Baidu defaced by ICA after DNS hijacking
by Steve Ragan - Jan 12 2010, 23:25
The Iranian Cyber Army (ICA), not a month after attacking Twitter, has hit again, this time altering the DNS of China’s largest search engine Baidu. For two to three hours, Baidu was altered to display the ICA markings, until administrators were able to reverse the changes.
Like the Twitter attack, the Baidu attack is political and offered no malicious payloads to those viewing the defacement. While the basics of how Twitter was compromised are all but public record, at this time there are only guesses as to how Baidu managed to get a face lift.
The crew at Praetorian Prefect noted that the defacement pointed the Baidu site to a server in Texas hosted by The Planet, and speculated that “…the changes were initially made at [the] .com level, most likely through Register.com to point the Baidu.com domain name to DNS servers controlled by the attackers.” [Praetorian Prefect]
Aside from the fact that Baidu has returned to normal, officials in China are keeping silent on the DNS hijacking.
It’s interesting to note that this is the second time a major site has been defaced for political ends. Another interesting observation is that both defacements were the result of unauthorized access to DNS controls, and not because of a flaw in the site’s code.
In the Twitter attack, while not confirmed by the micro-blogging service itself, the DNS hijacking took place because of a compromised email account used by a Twitter staffer. This account was used to order DNS changes from Twitter's DNS provider Dyn Inc. Shortly after the Twitter DNS hijack, Dyn Inc. altered their authentication process, and removed the ability to request or reset passwords via email.
It is entirely possible that the Register.com account was compromised in some fashion, but Register.com will not discuss the matter. If so, this moves the discussion forward on the debate over access control within critical infrastructure.
"Historically, we've seen attacks directed at domain name registrars and registries as well as infrastructure providers like DNS services... The DNS attacks on Twitter and now Baidu.com tell us that as companies become more reliant on the web, they need to be especially careful in how they manage their domain names both technically and administratively," Frederick Felman, the Chief Marketing Officer for MarkMonitor, told The Tech Herald.
"One of the strongest security measures is locking the name at the registry level and prohibiting automated changes to any of the information. This action eliminates the risk of registry or registrar hacks."
Ten years ago, a username and password worked well for securing access to domain information or DNS records. Now there are calls for stronger methods of protection, including layered authentication protocols.
"Another key plank in any domain name management and security strategy is a contingency plan that addresses the best methods for responding to an attack of this sort," added Felman.
We asked Felman for his thoughts as to why DNS attacks seem to be more common, over the exploit and deface methods of the past. "Hackers are opportunists and seek to exploit the most vulnerable point in any system. In this case, they're seeing weaknesses in the Domain Naming System and the technical infrastructure that directs users to websites," he said.
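Both attacks described above changed the domain's delegation at the registrar, and the mitigation Felman recommends is a registry-level lock. The following script, added here as an illustration and not part of the original story or any vendor tool, shows the two checks a domain owner can run on a schedule: whether the nameservers the parent zone hands out still match the ones the organisation operates, and whether the domain carries the server-side EPP lock codes (RFC 5731) rather than only the registrar-side client codes. All inputs (status codes, nameserver names, the .example hostnames) are constructed sample data.

```python
"""Delegation-drift and registry-lock audit for a domain (constructed inputs)."""

# EPP status codes (RFC 5731). server* locks are applied by the registry and
# cannot be cleared through the registrar account alone; client* locks can,
# so they do not stop an attacker who already controls that account.
REGISTRY_LOCKS = {"serverDeleteProhibited", "serverTransferProhibited", "serverUpdateProhibited"}
REGISTRAR_LOCKS = {"clientDeleteProhibited", "clientTransferProhibited", "clientUpdateProhibited"}


def normalize_ns(names):
    """Lower-case and strip the trailing dot so DNS answers compare cleanly."""
    return {n.lower().rstrip(".") for n in names}


def audit_domain(status_codes, observed_ns, expected_ns):
    """Compare the parent-zone delegation and lock state against policy.

    status_codes: EPP status strings for the domain (as WHOIS lists them)
    observed_ns:  NS names the parent (TLD) zone currently hands out
    expected_ns:  NS names the organisation actually operates
    """
    status = set(status_codes)
    observed, expected = normalize_ns(observed_ns), normalize_ns(expected_ns)
    findings = {
        # any delegated name that is not ours means resolvers are being
        # steered to servers outside the organisation's control
        "rogue_ns": sorted(observed - expected),
        "missing_ns": sorted(expected - observed),
        "missing_registry_locks": sorted(REGISTRY_LOCKS - status),
        # registrar-only locking is the weak state the article describes
        "registrar_lock_only": bool(status & REGISTRAR_LOCKS) and not (status & REGISTRY_LOCKS),
    }
    findings["hijack_suspected"] = bool(findings["rogue_ns"])
    return findings


# Constructed sample: the account holds only client* locks, and the .com
# delegation now points at nameservers the owner never configured.
SAMPLE_STATUS = ["clientTransferProhibited", "clientDeleteProhibited"]
SAMPLE_OBSERVED_NS = ["ns1.attacker-hosting.example.", "NS2.attacker-hosting.example."]
SAMPLE_EXPECTED_NS = ["ns1.example.com", "ns2.example.com"]

if __name__ == "__main__":
    for key, value in audit_domain(SAMPLE_STATUS, SAMPLE_OBSERVED_NS, SAMPLE_EXPECTED_NS).items():
        print(f"{key}: {value}")
```

In practice the observed nameservers come from querying the TLD's authoritative servers directly, not a recursive resolver, so a poisoned cache cannot mask the drift.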
We'll update this story as more information becomes available.