and 284 Other .PK Domains Hacked

Soulskill posted about 2 years ago | from the go-big-or-go-home dept.

Security 35

ryzvonusef writes with news that hackers have taken down the local Pakistan versions of many popular websites, including,, and 284 sites were affected in total. Many of the sites were defaced, and a group called Eboz is taking credit for the hack. According to TechCrunch, "The root of today’s attack, it seems, came via a breach of Pakistan’s TLD operator, PKNIC, which administers and registers all .pk domains. Looking at affected organizations via PKNIC’s look up, it appears that all the sites are now redirecting to two nameservers, and"


Difference? (2)

thej1nx (763573) | about 2 years ago | (#42081413)

And here I thought the Pakistani courts and religious leaders kept passing orders anyway to censor domains, based on hearsay about "immoral stuff" to be found on them. Doubt poor Pakistani netizens could tell the difference here.

It's the TLD that was hacked (5, Insightful)

Anonymous Coward | about 2 years ago | (#42081419)

Blame the TLD operators, don't name Google, etc. who had no role in the hack.

Re:It's the TLD that was hacked (1)

Anonymous Coward | about 2 years ago | (#42081461)

Blame the TLD operators, don't name Google, etc. who had no role in the hack.

Sounds like an inside job to me. How many of the 284 sites belonged to non-Pakistani companies? Probably all of them.

Re:It's the TLD that was hacked (1)

thetoadwarrior (1268702) | about 2 years ago | (#42082531)

It's not that unbelievable that someone would hack in to take it out on US companies, given there are probably a lot of people there that aren't happy with the US, since they may view their government as being too friendly with the US and giving up their people to a country that doesn't have the greatest record of treating its prisoners well.

Re:It's the TLD that was hacked (4, Interesting)

Runaway1956 (1322357) | about 2 years ago | (#42081659)

I was sitting here scratching my head, wondering why all those sites were hosted by the same servers.

Re:It's the TLD that was hacked (1, Informative)

camcorder (759720) | about 2 years ago | (#42081889)

So in the first place, they wouldn't have registered those domains if they didn't trust the operator. If someone hacked Google and this way hacked my box, I can't blame Google for my losses, right? I'm hacked, and my security hole is Google. So it's Google, Apple etc. that got hacked, because their security hole is their domain operators. Google and most of the big web services try to look local with local domains and translations; on the other hand they pay zero taxes to those governments, so it's also their mistake that they don't pay taxes to those governments, with which they improve their IT infrastructure.

Taken down and defaced? (5, Insightful)

Anonymous Coward | about 2 years ago | (#42081421)

I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

Re:Taken down and defaced? (3, Informative)

ark1 (873448) | about 2 years ago | (#42081547)

I'm not great at networking knowledge, but if you simply redirect to a new IP, is the site really defaced?

From the end user's perspective, the site may appear defaced, but the actual web page at {Google, MS, ...} is not defaced.

PKNIC unable to respond, PR team in picknick. (1)

Anonymous Coward | about 2 years ago | (#42081429)

PKNIC unable to respond, PR team in picknick.

Re:PKNIC unable to respond, PR team in picknick. (1)

maxwell demon (590494) | about 2 years ago | (#42081635)

Well, if the support is via some .pk email address, any mails to support might also not reach their intended destination ...

Re:PKNIC unable to respond, PR team in picknick. (0)

Anonymous Coward | about 2 years ago | (#42085039)

I'm sure the phones being down did not help contacting the registry either.

Re:PKNIC unable to respond, PR team in picknick. (4, Funny)

History's Coming To (1059484) | about 2 years ago | (#42081923)

Problem in Karachi Not In Computer?

One might say... (2)

philip.paradis (2580427) | about 2 years ago | (#42081471)

One might say the entire TLD is PhuKed. The teachable moment here is that security rolls downhill, and depending on any single layer of public infrastructure, at least for authentication of who you're talking to without giving serious consideration to cryptographic concerns, is asking for trouble. This is still something that the world is failing at on, well, a global scale.

Well, that and taking perimeter security seriously in terms of access to critical components, and having short order failover to components with completely different codebases ready to roll into production for select services in the event of something nasty happening. These days, virtualization on multiple platforms running in parallel makes that easier, although it does have the effect of acting as a cost multiplier (sliding scale factor-wise) depending on what you're trying to make as bulletproof as possible.

TLDR = Security is hard. Be prepared to be compromised. Have alternate plans in place that assume at least one $major_thing is already silently compromised. Yeah, it's tough. Life is tough.

Re:One might say... (4, Interesting)

heypete (60671) | about 2 years ago | (#42081489)

I'd imagine the NIC could simply revert to a backup of their TLD zone and undo the changes -- the zone itself isn't infected and in need of purging, though the systems that can write to it may well be. I would hope that a NIC managing a national-level TLD has backups.

That said, how could any entity that relies on DNS have alternate plans to deal with this sort of thing? It's one thing to have off-site nameservers on a different network to provide some degree of fault tolerance for your own domain, but it's another thing if the TLD itself gets hosed and bad guys modify the zone to point at different nameservers. As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

I hope this incident serves as a wakeup call for TLD owners everywhere so they can review their security policies.

Re:One might say... (1)

drinkypoo (153816) | about 2 years ago | (#42081531)

As far as I can tell there's no reasonable way for the holder of a domain name to prepare for the TLD getting compromised.

You will need additional names under other TLDs, and to advertise them to your users ahead of time. One common way to accomplish this is to do it how Google does it; no, not to have massive clusters everywhere, but to have multiple international domain names. If your site is translated, they can default to various languages, but all should permit selecting all languages without redirection to another domain.

Re:One might say... (1)

heypete (60671) | about 2 years ago | (#42081873)

Sure, one could have different TLD variants (e.g., but that isn't terribly useful in terms of continuing to offer service in the event of a TLD compromise: if the registry for your main domain gets borked some users may try a different TLD but most will simply give up -- how many people would try accessing Google under a different ccTLD? Same thing with email: if you have email at your domain and the TLD is hosed then emails can't automatically pick another TLD and try again -- if COM gets hacked, emails addressed to users aren't going to try or other Google domains.

It's one thing to prepare for failures at one's own domain (for example, having a "network status" page at a different TLD using different DNS servers, having administrative mail accounts on a secondary domain/TLD, etc.) but a compromised TLD is a catastrophic failure and there's no sensible technical way for anyone "downstream" (that is, domain holders) to mitigate such an issue in a way that would be seamless and automatic to users.

DNSSec (1)

magamiako1 (1026318) | about 2 years ago | (#42081535)

Could have solved this issue. Assuming keys wouldn't have been compromised in the process.

Re:DNSSec (1)

Anonymous Coward | about 2 years ago | (#42081793)

Well now that really depends doesn't it? Since the actual registrar was compromised, it could easily have been the machine that holds the key that they got into. In which case DNSSec bought squat. Depends on the attack.

Re:DNSSec (1)

GreyFish (156639) | about 2 years ago | (#42082019)

No it wouldn't have done - if you hack the registrar you can change the DS records as well as the NS records. DNSSEC makes no difference in this case. Browser-side certificate pinning and forcing sites to be HTTPS only would help - then the attackers wouldn't be able to set up fake sites. The real sites would still be broken though!

Re:DNSSec (1)

magamiako1 (1026318) | about 2 years ago | (#42082065)

Actually, it would have--but only if the .pk private keys were not compromised in the process. Also, a quick change of keys in the root zone for .pk's DS keys would have invalidated the previous keys, resulting in the compromised keys being invalidated globally.

Whether or not the process exists to remove DS records quickly from the root zone, however, I'm not sure--I don't manage TLDs...
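GreyFish's point (a registrar-level compromise can rewrite DS as well as NS) and magamiako1's (rotating the DS for .pk in the root invalidates the compromised key) can be played out in a toy DNSSEC chain-of-trust model. This is an added example, not code from the thread or from PKNIC; it uses Ed25519 in place of real DNSSEC algorithms, a SHA-256 digest of the public key as the DS, and "example.pk." as a placeholder name.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone is a toy signed zone: its key pair plus the DS records (digest of each child's key) it signs.
type Zone struct {
	Name  string
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	DS    map[string][]byte // child name -> SHA-256 of the child's public key
	DSSig map[string][]byte // child name -> parent's signature over (child name || DS)
}
func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{name, pub, priv, map[string][]byte{}, map[string][]byte{}}
}
func digest(pub ed25519.PublicKey) []byte { h := sha256.Sum256(pub); return h[:] }
// Delegate is the registry's job: publish the child's DS and sign it with the parent zone's key.
func (p *Zone) Delegate(child string, childPub ed25519.PublicKey) {
	p.DS[child] = digest(childPub)
	p.DSSig[child] = ed25519.Sign(p.priv, append([]byte(child), p.DS[child]...))
}
// ValidateLink is one resolver chain step: parent's DS must verify under the trusted parent key and match the child's DNSKEY.
func ValidateLink(parentPub ed25519.PublicKey, parent *Zone, child string, childPub ed25519.PublicKey) bool {
	ds, ok := parent.DS[child]
	return ok && ed25519.Verify(parentPub, append([]byte(child), ds...), parent.DSSig[child]) &&
		bytes.Equal(ds, digest(childPub))
}
// Scenario validates the chain root -> pk -> example.pk (placeholder name) in four situations.
func Scenario() (legit, nsOnly, registryLevel, afterRootRotation bool) {
	root, pk := NewZone("."), NewZone("pk.")
	victim, attacker := NewZone("example.pk."), NewZone("example.pk.") // same name, different keys
	root.Delegate("pk.", pk.Pub)
	pk.Delegate("example.pk.", victim.Pub)
	chain := func(leafKey ed25519.PublicKey) bool { // root.Pub acts as the resolver's trust anchor
		return ValidateLink(root.Pub, root, "pk.", pk.Pub) && ValidateLink(pk.Pub, pk, "example.pk.", leafKey)
	}
	legit = chain(victim.Pub)                // honest delegation validates
	nsOnly = chain(attacker.Pub)             // NS redirected but DS untouched: validation fails
	pk.Delegate("example.pk.", attacker.Pub) // registry compromised: DS rewritten and re-signed
	registryLevel = chain(attacker.Pub)      // validates; DNSSEC makes no difference here
	root.Delegate("pk.", NewZone("pk.").Pub) // root publishes a fresh DS for .pk (key rotation)
	afterRootRotation = chain(attacker.Pub)  // the compromised .pk key is no longer trusted
	return
}
```

The third case is the one that matters for this incident: once the registry's signing path is under attacker control, a validating resolver sees a perfectly good chain, so the defence has to be at the registry itself, with root-level DS rotation as the recovery step.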

In other news sensationalism at an all time high (1)

Anonymous Coward | about 2 years ago | (#42081553)

"Oh we don't really have a story if we say the .pk TLD had a compromise of sorts that affected 284 domains. What big names were affected so we can put them in the headline?"


Anonymous Coward | about 2 years ago | (#42081701)

And death to the infidels !!

Aaaayyyyaaaaaayyyyaaaayyyyhgghghhghgh !!

Took them long enough (1)

LordDfg (1828962) | about 2 years ago | (#42081835)

It's no secret Pakistan's infrastructure isn't as secure as it should be; I am actually quite surprised no one targeted Pakistan before. I guess it wasn't a good idea to attack Israel, but in this case it was just old champ saying hi,

hack Pakistan’s TLD operator, PKNIC... (1)

submit your site (2780471) | about 2 years ago | (#42082011)

Oh my god, how is it possible? Hacking,, and with many domains. This domain is a top TLD & top-level domain. It is very bad for all.

Hey, Boo-boo! (0)

Anonymous Coward | about 2 years ago | (#42082145)

Someone stole our pic-a-nic basket!

Freehostia (1)

TheStonepedo (885845) | about 2 years ago | (#42082247)

Would blocking port 53 by default on free subdomains prevent such hijacking?
I cannot think of a legitimate reason one would need a free DNS server beyond those that already exist with stated goals of minimizing/preventing DNS-based censorship.

Re:Freehostia (1)

DamonHD (794830) | about 2 years ago | (#42082743)

Are you saying people like me that have always hosted their own DNS, since the Internet became available to us (~1992 here), should now have to stop doing so?



Re:Freehostia (1)

TheStonepedo (885845) | about 2 years ago | (#42083049)

Let's pretend for the sake of argument you are one of the good guys - I believe you, but how can an even-less-technical user be sure?
Could something be done during routing traffic in the internet at large to block port 53 for an IP address or a range of IP addresses when there is reason to believe malicious redirection is occurring?
Is protecting a mostly-non-technical majority from falling for DNS-based bait-and-switch tricks worth having to appeal an occasional false positive?

Outside of the scope of TFS:
What do you do with your DNS?

Re:Freehostia (1)

DamonHD (794830) | about 2 years ago | (#42083183)

My DNS is often colocated with my Web sites and other services that it supports: forcing me to separate them would add nothing to end-user security in reaching me, and would likely lower reliability and increase costs.

Specialised and high-volume sites will also want to do things such as geo- and load-sensitive DNS, and constraining innovation in that area by constraining DNS providers is unlikely to be helpful for the end user (i.e. would result in slower and less reliable service).

Entire IP addresses can be blackholed (blocked) if they are misbehaving, and delegation to misbehaving DNS servers can be stopped, though because of caching (etc.) the latter may be slow to take effect.



Re:Freehostia (0)

Anonymous Coward | about 2 years ago | (#42088381)

The correct way is to prevent unauthorized people from editing the TLD root. What does it even mean to block port 53 on a free subdomain? Maybe you mean residential subnets or something. Anyway, the attacker could just as easily have done a DoS by changing the NS records for everything to, or deleting the whole lot, or just buying a couple instances on something so they would have super-secure ultra-legit corporate enterprise-class IPs from which to host the malicious DNS servers, assuming they didn't do that already.

Using port blocking (and NAT) to transition the internet from a mesh system to a broadcast system by dictating who can listen for requests (or otherwise do "server" stuff) on what service doesn't actually improve security at all; it just changes the way attacks are done, at the cost of one of the best features of the internet. If the (probably incompetent) .pk ccTLD operators had protected the critical network infrastructure with which they were charged, this problem would not have occurred.

On the other hand, the more the internet becomes a broadcast system, the more network resources (and permissions on your own connection!) are capitalized, which does nothing but increase service provider margins.

What did they expect? (0)

Anonymous Coward | about 2 years ago | (#42082615)

From a nation that lets its "ally" blow up citizens because they're near someone who might look a bit like a terrorist?

and are both in USA (0)

Anonymous Coward | about 2 years ago | (#42087581)

This TLD has no whois server, but you can access the whois database at

Copyright notice on is outdated: 1995-2008 PKNIC SRS,Inc.

GeoIP Country Edition: US, United States

GeoIP Country Edition: US, United States

Any theories?

Hmm. (1)

Meski (774546) | about 2 years ago | (#42089417)

And the world at large complained when they fixed it.

Agree (0)

Anonymous Coward | about 2 years ago | (#42091191)

Yeah, I agree that actually the name servers were changed pointing to some and

It was basically DNS hacking. The data stored with Google was not compromised, and hence was safe.

Read more about how and other .PK domains were hacked. Click here - How and other .PK domains were hacked.
