Exploits of a Mom: Little Bobby Tables http://xkcd.com/327/ XKCD Web Comic …
* And it looks like … we haven’t ALL learned to sanitize our database inputs …
Some sites are still not accessible to many on Monday.
Leading sites impacted:
United Parcel Service (UPS) www.UPS.com first recorded 16:00 EDT 9-4-2011
(To contact UPS via Toll Free Number 800 782 7892)
National Geographic http://www.nationalgeographic.com/ first recorded 16:04 EDT 9-4-2011
UK Register http://www.theregister.co.uk/ first recorded 15:58 EDT 9-4-2011
The DNS redirection hack against a company like UPS has the potential to disrupt world commerce.
Other major Internet Web Sites Were Blocked Sunday.
The sites were blocked when hackers infiltrated the DNS records of major websites, redirecting them to the hackers' landing page.
People trying to access UPS could not reach the worldwide provider of shipping using www.UPS.com.
A hacker group calling itself TurkGuvenligi has declared September 4th, 2011 World Hacker Day.
The extent of the cyber attack has not been determined as reports of other downed sites continue.
Attacks appear to be DNS redirections.
UPS dot COM DNS lookup on Labor Day Monday 09-05-2011
* I don’t think yumurtakabugu.com is really the DNS Server(s) for UPS.COM.
The Domain Name System (DNS) is a hierarchical distributed naming system for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.
An often-used analogy to explain the Domain Name System is that it serves as the phone book for the Internet by translating human-friendly computer hostnames into IP addresses. For example, the domain name www.example.com translates to the addresses 126.96.36.199 (IPv4) and 2620:0:2d0:200::10 (IPv6).
The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity’s physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 188.8.131.52 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them.
The Domain Name System distributes the responsibility of assigning domain names and mapping those names to IP addresses by designating authoritative name servers for each domain. Authoritative name servers are assigned to be responsible for their particular domains, and in turn can assign other authoritative name servers for their sub-domains. This mechanism has made the DNS distributed and fault tolerant and has helped avoid the need for a single central register to be continually consulted and updated.
DNS was not originally designed with security in mind, and thus has a number of security issues.
One class of vulnerabilities is DNS cache poisoning, which tricks a DNS server into believing it has received authentic information when, in reality, it has not.
DNS responses are traditionally not cryptographically signed, leading to many attack possibilities; the Domain Name System Security Extensions (DNSSEC) modifies DNS to add support for cryptographically signed responses. There are various extensions to support securing zone transfer information as well.
Even with encryption, a DNS server could become compromised by a virus (or for that matter a disgruntled employee) that would cause IP addresses of that server to be redirected to a malicious address with a long TTL. This could have far-reaching impact to potentially millions of Internet users if busy DNS servers cache the bad IP data. This would require manual purging of all affected DNS caches as required by the long TTL (up to 68 years).
Some domain names can spoof other, similar-looking domain names. For example, “paypal.com” and “paypa1.com” are different names, yet users may be unable to tell the difference when the user’s typeface (font) does not clearly differentiate the letter l and the numeral 1. This problem is more serious in systems that support internationalized domain names, since many character codes in ISO 10646 may appear identical on typical computer screens. This vulnerability is occasionally exploited in phishing.
Techniques such as forward-confirmed reverse DNS can also be used to help validate DNS results.
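A defender's delegation check in the spirit of the NS-record observation made earlier in this post, added here as an example that is not part of the original post or of any of the quoted Wikipedia text: it parses a constructed dig-style answer section, compares the NS records it finds against a baseline the zone owner recorded in advance, and flags the kind of oversized TTL the cache-poisoning paragraph above warns about. The zone name, name servers, addresses and the one-week threshold are all hypothetical.

```python
import re

# Constructed sample of a dig-style answer section, not real data: the NS
# delegation for a monitored zone plus the A record a rogue server hands out.
SAMPLE_ANSWER = """\
example.com.        172800      IN  NS  ns1.example-dns.net.
example.com.        172800      IN  NS  ns1.rogue.example.
www.example.com.    2147483647  IN  A   203.0.113.9
"""

# Baseline the operator records ahead of time (hypothetical names): the name
# servers the zone is supposed to be delegated to.
EXPECTED_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}
MAX_SANE_TTL = 7 * 24 * 3600  # a TTL beyond a week deserves a second look

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_answer(text):
    """Parse 'name ttl IN type rdata' lines into (name, ttl, type, rdata)
    tuples; blank lines and ';' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError("unparseable record: " + line)
        name, ttl, rtype, rdata = m.groups()
        records.append((name.lower(), int(ttl), rtype.upper(), rdata.lower()))
    return records

def audit_delegation(records, expected_ns, max_ttl=MAX_SANE_TTL):
    """Return findings as (kind, detail) tuples: NS names outside the
    baseline, baseline NS that disappeared, and TTLs long enough to pin
    bad data in resolver caches for a very long time."""
    findings = []
    seen_ns = {rdata for _, _, rtype, rdata in records if rtype == "NS"}
    for ns in sorted(seen_ns - expected_ns):
        findings.append(("unexpected_ns", ns))
    for ns in sorted(expected_ns - seen_ns):
        findings.append(("missing_ns", ns))
    for name, ttl, rtype, _ in records:
        if ttl > max_ttl:
            findings.append(("excessive_ttl", f"{name} {rtype} ttl={ttl}"))
    return findings
```

Run periodically against the live answer for each zone you own and page on any finding; an unexpected NS is exactly what a redelegation to a rogue server looks like from the outside.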
* More detailed information … http://www.pcworld.com/businesscenter/article/239501/turkish_hackers_strike_websites_with_dns_hack.html
Turkish Hackers Strike Websites With DNS Hack
By Jeremy Kirk, IDG News
A Turkish hacking group managed to tamper with Internet addressing records over the weekend, redirecting dozens of websites belonging to companies including Microsoft, UPS and Vodafone to different web pages controlled by the hackers.
According to Zone-H, a website that tracks defacements, 186 websites were redirected to a page controlled by “Turkguvenligi.” A message on the redirect page read: “4 Sept. We Turkguvenligi declare this day as World Hackers Day – Have fun h4ck y0u.”
All of the websites were registered through NetNames, which is part of NBT group. NetNames provides DNS (Domain Name System) services for the websites, which is the system used to translate a domain name into an IP address that can be called into a web browser.
Turkguvenligi managed to hack NetNames’ DNS servers through a SQL injection attack, which involves putting commands into a web-based form to see if the back-end database responds. If those commands aren’t scanned for malicious code, an attacker could gain access to the system.
In the case of NetNames, Turkguvenligi put a redelegation order into the company’s system and changed the address of the master DNS servers that served data for the websites, according to a statement from NetNames. The attack occurred around 9 p.m. BST on Sunday.
“The rogue name server then served incorrect DNS data to redirect legitimate web traffic intended for customer web sites through to a hacker holding page branded Turkguvenligi,” the statement read. “The illegal changes were reversed quickly to bring service back to the customers impacted and the accounts concerned have been disabled to block any further access to the systems.”
The hack accomplished by Turkguvenligi is a powerful one. Although it appears the goal of the group was just to vandalize the sites for a while, the group could have set up lookalike sites for the real ones, tricking users into thinking they were on the legitimate site and possibly stealing logins and passwords.
(more at the link above.)
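To make the injection mechanism the article describes concrete, here is an added illustration that is not NetNames’ code and not from the article: a hypothetical registrar “list my delegations” handler written two ways over a constructed in-memory table. The vulnerable version splices the form fields into the SQL string, so a stray apostrophe in the input changes the structure of the query itself; the safe version binds the fields as parameters so they can only ever be data, and a hostname syntax check rejects characters a domain name never contains.

```python
import sqlite3

def make_registry():
    """In-memory stand-in for a registrar's delegation table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE delegations (domain TEXT PRIMARY KEY, ns TEXT, owner TEXT)")
    conn.executemany("INSERT INTO delegations VALUES (?, ?, ?)", [
        ("example.com", "ns1.example-dns.net", "acct-1001"),
        ("example.org", "ns1.example-dns.net", "acct-1002"),
        ("example.net", "ns2.example-dns.net", "acct-1003"),
    ])
    return conn

def owned_domains_vulnerable(conn, owner, domain):
    """Form handler that splices user text straight into the SQL. The quotes
    the author meant to delimit the value are exactly what an apostrophe in
    the input breaks out of, so the WHERE clause no longer means what it says."""
    sql = ("SELECT domain, ns FROM delegations WHERE owner = '" + owner +
           "' AND domain = '" + domain + "'")
    return conn.execute(sql).fetchall()

def owned_domains_safe(conn, owner, domain):
    """Same query with bound parameters: the driver hands the values to the
    engine separately from the statement, so input is data, never SQL."""
    sql = "SELECT domain, ns FROM delegations WHERE owner = ? AND domain = ?"
    return conn.execute(sql, (owner, domain)).fetchall()

def contains_sql_metachars(value):
    """Input-layer check a web form can add on top of parameterisation:
    a hostname has no business containing quotes, semicolons or comments."""
    return any(token in value for token in ("'", '"', ";", "--"))
```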
“Little Bobby Tables attack” a name for SQL Injection attacks according to: http://en.wikipedia.org/wiki/SQL_injection
* which by the way already has this attack listed under Known real-world examples
In September 2011, Turkish hackers accessed the nets DNS records and changed entries, redirecting users to a site set up by them which was in place for a period of 3 hours
* How’d that get updated so fast? Anyway, you’d think that with all the history of “stack smashing” and SQLI attacks, every OS and SQL would be fixed already to prevent arbitrary code from being injected into an OS, and invalid / unauthorized data from being injected into a database. A database as important as to be used for Domain Name Service (DNS) lookups.
TurkGuvlenligi HACKED Web Page (DNS Redirection)
Alan Spicer Marine Telecom and WiFiYacht.net
communications @ marinetelecom.net