Hacking Group 'OurMine' Temporarily Redirected WikiLeaks DNS Service (theguardian.com) 83
An anonymous reader quotes the Guardian:
WikiLeaks suffered an embarrassing cyber-attack when Saudi Arabian-based hacking group OurMine took over its web address. The attack saw visitors to WikiLeaks.org redirected to a page created by OurMine which claimed that the attack was a response to a challenge from the organisation to hack them.
But while it may have been humiliating for WikiLeaks, which prides itself on technical competency, the actual "hack" appears to have been a low-tech affair: the digital equivalent of spray-painting graffiti on the front of a bank then claiming to have breached its security. The group appears to have carried out an attack known as "DNS poisoning" for a short while on Thursday morning. Rather than attacking WikiLeaks' servers directly, they have convinced one or more DNS servers...to alter their records. For a brief period, those DNS servers told browsers that wikileaks.org was actually located on a server controlled by OurMine.
Re: (Score:3)
Wikileaks actually invited hackers to hack its site. So, I do not think that the hackers were malicious. If nothing else, they did Wikileaks a favor. If a bunch of hackers can do this, the NSA (and other intelligence agencies) can do much worse.
Plus, an intelligence service won't attack when it's invited to do so, it will only attack when Wikileaks is about to dump something that is important to them. In this age of short attention spans, timing can be crucial.
The same goes for Wikileaks. Wikileaks chooses
no DNSSEC so expect MITM (Score:4, Informative)
The Saudi authorities have for a long time performed MITM on the nation's whole population, and companies such as Symantec have actively aided them.
If they had deployed DNSSEC (and I would have advised DANE as well), this would have been harder to perform.
https://www.icann.org/resources/pages/dnssec-qaa-2014-01-29-en
Top tip: try to enable it on your own domain!
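Added worked example (not part of the thread, and not WikiLeaks' or any TLS library's code) of what the DANE half of that suggestion looks like: a TLSA record (RFC 6698) pins the server's public key in DNS, so a client that validates DNSSEC and checks TLSA will reject a certificate that a hijacked web server presents even if a CA would have issued it. The SPKI blobs are constructed placeholders, not real DER.

```python
"""DANE TLSA records (RFC 6698): build the RDATA, render it the way it appears
in a zone file, and check a presented certificate against it.

Added example; not code from the thread, from WikiLeaks, or from any TLS
library. The SPKI blobs below are constructed placeholders labelled as such,
not real DER; in practice they come out of the server's X.509 certificate.
"""
import hashlib
import struct
from typing import Tuple

# Certificate usage field
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
# Selector: 0 = full certificate, 1 = SubjectPublicKeyInfo only
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
# Matching type: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2
_HASHERS = {MATCH_FULL: None, MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}


def association_data(cert_der: bytes, spki_der: bytes, selector: int, matching: int) -> bytes:
    """Certificate Association Data: the selected bytes, hashed as the matching type says."""
    selected = cert_der if selector == SELECTOR_CERT else spki_der
    hasher = _HASHERS[matching]
    return selected if hasher is None else hasher(selected).digest()


def tlsa_rdata(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Wire RDATA: three one-octet fields followed by the association data."""
    return struct.pack("!BBB", usage, selector, matching) + association_data(cert_der, spki_der, selector, matching)


def parse_tlsa(rdata: bytes) -> Tuple[int, int, int, bytes]:
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, matching = struct.unpack("!BBB", rdata[:3])
    return usage, selector, matching, rdata[3:]


def presentation(owner: str, rdata: bytes) -> str:
    """Zone-file form, e.g. '_443._tcp.example.com. IN TLSA 3 1 1 <hex>'."""
    usage, selector, matching, data = parse_tlsa(rdata)
    return f"{owner} IN TLSA {usage} {selector} {matching} {data.hex()}"


def matches(rdata: bytes, presented_cert_der: bytes, presented_spki_der: bytes) -> bool:
    """Does the certificate offered in the TLS handshake satisfy this record?
    Covers the association check only; usages 0-2 additionally need PKIX chain logic."""
    usage, selector, matching, data = parse_tlsa(rdata)
    return association_data(presented_cert_der, presented_spki_der, selector, matching) == data


# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo (not real keys).
LEGIT_SPKI = b"\x30\x82\x01\x22" + b"legit-server-public-key-placeholder" * 8
ATTACKER_SPKI = b"\x30\x82\x01\x22" + b"attacker-public-key-placeholder" * 9
OWNER = "_443._tcp.example.com."   # assumed owner name: port 443, TCP, under the pinned host
RECORD = tlsa_rdata(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, b"", LEGIT_SPKI)

if __name__ == "__main__":
    print(presentation(OWNER, RECORD))
    print("legit cert accepted:   ", matches(RECORD, b"", LEGIT_SPKI))
    print("attacker cert accepted:", matches(RECORD, b"", ATTACKER_SPKI))
```

Two caveats a practitioner would want: the TLSA record is only as trustworthy as the DNSSEC chain that signs it (an unsigned zone makes the pin as spoofable as the A record), and mainstream browsers do not check TLSA at all, so for a website DANE protects validating clients such as MTAs and custom tooling rather than the general public.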
https really? (Score:3)
Re: (Score:2)
Re: (Score:1)
The "I" circle vs the green lock indicates it is not an EV cert, and is typically how an HTTPS site looks when accepting your own certificate signed by another key you made your browser trust.
Google says you're wrong.
https://support.google.com/chrome/answer/95617?hl=en/ [google.com]
Re: (Score:2)
So either the screenshot is fake or they also managed to get hold of a certificate for wikileaks.org.
Or more likely you misinterpreted the screenshot.
I see https://wikileaks.org./ [wikileaks.org.] I also see an exclamation mark beside it on the left. I also see the broken security icon to the right. Nowhere do I see the characteristic green indication that most browsers will display when a certificate chain is trusted.
I'll bet they have a self signed certificate on the site.
Re: (Score:2)
Correction: the shield indicates scripts from untrusted sources. But all the tell-tales of the security session are missing. They didn't obtain a valid certificate for the site.
Re: (Score:1)
If you have control of the domain you can get a domain-validated certificate. EFF's Let's Encrypt certificates use the ACME protocol to verify you have control of a domain: https://letsencrypt.org/docs/c... [letsencrypt.org]
Re: (Score:1)
"America's war's and terrorism other than the terrorists manage to kill a lot fewer "
That's because the Americans are a lot more dangerous than any Muslim terrorist group could ever hope to be. The number one thing foreign countries or terrorist groups should never do is do anything that would really piss off the US public. Pissing off regular US citizens has never really paid off very well for those that did. Japan's attack on Pearl Harbor killed fewer than 5000 people but this singular event put the US on
Re: (Score:3)
Because they don't actively adopt, encourage, and support a Nazi ideology? Or racist or religious hate in general? There's no double standard - one group actively goes way over any reasonable line, and the other at worst tolerates borderline postings by others -- if even that.
Nobody seized a domain. DailyStorme
Re: (Score:1)
Nazis are not a foreign entity interfering with US elections, Russia is. Nobody has proposed seizing or eliminating all Russian domain names for it.
Allowing their DNS to be poisoned indicates a lack (Score:2)
Allowing their DNS to be poisoned indicates a lack of technical proficiency regardless of whether the breach was their own. There are several easy-to-implement technologies to prevent this.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
And what CA that my browser trusts are you going to use to sign a domain you don't own?
To quote Brianna Keilar: "Most of them?" A lot of CAs offer instantly-issued DV certificates [wikipedia.org] now. All you have to do is place a verification file on the target domain, or create a special A record in the DNS, in order to prove to the CA that you control the domain. If I can manipulate the DNS such that wikileaks.org points at my server (even temporarily), I can get the CA to issue me a valid certificate for wikileaks.org. They're likely to revoke it once the tampering is discovered, but that could be many h
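Added worked example (not part of the thread, and not Let's Encrypt's or any ACME client's code) of the mechanism the two comments above describe: the ACME DNS-01 challenge (RFC 8555, section 8.4) is satisfied purely by what the CA's resolver sees in `_acme-challenge.<domain>` TXT, so whoever controls the answers can complete it for an account key the domain owner never saw. The account JWK below is a constructed placeholder (the `n` value is filler, not a real modulus); the token is the example token from RFC 8555; the "zones" are dictionaries standing in for the CA's DNS view.

```python
"""ACME DNS-01 challenge (RFC 8555 section 8.4) computed from both sides.

Added example; not code from the thread, from Let's Encrypt, or from any
ACME client. The account key is a constructed JWK (filler "n", not a real
modulus) and the zones are dictionaries standing in for what the CA's
resolver would return.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(account key): binds the challenge to one ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """What must appear in _acme-challenge.<domain> TXT: base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return b64url(digest)


def ca_validates(domain: str, token: str, account_jwk: dict, resolve_txt) -> bool:
    """CA side: query the TXT RRset for the challenge name and accept if the expected value is present."""
    expected = dns01_txt_value(token, account_jwk)
    return expected in resolve_txt(f"_acme-challenge.{domain}")


# Constructed inputs for the walk-through.
ATTACKER_JWK = {"kty": "RSA", "e": "AQAB", "n": "zA9d" * 86 + "w"}   # filler, not a real modulus
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"                # example token from RFC 8555
DOMAIN = "example.org"


def zone_lookup(zone: dict):
    """Return a resolver function over a dict of owner name -> list of TXT strings."""
    return lambda name: zone.get(name, [])


def scenario():
    """(legitimate zone, hijacked zone, zone with the common key-authorization mistake)."""
    txt = dns01_txt_value(TOKEN, ATTACKER_JWK)
    name = f"_acme-challenge.{DOMAIN}"
    legit_zone = {name: []}                                           # owner never published a challenge
    hijacked_zone = {name: [txt]}                                     # attacker controls what the CA resolves
    wrong_zone = {name: [key_authorization(TOKEN, ATTACKER_JWK)]}     # published the key authorization, not its hash
    return (ca_validates(DOMAIN, TOKEN, ATTACKER_JWK, zone_lookup(legit_zone)),
            ca_validates(DOMAIN, TOKEN, ATTACKER_JWK, zone_lookup(hijacked_zone)),
            ca_validates(DOMAIN, TOKEN, ATTACKER_JWK, zone_lookup(wrong_zone)))


if __name__ == "__main__":
    print("TXT value the CA expects:", dns01_txt_value(TOKEN, ATTACKER_JWK))
    print("legit / hijacked / wrong-record:", scenario())
```

Nothing in the exchange touches the legitimate web server, which is why the thread's point stands: DNS control is sufficient for a DV certificate. The defensive counterpart is the CAA record (RFC 8659), which is also DNS data and so also relies on DNSSEC to be worth anything against an attacker who controls the answers.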
No DNSSEC, what did they expect? (Score:3, Informative)
Wikileaks doesn't have DNSSEC enabled, so it is trivial to poison caches. Granted, most users are not behind dnssec-validating resolvers, but this is changing...
Re: (Score:3)
I was about to post something along those lines.
Indeed, DNSSEC validation is not widespread, but it already improves security for those that use it. Wikileaks can be blamed for boasting about security while missing this security feature.
Re: (Score:2)
Actually DNSSEC validation is common. Somewhere between 40% and 60% of lookups worldwide are validated, as the biggest resolver farms in the world do DNSSEC validation and everyone using them has the answers validated. What isn't widespread is domains that are signed, so despite the answers being sent to the validator they come out marked as 'insecure', rather than 'secure' or, in the case they are forged, 'bogus'.
Every time an ISP turns on validation on their recursive servers large numbers of clients get the ben
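Added worked example (not part of the thread) of the three outcomes described above as a client actually sees them on the wire: a minimal DNS response parser that reads the header flags and classifies the answer the way a DNSSEC-aware stub would. AD set means the validating resolver vouched for the data ("secure"); AD clear means the zone is unsigned or the resolver does not validate ("insecure", which is what a forged answer for an unsigned zone looks like too); SERVFAIL is what a validating resolver returns instead of handing over "bogus" data. The three messages are constructed in the file, not captured traffic from the incident, and use RFC 5737 documentation addresses.

```python
"""Minimal DNS response parser: read the header flags a client sees and
classify the answer as a DNSSEC-aware stub would.

Added example; the messages below are constructed here, not captured from
the 2017 incident. 192.0.2.x addresses are RFC 5737 documentation space.
"""
import struct
from typing import Dict, List, Optional, Tuple

FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
FLAG_RA, FLAG_AD, FLAG_CD = 0x0080, 0x0020, 0x0010
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
TYPE_A, CLASS_IN = 1, 1
HEADER = struct.Struct("!HHHHHH")        # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHIH")        # type, class, ttl, rdlength


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero octet."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a name, following RFC 1035 compression pointers; return (name, offset after it)."""
    labels: List[str] = []
    end: Optional[int] = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer into the message
            if end is None:
                end = off + 2                          # the name occupies only these two octets here
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_response(qname: str, ip: Optional[str], extra_flags: int, rcode: int, txid: int = 0x1234) -> bytes:
    """Constructed A-record response with one question and zero or one answer."""
    ancount = 1 if ip else 0
    flags = FLAG_QR | FLAG_RD | FLAG_RA | extra_flags | rcode
    msg = HEADER.pack(txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if ip:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + RR_FIXED.pack(TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return msg


def parse_response(msg: bytes) -> Dict:
    txid, flags, _qdcount, ancount, _, _ = HEADER.unpack_from(msg, 0)
    off = HEADER.size
    qname, off = decode_name(msg, off)
    off += 4                                           # skip qtype and qclass
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = RR_FIXED.unpack_from(msg, off)
        off += RR_FIXED.size
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN:
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return {"id": txid, "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F,
            "qname": qname, "answers": answers}


def classify(parsed: Dict) -> str:
    if parsed["rcode"] == RCODE_SERVFAIL:
        return "bogus/servfail"      # the client cannot tell failed validation from other resolver trouble
    return "secure" if parsed["ad"] else "insecure"


# Constructed sample messages.
SIGNED_ZONE = build_response("example.net.", "192.0.2.10", FLAG_AD, RCODE_NOERROR)   # resolver validated it
UNSIGNED_ZONE = build_response("wikileaks.org.", "192.0.2.20", 0, RCODE_NOERROR)     # unsigned zone: AD never set
FAILED_VALIDATION = build_response("example.net.", None, 0, RCODE_SERVFAIL)

if __name__ == "__main__":
    for label, wire in (("signed", SIGNED_ZONE), ("unsigned", UNSIGNED_ZONE), ("bogus", FAILED_VALIDATION)):
        p = parse_response(wire)
        print(f"{label:9} {p['qname']:16} rcode={p['rcode']} ad={p['ad']} -> {classify(p)} {p['answers']}")
```

The caveat that matters on the client side: the AD bit is just a header bit in a plaintext UDP response, so it is only meaningful from a resolver you trust, reached over a path an attacker cannot spoof (loopback, or DNS over TLS/HTTPS). Anyone who can forge the last-mile response can set AD as easily as they can forge the A record; validating locally, or on the resolver and then protecting that hop, is what turns "insecure" into something a client can act on.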
Why Make This Public? Way more useful to be tricki (Score:2)
If this were me, I'd log everyone requesting WikiLeaks and redirect most of them to the actual WikiLeaks. Then for those that ordered the secret sauce, some of them would see my own custom version of WikiLeaks (which would probably look just like the actual WikiLeaks, except the "upload leak" button would go to me instead.)
This would probably require some tricky DNS configuration [safaribooksonline.com], but it looks like BIND supports this. If they lost control of DNS, a bind configuration like that would make it way trickier to
Whose DNS was poisoned? (Score:2)
Whose DNS was poisoned? How localized was this attack? This is really key. Isn't DNS poisoning done against a LAN, or a single DNS server? It seems that this probably affected a very small number of people. It isn't really even a hack on Wikileaks, it is a hack on some ISP's DNS server. It makes you wonder what other sites they might have changed during that period of time.