Thousands of websites exposed in hack attack
BEN GRUBB AND ASHER MOSES
Thousands of Australian websites are vulnerable to being taken over by hackers following a break-in at Australian domain registrar and web host Distribute.IT, security experts say.
It comes as the hacker group LulzSec followed up yesterday's attack on the CIA's website by today releasing 62,000 email addresses and passwords.
A number of the leaked login details related to .com.au addresses and several government departments and councils.
Distribute.IT was hacked on Saturday in a "deliberate, premeditated and targeted attack", the company said.
Almost an entire week has elapsed since then and the company has still been unable to get its website online, explain what happened or notify customers of any stolen data.
It is unclear exactly how many Australian websites are hosted by Distribute.IT or how many domain names it manages, but Fairfax Media has seen a list of hundreds of customers, and this is understood to be just the tip of the iceberg, with thousands affected.
Complaints have already begun pouring in from affected businesses who are suffering as a result of the break-in.
'Killed my business'
"This new outage has probably killed my business, with over 40 of my clients running a special promotion on the web this weekend that is going to be a total bomb," wrote a user on the Whirlpool forums.
Another wrote: "They've been going down far too often these last few months ... My business can't sustain any more downtime."
Ty Miller, chief technology officer at security firm Pure Hacking, said thousands of Australian websites were vulnerable to having their domain names redirected to malicious sites as a result of the hacking incident.
In addition to this, Miller said, those companies that had their websites hosted on Distribute.IT's servers were vulnerable to every piece of their data being stolen, including databases containing credit card information and usernames and passwords.
"A domain registrar is where you go to buy your domain name and basically they control where your [Domain Name System] server is so if I hacked into Distribute.IT I could hijack potentially thousands of websites by redirecting their DNS to a malicious site rather than the actual site," said Miller.
"The people who are hosted [by Distribute.IT] are also at risk but also their data is at risk as well because they could potentially have their websites defaced and their data in any databases compromised - they can have usernames and passwords stolen."
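The hijack Miller describes leaves a visible trace: the domain's delegation (its NS records) or its address records start pointing somewhere the owner never configured. The following is an added example, not code from the article or from Distribute.IT, of the baseline check a site owner can run to catch that. The domain, nameserver names and IP ranges are made up, and the "observed" snapshots are constructed inline; in practice they would come from a resolver query and from the registrar's own records.

```python
"""Added example: flag signs of a registrar/DNS hijack by comparing a domain's
observed delegation and address records against a recorded baseline.
All names and addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Baseline:
    ns: Set[str]            # nameservers the owner actually configured
    netblocks: List[str]    # address ranges the owner's hosts live in


@dataclass
class DnsSnapshot:
    ns: Set[str]            # NS records as currently published
    a: Set[str]             # A records the domain currently resolves to


def normalize_name(name: str) -> str:
    # DNS names are case-insensitive and may or may not carry a trailing dot.
    return name.strip().lower().rstrip(".")


def check_delegation(baseline: Baseline, observed: DnsSnapshot) -> List[str]:
    """Return a list of findings; an empty list means the records match."""
    findings = []
    expected_ns = {normalize_name(n) for n in baseline.ns}
    observed_ns = {normalize_name(n) for n in observed.ns}
    added = observed_ns - expected_ns       # attacker-introduced nameservers
    removed = expected_ns - observed_ns     # legitimate nameservers dropped
    if added:
        findings.append(f"unexpected nameserver(s): {sorted(added)}")
    if removed:
        findings.append(f"missing nameserver(s): {sorted(removed)}")
    nets = [ipaddress.ip_network(n) for n in baseline.netblocks]
    for addr in sorted(observed.a):
        ip = ipaddress.ip_address(addr)
        # An A record outside every owned range is the redirect Miller describes.
        if not any(ip in net for net in nets):
            findings.append(f"A record {addr} outside owned netblocks")
    return findings


# Constructed sample data (hypothetical names, documentation address ranges).
BASELINE = Baseline(
    ns={"ns1.example-host.net.", "ns2.example-host.net."},
    netblocks=["203.0.113.0/24"],
)
GOOD = DnsSnapshot(
    ns={"NS1.example-host.net", "ns2.example-host.net."},   # case/dot differ only
    a={"203.0.113.10"},
)
HIJACKED = DnsSnapshot(
    ns={"ns1.example-host.net", "ns1.attacker-dns.example"},  # one NS swapped
    a={"198.51.100.7"},                                       # points elsewhere
)

if __name__ == "__main__":
    for label, snap in (("good", GOOD), ("hijacked", HIJACKED)):
        print(label, check_delegation(BASELINE, snap) or ["OK"])
```

Normalising case and the trailing dot matters: without it the "good" snapshot would raise false alarms, and an alerting job that cries wolf gets ignored. Running this on a schedule from a host outside the registrar's network is the cheapest early warning a customer has when the registrar itself is the thing that was compromised.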
Owned by Evil
When the hacker initially broke in, they defaced Distribute.IT's website with the message "OWNED BY EVIL AT EFNET YOU MOTHER flappERS". Evil is the same hacker who recently broke into the University of Sydney's website. In that instance Evil said they had hacked into the university from Brazil for money.
The company said it was "unsure on any data loss" and that its office communications - including phone and email - had been affected. It added that it was "confident of providing authorities with usable information" to try and locate the hacker.
Distribute.IT's phone line went unanswered today and its website now redirects to a blog where the company is updating customers on its progress in investigating the hack.
However, Miller and many others have criticised the company for failing to provide adequate detail, comparing it to Sony waiting a week before informing customers their accounts were exposed in the PlayStation Network attack.
Customers have also been criticising the company on the Whirlpool forums.
"The lack of communication is the biggest drama. I have to face my customers as I do, but they don't tell us what is going on. Inconsiderate pricks, they just throw us to the sharks. I am over it," wrote one.
James Turner, security analyst at IBRS, was more sympathetic towards Distribute.IT.
"Their customers are hurting and so the organisation is trying to use its finite resources to strike a balance between: identifying the full extent of the problems, fixing them, communicating with stakeholders, and ensuring that they are not overlooking anything along the way," he said.
"And they're handling this crisis on top of everything that goes with the normal running of a business."
On Tuesday it said staff were working through all of its computer servers "one-by-one" to check for any problems. It said customers who had dedicated servers "should ensure that all administrative passwords to their servers" were changed.
"Wolfcat", who appeared to be a customer of Distribute.IT, said on the Australian broadband forum Whirlpool on Sunday June 5 that Distribute's email server and web hosting was slow and intermittent. Since then a number of odd outages have occurred on the Distribute network.
"... This is getting ridiculous, Distribute seem to be spending more and more time down, but at least they are spending the same amount of time telling people what is going on... which is none," Wolfcat said.
The last update to Distribute.IT's blog, posted last night, said that most of Distribute's services had been brought back online but that there were still more to do.
"Engineers advise they are down to the final server required to restore normal client domain, SSL, SMS, etc functionality," the company said, referring to customers being able to control their .au domain names as well as being able to complete other functions.
It said it would take between 24 and 48 hours before those services resumed. Data recovery on its shared services - which host many websites - was "continuing". "This is also a very long and complicated process and we are unable to give a definitive ETA".
A "large number" of customers who managed their own dedicated computer servers hosted at the company were now "fully operational", it said, "although we do note there are a couple that are still experiencing some issues".
Highlights risks of the cloud
Miller said that companies were rushing to put all of their information into the internet "cloud" without understanding that by connecting their databases to the internet they were exposing themselves to risks of serious attacks.
"If you're hosting your system in the same location as a random forum that's not being managed properly, if that forum gets hacked then that provides the attacker with a pretty good foothold to start hacking all of the other systems hosted at that hosting provider," he said.
Separately, in the email login details dump released by LulzSec overnight, both Australian personal email account details and a number of government addresses were exposed. These accounts included AusAID, the Victorian Department of Childhood and Early Education, Emergency Services Telecommunications Authority in Victoria and several local councils in NSW and Victoria.
A number of Australian university email logins were also exposed.
Alastair MacGibbon, a former Australian Federal Police cyber crime officer who now runs his own security consultancy, said the series of attacks by LulzSec highlighted that people and corporations needed to pay far more attention to their responsibilities around protecting personal information.
But he warned against glorifying the group and rejected LulzSec's justifications that it was hacking companies for "fun" and to draw attention to poor security.
"If the pickpocket says yeah I did it for fun what would you say to them? There is no doubt that what they and all the other compromises show is that we have a lot of room for improvement, but you don't thank the people who are breaking the law as part of that process and you certainly don't celebrate those people," MacGibbon said.
"The people they're harming by releasing this information isn't the big corporations - they're harming the people whose details they're actually putting online."
Are all systems vulnerable?
Some have suggested that the recent hack attacks prove that there is no security and that all systems are vulnerable. MacGibbon and Miller disagreed with this to an extent.
"There are hundreds of millions, billions of connected computers; of course they're going to find vulnerabilities in that. I don't think it shows the whole system is dead," said MacGibbon.
Miller said that LulzSec were exploiting flaws in software for which no patch yet existed - known as zero-days, or 0days - and there was often little companies could do to prevent these from being exploited.
"It doesn't mean the security industry is a farce ... you can be secure it's just that there's always going to be a way around it," he said.
- Sydney Morning Herald