Commentary
John Zurawski, Authentify

Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?

With DNS server hacks on the rise, banks must be on the watch for online account takeover attacks.

Political hacktivists have once again hijacked a prominent website. The attack vector, however, is surprising: they did it by fax. Yes, you read that correctly. A change request was faxed to the Domain Name System (DNS) registrar that maintained the DNS records for the site. As a result, the IP addresses for the web servers hosting the Metasploit website, owned by Rapid7, were redirected. The redirect delivered Web pages pushing a pro-Palestinian political agenda. The good news is that the intent was obvious and political rather than covertly malicious. Imagine instead a visitor landing on an imitation website that they believe is yours.

The list of recent DNS server hacks is growing. Several weeks ago, Google's site in Malaysia was hacked by a Pakistani activist group. That hack was of the same variety as the one used to redirect the New York Times website about a month ago. In these incidents, the hackers apparently spear-phished login credentials from staffers at the registrar. Armed with those credentials, they accessed the DNS registries and changed the IP addresses to point at Web pages they controlled. I wonder how often this happens and no one reports the incident, or the victim believes it was a mistake.

These DNS address change exploits are reminiscent of the first wave of financial account takeover and credit card fraud about a decade ago. Fraudsters would send a letter or phone a financial institution with a request to change the address to which a statement was mailed. Such a request used to be handled without much thought to validating it with the account owner. Once the fraudster received a hard copy of a statement, it was not difficult to order checks, apply for additional credit cards and otherwise abuse the account and credit of the legitimate owner. It seems no successful hack ever dies; it simply evolves with the rest of the technology.

To counter the type of fraud initiated by pretext phone calls or mailings to financial institutions, the Gramm-Leach-Bliley Act included a section: 15 USC § 6821 - Privacy protection for customer information of financial institutions. This section specifically prohibited financial institutions from initiating and finalizing changes to address information without first confirming the request. The confirmation had to be done via a communication channel other than the one through which the request was made. Effectively, if the request came by mail, call the account owner on the phone to verify it. If the request came by phone, mail a confirmation to the existing address of the account owner. An alternative is to reach the account owner at a different phone number already trusted to belong to them, for example by placing a call to their business phone to confirm the change request.
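The confirmation rule described above, as an added illustration that is not the author's or Authentify's code: a change request arriving on one channel is applied only after the owner of record confirms it on a different, already-trusted channel, and the confirmation goes to the contact details already on file, never to details supplied in the request. The channel names, the `AccountOfRecord` fields and the code length are assumptions.

```python
"""Out-of-band confirmation of an account-detail change request.

Hypothetical model of the rule the article describes: a change submitted on
one channel is applied only after the owner of record confirms it on a
different, already-trusted channel, using contact details already on file.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccountOfRecord:
    """Contact details that were on file before the request arrived."""
    phone: str
    mailing_address: str


@dataclass
class ChangeRequest:
    account: AccountOfRecord
    new_value: str            # e.g. a new statement address or a new A record
    request_channel: str      # channel the request arrived on: "fax", "phone", ...
    code: str = field(default_factory=lambda: secrets.token_hex(4))
    confirmed_via: Optional[str] = None
    applied: bool = False


TRUSTED_CONFIRM_CHANNELS = {"phone", "mail"}   # assumed set of out-of-band channels


def confirmation_destination(req: ChangeRequest, channel: str) -> str:
    """Return the on-file contact to send the confirmation code to; reject a
    same-channel confirmation (not out-of-band) or an untrusted channel."""
    if channel == req.request_channel:
        raise ValueError("confirmation channel must differ from request channel")
    if channel not in TRUSTED_CONFIRM_CHANNELS:
        raise ValueError(f"untrusted confirmation channel: {channel}")
    return req.account.phone if channel == "phone" else req.account.mailing_address


def confirm(req: ChangeRequest, channel: str, code: str) -> bool:
    """Apply the change only if the owner returned the right code out of band."""
    confirmation_destination(req, channel)   # raises on a bad channel choice
    if not secrets.compare_digest(code, req.code):   # constant-time compare
        return False
    req.confirmed_via = channel
    req.applied = True
    return True
```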

It is doubtful that legislation is required to fight these DNS address hacks, but the hack is almost too easy. It may be time for website owners to apply pressure on their DNS registrars to confirm requests for IP address changes before they are made in production. Customers might also want to ask what level of authentication is required to log in to the administrator accounts capable of making such changes. Many financial institutions automatically require a security review and a copy of a written security policy from vendors providing them online services.

There are other defenses as well. There are products that permit DNS servers and IP address resolution to be monitored in real time. It is also possible to lock the IP address for a domain name and limit the ability of the registrar or anyone else to make a change. Ask the registrar whether phone-based, two-factor authentication can be added to this locking function. There is a big advantage to this type of authentication process: you will be alerted if someone else attempts to unlock your account.
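A minimal version of the real-time resolution monitoring mentioned above, added here as an example and not a product from the article: record the answer set you expect for your own names at a known-good time, re-resolve on a schedule, and alert on any drift. The resolver is injectable, so the constructed sample below (RFC 5737 documentation addresses, not real infrastructure) runs offline; `system_resolve` is an assumed stdlib-only resolver for A records.

```python
"""Baseline-and-alert monitor for a domain's DNS answers.

Hypothetical defender-side check: compare the records currently served for
names you control against the baseline recorded at a known-good time, and
raise an alert on any drift (the symptom of a registry change like the
ones described in the article).
"""
import socket
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]


def system_resolve(name: str) -> Set[str]:
    """Resolve A records through the stdlib resolver (IPv4 only)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return set()
    return set(addrs)


def check_baseline(baseline: Dict[str, Set[str]],
                   resolve: Resolver = system_resolve) -> List[str]:
    """Return one alert string per name whose answers differ from the baseline."""
    alerts: List[str] = []
    for name, expected in baseline.items():
        observed = resolve(name)
        if observed == expected:
            continue
        if not observed:
            alerts.append(f"{name}: no answer (expected {sorted(expected)})")
            continue
        added = sorted(observed - expected)
        missing = sorted(expected - observed)
        alerts.append(f"{name}: unexpected {added}, missing {missing}")
    return alerts


# Constructed sample: the owner's recorded baseline, and a fake resolver that
# returns what a hijacked registry would serve for www (documentation ranges).
BASELINE = {"www.example.com": {"192.0.2.10", "192.0.2.11"},
            "mail.example.com": {"192.0.2.25"}}


def fake_hijacked(name: str) -> Set[str]:
    return {"www.example.com": {"198.51.100.7"},
            "mail.example.com": {"192.0.2.25"}}.get(name, set())


if __name__ == "__main__":
    for line in check_baseline(BASELINE, fake_hijacked):
        print("ALERT", line)
```

In practice, run the check from several vantage points (different resolvers and networks), since a hijacked registry answer propagates unevenly during TTL expiry.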

If this can happen to an outlet for the largest property on the Web, it can happen to anyone. Cybercriminals have heavily targeted small and medium businesses for financial fraud, and it would not be surprising to see this exploit migrate in that direction. It is also likely just a matter of time before this type of exploit migrates from political to profit motives.

John Zurawski is the vice president of Authentify, which pioneered telephone-based out-of-band authentication services and offers online banking security services.

Comments
Byurcan,
User Rank: Author
11/19/2013 | 3:56:44 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
Carrier Pigeon.
Becca L,
User Rank: Author
11/19/2013 | 3:06:32 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
Singing telegram.
Becca L,
User Rank: Author
11/19/2013 | 3:05:16 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
I think the mindset goes, "Wow, our first fax in years - I knew we kept this thing around for a reason. Time to take action!"
Greg MacSweeney,
User Rank: Author
11/19/2013 | 12:59:48 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
A fax? Wow. But the fact that the DNS registry didn't take the additional step to validate the change request is really the major issue. The DNS registrar really needs to improve its safeguards (and they also need to shut off their fax machine).
Jonathan_Camhi,
User Rank: Author
11/18/2013 | 7:06:09 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
Or a pay phone.
Becca L,
User Rank: Author
11/18/2013 | 6:59:12 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
Next thing you know, a beeper will bring down a bank.
Becca L,
User Rank: Author
11/18/2013 | 6:54:17 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
I have never heard of this issue before, nor did I realize this open information makes a site vulnerable to hacks... Interesting that anything from a major corporation's homepage to a small blog is so hackable. Interesting, and frightening.
Byurcan,
User Rank: Author
11/18/2013 | 5:10:27 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
Amazing that a machine now as antiquated as a fax was used to facilitate this. The need for vigilance when it comes is greater than ever before.
bhardyip,
User Rank: Apprentice
11/18/2013 | 3:04:31 PM
re: Does a Website’s IP Address Deserve the Same Protection as the Address on a Bank Statement?
Yes, this issue is becoming amazingly complex. I've used something like www.ip-adress.com before to check the IP address of a website (or Whois, for that matter) and it is amazingly simple to find these details. I can't blame websites for wanting to mask them now, considering what has happened so far.