[dns-operations] zdnet blog: ICANN and IANA's domains hijacked by Turkish hacking group

Greene, Mahlon mgreene at ezecastle.com
Wed Jul 2 20:46:33 UTC 2008

Defacing the website; instead of directly attacking actually critical systems:

My guess, likely for two reasons.

The public announcement that they were able to accomplish it is embarrassing and is their ego trip, likely their primary reason for doing this in the first place.

The secondary reason, they likely think that there'll be fewer repercussions if they're caught since there was no critical impact...it could be argued by their lawyers (if it ever came to that) that they didn't do very much.

The scary part to me is page code changing...NOT just what it says on the screen but what they could accomplish withOUT changing the font printed to screen.

What if they didn't actually make web site changes that were visually consequential, but instead inserted back end code that tracked, logged and collected the content that passed through the other temp space behind the site. Data collection at IANA or ICANN could produce some very useful information...perhaps even escalate to falsifying important information such as contact emails, or collecting EPP keys, etc. Not to mention the more obvious cr. card information that might pass through here on registrations or donations.

Of course....if they intended something that malicious...I doubt they'd have been dumb enough to announce their success in compromising these sites....

How would it look if members of the OARC community got hit on identity theft?

-----Original Message-----
From: dns-operations-bounces at lists.oarci.net [mailto:dns-operations-bounces at lists.oarci.net] On Behalf Of Florian Weimer
Sent: Wednesday, July 02, 2008 6:26 AM
To: Duane Wessels
Cc: dns-operations at lists.oarci.net
Subject: Re: [dns-operations] zdnet blog: ICANN and IANA's domains hijacked by Turkish hacking group

* Duane Wessels:

> Seems like these guys could have taken over the (real) official
> names if they'd wanted to.

Actually, they did (with first seen/last seen timestamps):

2008-06-26 14:45:15  2008-06-26 15:23:01  iana-servers.net  NS  ns1.atspace.com
2008-06-26 14:45:15  2008-06-26 15:23:01  iana-servers.net  NS  ns2.atspace.com

This is about as bad as it can get--control of iana-servers.net
indirectly affects iana-servers.org, icann.org, and then int and other
TLDs.  Glue and caching may have prevented an immediate global impact,
but the attackers seem to have focused on web defacements, instead of
attempting to cause real mayhem.

Of course, DNSSEC would not have stopped the ICANN hijacks, but the
impact of such an event would not have reached the int TLD in a DNSSEC

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
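The first-seen/last-seen NS rows Florian quotes are exactly the kind of data a zone owner can watch for delegation changes. The following is an added example, not code from the thread or from any of the participants: it parses rows in that layout, compares each observed NS target against an allowlist of legitimate nameservers, and reports rogue delegations with how long they were visible. The zone name, nameserver hostnames and sample rows are constructed for illustration.

```python
"""Flag unexpected NS delegations in passive-DNS style observations.

Added example, not part of the mailing-list thread. Rows follow the
'first seen  last seen  name  NS  target' layout quoted in the message;
the allowlist and the sample rows below are constructed, not real zone data.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class NsObservation:
    first_seen: datetime
    last_seen: datetime
    name: str
    target: str


def parse_observations(text):
    """Parse 'YYYY-MM-DD HH:MM:SS  YYYY-MM-DD HH:MM:SS  name  NS  target' rows."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[5].upper() != "NS":
            continue  # skip blank lines and non-NS rows
        first = datetime.strptime(" ".join(fields[0:2]), "%Y-%m-%d %H:%M:%S")
        last = datetime.strptime(" ".join(fields[2:4]), "%Y-%m-%d %H:%M:%S")
        name = fields[4].lower().rstrip(".")
        target = fields[6].lower().rstrip(".")
        out.append(NsObservation(first, last, name, target))
    return out


def unexpected_delegations(observations, expected):
    """Return (zone, rogue target, minutes visible) for NS targets not in the allowlist.

    expected maps zone name -> set of legitimate nameserver hostnames.
    Zones absent from the allowlist are ignored rather than reported.
    """
    hits = []
    for obs in observations:
        allowed = expected.get(obs.name)
        if allowed is None or obs.target in allowed:
            continue
        minutes = int((obs.last_seen - obs.first_seen).total_seconds() // 60)
        hits.append((obs.name, obs.target, minutes))
    return hits


# Constructed sample: one legitimate delegation, then two rogue ones (hypothetical names).
SAMPLE_ROWS = """\
2008-06-26 10:00:00  2008-06-26 14:40:00  example-servers.net  NS  a.legit-ns.example
2008-06-26 14:45:15  2008-06-26 15:23:01  example-servers.net  NS  ns1.rogue-host.example
2008-06-26 14:45:15  2008-06-26 15:23:01  example-servers.net  NS  ns2.rogue-host.example
"""
EXPECTED = {"example-servers.net": {"a.legit-ns.example", "b.legit-ns.example"}}
```

Run against a live passive-DNS feed, a non-empty result for your own apex is the signal to check the registrar account and parent-zone delegation, since (as Florian notes) caching can hide the change from your own resolvers for a while.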

