DNS service provider ZoneEdit suffers another major catastrophic crash
April 25, 2012
For the second time in less than two months, hundreds of thousands of web sites have been hit by an unexplained outage at DNS services provider ZoneEdit, with users seeing five to six full days of downtime for their email and their web infrastructure.
While the 603,000 customer domains ZoneEdit looks after were all apparently still resolving during the outage, users have been unable to log into their accounts to make updates to their zones since last Friday.
"I have a static IP being changed by my service provider this week," one loyal customer blogged. "With only two days left before the change and potentially 500 to 1000 users being affected, I am left with very tough choices.
"I will give ZoneEdit until tomorrow morning before I find an alternative service or host the DNS myself."
Two days ago, the company's website went offline completely, again without explanation. This morning, however, the site returned and users reported that they could once again log in and use their services.
ZoneEdit, which is owned by the domain name registrar Dotster, has provided updates on Twitter, albeit only once or twice a day and without any insight into what the problem is or how long it will take to resolve.
In its most recent tweet, it states: "We understand the seriousness of this issue and its effect on you. We are truly sorry. We have every person possible working to resolve it, and as fast as possible."
Even with the problem apparently resolved, customers still do not know what happened. Users have also predictably taken to Twitter to vent their frustration, not only regarding the downtime but also about the lack of communication from the company.
Some have even speculated that the website may have been the victim of an external attack, such as a denial of service (DoS) attack.
ZoneEdit has been providing low-cost DNS resolution services since 2000. According to HosterStats, 150,000 domain names use its DNS to make their websites and email work.
The company did not respond to a request for comment. It's not the first time ZoneEdit has had similar issues. About seven weeks ago, ZoneEdit was hit with a similar DoS attack that crippled its DNS services for a number of hours and rendered 500 to 600 websites unavailable.
In other internet security news
Internet hijacking and pirating today isn't just a threat to your bank account or personal computer; it's a serious problem of national security, says Congress, and now it wants to take immediate action while it still can.
To be sure, spies from other countries and organized criminals are already inside virtually every U.S. company's network, and some firms don't even know about it. The U.S. government's top cybersecurity advisors widely agree that cyber criminals and internet terrorists already have the capability to take down the country's critical financial, energy and communications infrastructure.
"The reality is that our current infrastructure is being colonized, whether we like it or not," says Tom Kellerman, former commissioner of President Obama's cyber security council.
"Worse is the fact that governments no longer have a monopoly on this capability, and that's really the frightening element here. There is code out there that puts it in anyone's hands," added Kellerman.
Using the web to take over our infrastructure, turn off our electricity or release dangerous toxins would amount to a full-fledged war against the country or countries who initiated such an action.
Much of America's critical infrastructure is currently owned by businesses. Gaining intelligence on cyber threats, both in advance and after an attack has been launched, requires strong cooperation from companies and, often, from private individuals.
That's why Congress is taking up as many as six different new cyber bills this week that deal with that issue: improving the overall security of our core infrastructure, but without infringing on the privacy of corporations and the people who work in those companies. And it won't be easy, since we all know how sensitive a subject privacy is in the U.S.
There are some key differences between the bills, and lawmakers are furiously trying to merge them together. The bill most policy analysts are focused on right now, and the likeliest to pass, is the Cyber Intelligence Sharing and Protection Act (CISPA), introduced by Representative Mike Rogers, chairman of the House Intelligence Committee.
It passed his committee with strong bipartisan support (a 17-1 vote) in December 2011, and it has more than 100 co-sponsors on both sides of the aisle.
At the bill's core are direct incentives for private businesses that control core, critical infrastructure, particularly in the finance and energy sectors. Those businesses would receive some compelling tax breaks if they share related data with one another and the U.S. government about potential attacks.
There are also rules that would force them to strip out any non-crucial information about customers or business partners before sharing it. A rival Senate bill, sponsored by Senator Joseph Lieberman, would instead mandate information sharing through government regulation.
Not surprisingly, that bill is also supported by President Barack Obama, but most speakers at the conference nevertheless thought it had little chance of passing.
Critics have attacked all six bills both for being too lenient on privacy and for being too rigorous at the same time. The bills have been blasted by both civil liberties organizations and, interestingly, members of the intelligence community.
"All six bills on the Hill are grossly insufficient," said Mike McConnell, formerly President Bush's national intelligence director. "We say we don't want to infringe on privacy rights or burden industry in any way, so the result is we don't do anything."
At a corporate security conference in March, FBI Director Robert Mueller warned attendees: "There are only two types of companies: those that have already been hacked, and those that will be soon."
McConnell thinks it will take a "catastrophic event" to force changes. "We are incredibly vulnerable," he said. "If we don't make our policy makers think about this seriously, we'll be dealing with something like 9/11."
Other countries and organized crime have more and better intelligence on U.S. citizens and businesses than the U.S. government itself does, in McConnell's view. That's a major policy dilemma, and something that all U.S. citizens should take very seriously.
