If you were a user of ICANN’s Centralized Zone Data Service back in 2014 you may wish to think about changing some passwords today.
ICANN has confirmed that a bunch of user names and hashed passwords that were stolen in November 2014 have turned up for sale on the black market.
The batch reportedly contains credentials for over 8,000 users.
ICANN said yesterday:
ICANN recently became aware that some information obtained in the spear phishing incident we announced in 2014 is being offered for sale on underground forums. Our initial assessment is that it is old data and that no new breach of our systems has occurred. The data accessed in the 2014 incident breach included usernames and hashed passwords for our Centralized Zone Data System (CZDS). Once the theft was discovered, we reset all user passwords, and urged users to do the same for any other accounts where they used the same passwords.
CZDS users will all presumably have changed their CZDS passwords when ICANN reset them, but hashed passwords that are up for sale can be cracked offline at leisure, so anyone who reused the same password on a non-CZDS web site should change it there too.
ICANN first announced the hack back in December 2014.
It said at the time that the Government Advisory Committee’s wiki, and a selection of other less interesting pages, had also been compromised.
The attackers got in after a number of ICANN staffers fell for a spear-phishing attack — a narrowly targeted form of phishing that was specifically aimed at them.
If you email ICANN staff with any regularity you will have noticed that for the last several months your subject lines get prefixed with [EXTERNAL] before the staffer receives them.
That tag is there to help stop this kind of attack succeeding again: a message that claims to come from a colleague but arrives marked [EXTERNAL] is an obvious red flag to the recipient.
The domain drop-catching arms race is heating up, with budget player Pheenix this week acquiring 300 more registrar accreditations from ICANN.
According to DI records, the company now has almost 500 registrar accreditations in its family.
More accreditations means more registry connections with which to attempt to acquire expired domains as they return to the available pool.
It also means that Pheenix’s dropnet (a word I just made up that sounds a bit like “botnet” in a pathetic attempt to coin a term for once in my career) is now a bit bigger than that of Web.com, the registrar pool behind Namejet and SnapNames.
It’s still a long way behind TurnCommerce, owner of DropCatch, which two weeks ago added a whopping 500 new accreditations, bringing its total to over 1,250.
An extra 300 accreditations would have cost Pheenix over $1 million in up-front ICANN fees and will incur ongoing fixed annual fees in excess of $1.2 million.
Go Daddy VP of domains Rich Merdinger has been appointed interim chair of the Domain Name Association, replacing Neustar’s Adrian Kinderis.
In a blog post, Merdinger said the DNA will become more “vocal” under its new leadership and outlined three priorities for 2017 — awareness, adoption and access.
He said the DNA will share ways businesses can pursue a strategy of “blending” TLD types in their online activities, promote domains as search engine optimization tools, and make it easier for DNA members to participate.
There will be a new series of DNA Virtual Town Hall meetings to facilitate communication. Merdinger wrote:
Expect to see a more vocal DNA – whether it is at the next virtual town hall or learning about new research on domain name strategies and their business impact. As Interim Chair, I will be working with our leadership team on ways to spotlight how domain names are being used strategically and tactically to support business objectives in 2017 and beyond.
He replaces Kinderis, formerly CEO of AusRegistry/ARI/Bombora, who is now, post-acquisition, VP of corporate development at Neustar.
Kinderis, DNA’s founding chair in April 2013, will remain on the DNA’s board of directors, representing Neustar.
It’s interesting that Merdinger’s appointment to chair is being linked with the DNA becoming more “vocal”.
While Merdinger certainly isn’t a shrinking violet, Kinderis, I’m sure he wouldn’t mind me saying, is one of the bluntest, mouthiest guys in the industry.
That said, GoDaddy has name recognition and has proven to be a bit of a headline magnet over the last decade or so.
It surely has a higher profile among would-be registrants — a big part of the DNA’s audience — than Neustar, which isn’t primarily a domain name company, or arguably even primarily an internet company.
The DNA will continue to operate without an in-house staff, having dumped its second executive director earlier this year in favor of outsourcing to a trade group management company, to cut costs.
Amazon has reversed, at least temporarily, its decision to yank its free list of the world’s most popular domains, after an outcry from researchers.
The daily Alexa list, which contains the company’s estimate of the world’s top 1 million domains by traffic, suddenly disappeared late last week.
The list was popular with researchers in fields such as internet security. Because it was free, it was widely used.
DI PRO uses the list every day to estimate the relative popularity of top-level domains.
After deleting the list, Amazon directed users to its Amazon Web Services portal, which had started offering the same data priced at $0.0025 per URL.
That’s not cheap. The cost of obtaining the same data suddenly leaped from nothing to $2,500 per day, or $912,500 per year.
That’s beyond the wallets, I suspect, of almost every Alexa user, especially the many domain name tools providers (including yours truly) that relied on the data to estimate domain popularity.
Even scaling back usage to the top 100,000 URLs would be prohibitively expensive for most researchers.
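As an added example (not DI PRO’s code, and nothing Alexa published), here is the kind of processing the free list made possible: parsing the rank/domain rows, estimating relative TLD popularity the way DI PRO does, and checking how many of the top N sites appear in a set of affected domains, which is how security researchers use it to gauge the reach of a new vulnerability. The rows are constructed sample data, not real Alexa output, and the file layout (one `rank,domain` pair per line, no header) is an assumption about the format.

```python
"""Estimate TLD popularity and vulnerability exposure from an Alexa-style top-1M list.

Added example, not DI PRO's code. Assumes the format Alexa published:
one "rank,domain" pair per line, ranks ascending from 1, no header row.
"""
from collections import Counter
import csv
import io

# Constructed sample rows in the top-1m.csv layout (not real Alexa data).
# Deliberately includes three malformed lines at the end.
SAMPLE_CSV = """\
1,google.com
2,youtube.com
3,facebook.com
4,baidu.com
5,wikipedia.org
6,yahoo.com
7,google.co.in
8,amazon.com
9,qq.com
10,twitter.com
11,bbc.co.uk
12,example.xyz
13,example.club
malformed line without a comma
14,
x,example.net
"""


def parse_top_list(text, top_n=None):
    """Return a list of (rank, domain) pairs, skipping malformed rows.

    Rows with a missing comma, empty domain or non-integer rank are dropped
    rather than raising, so a partially corrupted download still yields
    usable counts. If top_n is given, only ranks <= top_n are kept.
    """
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 2:
            continue
        rank_s, domain = row[0].strip(), row[1].strip().lower().rstrip(".")
        if not rank_s.isdigit() or not domain or "." not in domain:
            continue
        rank = int(rank_s)
        if top_n is not None and rank > top_n:
            continue
        entries.append((rank, domain))
    return entries


def tld_of(domain):
    """Last label of the domain: the TLD in the ICANN sense (bbc.co.uk -> 'uk').

    Caveat: this does not split on public suffixes, so every .co.uk site
    counts towards 'uk', which is what a per-TLD popularity estimate wants.
    """
    return domain.rsplit(".", 1)[-1]


def tld_shares(entries):
    """Return (counts, shares): domains per TLD and each TLD's fraction of the list."""
    counts = Counter(tld_of(d) for _, d in entries)
    total = sum(counts.values())
    shares = {t: n / total for t, n in counts.items()}
    return counts, shares


def exposure(entries, affected, top_n=None):
    """Report how many of the top-N listed domains appear in `affected`.

    `affected` is a set of domains from, e.g., a vulnerability scan. Matching
    is exact on the listed domain, so reduce scanned hostnames to their
    listed form first. Returns the number of domains considered, the number
    hit, the best (lowest) rank hit, and the hits themselves.
    """
    affected = {a.lower().rstrip(".") for a in affected}
    considered = [(r, d) for r, d in entries if top_n is None or r <= top_n]
    hits = [(r, d) for r, d in considered if d in affected]
    return {
        "considered": len(considered),
        "hit_count": len(hits),
        "best_rank": min((r for r, _ in hits), default=None),
        "hits": hits,
    }


if __name__ == "__main__":
    entries = parse_top_list(SAMPLE_CSV)
    counts, shares = tld_shares(entries)
    for tld, n in counts.most_common():
        print(f"{tld:>5}: {n:3d} ({shares[tld]:.1%})")
    # Constructed set of "affected" domains, as a scan might produce.
    print(exposure(entries, {"youtube.com", "example.club", "notlisted.net"}, top_n=10))
```

Run it on the real file by reading `top-1m.csv` out of the zip Alexa distributed and passing its text to `parse_top_list`. The ranking is Alexa’s traffic estimate, so a per-TLD count is a popularity proxy rather than a measurement; it is the relative figure DI PRO reports.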
While Amazon is of course free to price its data at whatever it thinks it is worth, no notice was given that the file was to be deleted, scuppering without warning goodness knows how many ongoing projects.
Some users spoke out on Twitter.
The quiet death of the @Alexa_Support top million sites is a grievous blow to internet researchers everywhere. $2500 per pull now.
— April King (@aprilmpls) November 21, 2016
Removing the top 1M list is a HUGE mistake. It was extremely useful to assess the impact of new security vulnerabilities. 🙁 @Alexa_Support
— Benjamin Beurdouche (@beurdouche) November 22, 2016
@Alexa_Support I'm disappointed, but I hope you reconsider. The Top 1M list is a standard reference in research. It's simply irreplaceable.
— Santiago Zanella (@xEFFFFFFF) November 22, 2016
I spent most of yesterday figuring out how to quickly rejigger DI PRO to cope with the new regime, but it seems I may have been wasting my time.
After an outcry from fellow researchers, Amazon has restored the free list. It said on Twitter:
Thanks to customer feedback, the top 1M sites is temporarily available again. We’ll provide notice before updating the file in the future
— Alexa Support (@Alexa_Support) November 22, 2016
It seems clear that the key word here is “temporarily”, and that the restoration of the file may primarily be designed to give researchers more time to seek alternatives or wrap up their research.
Oracle has signed a deal to buy DNS services provider Dyn for an undisclosed amount probably in the nine-figure range.
The software giant said it plans to integrate Dyn’s services into its existing cloud computing platform. For the moment, existing Dyn customers are unaffected.
Dyn provides managed (authoritative) DNS services, mainly to the enterprise market, where it has about 3,500 customers.
But it also provides redundant DNS to some TLD registries, notably Uniregistry.
Knowing how ruthlessly opportunistic Oracle can be when it comes to M&A, I have to wonder how much impact the recent denial of service attack against Dyn had on the timing of the deal being signed.
Dyn customers including Twitter and Netflix became unreachable for millions of North American internet users a couple of weeks ago, because their domains could not be resolved while the nameservers Dyn runs for them were under attack.
Customers that may have been reconsidering their DNS options following the downtime may feel more reassured now that Dyn is about to become part of a much larger company.
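For customers doing that reconsidering, the practical question after the outage is whether a zone depends on a single DNS provider at all. Here is an added example (not code from Dyn, Oracle or any registry named above) that takes a zone’s NS record set and flags zones whose nameservers all belong to one provider. The NS sets and provider names are constructed, not live lookups; in practice you would gather them with `dig +short NS <zone>`. The “provider” of a nameserver is approximated by the registered domain of its hostname, using a small hand-picked list of second-level registries as a stand-in for the Public Suffix List.

```python
"""Flag zones whose authoritative nameservers all sit with a single DNS provider.

Added example, not code from Dyn, Oracle or any registry. Works on NS record
sets supplied inline so it runs offline. Assumption: a nameserver's provider
is its hostname's registered domain (last two labels, or three under the
second-level registries listed below).
"""

# Assumption: a short hand-picked list. A real deployment would consult the
# Public Suffix List instead of hard-coding these.
SECOND_LEVEL_REGISTRIES = {"co.uk", "org.uk", "com.au", "co.nz", "co.jp", "com.br"}


def provider_of(ns_host):
    """Registered domain of a nameserver hostname.

    ns1.dns.provider-b.co.uk. -> provider-b.co.uk
    ns3.provider-a.example    -> provider-a.example
    """
    labels = ns_host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_REGISTRIES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_zone(zone, ns_hosts, min_providers=2):
    """Group a zone's NS hostnames by provider and say whether the zone depends
    on fewer than min_providers distinct providers."""
    by_provider = {}
    for host in ns_hosts:
        by_provider.setdefault(provider_of(host), []).append(host)
    return {
        "zone": zone,
        "providers": by_provider,
        "provider_count": len(by_provider),
        "single_provider": len(by_provider) < min_providers,
    }


def audit(ns_sets, min_providers=2):
    """Return the zones in ns_sets that fail the provider-diversity check."""
    return [
        zone for zone, hosts in ns_sets.items()
        if assess_zone(zone, hosts, min_providers)["single_provider"]
    ]


# Constructed NS record sets: hypothetical zones and hypothetical providers.
SAMPLE_NS = {
    "zone-a.example": [
        "ns1.provider-a.example", "ns2.provider-a.example",
        "ns3.provider-a.example", "ns4.provider-a.example",
    ],
    "zone-b.example": [
        "ns1.provider-a.example", "ns2.provider-a.example",
        "ns1.dns.provider-b.co.uk", "ns2.dns.provider-b.co.uk",
    ],
}


if __name__ == "__main__":
    for zone, hosts in SAMPLE_NS.items():
        r = assess_zone(zone, hosts)
        status = "SINGLE PROVIDER" if r["single_provider"] else "ok"
        print(f"{zone}: {r['provider_count']} provider(s) {sorted(r['providers'])} -> {status}")
```

Four nameservers at one provider, as in `zone-a.example`, look redundant but are not when that provider is the target of the attack. Grouping by hostname is only a first pass: a provider that spreads its nameserver names across several registered domains will be counted more than once, so a stronger check resolves each NS to its addresses and compares the networks (ASNs) they live in, and confirms that the second provider is actually serving the zone rather than merely appearing in the delegation.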
While the acquisition price was not disclosed, it’s certainly going to be in the hundreds of millions.
Just six months ago, Dyn received $50 million in venture capital, following on from a $38 million round in 2012.