The Register reports that registrar logins hacked and 750 web addresses were compromised:
More than 750 domain names were hijacked through the internet's own systems, registrar Gandi has admitted.
Late last week, an unknown individual managed to get hold of the company's login to one of its technical providers, which then connects to no fewer than 27 other top-level domains, including .asia, .au, .ch, .jp and .se.
Using that login, the attacker managed to change the domain details on the official nameservers for 751 domains on a range of top-level domains, and redirect them all to a specific website serving up malware.
The changes went unnoticed for four hours until one [of] the registry operators reported the suspicious changes to Gandi. Within an hour, Gandi's technical team identified the problem, changed all the logins and started reverting the changes made – a process that took three-and-a-half hours, according to the company's incident report, published this week.
[...] "We sincerely apologize that this incident occurred," said its report. "Please be assured that our priority remains on the security of your data and that we will continue to protect your security and privacy in the face of ever-evolving threats."
(Score: 2) by kaszz on Saturday July 15 2017, @10:14AM (6 children)
Gandi - Headquarters in Paris, France. Founded in 1999.
gandi.net - Uses Apache.
They seem quite sane. Makes it more unclear how the breach happened.
(Score: 0) by Anonymous Coward on Saturday July 15 2017, @11:18AM
especially if you enable optional modules. Depending on their website configuration and active page technologies there could have been a lot of attack surface available. Assuming of course that it wasn't a simple phishing attack or password reuse exploit from credentials gained on another site.
(Score: 4, Interesting) by romlok on Saturday July 15 2017, @11:58AM (2 children)
It appears that the credentials were able to be intercepted, because the third-party site that Gandi used for administering those top-level domains was using plain HTTP.
From their incident report [gandi.net]:
(Score: 0) by Anonymous Coward on Saturday July 15 2017, @05:37PM
"Unfortunately, these security measures were only recently added, in 2016, by the technical partner in question and had not been identified at the date of our most recent security audit."
years too late. stupid fucks probably didn't have any trouble spending the money they were earning prior to 20 fucking 16.
(Score: 2) by kaszz on Saturday July 15 2017, @10:11PM
Obtained "surreptitiously" only made possible by http without the "s". And by 2013 ie Snowden all security people worth their salt should demand https as minimum. It occurred to me that a lot of trust to not peak or manipulate were put into ISPs and backbone providers for years. Then once Room 641A got out in 2006 it should have hinted everybody as to what was up. And by 2013 only braindeads could miss it.
But customers should have taken notice when http were being used. It's a dead giveaway if any login page uses it.
So to conclude: Inept security policy and customers results in breach, news at 11.
(Score: 2) by mcgrew on Saturday July 15 2017, @05:29PM (1 child)
That's because the submitter linked a shitty web site geared to adolescents. I added a better link below that answers your question.
Really, people, the Register is almost worthless for information. They leave stuff out of stories to make them more sensationalist.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by kaszz on Saturday July 15 2017, @10:02PM
Most adults these days seem to be of the adolescent variant. Some even proud to be clueless ;-)
I recall some years ago people in a public radio program that were proud to have no clue how their electrical kitchen stove worked.
(Score: 2) by maxwell demon on Saturday July 15 2017, @11:48AM (1 child)
Continue? They obviously failed to protect their customers' security and privacy. If anything, they should promise to do better in the future.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by kaszz on Saturday July 15 2017, @10:34PM
What they mean is that they will continue to send bills to their customers and hope they are calmed enough to not do anything about this ;-)
Keep calm and send us money (tm),
(Score: 4, Informative) by mcgrew on Saturday July 15 2017, @05:27PM (1 child)
For those who would prefer a more accurate, less childish outlet, Helpnet Security [helpnetsecurity.com] has the story, only geared to adults rather than twelve year olds.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by kaszz on Saturday July 15 2017, @10:32PM
So "SCRT" is a domain-name customer to the registrar "Gandi" which sends update requests to the "SWITCH" domain name service. The requests from Gandi to SWITCH are done using http?
If so, that is INCREDIBLY stupid.
Is there any other registrar domain service communications done over http?
SCRT seems to go for browser Strict-Transport-Security and implementing DNSSEC.