Whose fault is it?
by Vijandren Ramadass   
Thursday, 17 April 2008 01:07 PM

We've been getting a number of comments and emails questioning our recent article on UiTM's website being 'defaced' over the weekend, so we've decided to clear up our stand on it. We believe we knew exactly what happened, but chose not to disclose it, as it might cause more havoc if others attempted to exploit the loophole.
 
We say loophole, and not vulnerability, because the actual servers were not compromised. A lot of the comments we received blamed MYNIC for the attack, as the DNS records for the domain were mysteriously pointing to the defaced page. Granted that the UiTM servers are said to be super secure, the blame had to lie elsewhere.
 
Well, DNS poisoning it was indeed, as mentioned in a number of blogs. However, the fault lay solely with UiTM, as it was their DNS servers that were responding to open recursive requests.

 
DNS poisoning has been around since the 90s, but not until recently has it been used to redirect users in a malicious way. While this attack might have been more of a "see what I can do" than an "I want to steal your credit card information" type of attack, it's time for site administrators to start closing up their DNS servers before someone decides to poison them. TechWorld estimates that there are about 17 million DNS servers around the world vulnerable to DNS poisoning.
 
At the time of writing, UiTM's DNS servers are still listening to open queries.
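The article's advice is to stop your DNS servers from answering recursive queries from arbitrary clients. The check an administrator wants is a quick way to tell, from outside, whether a server still offers recursion. The following is an added example, not code from the article or from UiTM; it builds a minimal DNS query with the RD (recursion desired) bit set, sends it to a server you administer, and reads the RA (recursion available) bit and RCODE from the reply. The server address, the query name and the sample responses at the bottom are all constructed for the example.

```python
import socket
import struct
import sys

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by the server)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def build_query(qname, qid, rd=True):
    """Build a minimal A/IN query. RD=1 asks the server to recurse for us."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.strip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields the check needs."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def classify(response, expected_id):
    """Interpret a reply to an RD=1 query for a name the server is not authoritative for."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "unexpected"          # not a reply to our query; ignore it
    if h["rcode"] == RCODE_REFUSED:
        return "refused"             # properly closed: server refuses outside recursion
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open-recursive"      # it recursed for us and returned an answer
    if h["ra"]:
        return "recursion-offered"   # RA set but no answer this time; still worth fixing
    return "closed"                  # RA clear: recursion not offered to this client


def probe(server, qname="www.example.com", timeout=3.0):
    """Send one recursive query to `server` (an address you administer) and classify the reply."""
    qid = 0x4D59
    query = build_query(qname, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify(response, qid)


def make_response(qid, flags, ancount):
    """Constructed sample reply (header only) used to exercise classify() offline."""
    return struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        # Offline demonstration on constructed replies
        print("open  :", classify(make_response(0x4D59, 0x8180, 1), 0x4D59))
        print("refuse:", classify(make_response(0x4D59, 0x8105, 0), 0x4D59))
        print("closed:", classify(make_response(0x4D59, 0x8100, 0), 0x4D59))
```

Run it with the address of one of your own name servers as the argument; "open-recursive" or "recursion-offered" means the server will recurse for anyone, which is the condition the article describes. On BIND 9 the fix is either `recursion no;` for a purely authoritative server, or `allow-recursion { localhost; localnets; };` (together with a matching `allow-query-cache`) so that only your own networks get recursive service; the same query then comes back with RA clear or as REFUSED.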
 
Comments

Name: Ben Harper Comment:
I wonder how UiTM could shamelessly claim to be a world-class university when it does not even figure in the list of 200 best universities in the world... And all engineers from UiTM I encountered in my professional life are totally half-baked...
Posted: 2008-05-11 18:37:24

Name: anonymous Comment:
Anyway, if UITM is sincere, they should lodge/escalate this case to MYCERT, and let the expert come out with the findings.
Posted: 2008-04-24 08:37:05

Name: Kaz Comment:
Well, I'm not trying to take sides here, but I do agree with kucau on the social engineering attack on MYNIC's side of the story. It's dumb, but it has happened before with the company that I work with. A mere phone call from the company was enough for us to solicit information from them. Their argument at that time was that we were calling from the registered phone number list for the said account. But what if any employee or anyone that has access to the phone system was calling for the information? See the problem there?

I also agree that the changing of IP address takes time (almost 1 week for us), but it does not rule that VR made a mistake by posting the story. Sure, some of the remarks are one-sided, but there are lessons to be learned here, and only if the story is published can we pinpoint the weak link in the system.
Posted: 2008-04-21 11:24:31

Name: Sylar Comment:
I understand what kucau said, as I experienced the same kind of circumstances not long ago, and we already made a report to http://www.mycert.org.my to let them investigate.
Posted: 2008-04-21 09:40:42

Name: neurra Comment:
isn't the title supposed to be "Whose fault is it?"?

ED: Oops, back to grammar school it is for me. Thanks for pointing it out!
Posted: 2008-04-18 19:14:40

Name: siah Comment:
kucau, are you one of the admins in UiTM? Or maybe one of the staff in UiTM?

Am just curious because of the way you commented. You seemed to be pretty firm in your information on the incident, plus a bit too worked up with VR's post.

Sorry if my question offended you. Am just passing by.

*run*
Posted: 2008-04-18 11:59:46

Name: kucau Comment:
Hi VR,

Rumor has it that the attacker was only using his social engineering skills to alter the whois database on the Mynic server. The attacker called up Mynic to change UiTM's MYNIC whois domain name record by pretending he is one of the UiTM network admins. Mynic's personnel however did not verify his identity and obeyed his "order". Smart!
If you did a whois for the uitm domain on the 13th of April, the primary and secondary NS for UiTM were respectively changed to dns1.000webhost.com (64.22.110.162) and dns2.000webhost.com (75.126.210.153).

Now VR, please tell me how this open recursive request may contribute to this attack, when the fault solely lies with Mynic?
Let me quote your post about the "defacement":

"But if you're a "World Class University", defacements like this should not happen, and should they happen, someone should at least look into it before some future graduate accidentally stumbles on the page and gets brain washed (pun intended)."

A lil bird told me drastic measures were taken by UiTM admins and the record on Mynic was reverted back ASAP. But, you should know an update on the IP will take some time.

Now tell me VR how the hell this world class university can prevent this attack when they have no control over this kind of attack? Your words were misleading and defamatory. If I were you, I would sincerely apologize rather than putting blame on the "open recursive request".

VR: While it is entirely possible, it's hard for us to run stories based on little bird speak.

1. We did check the whois for the domain as soon as we received the email. It all seemed very normal as it was pointing to UiTM's servers.

2. However, when queried, we were getting mixed responses. I can agree with you that the UiTM admins might have fixed the records before we saw it, but based on the details available, we had to rule out that the MYNIC data was messed with.

3. Going back to the MYNIC argument, we really have no idea if indeed they were lax in releasing the information to a person who claimed to be a staff. I would think that it is unprecedented and foolish if that had happened. Considering that MYNIC has everything from phone numbers of the listed contacts to an automated password recovery system, there is very little need for them to be resetting the password on a request over the phone without double checking the credentials of the caller. But unless there is solid evidence to back this up, it's not right to speculate on it.

As I mentioned earlier, there are a lot of blanks that we do not want to speculate on. We ran the story based on the details we had on hand, and should we receive any concrete details that prove our initial conclusions wrong, we'll be more than glad to publish an apology.

We publish stories to induce awareness, not just for the sake of making someone look bad.
Posted: 2008-04-17 23:48:01
Homepage: http://www.kucau.net
