Go Daddy has rushed out a fix to a security bug in its web site that could have allowed attackers to steal valuable domain names.
Security engineer Dylan Saccomanni found several “cross site request forgery” holes January 17, which he said could be used to “edit nameservers, change auto-renew settings and edit the zone file entirely”.
He reported it to Go Daddy (evidently with some difficulty) and blogged it up, with attack code samples, January 18. Go Daddy reportedly patched its site the following day.
A CSRF vulnerability is where a web site fails to adequately validate data submitted via HTTP POST. Basically, in this case Go Daddy apparently wasn’t checking whether commands to edit name servers, for example, were being submitted via the correct web site.
Mitigating the risk substantially, attackers would have to trick the would-be victim domain owner into filling out a web form on a different site, while they were simultaneously logged into their Go Daddy accounts, in order to exploit the vulnerability, however.
In my experience, Go Daddy times out logged-in sessions after a period, reducing the potential attack window.
Being phishing-aware would also reduce your chance of being a victim.
I’m not aware of any reports of domains being lost to this attack.
It’s 2014. Does anyone in the domain name business still fall for phishing attacks?
Apparently, yes, ICANN staff do.
ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.
According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.
CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.
But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.
While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:
The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.
As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.
It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.
Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.
User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.
In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.
It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.
While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.
That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.
Amazon is now the proud owner of the .secure new gTLD, after much smaller competing applicant Artemis Internet withdrew its bid.
Coincidentally, the settlement of the contention set came just yesterday, the day before Artemis took its .trust — which I’ve described as a “backup plan” — to sunrise.
I assume .secure was settled with a private deal. I’ve long suspected Artemis — affiliated with data escrow provider NCC Group — had its work cut out to win an auction against Amazon.
It’s a shame, in a way. Artemis was one of the few new gTLD applicants that had actually sketched out plans for something quite technologically innovative.
Artemis’ .secure was to be a “trust mark” for a high-priced managed security service. It wasn’t really about selling domain names in volume at all.
The company had done a fair bit of outreach work, too. As long ago as July 2013, around 30 companies had expressed their interest in signing up as anchor tenants.
But, after ICANN gave Amazon a get-out-of-jail-free card by allowing it to amend its “closed generic” gTLD applications, it looked increasingly unlikely Artemis would wind up owning the gTLD it was essentially already pre-selling.
In February this year, it emerged that it had acquired the rights to .trust from Deutsche Post, which had applied for the gTLD unopposed.
This Plan B was realized today when .trust began its contractually mandated sunrise period.
Don’t expect many brands to apply for their names during sunrise, however — .trust’s standard registration policies are going to make cybersquatting non-existent.
Not only will .trust registrants have their identities manually vetted, but there’s also a hefty set of security standards — 123 pages (pdf) of them at the current count — that registrants will have to abide by on an ongoing basis in order to keep their names.
As for Amazon, its .secure application, as amended, is just as vague as all of its other former bids for closed, single-registrant generic strings (to the point where I often wonder if they’re basically still just closed generics).
It’s planning to deploy a small number of names to start with, managed by its own intellectually property department. After that, its application all gets a bit hand-wavey.
If you have an account at NameCheap, now might be a good time to think about changing your password.
According to the registrar, hackers based in Russia are using a haul of a reported 4.5 billion username/password combinations to attempt to break into its customers’ accounts.
Some attempts have been successful, NameCheap warned.
The attackers are using credentials stolen from third-party sources in a large-scale, automated attempt to log in to user accounts, disguised as regular users, the company said in a blog post.
The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed. As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement.
While the vast majority of these logins are unsuccessful, some have been successful. To combat this, we’ve temporarily secured the Namecheap accounts that have been affected and are currently contacting customers involved requesting they improve the security for these accounts.
Affected users have been emailed, the company said.
NameCheap suspects the attack is linked to a reported cache of 1.2 billion unique username/password combinations amassed by a hacker group from databases vulnerable to SQL injection.
The registrar pointed out that its own systems haven’t been hacked. Customers should only be vulnerable if they use the same username and password at NameCheap as they use on other sites.
ICANN expects its RADAR registrar database to be offline for “at least two weeks” following the discovery of a security vulnerability that exposed users’ login names and encrypted passwords.
ICANN seems to have been quick to act and to disclose the hack.
The attack happened last weekend and ICANN was informed about it by an “internet user” on Tuesday May 27, according to an ICANN spokesperson. RADAR was taken offline and the problem disclosed late May 28.
The spokesperson added that “we do not believe the user is affiliated with a current or previously accredited registrar.”
ICANN isn’t disclosing the nature of the vulnerability, but said RADAR will be offline for some time for a security audit. The spokesperson told DI in an email:
It will be at least two weeks. It is more important to complete a thorough security assessment of the site than to rush this process. First of all, we’re keeping the system offline until we complete a thorough audit of the system. We are also currently engaged in a security review of all systems and procedures at ICANN to assess and implement ongoing improvements as appropriate.
RADAR is a database used by registrars to coordinate stuff like emergency contacts and IP address whitelisting for bulk Whois access.
The downtime is not expected to impact registrants, according to ICANN. The spokesperson said: “Nothing that occurred has raised any concerns that registrants could or would be adversely affected.”