Privacy advocates like the American Civil Liberties Union counter that the Rogers bill would kick off a free-for-all in sharing of customer records. The bill would "create a cybersecurity exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government," the ACLU wrote in a December letter to Rogers and others in Congress.
It added: "We will vigorously oppose this legislation as inconsistent with the long tradition of Americans' reasonable expectations of privacy." Yet other internet security professionals stressed that we have to rethink privacy in a world where hackers have already infiltrated all our systems and know everything about us.
"And let's get real here," said Kellerman. "Let's be honest about this. We have 100,000 Big Brothers. Meanwhile, the United States is fighting this with one hand behind its back. We have been juvenile about the discussion of privacy."
"This is an issue of leadership. If we don't take it seriously, we're going to have a serious attack," added Kellerman.
"We have to change our perspective on what's permissible and what's not," said Colonel Cedric Leighton, a former military intelligence officer with the U.S. Air Force. "It's not a lost cause, but only if we know what we're facing."
The bills aren't perfect, but even opponents of the Rogers bill said something needs to be done, and done fast. "We don't all have to agree on everything to do something," said Howard Schmidt, President Obama's current cybersecurity coordinator.
"We talk about it and talk about it and talk about it, and all we're doing is just admiring the problem. We need the authority to do the things we've been talking about for quite a while," he added.
In other internet security news
Kaspersky Lab security researcher Costin Raiu has discovered yet another new Mac OS X Trojan. Called Backdoor.OSX.SabPub.a, or just SabPub for short, the new malware uses Java exploits to infect a Mac computer, then connects to a remote Web site and waits for instructions, which include taking screenshots of the user's Mac and executing commands.
"The Java exploits appear to be pretty standard, however, and they have been obfuscated using Zelix KlassMaster, a flexible and quite powerful Java obfuscator," said Raiu. "This was obviously done in order to avoid detection from anti-malware products."
Raiu's new discovery comes as Mac users are on high alert over the Flashback Trojan, which reportedly infected over 600,000 Macs globally in the past few weeks. That exploit, which also uses Java, is capable of nabbing user passwords and other information from their Web browser or some applications.
Apple on Friday released a tool designed to remove Flashback from infected computers. Prior to that launch, it was believed that 270,000 Mac desktops were infected with the Trojan, down significantly from its peak.
In a follow-up post on Securelist yesterday, Raiu provided a bit more information on SabPub to help differentiate it from Flashback. He reported that there are at least two SabPub variants in the wild today, including one that dates back to February.
The malware appears to be delivered through targeted attacks, which should limit its ability to spread as widely as Flashback did.
Raiu also reported that the malware appears to be spreading through Word documents that exploit the CVE-2009-0563 security vulnerability related to a stack-based buffer overflow in Office on the Mac.
"The most interesting thing here is the history of the second SabPub variant. In our virus collection, it is named 8958.doc," Raiu said. "This suggests that it was extracted from a Word document or was distributed as a Doc-file."
In other internet security news
The hacktivist and pressure group Anonymous has finally turned its attention to China, claiming to have defaced more than 480 websites over the past few days including several government sites, while urging Chinese hackers to join its cause.
Anonymous began its campaign in China with the launch of its Anonymous-China Twitter account, which seems to have begun tweeting on or about March 30th. In a list posted to PasteBin, the group claims to have defaced close to 500 web sites, including several belonging to regional Chinese government organizations in areas such as Chengdu and Dalian.
In several other separate posts, Anonymous also claims to have hacked and leaked user names, password details, phone numbers and emails from various government sites. All the sites on the list we tried now appear to have been taken down, although the Wall Street Journal managed to take a screen grab showing the following message in English:
"Dear Chinese government, you are not infallible, today websites are hacked, tomorrow it will be your vile regime that will fall. So expect us because we do not forgive, never. What you are doing today to your Great People, tomorrow will be inflicted to you. With no mercy."
According to the WSJ, the message also contained a link to an Anonymous site detailing how Chinese web users can bypass the Great Firewall, although at the time of writing this, the site appears to have been killed, most likely by Chinese government officials.
Not too happy with that, Anonymous also posted another message to PasteBin, urging the Chinese people to revolt. “So, we are writing this message to tell you that you should protest, you should be protesting and who has the skills for hacking and programming and design and other ‘computer things’ come to our IRC,” the note read.
This is the first major Anonymous campaign targeting China, which is somewhat strange given the government’s hardline stance on internet censorship and human rights, two very strong issues guaranteed to get the group's immediate and undivided attention.
To be sure, the hacking of several minor regional government sites is unlikely to cause much consternation at Communist Party headquarters, and the group’s messages on PasteBin and posted on the defaced sites will largely have failed to reach their audience given that they were written in English.
Anonymous seems to be working on the latter issue, however, having sent out a tweet calling for help from would-be translators. Given China’s strict web controls on social media, it’s unlikely that the group will be able to broadcast its message on platforms such as Sina Weibo and Tencent Weibo, so for the time being it’ll have to stick to Twitter, which is banned in China, and to the prospect of defacing even more websites in that country.