If you were a user of ICANN’s Centralized Zone Data Service back in 2014 you may wish to think about changing some passwords today.
ICANN has confirmed that a bunch of user names and hashed passwords that were stolen in November 2014 have turned up for sale on the black market.
The batch reportedly contains credentials for over 8,000 users.
ICANN said yesterday:
ICANN recently became aware that some information obtained in the spear phishing incident we announced in 2014 is being offered for sale on underground forums. Our initial assessment is that it is old data and that no new breach of our systems has occurred. The data accessed in the 2014 incident breach included usernames and hashed passwords for our Centralized Zone Data System (CZDS). Once the theft was discovered, we reset all user passwords, and urged users to do the same for any other accounts where they used the same passwords.
While CZDS users have all presumably already changed their CZDS passwords, if they are still using that same password for a non-CZDS web site they may want to think about changing it.
ICANN first announced the hack back in December 2014.
It said at the time that the Government Advisory Committee’s wiki, and a selection of other less interesting pages, had also been compromised.
The attackers got in after a number of ICANN staffers fell for a spear-phishing attack — a narrowly targeted form of phishing that was specifically aimed at them.
If you email with ICANN staff with any regularity you will have noticed that for the last several months your email subject lines get prefixed [EXTERNAL] before the staffer receives them.
That’s to help avoid this kind of attack being successful again.
There are now more than five million new gTLD domain names live in the DNS.
That’s according to zone files collated by ICANN, which I’m told show 5,002,252 names across the 597 new gTLD registries providing data.
That works out to a mean of 8,378 domains per TLD, a median of 1,254.
The largest zone file is .xyz, with 877,450 names. There’s at least 100 new gTLDs with only one domain in their zones.
Due to the way ICANN’s Centralized Zone Data Service works (or doesn’t work) with access rights expiring on a pretty much daily basis, it’s virtually impossible for a third party such as DI to count up zone file numbers across every new gTLD with 100% daily accuracy.
Today, DI PRO reports a count of 4,999,024 names.
The total number of zone file domains in this post was provided by ICANN, which does not have the same CZDS restrictions as the rest of us.
It’s 2014. Does anyone in the domain name business still fall for phishing attacks?
Apparently, yes, ICANN staff do.
ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.
According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.
CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.
But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.
While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:
The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.
As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.
It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.
Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.
User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.
In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.
It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.
While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.
That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.
A bug which gave elevated privileges to new gTLD registries has taken out ICANN’s Centralized Zone Data Service for the best part of a day.
CZDS is the central clearinghouse for zone file data access requests. All new gTLD registries must participate. DI uses the data provided via the service to calculate registration numbers.
The service was turned off yesterday after registries noticed that they were able to view and approve pending requests made to rival registries and informed ICANN.
The site has been “currently undergoing maintenance” since at least 0200 UTC today. The bug was present from at least 2100 on Monday night, which was when I first heard about it.
ICANN tells me the move to take down the site yesterday was made out of “an abundance of caution” and that its techies are looking at the issue right now.
Talking to a few registries, it seems they were given super-user privileges.
They were able to review requests for zone file access made by users like DI to any new gTLD registry. They would have been able to approve such requests, registries tell me.
The contact information of the requesting party was also visible, they tell me.
I think in most cases this isn’t a big deal. I assume most CZDS users just blanket-request every file from every gTLD registry, but there could hypothetically be edge cases where a sensitive request was exposed.
For the avoidance of confusion, the bug would not have given anyone the ability to edit any zone files. CZDS is just a publishing clearinghouse, it has no functional role in the DNS.
Two other ICANN sites, the Global Domains Division portal and parts of MyICANN, both of which run on the Force.com platform, also currently appear to be down for maintenance, but it’s not currently clear if these issues are related.