How to keep out the DNS Hijackers

16th April 2019

Cath Goulding

Cath Goulding

If we needed further evidence of the importance of monitoring and securing the Domain Name Systems (DNS) of our businesses and infrastructure, it has now arrived. In the past few weeks there has been international alarm over a campaign of DNS hijacking that strongly appears to be state-sponsored. International infrastructure has been targeted, and the world’s top cyber security professionals are now trying to gather intelligence to better understand this alarming threat – and ensure we are protected against it.

DNS hijacking is not a new threat vector. It refers to the practice of ‘hijacking’ the DNS to intercept the data that passes between user and nameserver. It has been used previously to spread political messages – for example, eBay and Paypal were hijacked by the ‘Syrian Electronic Army’ for ‘denying Syrian citizens the ability to purchase online products’. It can also be an effective way for criminals to gather credentials from sites such as eBay; the criminal redirects the request to an almost-identical website and observes as users enter account names and passwords.

The most worrying incident of DNS hijacking in recent years was against a Brazilian bank in 2017, and extraordinary for its sophistication. The criminals redirected well-meaning customers to a website that looked identical to their bank, complete with SSL certification to ‘validate’ the security of the site. The criminals maintained control of the banking sites for five to six hours researchers now believe, and the cost of the damage is still unknown. The world was shaken – and so we are again.

Both the US and UK Governments have put out warnings over the current spate of DNS hijacking activity amid concern that this attack vector is now becoming a weapon in the arsenal of cyber warfare. The National Cyber Security Centre has confirmed it is currently investigating but has reassured that there are no compromised entities in the UK. We are working with NCSC in their investigations and can echo their reassurance.

The main body of targets appear to have been in the Middle East, but that doesn’t mean the spotlight won’t shift in time. This alarm gives us an impetus to pay more attention to the security of the DNS on which we rely, and to be reminded of the different, ingenious ways criminals can intercept data and hack systems.

Reassuringly, there are steps we can take to make DNS hijacking almost impossible. Following attempts on Nominet’s systems a number of years ago, we promptly implemented two factor authentication (2FA) across our systems and Domain Lock for our registrars.

While 2FA helps verify authenticity, Domain Lock is a tool by which registrars can literally ‘lock’ domains so that no changes can be made without thorough authentication of the domain name owner via 2FA. We have seen no activity since the introduction of these tools but will be using the current noise about DNS hijacking to remind any registrars not already signed up of best practice. Unfortunately, 2FA can be unpopular because it ‘slows down’ authentication. I imagine similar feelings were expressed when seatbelts were first made a legal requirement, but then they started saving lives and we rearranged our priorities. It’s time to do the same in regards cyber security.

And it is not just for registrars, businesses and Government to worry about the security – or vulnerability – of the DNS. Consumers also must take more care, especially as recent reports show that criminals are hijacking home routers as a means of getting into corporate systems. The rise in home working allows for access to remote organisations via home routers, and both companies and their employees need to make sure they are taking the proper precautions, using a VPN to add 2FA whenever staff are working outside the office.

The ubiquity of technology is dulling too many to the threats and risks that lurk online. This current alarm over DNS hijacking is a heady reminder of the importance of the DNS, both for the good guys and the bad. We must ensure we are all taking the necessary steps to keep ourselves, our businesses and our nations safe.

Find out more about Nominet’s Cyber Security Services. Read about Cath’s career in cyber security in her blog.