Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?
Security Communications Networking

Want To Hijack a Domain? Just Get a Fax Machine 162

msm1267 writes "Metasploit's HD Moore says hackers sent a spoofed DNS change request via fax to that the registrar accepted, leading to a DNS hijacking attack against the Metasploit and Rapid7 websites. The two respective homepages were defaced with a message left by the same hacker collective that claimed responsibility for a similar DNS attack against Network Solutions. Rapid7 said the two sites' DNS records have been locked down and they are investigating."
This discussion has been archived. No new comments can be posted.

Want To Hijack a Domain? Just Get a Fax Machine

Comments Filter:
  • "hack" (Score:5, Insightful)

    by Anonymous Coward on Friday October 11, 2013 @01:02PM (#45102805)

    Social engineering is not hacking to me.

    • Re:"hack" (Score:5, Insightful)

      by i_ate_god ( 899684 ) on Friday October 11, 2013 @01:05PM (#45102843)

      What is the difference between injecting code into a machine to make it do what you want, and injecting an idea into a human to make the human do what you want.

    • Getting cats out of trees isn't firefighting, but firefighters rescue cats all the time.

      Just because social engineering isn't hacking doesn't mean hackers can't do it.
      • Re:"hack" (Score:4, Insightful)

        by sumdumass ( 711423 ) on Friday October 11, 2013 @01:28PM (#45103095) Journal

        Hackers also go bowling and put bumper stickers on cars. But few call those activities hacking. Just like few call rescueing kittens- firefighting.

      • Do firefighters really do this? In all my life, I don't think I've ever seen a fire crew helping a cat down from a tree. I figure when the cat gets hungry, it'll find its way down.

        I thought this just came from cartoons, because fire is hard to animate, and you need to do something with the ladders, otherwise firemen wouldn't have been needed at all.

        • by Jawnn ( 445279 )

          Do firefighters really do this? In all my life, I don't think I've ever seen a fire crew helping a cat down from a tree.

          When I was still on the job, the chief of a neighboring department was known to have said, "Ever seen a cat skeleton in a tree? That's why we don't rescue cats."

        • by TheCarp ( 96830 )

          Problem for cats is they are better at climbing up than down and can easily get themselves in a predicament, unlike squirrels, they can't actually grip the tree while upside down. I have seen a cat climb up things, or use their claws to hang on things, but, never climb down, they jump down....and if they can't safely jump to a branch that gets them close enough to the ground, I could see them getting stuck.

          I say, "I could see" because I have never seen a cat actually get stuck in a tree. They seem to be sma

          • I grew up on a farm, and we had plenty of cats and squirrels around.

            Squirrels never cried when they were stuck in a tree, because they never were.

            Cats would occasionally cry, but would eventually climb down. Even at 15' to 20' above the ground, they were fine. Their instincts and learned abilities work fine. They can't grip very well going head first down a tree. It's more like a clawed running fall, only slowing themselves a little. :) If they're too high, they can climb down backwards, stopping to

    • It most certainly is. In fact, social engineering is quite often used by hackers. Sometimes they use it in conjunction with malicious code, sometimes they don't have to.

      • Re:"hack" (Score:4, Informative)

        by wagnerrp ( 1305589 ) on Friday October 11, 2013 @02:34PM (#45103733)
        Except that's called "cracking" or "conning", not "hacking". Infiltrating computer systems is only hacking in so far as you're writing code with which to do it. That's why "script kiddies" are not hackers.
        • You should look up the origin of the word hacker. It has nothing to do with computers.
          • Right, it's the general term for any end user who "hacks together" their own tools and devices, rather than buy a commercial product. It has nothing to do with good or bad, but merely refers to the free-form development process outside of typical engineering methods. As I said, computer hacking implies you're writing your own code (or etching your own hardware).
            • Hacking is any clever use of a technique or technology in a manner that isn't otherwise apparent. Furthermore The Request for Comments RFC 1392 amplifies this meaning as "[a] person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular." [] So if they were doing it to see if they could do it ... to understand the internal workings of the organization ... then they were hacking. Social Engineering [] is a long established branch of ha
              • I'm surprised you haven't been slammed with the "Mitnik wasn't a hacker!" posts. For the most part, he manipulated people, or as you said "Social Engineering skills".

                If someone used those same skills to relieve an old lady out of a large sum of money without any technology needing to be involved, he'd just be called a con artist. Same deal, but sometimes a different goal.

                • I wasn't slammed with such posts because Mitnick was a hacker. He was a smart hacker for the most part, but his addiction got the best of him. Real hackers don't spend months trying to brute force the passwd file when they can simply make a phone call and get on with their hacking. He used his access to hack. He gained that access through Social Engineering. This couldn't be more true to the initial MIT Hacker ethic, where they gained access to the hardware through all kinds of clever hacks so they cou
                  • I'm not arguing against that. You are correct. There are a lot of people that would argue against it, frequently on here.

                    Maybe the crowd here has changed a lot, or maybe they are realizing that he did more than ask politely for passwords.

