[dns-operations] DNS hijack - AVG, Avira and WhatsApp sites affected - seems to be a registrar compromise

Dan York york at isoc.org
Thu Oct 10 16:18:34 UTC 2013


On 10/10/13 12:07 PM, "Marco Davids (SIDN)" <marco.davids at sidn.nl> wrote:

>On 10/10/13 5:43 PM, Dan York wrote:
>> there's nothing that DNSSEC or anything else could have done here
>Not entirely true. Some form of domain-locking might have helped. For
>instance, we offer a protection-service, called .nl-control, where we
>actually block any automated change until a few recognized
>representatives have given explicit permission, both orally and in

You're right. I should have been more clear.  There's nothing I can think
of that DNSSEC or any other *technology* related to the operations of the
DNS could really do, i.e. there's nothing that the *network* could really
do.   My initial thought on seeing the title of the link was... "oh, hey,
maybe this is a hijack that could have been prevented with DNSSEC - let me
take a look!"  Only to find that it was a (sadly "regular", it seems)
compromise at the registrar.

You're absolutely right that the *registrars* can do more to ensure that
these kinds of changes don't get made without the appropriate authorization.

>But, having said that, I am still quite concerned about this relatively
>new trend. I'm afraid it won't stop here.

No, I suspect it won't.  :-(

It goes back to the attackers finding the weakest link - ex.
http://xkcd.com/538/ - and the ever-present balance between user
convenience and security.  I understand the dilemma - a registrar wants to
make it relatively easy for a user to do a legitimate automatic password
reset should the account password be lost so that they aren't calling the
registrar's help desk.  On the other hand, you don't want to make it easy
enough that problems like this occur.


Dan York
Senior Content Strategist, Internet Society
york at isoc.org   +1-802-735-1624
Jabber: york at jabber.isoc.org
Skype: danyork   http://twitter.com/danyork

