Re: [dane] domain hijacking

"Ken O'Driscoll" <ken@wemonitoremail.com> Wed, 12 April 2017 19:53 UTC

Message-ID: <1492026764.4157.21.camel@wemonitoremail.com>
From: "Ken O'Driscoll" <ken@wemonitoremail.com>
To: dane@ietf.org
Date: Wed, 12 Apr 2017 20:52:44 +0100
In-Reply-To: <CAAFsWK35neS7t_ZXHiTgSuc4wU4dWzEdAxFCzK+k11drvcOOkA@mail.gmail.com>
References: <CAAFsWK35neS7t_ZXHiTgSuc4wU4dWzEdAxFCzK+k11drvcOOkA@mail.gmail.com>
Organization: We Monitor Email
Archived-At: <https://mailarchive.ietf.org/arch/msg/dane/tFAusIVSy6GstMUIsvugkx5Jtzg>

On Wed, 2017-04-12 at 11:50 -0700, Wei Chuang wrote:
> Hi dane folks,
> 
> There recently was an article in Wired about how a banking site was
> domain hijacked:
> https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/
> via a DNS registry account hijacking.  I was wondering if DNSSEC can
> protect against such hijackings (and thereby protect DANE records).
[...snip...]

Hi Wei,

My first post to this list!

My understanding of that incident is that the attackers compromised the .br registry and from there reassigned the nameservers, thus redirecting traffic to their rogue server.

DANE or indeed DNSSEC isn't intended to prevent that type of attack, where the attacker has complete control of the domain name at a registry level, including the ability to change NS records and delete DS records. Essentially, in such cases the attacker follows the same procedure the legitimate registrant would follow to disable DNSSEC while changing nameservers.

There are other technologies and strategies available to mitigate the risk of such attacks, but if the registry is compromised then DNSSEC etc. can just be disabled so any scheme involving re-signing DS records can be overcome.

Ken.
-- 
Ken O'Driscoll / We Monitor Email
t: +353 1 254 9400 | w: www.wemonitoremail.com
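A defender-side check that follows from the point above, added here as an example and not part of the thread: it compares the NS and DS records served by the parent zone against a stored baseline, so that a delegation whose DS records have been deleted (the "disable DNSSEC while changing nameservers" case) is flagged rather than silently accepted, and it verifies each remaining DS against the child zone's DNSKEYs using the RFC 4034 digest and key-tag rules. The sample records and key bytes are constructed; fetching the live records from the parent's authoritative servers is assumed to happen elsewhere.

```python
import base64
import hashlib

# Constructed sample: a KSK for example.com (algorithm 13, ECDSAP256SHA256).
# The public key bytes are arbitrary filler, not a real key.
OWNER = "example.com."
SAMPLE_KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())

def wire_name(name):
    """Owner name in canonical (lowercase) wire format, RFC 4034 section 6.2."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag for algorithms other than RSA/MD5, RFC 4034 Appendix B."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """DS RDATA (key tag, algorithm, digest type 2, SHA-256 hex), RFC 4034 section 5.1.4."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def check_delegation(owner, baseline, observed, child_dnskeys):
    """Compare the parent-side delegation {"ns": set, "ds": set of DS tuples}
    against a stored baseline and verify each DS against the child's DNSKEYs.
    Returns a list of findings; empty means nothing changed or broke."""
    findings = []
    if observed["ns"] != baseline["ns"]:
        findings.append("NS set changed")
    if baseline["ds"] and not observed["ds"]:
        findings.append("DS records removed: delegation is now unsigned")
    elif observed["ds"] != baseline["ds"]:
        findings.append("DS set changed")
    valid = {ds_from_dnskey(owner, *key) for key in child_dnskeys}
    for ds in sorted(observed["ds"] - valid):
        findings.append(f"DS tag {ds[0]} matches no DNSKEY in the child zone")
    return findings

if __name__ == "__main__":
    base = {"ns": {"ns1.example.net.", "ns2.example.net."},
            "ds": {ds_from_dnskey(OWNER, *SAMPLE_KSK)}}
    # The scenario in the thread: nameservers reassigned and DS deleted at the parent.
    hijacked = {"ns": {"ns1.other.example."}, "ds": set()}
    print(check_delegation(OWNER, base, hijacked, []))
```

Such a monitor only detects the change after the fact; it does not stop it, which is the point of the reply, so the alert needs to reach someone who can act at the registrar.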