                    • If the crowd has changed it has changed for the worse. We may have made the transition from "Kevin Mitnick wasn't a hacker!" to "Kevin who?" ;-) Cheers!
        • I take it you aren't in the security field then, because social engineering is widely regarded as form of hacking. Saying that it isn't so doesn't change that one bit.

          • You would be correct that I'm not in the security field, of course you're missing the point that hacking does not directly have anything to do with computer security. Just because mainstream media decides to abuse a word out of ignorance, making it something "evil" and "bad", does not mean you have to as well.
            • That's a common misconception. I am in the IT security field, a senior network security engineer and consultant. I'm well steeped in the business, and I will tell you that you're wrong. I'm not drawing from mainstream media. I live it daily. I'm one of the guys who helps try to protect organizations from the black hats. Social engineering is every bit as much a part of what is known as 'hacking' (I hate the term btw, but it is what is is) as are active attacks, malware, and botnets.

    • Yet traditionally that's how a lot of "hackers" that you hear about have "hacked" into systems. But I know what you mean.
      • Re:"hack" (Score:5, Insightful)

        by hairyfeet ( 841228 ) <> on Friday October 11, 2013 @01:45PM (#45103291) Journal

        But we already HAD a word for that and it was not "hackers" it was con artists...or bunko men if you prefer a more gender specific term.

        If the guys here want to get all pedantic about the difference between virus and malware then why in God's green earth are we calling these guys hackers when they are doing the same shit that has been going on since before the fricking telephone? look up Bunko Bob, or Hod Bacon, guys have been doing cons for hundreds of years using nothing but their ability to manipulate the mark and this is no different and doesn't even require a computer,just the ability to sound professional and manipulate.

        This is NOT hacking folks, not even close. You might as well call a washing machine a jet engine for how far off the mark this is from actually hacking a system.

        • > But we already HAD a word for that and it was not "hackers" it was con artists..

          I think the distinction is in your last three words, "hacking a system".

          A con man or fraudster will get a _person_ to hand over their property.
          A hacker manipulates a _system_ to have it do something other than what it's supposed to do.
          TFA says:

          "The group was able to change the DNS records managed by Network Solutions for a number of security companies".

          They did a number of companies by exploiting NetSol's SYSTEM, not simply

      • by gl4ss ( 559668 )

        well.. many "traditional" famous hackers were pretty much just fraudsters in every sense of the word.

        people use fraud to get what they want because it works.

    • Social engineering is not hacking to me.

      Kevin Mitnick? Is that you?

    • by wjcofkc ( 964165 )
      I'm awfully surprised to see this comment modded up... especially on Slashdot. The crowd here should know that social engineering has always been an integral part of hacking. Penetration testers even use it. If I took a bunch of infected USB sticks and tossed them around the employee parking lot of a bank in the dark of the night, and then the next morning the bank employees say 'Yipee! Free thumb drives!' Then run inside and stick them in their computers as fast as they can like a bunch of idiots to see wh
    • I'm amazed this flaw still exists. It reminds me of back in the day, when NSI only accepted registrations via email. Changes could be forced by sending a sufficient number of change requests. We'd do it just to make sure the changes were accepted, since most of the time they'd screw it up. We'd send something like 20 requests. A few would be approved.

      You could move just about any domain to anywhere else, as long as you could forge the email header to be a legitimate contact.

      I never considered it a "ha

    • Neither is incompetence no behalf of the registrar.

    • by Hentes ( 2461350 )

      What's the difference? At the end of the day, they got what they wanted. Real hackers care about results, not methods.

  • legal crime (Score:4, Insightful)

    by schneidafunk ( 795759 ) on Friday October 11, 2013 @01:04PM (#45102827)

    What is the legal crime committed here, simply fraud?

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Counts as both wire fraud and CFAA violations

    • Fraud fore sure. Probably some computer hacking laws. Uttering a false statement. Possibly receipt of stolen goods. Depending on the value of the domain the theft could reach felony threshold. You could reach and say identify theft, but that's probably pushing it.

      Depends on how creative the DA feels like being, but I should think there's quite a few charges which could be applied here.

      • by TheCarp ( 96830 )

        > Uttering a false statement.

        Hey man, they were just taking after the example set by our political leaders!

  • by cyberpocalypse ( 2845685 ) on Friday October 11, 2013 @01:09PM (#45102883)

    There has been some commentary via mailing lists and Twitter feeds that this was not a big deal. Firstly, hats off to HD and his team, there was nothing they could have done about it. Secondly, this isn't to be taken lightly. Sure the attackers were minor script kiddies, but the reality is, the attack could have been extremely vicious. Consider an attacker replicating the content of the site and simply replacing the applications (nexpose, metasploit) with backdoored versions.

    Companies like Register and GoDaddy are lacking in the validation category. ANYONE can create fake identification using GIMP, Photoshop, etc., the fact they did not offer anything other than a fax request is mind bogglingly stupid. They should have called BACK the registrant's number to confirm the change request. But, companies would argue: "that would be costly" not even thinking of turning that kind of validation into say a business model: "for $10 extra per year..." when they should be doing it from the jump. (Neither here nor there) Personally, I hadn't been running any updates, but if I did, I would be going back, wiping my machines, and re-installing.
    • SSL certs would have battled against this. They cert wouldn't match when visiting the spoofed site.
      • SSL certs would have battled against this. They cert wouldn't match when visiting the spoofed site.

