Security firm gets punk'd: Could it happen to you?

Over Thanksgiving the Secunia.com site was defaced using a DNS hijacking technique that's simple and effective

When a security software vendor's site gets hijacked, you have to wonder who is safe -- and how it happened.

Here's the story. Last Thursday, people venturing to the main website of renowned security firm Secunia saw a strange defacement. Secunia.com sported a main page entitled "Hacked by TurkGuvenligi" with a graphic headed "Is?ms?z Kahramanlar Sunar..." (which is Turkish for "Anonymous Heroes Presents") and an image labeled "TurkGuvenligi Gel Babana" (Turkish for "TurkGuvenligi Come to Your Father"). TurkGuvenligi -- or someone using the name -- has been defacing sites for almost two years.

The defacement lasted about 70 minutes, according to the Secunia blog, before Secunia could get links to its main site back to normal, although the effects persisted for a couple of hours.

As with the Kaspersky download site hack six months ago, one of the pre-eminent security software companies got caught with its defenses down. While the Kaspersky attack used a SQL injection technique, this Secunia attack used something far more pernicious. Somebody apparently figured out how to get into the Secunia account with DirectNIC, Secunia's domain registrar, and simply changed the IP address for Secunia.com.

It's important to realize that this defacement didn't compromise Corporate Software Inspector or Personal System Inspector, Secunia's well-known software packages that scan PCs and report on applications that don't have the latest security patches. CSI and PSI work on a completely separate server, not associated with the company's Secunia.com main page. CSI and PSI use an HTTPS secure connection with a validated security certificate, and according to RC Primak on the AskWoody blog, Secunia has assured him "there are other levels of validation."

Nobody's released full details yet -- it's not at all clear we'll ever know exactly how it happened -- but here's what we know for sure.

Secunia.com is located at IP address 213.150.41.226. SANS Internet Storm Center reports the defaced site was at 81.95.49.32. According to a comment on the Secunia site, it looks like the IP address was switched about 23:40 UTC Wednesday night, and switched back about 01:50 UTC on Thursday morning. Because it can take upward of two hours to propagate a DNS entry change, the defacement appeared in different locations at different times.

Secunia's blog says, "We've been working with our registrar provider, DirectNIC, to identify the cause of the incident, during which we've learned that some other DirectNIC customers were affected by yesterdays attack and they all suffered a temporary redirection of traffic."

Thus, it appears as if TurkGuvenligi found a way to change DirectNIC's registration records for several sites late Wednesday night. I don't see any evidence of a high-tech hack, although it's possible DirectNIC's system was cracked electronically. Far more likely, statistically, is that TurkGuvenligi succeeded in a low-tech or social engineering approach. He may have simply talked his way into the system.

While all signs point to a simple defacement, there's a chance other, more dangerous things could've happened. In that 70-minute window, TurkGuvenligi owned the domain Secunia.com. Among other problems, email directed to anything @secunia.com went to TurkGuvenligi's mail server. It isn't hard to come up with several scenarios where that hijacking could haunt Secunia for years to come.

The bottom line: Know your domain registrar. Their problems are your problems.

This article, "Security firm gets punk'd: Could it happen to you?," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Join the discussion
Be the first to comment on this article. Our Commenting Policies