Hacking Group 'OurMine' Temporarily Redirected WikiLeaks DNS Service (theguardian.com) 83

An anonymous reader quotes the Guardian: WikiLeaks suffered an embarrassing cyber-attack when Saudi Arabian-based hacking group OurMine took over its web address. The attack saw visitors to WikiLeaks.org redirected to a page created by OurMine which claimed that the attack was a response to a challenge from the organisation to hack them.

But while it may have been humiliating for WikiLeaks, which prides itself on technical competency, the actual "hack" appears to have been a low-tech affair: the digital equivalent of spray-painting graffiti on the front of a bank then claiming to have breached its security. The group appears to have carried out an attack known as "DNS poisoning" for a short while on Thursday morning. Rather than attacking WikiLeaks' servers directly, they have convinced one or more DNS servers...to alter their records. For a brief period, those DNS servers told browsers that wikileaks.org was actually located on a server controlled by OurMine.

  • by F.Ultra ( 1673484 ) on Saturday September 02, 2017 @06:19PM (#55130129)
    I'm more interested in the point that the screenshot from the link shows an https link, so either the screenshot is fake or they also managed to get hold of a certificate for wikileaks.org
    • so either the screenshot is fake or they also managed to get hold of a certificate for wikileaks.org

      Or more likely you misinterpreted the screenshot.

      I see https://wikileaks.org./ [wikileaks.org.] I also see an exclamation mark beside it on the left. I also see the broken security icon to the right. Nowhere do I see the characteristic green indication that most browsers will display when a certificate chain is trusted.

      I'll bet they have a self-signed certificate on the site.

      • Correction: the shield indicates scripts from untrusted sources. But all the telltales of the security session are missing. They didn't obtain a valid certificate for the site.

    • by Monkier ( 607445 ) *

      if you have control of the domain you can get a domain validated certificate. EFF's Let's Encrypt certificates use the ACME protocol to verify you have control of a domain: https://letsencrypt.org/docs/c... [letsencrypt.org]

  • Allowing their DNS to be poisoned indicates a lack of technical proficiency regardless of whether the breach was their own. There are several easy to implement technologies to prevent this.

    • They didn't poison the wikileaks DNS servers, they poisoned some ISPs' DNS servers AFAIK. The link in the screenshot also depicts an https address, so I wonder if this really was accepted by any modern browser?!
      • Or forget that, they did poison the wikileaks DNS: "An OurMine spokesperson confirmed to the Guardian that the attack was DNS poisoning, carried out through hacking Wikileaks’ domain provider."
  • by Anonymous Coward on Saturday September 02, 2017 @07:19PM (#55130323)

    Wikileaks doesn't have DNSSEC enabled, so it is trivial to poison caches. Granted, most users are not behind dnssec-validating resolvers, but this is changing...

    • I was about to post something along those lines.

      Indeed, DNSSEC validation is not widespread, but it already improves the security of those who use it. Wikileaks can be blamed for boasting about security while missing this security feature.

      • Actually DNSSEC validation is common. Somewhere between 40% and 60% of lookups worldwide are validated, as the biggest resolver farms in the world do DNSSEC validation and everyone using them has the answers validated. What isn't widespread is domains that are signed, so despite the answers being sent to the validator they come out marked as 'insecure', rather than 'secure' or, in the case they are forged, 'bogus'.

        Every time an ISP turns on validation on their recursive servers large numbers of clients get
        the ben
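The three states the comment above describes (secure, insecure, bogus) can be read off a validating resolver's responses: the AD flag marks a validated answer, a plain NOERROR without AD means the zone is unsigned, and a SERVFAIL that turns into an answer when checking is disabled (+cd) means validation failed. The following is an added example, not code from the thread or from any of the projects mentioned; the dig outputs embedded in it are constructed samples for a hypothetical zone `signed.example`, not real captures.

```python
"""Classify a domain's DNSSEC validation state from dig output.

Added example. Input is the text of two dig runs against the SAME validating
resolver: one normal, one with +cd (checking disabled). All sample outputs below
are constructed and abbreviated; they are not captures from any real resolver.
"""
import re

# Constructed: a signed zone, validated successfully (note the 'ad' flag and RRSIG).
SECURE = """; <<>> DiG 9.16.1 <<>> signed.example A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
signed.example.  300 IN A     192.0.2.10
signed.example.  300 IN RRSIG A 13 2 300 20170910000000 20170901000000 12345 signed.example. c29tZXNpZw==
"""
SECURE_CD = SECURE.replace("flags: qr rd ra ad;", "flags: qr rd ra cd;")

# Constructed: an unsigned zone. The resolver validates, but there is nothing to validate.
INSECURE = """; <<>> DiG 9.16.1 <<>> unsigned.example A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
unsigned.example.  300 IN A 192.0.2.20
"""

# Constructed: a signed zone whose signatures do not verify (forged or broken data).
BOGUS = """; <<>> DiG 9.16.1 <<>> signed.example A +dnssec
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = """; <<>> DiG 9.16.1 <<>> signed.example A +dnssec +cd
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1004
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
signed.example.  300 IN A     198.51.100.7
signed.example.  300 IN RRSIG A 13 2 300 20170910000000 20170901000000 12345 signed.example. Zm9yZ2Vk
"""


def parse_dig(output: str) -> dict:
    """Pull the response status, header flags and RRSIG presence out of dig text."""
    status_m = re.search(r"status: (\w+)", output)
    flags_m = re.search(r"^;; flags: ([a-z ]*);", output, re.MULTILINE)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    return {
        "status": status_m.group(1) if status_m else "UNKNOWN",
        "flags": flags,
        "rrsig": bool(re.search(r"\bIN\s+RRSIG\b", output)),
    }


def resolver_validates(reference_output: str) -> bool:
    """True if the resolver set AD on a query for a zone known to be correctly signed.

    The AD flag is only meaningful from a validating resolver, so check this first
    with a zone you know is signed before trusting classify() for other names.
    """
    return "ad" in parse_dig(reference_output)["flags"]


def classify(normal: str, checking_disabled: str) -> str:
    """Return 'secure', 'insecure', 'bogus' or 'unknown' for one name."""
    n = parse_dig(normal)
    cd = parse_dig(checking_disabled)
    if n["status"] == "NOERROR" and "ad" in n["flags"]:
        return "secure"          # chain of trust verified by the resolver
    if n["status"] == "SERVFAIL" and cd["status"] == "NOERROR":
        return "bogus"           # data exists but fails validation; resolver refuses it
    if n["status"] == "NOERROR":
        return "insecure"        # answer given, but the zone is unsigned
    return "unknown"             # e.g. SERVFAIL in both modes: an outage, not a DNSSEC verdict


if __name__ == "__main__":
    for name, pair in {"signed": (SECURE, SECURE_CD),
                       "unsigned": (INSECURE, INSECURE),
                       "forged": (BOGUS, BOGUS_CD)}.items():
        print(f"{name:9s} -> {classify(*pair)}")
```

The +cd run is what separates "bogus" from an ordinary resolver failure: a validating resolver answers SERVFAIL for forged data, but with checking disabled it hands the unvalidated records back, which is also how you inspect what the forgery contained. Run `resolver_validates()` against a known-signed zone first; a non-validating resolver never sets AD, so every domain would look "insecure" through it.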

  • If this were me, I'd log everyone requesting WikiLeaks and redirect most of them to the actual WikiLeaks. Then for those that ordered the secret sauce, some of them would see my own custom version of WikiLeaks (which would probably look just like the actual WikiLeaks, except the "upload leak" button would go to me instead.)

    This would probably require some tricky DNS configuration [safaribooksonline.com], but it looks like BIND supports this. If they lost control of DNS, a bind configuration like that would make it way trickier to

  • Whose DNS was poisoned? How localized was this attack? This is really key. Isn't DNS poisoning done against a LAN, or a single DNS server? It seems that this probably affected a very small number of people. It isn't really even a hack on Wikileaks, it is a hack on some ISP's DNS server. It makes you wonder what other sites they might have changed during that period of time.
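The question of how localized the redirect was, and whether it was a poisoned resolver cache or a change at the domain provider (the two readings offered earlier in the thread), is exactly what a multi-vantage-point DNS monitor is for. The following is an added example, not code from the thread: it takes a snapshot of what several resolvers and the parent delegation returned for a domain and triages the discrepancy. The domain, name servers, resolver names and addresses are constructed placeholders.

```python
"""Triage a suspected DNS hijack from a multi-resolver snapshot.

Added example. A snapshot maps each vantage point to the answers it returned:
"parent" holds the NS set read from the parent zone's delegation (what the
registrar/domain provider published); every other key is a recursive resolver
with the NS and A records it handed back. All data below is constructed.
"""

EXPECTED = {
    "ns": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "a": {"192.0.2.10"},
}

GOOD_NS = {"ns1.example-dns.net.", "ns2.example-dns.net."}
ROGUE_NS = {"ns1.rogue-dns.example.", "ns2.rogue-dns.example."}

# Constructed: delegation intact, one ISP resolver serving a wrong address.
LOCALIZED = {
    "parent": {"ns": set(GOOD_NS)},
    "resolver-isp-a": {"ns": set(GOOD_NS), "a": {"192.0.2.10"}},
    "resolver-isp-b": {"ns": set(GOOD_NS), "a": {"198.51.100.7"}},
    "resolver-public": {"ns": set(GOOD_NS), "a": {"192.0.2.10"}},
}

# Constructed: delegation itself changed, so every resolver follows the rogue servers.
PROVIDER_LEVEL = {
    "parent": {"ns": set(ROGUE_NS)},
    "resolver-isp-a": {"ns": set(ROGUE_NS), "a": {"198.51.100.7"}},
    "resolver-isp-b": {"ns": set(ROGUE_NS), "a": {"198.51.100.7"}},
    "resolver-public": {"ns": set(ROGUE_NS), "a": {"198.51.100.7"}},
}


def triage(expected: dict, snapshot: dict) -> dict:
    """Classify a snapshot as consistent, localized cache poisoning, or a delegation change."""
    parent_ns = snapshot["parent"]["ns"]
    resolvers = {k: v for k, v in snapshot.items() if k != "parent"}
    wrong_a = sorted(r for r, ans in resolvers.items() if ans["a"] != expected["a"])

    if parent_ns != expected["ns"]:
        # The parent zone points at different name servers: the change was made
        # where the delegation is managed, not in any resolver's cache.
        return {
            "verdict": "delegation_changed",
            "affected": wrong_a,
            "unexpected_ns": sorted(parent_ns - expected["ns"]),
        }
    if not wrong_a:
        return {"verdict": "consistent", "affected": [], "unexpected_ns": []}
    # Delegation is fine but some resolvers answer wrongly: the damage is confined
    # to those resolvers' caches (and their users) until the bad entries expire.
    return {"verdict": "cache_poisoning", "affected": wrong_a, "unexpected_ns": []}


def blast_radius(expected: dict, snapshot: dict) -> float:
    """Fraction of monitored resolvers that returned an unexpected A record."""
    resolvers = [k for k in snapshot if k != "parent"]
    affected = len(triage(expected, snapshot)["affected"])
    return affected / len(resolvers) if resolvers else 0.0


if __name__ == "__main__":
    for label, snap in (("localized", LOCALIZED), ("provider-level", PROVIDER_LEVEL)):
        result = triage(EXPECTED, snap)
        print(f"{label:15s} {result['verdict']:20s} affected={result['affected']} "
              f"blast_radius={blast_radius(EXPECTED, snap):.2f}")
```

The parent delegation is the deciding signal: if it still names the right servers, only the resolvers listed under `affected` and their users saw the redirect; if it names someone else's servers, the change was made through the domain provider and everyone resolving the name afresh is affected, which matches the distinction the comments above draw between poisoning an ISP's resolver and hijacking the registrar account.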