        Except for the part where if you control the domain registration you can have a new SSL cert issued within minutes.

    • Personally, I hadn't been running any updates, but if I did, I would be going back, wiping my machines, and re-installing.

      DNS hijacking has nothing to do with server access.

    • by Zedrick ( 764028 )
      I'm not quite sure about the ICANN regulations, but with some TLD's a signed fax is a valid request- ie if a registrar get a fax (or letter) demanding DNS changes (or EPP-codes), the registrar *have to* do what's asked without "being troublesome" and calling back etc. It has nothing to do with cost. Stupid? Sure. But not the registrars fault.
  • Resolved (Score:5, Funny)

    by al3 ( 1285708 ) on Friday October 11, 2013 @01:14PM (#45102933)

    "The DNS hijacking attack was resolved within an hour, Moore said."

    Is that a DNS joke?

    • "The DNS hijacking attack was resolved within an hour, Moore said."

      Is that a DNS joke?

      Well, the resolution may take 24 - 48 hours to reach your part of the world ...

    • by Anonymous Coward

      I get it - I dig [] that pun!

  • Really by fax? (Score:4, Interesting)

    by yakatz ( 1176317 ) on Friday October 11, 2013 @01:19PM (#45102999) Homepage Journal
    The only evidence actually quoted that the attack was by faxed change request is the defaced website. Do we trust the "hackers" that much that we believe they made the change by sending a fax? Could the group be giving a red herring []?
  • by Minwee ( 522556 ) <> on Friday October 11, 2013 @01:27PM (#45103085) Homepage

    It's "Canadian Hacking". Instead of breaking into someone's computers and maliciously altering their data, you just call them up or send a note to ask politely if they would do it to themselves.

    You'd be surprised at how often it works, eh?

    • by nine-times ( 778537 ) <> on Friday October 11, 2013 @02:40PM (#45103779) Homepage

      Honestly, it does work a lot. I work in IT and have had to help clients get control of various kinds of accounts to which they have lost usernames, passwords, and other vital information. You know, things like, "A previous employee bought our domain name and set up the DNS for us using his personal account. His name is on the account. We don't know what the associated email address is. We certainly don't have the password. We've tried contacting this ex-employee, and found that his phone number doesn't work anymore."

      And really, you'd be surprised what you can get if you call up, sound professional and honest, and just ask people to help you out. Domain registrations are generally kind of a pain in the butt, but even those usually just require some faxed documentation. I've had some accounts (not domain registrations) where the support basically said, "Oh, you're supposed to have access? Let me just reset the password for you." It's pretty disturbing. But then I also legitimately need to do this sort of thing all the time because businesses rarely pay any attention to these things.

      • It works well outside of IT. The customer is always right (bullshit) approach to managing or diffusing situations often lead to people being overly helpful and bending the rules, especially if you can voice despair.

        A few classic lines:
        - I wasn't told a case number. They'll put me on hold for half an hour again.
        - Those guys just transferred me to you!
        - Look I've been on the phone to you all day and you guys have given me a complete run around!

        When people feel customers have been dicked around by their own s

    • by rueger ( 210566 )
      Actually, we learned this technique from our colonial overlords. Then again, some Canadian companies aren't dumb enough to act on that's sent to them... []
  • by Anonymous Coward

    I recently moved. As I called the various utilities to tell them to cancel my service few of them asked for any kind of identification except my address. I other words in could easily shut off anyone's gas, electricity, internet service

    On the other hand it's pretty nice to live in a society with so much trust

  • In 1999/2000 all we had to do to get a dns change from network solutions was fax in a request with a company letter head. They would change the new clients DNS to use and off we went.

  • by Tridus ( 79566 ) on Friday October 11, 2013 @01:59PM (#45103413) Homepage

    I had to do this recently for a legitimate reason. A friend had bought a small hobby type operation (including the domain), but the old owner forgot to change the domain ownership over and dropped off the grid. It wasn't really a problem until we wanted to change hosting providers, at which point we couldn't update the DNS settings.

    Since we actually had control of the domain, I used the account that was listed as the admin contact to send an email to the registrar explaining the situation and asking if they could change the info for us. Without any validation whatsoever they sent me the username and password (apparently stored in clear text) for the account, allowing me to do anything I wanted with it.

    Thankfully I don't use that registrar for my own stuff. I expected at least to have to show some proof of ownership or something.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Which registrar was this? I would like to know so that I can avoid them in the future.

  • just to steal an internet domain?

    • Funny story, we have an ancient system at work which we can remotely administer via a 28.8k modem. Our office upgraded everything to VoIP and ripped out all the telephone lines. All but one ... and would you know it it's an unused fax machine.

  • Defaced implies that they were changed on the server. That didn't happen. The domain was hijacked and the replacement pages were put up on another server.

Nondeterminism means never having to say you are wrong.