[ISN] Hushmail DNS Attack Blamed on Network Solutions

From: InfoSec News (isn@private)
Date: Sun May 01 2005 - 23:29:11 PDT


http://www.eweek.com/article2/0,1759,1791152,00.asp

By Ryan Naraine 
April 29, 2005 

Secure e-mail service provider Hushmail Communications plans to pursue 
a criminal investigation into a hacking attack that redirected users 
to a defaced Web site. The company pinned the blame for the breach 
squarely on the shoulders of domain name registrar Network Solutions.

Hushmail, which markets PGP-encrypted e-mail, file storage and vanity 
domain services, has opened a criminal investigation with the Royal 
Canadian Mounted Police in Vancouver to get to the bottom of a DNS 
server breach caused by a combination of social engineering, phishing 
and pharming tactics.

Brian Smith, chief technical officer at Hushmail Communications Corp., 
said in an interview with Ziff Davis Internet News that the attacker 
or attackers simply called the Network Solutions Inc. support center 
and gained access to enough customer account information to alter the 
Hushmail DNS (Domain Name System) settings.

"They used a name not associated with Hush Communications and were able 
to get information from Network Solutions," Smith said. Using the 
information collected from Network Solutions' customer service, Smith 
said the DNS information was changed to redirect users visiting the 
"hushmail.com" URL to a defaced Web site.

For a brief period, Hushmail's domain was either unavailable or 
appeared defaced with an image of Hushmail's logo with the following 
text: "The Secret Service is watching. - Agent Leth and Clown Jeet 3k 
Inc." Zone-H.org has archived a screenshot [1] of the defacement.

Smith said Network Solutions promised to investigate and issue a 
statement on the breach, but at press time Friday, Hushmail had yet to 
receive official communication from the Herndon, Va.-based registrar.

Network Solutions spokeswoman Susan Wade confirmed that the breach 
occurred as a result of certain weaknesses in the registrar's 
customer-service security measures but declined to provide specifics, 
citing customer privacy issues. 

"We're seriously investigating the incident. We are aware that a 
hacker temporarily altered this customer's [DNS records]. Our security 
team promptly rectified the situation," Wade told Ziff Davis Internet 
News.

She described the breach as an "isolated incident" and said Network 
Solutions would immediately institute "additional security measures to 
ensure it doesn't occur in the future."

"We've brought everyone in and gone over the procedures, and we've 
implemented some additional ones. I can't go into details for obvious 
reasons, but we are taking this very, very seriously," Wade added.

In addition to supporting RCMP's investigation in Vancouver, Wade said 
a separate criminal investigation is being launched in the United 
States. 

At Hushmail's end, Smith said the episode has been frustrating. "We're 
still waiting for a statement from Network Solutions. We were told by 
an employee that the attacker was given the DNS information over the 
telephone, but they've not sent anything official to us. I don't want 
to comment on what may or may not have happened at their end," Smith 
said.

For now, Hushmail is working to erase the negative perception of an 
e-mail security provider with a major server breach. "Initially, it 
was embarrassing but we're pleased that the users and the media have 
been very sympathetic to what happened here. To nontechnical users, it 
will take some explaining, but it's quite clear that this could have 
happened to anyone."

"The Internet as a whole is a notoriously nonsecure infrastructure. 
We're operating within that. This is a big worry for the entire 
Internet. That's why phishing, pharming and social engineering attacks 
have become a big issue," Smith said.

Hushmail has been upfront about the hacking attack, publishing a daily
log [2] with updates for users.

"To the best of our knowledge, the DNS issues caused by the caching of
the altered addresses should now have ceased. The correct addresses
should now have propagated across the Internet, and all users should
be able to access Hushmail," the latest entry says.

The company said there was no unauthorized access to any of the Hush
servers. "Data managed by Hush was not compromised. During this
period, e-mail sent to hushmail.com will not have been delivered,"  
Hushmail said.

Rick Fleming, chief technology officer at Texas-based security outfit
Digital Defense Inc., said the Hushmail nightmare points to a "major
weakness" in the way domain name registrars authenticate requests for
DNS changes.

"We'll continue to see these types of social engineering attacks
because it's becoming easier to impersonate someone and collect
information. There is definitely a weakness in the way the domain name
registrars handle authentication. If they don't have a way to
adequately identify who the domain owners are, these attacks will
continue to happen," Fleming said.

"What's to stop this from affecting a Yahoo or a Google? Nothing. The
underlying flaw is the way domain name systems work. It's an implied
trusted relationship without any authentication or verification and
that needs to be fixed," Fleming said.

[1] http://www.zone-h.org/defacements/mirror/id=2309823/
[2] http://www.hushmail.com/login-status


