(2013 Top 10 Story) Malaysian sites hit by DNS poisoning

(Originally published July 1, 2012)
Without a doubt, this was the most high-profile security breach in 2013, and the most widespread in terms of visibility and general impact. It also illustrated how far behind the industry here remains in safeguarding networks and adopting the latest global industry standards.
 
The golden rule for security has never been about completely locking down a system, but rather, making it so difficult to break through that it is deemed not worth the effort by those with malicious or mischievous intent. At the moment, it is still easy enough to be worth the effort. – Gabey Goh

• Malaysian domain names poisoned by hacktivists protesting treatment of Bangladeshi workers in Malaysia
• Incident shores up case for alternative DNS systems such as Namecoin

[Updated with additional comments]
[NOTE: It has also been pointed out that technically -- see readers' comments below -- this was a DNS hijack]

SEARCH queries involving Malaysian domain names were poisoned this morning, leading visitors to temporary sites with a message from what appears to be a hacker protesting against the treatment of Bangladeshi workers in the country.
 
Affected sites included Dell Malaysia (.com.my), all Microsoft sites on the .my suffix -- notably MSN Malaysia (.com.my), Skype Malaysia (.com.my) and Bing Malaysia (.com.my) -- as well as antivirus site Kaspersky (.com.my). Google Malaysia (.com.my), YouTube Malaysia (.com.my) and a few other .my domain sites.
 
Redirected users were greeted with a new homepage (see image), with the following statement:

“HackeD By TiGER-M@TE
#Bangladeshi HackeR
Hello malaysia, you think you are more advanced than us? Respect our workers, we will respect you!
Running it since 2007 :)”

Speaking to Digital News Asia (DNA) about the incident, Dhillon Kannabhiran, chief executive officer and founder of IT security conference Hack In The Box, confirmed that the affected sites have not been hacked or defaced, but rather this was a case of users being redirected to temporary sites.
 
“Think of it like I changed the actual phone number tied to an entry in your address book, so when you call the entry that says 'Office', instead of calling the office, it dials 1300-GOATSE instead,” he explained.
 
When contacted for comment on the matter, a Google Malaysia spokesman noted that “this sort of DNS hijacking is not in Google's hands.”
 
“Our engineers got in touch with Malaysian authorities as soon as we detected DNS hijacking of google.com.myyoutube.com.my and blogger.com.my this morning," he said.

Leigh Wong, communications lead at Microsoft Malaysia, confirmed that a number of URLs ending with the .my Top Level Domain (TLD) suffix are currently being redirected to an external third-party website.
 
“This has impacted several Malaysian company URLs with the .my suffix, including Microsoft Malaysia’s www.microsoft.com.my," he said.
 
At this time, Wong said, the company has no evidence that any customer or partner data has been affected. So far, simple URLs ending with “.my” are affected and www.microsoft.com/malaysia is still fully operational.
 
“We are working with the relevant authorities and industry partners to resolve this matter quickly. We will keep the public updated via our Facebook page and Twitter,” he added.  

Responding to DNA’s queries, Dr Amirudin Abdul Wahab (pic), chief executive officer of CyberSecurity Malaysia, said the agency was currently working closely with the respective authorities and administrators to address the issue.
 
“As opposed to a simple defacement of a website, this is a more complicated attack related to DNS poisoning or DNS Spoofing, where the attacker redirects a victim to a different site, in this case to a defacement site. This incident is not related to malware infection but issue related to DNS configuration,” he added.
 
When asked if the hacker's IP address can be traced to reveal where this attack originated from, Amirudin said that the agency was still working on tracing the attack and could not confirm the total number of affected websites or whether all of them have been restored at this point.

In a post by Vijandren Ramadass, founder of Lowyat.NET, he noted that: “At time of writing, none of the online banking sites have been poisoned, but it is a very real possibility that they could be until this issue is resolved. If you have to conduct any online transactions, please ensure that the security certificate for the online banking site you are visiting is valid before keying in your personal details (if you choose to stick to Google DNS servers that is).”
 
Vijandren, who is monitoring the situation, also reported that the issue is not isolated to the Google DNS.
 
“We have checked and MSN (.com.my) records have been poisoned across other DNS servers as well (Level 3 and OpenDNS). We believe now that the MYNIC registry itself has been compromised, and as such, all the domain on the .MY suffix are now at risk of malicious attacks," he said.
 
Cybersecurity’s Amirudin added that users should make sure the DNS setting on their PC or device is set to their respective ISP's own DNS to ensure they are not compromised.
 
In addition, he offered the following tips for users:

• Always update and upgrade computer/ devices application and software to the latest patch.

• Avoid untrustworthy websites and always check for security certification for e-commerce or online banking/ financial sites.

• Verify legitimate sites by checking the site's security certification.

• Install antivirus software and make sure its signatures are updated to the latest version.

“MyCERT is also in the midst of preparing the advisory alert. Once done, we will upload it in the MyCERT website for the public to access,” said Amirudin.

According to Hack In The Box’s Dhillon, this incident shores up the argument for pushing through proposals such as Namecoin, an alternative distributed DNS based on the Bitcoin software. It extends Bitcoin to add transactions for registering, updating and transferring names.
 
“The idea behind this is to provide an alternative to the existing DNS system where names can be taken from their owners by groups that control the DNS servers,” he said.
 
“To have a 'cost' attached to maintaining DNS records is so that you can't poison it when there's a block chain attached,” he added.

Dhillon also pointed to Domain Name System Security Extensions (DNSSEC), a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on Internet Protocol (IP) networks.
 
It is a set of extensions to DNS that provides to DNS clients (resolvers), origin authentication of DNS data, authenticated denial of existence, and data integrity.
 
“Had more domains adopted DNSSEC, that could have helped mitigate the severity and extent of the DNS poisoning,” he said. "Although if indeed MyNIC got compromised, which would seem to be the attacker's modus operandi based on articles on Softpedia, then DNSSEC wouldn't really help. If I own the registrar, then I can pretty much do anything I want."
 
Due to on-going developments with this issue, Malaysian Communications And Multimedia Commission (MCMC) was unable to respond to DNA’s requests for comments at time of writing.

UPDATE: DNS poisoning: MYNIC admits servers compromised

For more technology news and the latest updates, follow @dnewsasia on Twitter or Like us on Facebook.