Friday, January 2, 2009

Is it safe? Not if you're Jewish!

The fighting in Israel in the past days is having an impact on the cyber world as well. This time, two major Israeli sites, Ynet and Discount Bank, have been defaced.

When fighting between Israel and this-or-that Arab faction breaks out, as happens once every few months, nationalist hackers from around the globe have an excuse to wage some cyber war. This time, a group of Moroccan hackers called "Team Evil" has mounted a successful attack against two major Israeli sites: the site belonging to Discount Bank, one of Israel's largest banks, and the English version of YNet, Israel's 2nd largest web portal, operated by Yedioth Aharonot, Israel's largest daily newspaper.

The defacement shows some graphic images of dead terrorists, accompanied by anti-Israeli text. At first, this was thought to be a simple defacement, but it turns out the hackers actually brute-forced the passwords to the sites' accounts at the Israeli hosting provider and domain registrar DomainTheNet. This allowed the hackers to impersonate the account holders and modify the DNS records to point to another website, without ever actually penetrating the original website.

This sort of attack is much easier than cracking the original websites, which are very secure, but ironically it is harder to resolve. DNS modifications take time to propagate throughout the world - as long as 48 hours - so it took quite a while until the hack got noticed. Once it was fixed, the fix again takes a while to propagate, so currently quite a lot of users will still get the defaced page and might continue to be affected for over a day.
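The two points above, spotting a DNS change you did not make and understanding why it lingers for up to two days, are easy to automate. The following is an added example written for this post, not code from the original article or from any of the companies mentioned. It compares resolver answers against a baseline the domain owner keeps for their own NS and A records and reports how long caches that picked up a bad answer can keep serving it (the record's TTL). All names, addresses and TTLs are constructed placeholders; the 172800-second NS TTL is chosen to match the post's 48-hour figure, and the record lists stand in for what a real lookup would return.

```python
"""Audit observed DNS answers against an owner-maintained baseline.

Added example; not code from the original post. All domain names, addresses
and TTL values below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str  # "A" or "NS"
    value: str
    ttl: int    # seconds a resolver may cache this answer


Baseline = Dict[Tuple[str, str], Set[str]]

# Constructed baseline: the records the domain owner knows should exist.
BASELINE: Baseline = {
    ("example-portal.test", "NS"): {"ns1.hoster.test", "ns2.hoster.test"},
    ("www.example-portal.test", "A"): {"192.0.2.10", "192.0.2.11"},
}


def audit(observed: List[Record], baseline: Baseline = BASELINE) -> Dict[str, object]:
    """Compare resolver answers with the baseline.

    Returns a dict with:
      alerts            - human-readable findings, empty when everything matches
      unexpected        - Record objects whose value is not in the baseline
      missing           - (name, rtype, value) triples expected but not observed
      max_stale_seconds - longest TTL on an unexpected answer; a cache that fetched
                          it keeps serving it for up to this long after the fix
    """
    seen: Dict[Tuple[str, str], Set[str]] = {}
    unexpected: List[Record] = []
    for rec in observed:
        key = (rec.name, rec.rtype)
        seen.setdefault(key, set()).add(rec.value)
        if key in baseline and rec.value not in baseline[key]:
            unexpected.append(rec)
    missing = [(n, t, v) for (n, t), vals in baseline.items()
               for v in sorted(vals) if v not in seen.get((n, t), set())]
    alerts = [f"{r.rtype} {r.name} -> {r.value} (ttl {r.ttl}s) not in baseline"
              for r in unexpected]
    alerts += [f"{t} {n} -> {v} expected but not observed" for n, t, v in missing]
    return {
        "alerts": alerts,
        "unexpected": unexpected,
        "missing": missing,
        "max_stale_seconds": max((r.ttl for r in unexpected), default=0),
    }


def hours(seconds: int) -> float:
    """Convert a TTL in seconds to hours, rounded to one decimal."""
    return round(seconds / 3600, 1)


# Constructed sample: answers a resolver might return while the registrar account
# is hijacked and the NS records have been repointed to servers the owner does not control.
HIJACKED_ANSWERS = [
    Record("example-portal.test", "NS", "ns1.rogue.test", 172800),
    Record("example-portal.test", "NS", "ns2.rogue.test", 172800),
    Record("www.example-portal.test", "A", "203.0.113.5", 3600),
]

# Constructed sample: answers matching the baseline.
CLEAN_ANSWERS = [
    Record("example-portal.test", "NS", "ns1.hoster.test", 172800),
    Record("example-portal.test", "NS", "ns2.hoster.test", 172800),
    Record("www.example-portal.test", "A", "192.0.2.10", 300),
    Record("www.example-portal.test", "A", "192.0.2.11", 300),
]

if __name__ == "__main__":
    for label, answers in (("clean", CLEAN_ANSWERS), ("hijacked", HIJACKED_ANSWERS)):
        result = audit(answers)
        print(f"[{label}] {len(result['alerts'])} alert(s); "
              f"worst-case cache staleness {hours(result['max_stale_seconds'])} h")
        for line in result["alerts"]:
            print("   ", line)
```

Running the script as-is prints no alerts for the clean set and seven for the hijacked set (three unexpected answers plus four baseline values that were not seen), with a worst-case staleness of 48 hours driven by the NS TTL. In practice the observed list would come from periodic lookups against several public resolvers plus the parent zone's nameservers, and an alert would trigger a check of the registrar account itself, since that is where this attack actually took place.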

This breach illustrates the importance of creating a complete security policy. A company can invest millions in securing its web farm, but a minor overlooked password could lead to an effective attack. The lesson is simple - when securing a resource, we must take into consideration every aspect of its security. In this case, the person who created the domain account with DomainTheNet simply chose an insecure password (which is a secondary lesson in this case), but there are other, simpler ways to bypass security.

For example, making changes to a domain directly with ISOC, Israel's Internet Society and main registrar, involves submitting a request via a web form and then completing the request by sending a fax. The web form has virtually no security, and forging a fax of this nature is also pretty easy. Another example: many companies rely on email as a primary, or even the only, way to communicate with customers. Hacking a user's mail account is usually pretty easy, either by using brute force or by calling the ISP and resetting the password, and once you have someone's email, you can use it to reset the passwords of most other accounts that user has. In short, there's an old expression to keep in mind: the chain is only as strong as its weakest link!

1 comment:

Meir said...

Hi Ben Ari,
This was "Domain Hijacking",
not defacement!!!