message: 6<br>
</dd><dd>Date: Mon, 18 May 2009 02:37:28 -0700<br>
</dd><dd>From: SM
<<a rel="nofollow">sm@resistor.net</a>><br>
</dd><dd>Subject: Re: [afnog] [AfrICANN-discuss] Google blames DNS
insecurity<br>
</dd><dd> for Web site defacements<br>
</dd><dd>To:
<a rel="nofollow">paulos@sdnp.org.mw</a>,
<a rel="nofollow">africann@afrinic.net</a>,
<a rel="nofollow">afnog@afnog.org</a><br>
</dd><dd>Message-ID:
<<a rel="nofollow">
6.2.5.6.2.20090518021836.03543338@resistor.net</a>><br>
</dd><dd>Content-Type: text/plain; charset="us-ascii";
format=flowed<br><br>
</dd><dd>Hi Paulos,<br>
</dd><dd>At 01:19 18-05-2009, Dr Paulos Nyirenda wrote:<br>
</dd><dd>>We also saw attempts to alter DNS records on the .mw ccTLD on 13
May<br>
</dd><dd>>2009 around midnight Malawi time. Attempts were made to alter
DNS<br>
</dd><dd>>records at the registry for 23 domains linked to major
brands<br>
</dd><dd>>including those listed by SM here. The attack attempt was on the
SQL<br>
</dd><dd>>server but they did not manage to alter our DNS.<br><br>
</dd><dd>If you are still seeing attempts or you would like to follow up on
<br>
</dd><dd>this, please email me off-list. For what it is worth, there have
also <br>
</dd><dd>been attempts against other ccTLDs outside the AfriNIC region over
<br>
</dd><dd>the last month.<br><br>
</dd><dd>>The attempt at .mw was to change the nameservers to hosts with
names<br>
</dd><dd>>of the form - crackers*.homelinux.com - where * is empty or
an<br>
</dd><dd>>integer. We saw the attack as coming from or via two or more
networks<br>
</dd><dd>>including those with network names: (a) *fdcservers on ARIN and
(b)<br>
</dd><dd>>TurkTelekom on RIPE.<br><br>
</dd><dd>Thanks for providing the information. Hopefully other ccTLDs in
the <br>
</dd><dd>region reading will have a better understanding of the
"attack" and <br>
</dd><dd>take whatever action they deem appropriate. Note that the <br>
</dd><dd>nameservers used for the google.co.ma "attack" were
different (run by <br>
</dd><dd>a hosting provider in Seattle (ARIN)).<br><br>
</dd><dd>Regards,<br>
</dd><dd>-sm <br><br>
<br><br>
</dd><dd>------------------------------<br><br>
</dd><dd>Message: 7<br>
</dd><dd>Date: Mon, 18 May 2009 11:55:11 +0200<br>
</dd><dd>From: Calvin Browne
<<a rel="nofollow">
calvin@orange-tree.alt.za</a>><br>
</dd><dd>Subject: Re: [AfrICANN-discuss] Google blames DNS insecurity for
Web<br>
</dd><dd> site defacements<br>
</dd><dd>To:
<a rel="nofollow">paulos@sdnp.org.mw</a>,
<a rel="nofollow">africann@afrinic.net</a><br>
</dd><dd>Cc: <a rel="nofollow">afnog@afnog.org</a><br>
</dd><dd>Message-ID: <1242640511.8066.18.camel@calvin-viao2><br>
</dd><dd>Content-Type: text/plain<br><br>
</dd><dd>On Mon, 2009-05-18 at 10:19 +0200, Dr Paulos Nyirenda wrote:<br>
</dd><dd>> Greetings from Malawi.<br>
</dd><dd><SNIP><br>
</dd><dd>> it was an SQL level attack attempt on the <br>
</dd><dd>> registry.<br>
</dd><dd><SNIP><br><br>
</dd><dd>Paulos,<br><br>
</dd><dd>thanks for this information. I guess it was only time preventing<br>
</dd><dd>registries being an attack vector.<br><br>
</dd><dd>--Calvin<br><br>
<br><br>
</dd><dd>------------------------------<br><br>
</dd><dd>Message: 8<br>
</dd><dd>Date: Mon, 18 May 2009 10:55:47 +0100<br>
</dd><dd>From: Dr Yassin Mshana
<<a rel="nofollow">
ymshana2003@gmail.com</a>><br>
</dd><dd>Subject: Re: [afnog] [AfrICANN-discuss] Google blames DNS
insecurity<br>
</dd><dd> for Web site
defacements<br>
</dd><dd>To:
<a rel="nofollow">africann@afrinic.net</a><br>
</dd><dd>Message-ID:<br>
</dd><dd>
<<a rel="nofollow">
