Google.com.pk and 284 Other .PK Domains Hacked

Soulskill posted about a year and a half ago | from the go-big-or-go-home dept.

Security 35

ryzvonusef writes with news that hackers have taken down the local Pakistan versions of many popular websites, including google.com.pk, apple.pk, microsoft.pk and yahoo.pk. 284 sites were affected in total. Many of the sites were defaced, and a group called Eboz is taking credit for the hack. According to TechCrunch, "The root of today’s attack, it seems, came via a breach of Pakistan’s TLD operator, PKNIC, which administers and registers all .pk domains. Looking at affected organizations via PKNIC’s look up, it appears that all the sites are now redirecting to two nameservers, dns1.freehostia.com and dns2.freehostia.com."

35 comments

Difference? (2)

thej1nx (763573) | about a year and a half ago | (#42081413)

And here I thought the Pakistani courts and religious leaders kept passing orders anyway to censor domains, based on hearsay about "immoral stuff" to be found on them. Doubt poor Pakistani netizens could tell the difference here.

It's the TLD that was hacked (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42081419)

Blame the TLD operators, don't name Google, etc. who had no role in the hack

Re:It's the TLD that was hacked (1)

Anonymous Coward | about a year and a half ago | (#42081461)

Blame the TLD operators, don't name Google, etc. who had no role in the hack

Sounds like an inside job to me. How many of the 284 sites belonged to non-Pakistani companies? Probably all of them.

Re:It's the TLD that was hacked (1)

thetoadwarrior (1268702) | about a year and a half ago | (#42082531)

It's not that unbelievable that someone would hack in to take it out on US companies, given there probably are a lot of people there who aren't happy with the US, since they may view their government as being too friendly with the US and giving up their people to a country that doesn't have the greatest record of treating its prisoners well.

Re:It's the TLD that was hacked (4, Interesting)

Runaway1956 (1322357) | about a year and a half ago | (#42081659)

I was sitting here scratching my head, wondering why all those sites were hosted by the same servers.

Re:It's the TLD that was hacked (1, Informative)

camcorder (759720) | about a year and a half ago | (#42081889)

So in the first place, they wouldn't have registered those domains if they didn't trust an operator. If someone hacked Google and this way hacked my box, I can't blame Google for my losses, right? I'm hacked, and my security hole is Google. So it's Google, Apple etc. hacked because their security hole is their domain operators. Google and most of the big web services try to look local with local domains, translations; on the other hand they pay zero taxes to those governments, so it's also their mistake that they don't pay taxes to those governments with which they improve their IT infrastructure.

Taken down and defaced? (5, Insightful)

Anonymous Coward | about a year and a half ago | (#42081421)

I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

Re:Taken down and defaced? (3, Informative)

ark1 (873448) | about a year and a half ago | (#42081547)

I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

From the end user perspective, the site may appear defaced, but the actual web page at {Google, MS, ...} is not defaced.

PKNIC unable to respond, PR team in picknick. (1)

Anonymous Coward | about a year and a half ago | (#42081429)

PKNIC unable to respond, PR team in picknick.

Re:PKNIC unable to respond, PR team in picknick. (1)

maxwell demon (590494) | about a year and a half ago | (#42081635)

Well, if the support is via some .pk email address, any mails to support might also not reach their intended destination ...

Re:PKNIC unable to respond, PR team in picknick. (0)

Anonymous Coward | about a year and a half ago | (#42085039)

I'm sure the phones being down [slashdot.org] did not help contacting the registry either.

One might say... (2)

philip.paradis (2580427) | about a year and a half ago | (#42081471)

One might say the entire TLD is PhuKed. The teachable moment here is that security rolls downhill, and depending on any single layer of public infrastructure, at least for authentication of who you're talking to without giving serious consideration to cryptographic concerns, is asking for trouble. This is still something that the world is failing at on, well, a global scale.

Well, that and taking perimeter security seriously in terms of access to critical components, and having short order failover to components with completely different codebases ready to roll into production for select services in the event of something nasty happening. These days, virtualization on multiple platforms running in parallel makes that easier, although it does have the effect of acting as a cost multiplier (sliding scale factor-wise) depending on what you're trying to make as bulletproof as possible.

TLDR = Security is hard. Be prepared to be compromised. Have alternate plans in place that assume at least one $major_thing is already silently compromised. Yeah, it's tough. Life is tough.

Re:One might say... (4, Interesting)

heypete (60671) | about a year and a half ago | (#42081489)

I'd imagine the NIC could simply revert to a backup of their TLD zone and undo the changes -- the zone itself isn't infected and in need of purging, though the systems that can write to it may well be. I would hope that a NIC managing a national-level TLD has backups.

That said, how could any entity that relies on DNS have alternate plans to deal with this sort of thing? It's one thing to have off-site nameservers on a different network to provide some degree of fault tolerance for your own domain, but it's another thing if the TLD itself gets hosed and bad guys modify the zone to point at different nameservers. As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

I hope this incident serves as a wakeup call for TLD owners everywhere so they can review their security policies.

Re:One might say... (1)

drinkypoo (153816) | about a year and a half ago | (#42081531)

As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

You will need additional names under other TLDs, and to advertise them to your users ahead of time. One common way to accomplish this is to do it how Google does it; no, not to have massive clusters everywhere, but to have multiple international domain names. If your site is translated, they can default to various languages, but all should permit selecting all languages without redirection to another domain.

Re:One might say... (1)

heypete (60671) | about a year and a half ago | (#42081873)

Sure, one could have different TLD variants (e.g. example.com/net/org/us/co.uk/etc.), but that isn't terribly useful in terms of continuing to offer service in the event of a TLD compromise: if the registry for your main domain gets borked some users may try a different TLD but most will simply give up -- how many people would try accessing Google under a different ccTLD? Same thing with email: if you have email at your domain and the TLD is hosed then emails can't automatically pick another TLD and try again -- if COM gets hacked, emails addressed to @gmail.com users aren't going to try @googlemail.com or other Google domains.

It's one thing to prepare for failures at one's own domain (for example, having a "network status" page at a different TLD using different DNS servers, having administrative mail accounts on a secondary domain/TLD, etc.) but a compromised TLD is a catastrophic failure and there's no sensible technical way for anyone "downstream" (that is, domain holders) to mitigate such an issue in a way that would be seamless and automatic to users.
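The two comments above agree that a domain holder cannot prevent a registry from rewriting its delegation, but the incident in the story (every affected domain suddenly delegated to dns1/dns2.freehostia.com) is exactly the kind of change a holder can detect within minutes by watching what the parent zone publishes. The following is an added illustration of that check, written for this thread; it is not code from the story, PKNIC or any affected company. The domain, registrant name servers and allowed-parent list are placeholders, and both snapshots are constructed so the script runs offline; in production the "observed" set would come from querying the TLD's authoritative servers for the domain's NS records.

```python
"""Detect a delegation change for a domain at its parent (TLD) zone.

Added illustration for the thread above, not code from the story, PKNIC or
any affected company. Both snapshots below are constructed.
"""
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so equivalent
    spellings (NS1.Example.NET. vs ns1.example.net) compare equal."""
    return name.strip().lower().rstrip(".")


@dataclass(frozen=True)
class Finding:
    domain: str
    kind: str    # "ns_added", "ns_removed" or "ns_outside_allowed_parents"
    host: str


def check_delegation(domain, expected_ns, observed_ns, allowed_parents):
    """Compare the delegation published by the parent zone with what the
    registrant configured.

    expected_ns     -- NS host names the registrant set at the registry
    observed_ns     -- NS host names the TLD's servers currently answer with
    allowed_parents -- domains under which every legitimate NS host must fall
    Returns a list of Finding; an empty list means the delegation is intact.
    """
    expected = {normalize(n) for n in expected_ns}
    observed = {normalize(n) for n in observed_ns}
    parents = [normalize(p) for p in allowed_parents]
    findings = []
    for host in sorted(observed - expected):
        findings.append(Finding(domain, "ns_added", host))
    for host in sorted(expected - observed):
        findings.append(Finding(domain, "ns_removed", host))
    for host in sorted(observed):
        if not any(host == p or host.endswith("." + p) for p in parents):
            findings.append(Finding(domain, "ns_outside_allowed_parents", host))
    return findings


# Placeholder registrant configuration (constructed, not a real domain's data).
DOMAIN = "example.com.pk"
EXPECTED_NS = ["ns1.example-registrant.net.", "ns2.example-registrant.net."]
ALLOWED_PARENTS = ["example-registrant.net"]

# Constructed snapshots: a healthy answer that differs only in case and trailing
# dots, and one shaped like the incident in the story, where every delegation
# pointed at dns1/dns2.freehostia.com.
HEALTHY_SNAPSHOT = ["NS1.Example-Registrant.NET.", "ns2.example-registrant.net"]
INCIDENT_SNAPSHOT = ["dns1.freehostia.com.", "dns2.freehostia.com."]


def summarize(findings):
    """Count findings by kind, the shape an alerting rule would key on."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for label, snapshot in (("healthy", HEALTHY_SNAPSHOT), ("incident", INCIDENT_SNAPSHOT)):
        found = check_delegation(DOMAIN, EXPECTED_NS, snapshot, ALLOWED_PARENTS)
        print(label, summarize(found) or "delegation intact")
        for f in found:
            print("  ", f.kind, f.host)
```

The third check (NS hosts outside the registrant's own parent domains) is the one that fires even when the expected list is out of date: a delegation to a hosting provider the registrant never used is suspicious regardless of which names were previously configured. Run it on a schedule against the TLD's servers directly rather than through a recursive resolver, so cached answers do not hide the change.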

DNSSec (1)

magamiako1 (1026318) | about a year and a half ago | (#42081535)

Could have solved this issue. Assuming keys wouldn't have been compromised in the process.

Re:DNSSec (1)

Anonymous Coward | about a year and a half ago | (#42081793)

Well, now that really depends, doesn't it? Since the actual registrar was compromised, it could easily have been the machine that holds the key that they got into. In which case DNSSec bought squat. Depends on the attack.

Re:DNSSec (1)

GreyFish (156639) | about a year and a half ago | (#42082019)

No, it wouldn't have done - if you hack the registrar you can change the DS records as well as the NS records. DNSSEC makes no difference in this case. Browser-side certificate pinning and forcing sites to be HTTPS only would help - then the attackers wouldn't be able to set up fake sites. The real sites would still be broken though!

Re:DNSSec (1)

magamiako1 (1026318) | about a year and a half ago | (#42082065)

Actually, it would have--but only if the .pk private keys were not compromised in the process. Also, a quick change of keys in the root zone for .pk's DS keys would have invalidated the previous keys, resulting in the compromised keys being invalidated globally.

Whether or not the process exists to remove DS records quickly from the root zone, however, I'm not sure--I don't manage TLDs...
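The three DNSSEC comments above are each right about a different case, and a small model makes the cases concrete: DNSSEC authenticates a zone relative to its parent, so a registry that can re-sign the .pk zone can publish a consistent DS for an attacker's key (GreyFish's point); if the .pk private key was not compromised, the root's DS for .pk keeps vouching for the old key and the forged parent fails (magamiako1's point); and an out-of-band copy of the child's key catches the first case too. The code below is an added illustration for this exchange, not code from the story or from any DNS software. It deliberately simplifies: a zone key is random bytes, a DS record is a SHA-256 digest of the child's key, and a "signature" is a digest over the key and the records. Signing and verifying use the same bytes here, so holding a zone's key in the model stands for holding its private signing key in real DNSSEC. The domain, key material and addresses are constructed placeholders; dns1.freehostia.com is the name from the story.

```python
"""Toy model of the DNSSEC chain of trust, showing what a compromised registry
can and cannot defeat.

Added illustration for the DNSSEC exchange above; not code from the story or
from any DNS software. Keys, digests and "signatures" are simplified (see the
lead-in); the trust relationships between root, TLD and child are the point.
"""
import hashlib
import os


def digest(*parts: bytes) -> str:
    h = hashlib.sha256()
    for p in parts:
        h.update(p)
    return h.hexdigest()


def canonical(records: dict) -> bytes:
    """Deterministic serialization of a zone's records for signing."""
    return "|".join(f"{k}={v}" for k, v in sorted(records.items())).encode()


def make_zone(name, records, key=None):
    """Build a signed zone; a fresh random key is generated unless one is given."""
    key = key if key is not None else os.urandom(32)
    return {"name": name, "dnskey": key, "records": dict(records),
            "rrsig": digest(key, canonical(records))}


def ds_for(zone):
    """The DS record a parent publishes for a child is a digest of the child's key."""
    return digest(zone["dnskey"])


def validate(child, parent, trust_anchor_ds, pinned_key=None):
    """Validate a child zone through its parent.

    trust_anchor_ds -- the DS for the parent as held by the resolver (for a TLD,
                       what the root zone publishes)
    pinned_key      -- optional out-of-band copy of the child's key; this is the
                       extra check that a registry compromise cannot satisfy
    Returns (ok, reason).
    """
    if ds_for(parent) != trust_anchor_ds:
        return False, "parent key does not match trust anchor"
    if parent["rrsig"] != digest(parent["dnskey"], canonical(parent["records"])):
        return False, "parent RRSIG invalid"
    if parent["records"].get(f"DS:{child['name']}") != ds_for(child):
        return False, "DS in parent does not match child DNSKEY"
    if child["rrsig"] != digest(child["dnskey"], canonical(child["records"])):
        return False, "child RRSIG invalid"
    if pinned_key is not None and child["dnskey"] != pinned_key:
        return False, "child DNSKEY does not match pinned key"
    return True, "ok"


def scenarios():
    """Evaluate the situations discussed in the thread. Names and addresses are
    constructed placeholders; dns1.freehostia.com is the name from the story."""
    legit_key, pk_key = os.urandom(32), os.urandom(32)
    child = make_zone("example.com.pk", {"A:www": "192.0.2.10"}, key=legit_key)
    pk_zone = make_zone("pk", {
        "NS:example.com.pk": "ns1.example-registrant.net",
        "DS:example.com.pk": ds_for(child),
    }, key=pk_key)
    root_anchor = ds_for(pk_zone)  # what the root zone carries for .pk

    results = {"legitimate": validate(child, pk_zone, root_anchor, pinned_key=legit_key)}

    # Registry compromised and the .pk signing key available to the attacker:
    # the delegation (NS) and the DS are both replaced and the zone re-signed.
    rogue = make_zone("example.com.pk", {"A:www": "198.51.100.5"})
    tampered = make_zone("pk", {
        "NS:example.com.pk": "dns1.freehostia.com",
        "DS:example.com.pk": ds_for(rogue),
    }, key=pk_key)
    results["registry_with_pk_key"] = validate(rogue, tampered, root_anchor)
    results["registry_with_pk_key_pinned"] = validate(
        rogue, tampered, root_anchor, pinned_key=legit_key)

    # Same edits, but the .pk signing key was not compromised: the zone has to be
    # signed with some other key, which the root's DS for .pk does not vouch for.
    tampered_unsigned = make_zone("pk", tampered["records"])
    results["registry_without_pk_key"] = validate(rogue, tampered_unsigned, root_anchor)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:32} {'VALID' if ok else 'REJECTED'}  {reason}")
```

The "registry_with_pk_key" result is the uncomfortable one: every signature checks out, because the registry is the authority DNSSEC asks. What detects it is information held outside that chain, here a pinned child key; in practice the same role is played by monitoring the published DS and NS records against what the holder knows they should be, and by certificate checks in the browser as GreyFish notes.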

In other news sensationalism at an all time high (1)

Anonymous Coward | about a year and a half ago | (#42081553)

"Oh we don't really have a story if we say the .pk TLD had a compromise of sorts that affected 284 domains. What big names were affected so we can put them in the headline?"

ALL YOUR SITES ARE BELONG TO TALIBAN !! (0, Troll)

Anonymous Coward | about a year and a half ago | (#42081701)

And death to the infidels !!

Aaaayyyyaaaaaayyyyaaaayyyyhgghghhghgh !!

Took them long enough (1)

LordDfg (1828962) | about a year and a half ago | (#42081835)

It's no secret Pakistan's infrastructure isn't as secure as it should be; I am actually quite surprised no one targeted Pakistan before. I guess it wasn't a good idea to attack Israel, but in this case it was just the old champ saying hi.

hack Pakistan’s TLD operator, PKNIC... (1)

submit your site (2780471) | about a year and a half ago | (#42082011)

Oh my god. How is it possible to hack google.com.pk, apple.pk, microsoft.pk and yahoo.pk along with many other domains? These are top TLD and top-label domains. It is very bad for all.

Hey, Boo-boo! (0)

Anonymous Coward | about a year and a half ago | (#42082145)

Someone stole our pic-a-nic basket!

Freehostia (1)

TheStonepedo (885845) | about a year and a half ago | (#42082247)

Would blocking port 53 by default on free subdomains prevent such hijacking?
I cannot think of a legitimate reason one would need a free DNS server beyond those that already exist with stated goals of minimizing/preventing DNS-based censorship.

Re:Freehostia (1)

DamonHD (794830) | about a year and a half ago | (#42082743)

Are you saying people like me that have always hosted their own DNS, since the Internet became available to us (~1992 here), should now have to stop doing so?

Rgds

Damon

Re:Freehostia (1)

TheStonepedo (885845) | about a year and a half ago | (#42083049)

Let's pretend for the sake of argument you are one of the good guys - I believe you, but how can an even-less-technical user be sure?
Could something be done during routing traffic in the internet at large to block port 53 for an IP address or a range of IP addresses when there is reason to believe malicious redirection is occurring?
Is protecting a mostly-non-technical majority from falling for DNS-based bait-and-switch tricks worth having to appeal an occasional false positive?

Outside of the scope of TFS:
What do you do with your DNS?

Re:Freehostia (1)

DamonHD (794830) | about a year and a half ago | (#42083183)

My DNS is often colocated with my Web sites and other services that it supports: forcing me to separate them would add nothing to end-user security in reaching me, and would likely lower reliability and increase costs.

Specialised and high-volume sites will also want to do things such as geo- and load-sensitive DNS, and constraining innovation in that area by constraining DNS providers is unlikely to be helpful for the end user (i.e. would result in slower and less reliable service).

Entire IP addresses can be blackholed (blocked) if they are misbehaving, and delegation to misbehaving DNS servers can be stopped, though because of caching (etc.) the latter may be slow to take effect.

Rgds

Damon

Re:Freehostia (0)

Anonymous Coward | about a year ago | (#42088381)

The correct way is to prevent unauthorized people from editing the TLD root. What does it even mean to block port 53 on a free subdomain? Maybe you mean residential subnets or something. Anyway, the attacker could just as easily have done a DoS by changing the NS records for everything to 0.0.0.0, or deleting the whole lot, or just buying a couple instances on something so they would have super-secure ultra-legit corporate enterprise-class IPs from which to host the malicious DNS servers, assuming they didn't do that already.

Using port blocking (and NAT) to transition the internet from a mesh system to a broadcast system by dictating who can listen for requests (or otherwise do "server" stuff) on what service doesn't actually improve security at all; it just changes the way attacks are done, at the cost of one of the best features of the internet. If the (probably incompetent) .pk ccTLD operators had protected the critical network infrastructure with which they were charged, this problem would not have occurred.

On the other hand, the more the internet becomes a broadcast system, the more network resources (and permissions on your own connection!) are capitalized, which does nothing but increase service provider margins.

What did they expect? (0)

Anonymous Coward | about a year and a half ago | (#42082615)

From a nation that lets its "ally" blow up citizens because they're near someone who might look a bit like a terrorist?

google.com.pk and pknic.net.pk are both in USA (0)

Anonymous Coward | about a year ago | (#42087581)

whois google.com.pk
This TLD has no whois server, but you can access the whois database at
http://www.pknic.net.pk/

Copyright notice on http://www.pknic.net.pk/ is outdated: 1995-2008 PKNIC SRS,Inc.

geoiplookup google.com.pk
GeoIP Country Edition: US, United States

geoiplookup pknic.net.pk
GeoIP Country Edition: US, United States

Any theories?

Agree (0)

Anonymous Coward | about a year ago | (#42091191)

Yeah, I agree that actually the name servers were changed pointing to some dns1.freehostia.com and dns2.freehostia.com.

It was basically DNS hacking. The data stored with Google was not compromised, and hence was safe.

Read more about how Google.com.pk and other .PK domains were hacked. Click here - How Google.com.pk and other .PK domains were hacked. [pakblogger.net]
