Pakistan’s domain registry provider PKNIC has posted an explanation of what it says happened when visits to a number of high-profile websites last weekend redirected to another page — in many cases to one with a photo of penguins and a message from someone called Eboz claiming responsibility. It says that during a security upgrade, a vulnerability opened up, which let someone breach four user accounts, which in turn impacted nine DNS records, leading to “several website addresses” being impacted. It doesn’t categorically rule it out, but it believes that there was no phishing attack carried out through the redirection. It says the issue causing the problem was reverted a few hours after it was discovered and PKNIC itself was not hacked.
Earlier reports put the number of total websites affected at 284 — we are asking PKNIC if that number is accurate.
Ironically, all of this appeared to happen because PKNIC was in the middle of a security upgrade. Citing the LinkedIn and Twitter password breaches, the registry’s executive chairman Ashar Nisar noted that PKNIC had been upgrading its site to protect against SQL injection attacks, installing “a more complex system” to do so:
“However, it inadvertently left open a vulnerability, under certain obscure conditions and contexts, that was used in the recent attack. As a result, in addition to a thorough investigation of our entire site and systems, we reverted to the simpler more robust model of filtering out everything unknown, instead of continuing to use the new system that had been tailored to the latest threats using more complicated algorithms.”
In effect, what PKNIC is now going back to doing is whitelisting approved domains and sites rather than blacklisting those that are deemed a threat. As Patrick Morley, the CEO of cybersecurity (and whitelisting) specialist Bit9 once described it, “The challenge with security is that it is hard because to create new threats is so easy that they pass right through” an existing blacklist security wall. So the solution is to trust only those that are known, which become part of a whitelist.
This doesn’t mean that PKNIC is not still searching for stronger solutions that will give it more domain flexibility in the future.
It says it is planning to “invite friendly hackers to test drive the security of our systems.” That will involve cash rewards for those successful at finding vulnerabilities for unfriendly hackers do. PKNIC says it will be announcing more details on this “shortly,” but notes that it will be similar to the competitions run by the likes of Google. Google put aside $2 million for hackers who help it troubleshoot its Chrome browser. Recently, a teenager won the top award of $60,000 for discovering an exploit.