The Internet Corporation for Assigned Names and Numbers (ICANN) was targeted circa Thanksgiving 2014, and it took a month for experts to reveal the weak point: employee credentials. This revelation follows on the heels of the government’s unveiling of details on how agencies approve changes to the root zones of the internet—via ICANN. For domains deemed “top level” by the government, nameserver network address changes come from ICANN secure emails. The connection between scores of US government agencies and ICANN means that root zone records may have been accessed by the hackers. This is just one of many hosting nightmares to be reported in 2014.
According to media reports, the hackers crafted emails that looked like typical ICANN communication. These types of phishing emails usually link to a faux website where users happily type in passwords and usernames, assuming the site is legitimate. Both ICANN and government agencies have kept mum (so far), but it’s very possible that a number of employees accidentally “gave” hackers email access by this route.
Could This Have Been Prevented?
Unfortunately, something as simple as better security and two-factor authentication could have stopped this attack and many other connectivity issues reported around the world. However, two-factor processes aren’t foolproof according to The Next Web and other experts. While the benefit of multi-factor authentication has been highly recommended and is buzzing in tech circles, it’s (clearly) still not in effect—even in the most critical of agencies. In fact, a lack of two-factor (or more) authentication has been blamed for a bevy of 2014 breaches, such as those outlined by CU Times. This is becoming more and more troublesome as workers are using personal mobile devices to get into company networks (a side effect of the virtual office).
With the ICANN attack, administrative access was granted for Centralized Zone Data System (CZDS) files. These files had data that included IP addresses for servers, domain names, server names, emails, passwords, names, phone numbers and addresses. Basically anything that may have been entered or saved by employees has been potentially accessed by the hacker(s).
ICANN Haz Security…
According to ICANN, all passwords have been deactivated and they’ve urged “users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password.” However, depending on potentially thousands of employees to follow this protocol is a poor fix. It’s also been reported that the ICANN blog, WHOIS and Wiki were accessed as well. So far, nothing major has happened with WHOIS or the blog, although on the Wiki the hackers viewed a single person’s profile as well as the members-only index.
In early 2014, there were new security strategies put in place by ICANN, and it’s been reported that those have helped to minimize the breach. Back in April 2014, there was an issue with the system that led to admin access being granted to users. Following the recent November 2014 attack, ICANN says they’ve added even more security—but haven’t offered more information than that.
ICANN says, “We are providing information about this incident publicly, not just because of our commitment to openness and transparency, but also because sharing of cybersecurity information helps all involved assess threats to their system.” Of course, that doesn’t guarantee there won’t be another breach or issue.
There are many ways to keep your site secure, starting with selecting a reputable web host. There’s a lot you can do on your end—but only so much. Your web host also needs to prioritize security and be transparent when it comes to their systems, security and POA should an attack occur.