627b2fd0905180255s29aee58blf86d12d8cb47ee92@mail.gmail.com</a>><br>
</dd><dd>Content-Type: text/plain; charset="utf-8"<br><br>
</dd><dd>Hi there,<br>
</dd><dd>Now we are talking at last... is there or is there not a security
issue?<br><br>
</dd><dd>There have been a number of calls for a detailed technical
description of<br>
</dd><dd>what happened. Can someone in the technical side of activities please
spare<br>
</dd><dd>some minutes to educate us, the concerned
non-technical users?<br><br>
</dd><dd>That would help to alleviate the "fear of the unknown" that
might be<br>
</dd><dd>spreading among the user community.<br><br>
</dd><dd>That will be much appreciated.<br><br>
</dd><dd>Cheers<br><br>
<br>
</dd><dd>2009/5/18 SM
<<a rel="nofollow">sm@resistor.net</a>><br>
<br>
</dd><dd>> Hi Paulos,<br>
</dd><dd>> At 01:19 18-05-2009, Dr Paulos Nyirenda wrote:<br>
</dd><dd>><br>
</dd><dd>>> We also saw attempts to alter DNS records on the .mw ccTLD
on 13 May<br>
</dd><dd>>> 2009 around midnight Malawi time. Attempts were made to
alter DNS<br>
</dd><dd>>> records at the registry for 23 domains linked to major
brands<br>
</dd><dd>>> including those listed by SM here. The attack attempt was on
the SQL<br>
</dd><dd>>> server but they did not manage to alter our DNS.<br>
</dd><dd>>><br>
</dd><dd>><br>
</dd><dd>> If you are still seeing attempts or you would like to follow up
on this,<br>
</dd><dd>> please email me off-list. For what it is worth, there has
also been<br>
</dd><dd>> attempts against other ccTLDs outside the AfriNIC region over
the last<br>
</dd><dd>> month.<br>
</dd><dd>><br>
</dd><dd>> The attempt at .mw was to change the nameservers to hosts
with names<br>
</dd><dd>>> of the form - crackers*.homelinux.com - where * is empty or
an<br>
</dd><dd>>> integer. We saw the attack as coming from or via two or more
networks<br>
</dd><dd>>> including those with network names: (a) *fdcservers on ARIN
and (b)<br>
</dd><dd>>> TurkTelekom on RIPE.<br>
</dd><dd>>><br>
</dd><dd>><br>
</dd><dd>> Thanks for providing the information. Hopefully other
ccTLDs in the region<br>
</dd><dd>> reading will have a better understanding of the
"attack" and take whatever<br>
</dd><dd>> action they deem appropriate. Note that the nameservers
used for the<br>
</dd><dd>> google.co.ma "attack" were different (run by a hosting
provider in<br>
</dd><dd>> Seattle (ARIN)).<br>
</dd><dd>><br>
</dd><dd>><br>
</dd><dd>> Regards,<br>
</dd><dd>> -sm<br>
</dd><dd>> _______________________________________________<br>
</dd><dd>> AfrICANN mailing list<br>
</dd><dd>>
<a rel="nofollow">AfrICANN@afrinic.net</a><br>
</dd><dd>>
<a rel="nofollow" target="_blank" href="https://lists.afrinic.net/mailman/listinfo.cgi/africann">
https://lists.afrinic.net/mailman/listinfo.cgi/africann</a><br>
</dd><dd>><br><br>
<br><br>
</dd><dd>-- <br>
</dd><dd>c/o DFID-Nigeria<br>
</dd><dd>No. 10 Bobo Street<br>
</dd><dd>Maitama<br>
</dd><dd>Abuja<br>
</dd><dd>Nigeria<br><br>
</dd><dd>Skype: yassinmshana1<br>
</dd><dd>Mobile: +234-803 970 5117<br><br>
</dd><dd>Do You really NEED TO PRINT THIS? Sure?<br>
</dd><dd>------------------------------<br><br>
</dd><dd>End of AfrICANN Digest, Vol 27, Issue 17<br>
</dd><dd>****************************************<br><br>
</dd></dl></blockquote>
<p>
--<br>
charles musisi; computer frontiers international
limited; <br>
tel: +256 31 230 1800 or +254 41 456 4200; fax: +256 41 434 0456; <br>
cell-phone: +256 77 270 7096; skype id: cmusisi; website:
<a rel="nofollow" target="_blank" href="http://www.cfi.co.ug/">www.cfi.co.ug</a>
</p></div></blockquote></td></tr></table><br>