Saturday, May 31, 2008

Comcast: A chain is only as strong...

| Armando Romeo |

What happened to Comcast few days ago made me think a lot.
They have been hijacked through dns, their site defaced
and they still don't know if the hackers have played something more elite before leaving the ugly message on the second biggest US ISP home page.

There's a really interesting blog post about the interview released by one of the two hackers known as Defiant and EBK.

I slept in my clothes, because the last time they came, I was in my underwear with my dong hanging out and shit

Their identity has been almost immediately discovered and they will probably have not a good summer.

Beside that, what is most interesting into this hack is that the vulnerability is not to blame to Comcast but to the Comcast's domain management console at Network Solutions.

So a completely different server under a completely different administrative domain.

This kind of hack is not new.
Domain hijacking is no more a last resort for hackers.
Above all for secured websites. It happened to hackerscenter and zone-h. (Yes sigh, audit your hosting panels before you hit Order button)

Domain registrar panels have vulnerabilities.
Hosting company's billing panels have vulnerabilities.
And these can be mount point for attacks to Hijacking DNS or gaining full access to the website server.

But, when I read about this story, I started wondering.
What happened if, instead of Comcast, they hacked a big merchant/retailer website?
Easily enough they could have collected some hundreds (if not more) of credit cards in few hours.
Comcast hijacking lasted only few hours (2 says Comcast), just because they called domain technical contact on the phone warning him about the ownage.

Next question is: considering the happenings above, is PCI certification still valuable for customers to measure a merchant safety level?
Probably not or not completely, and PCI is not to blame for this.

PCI compliance is pushing merchant websites security upwards, but there's no
way, no WAF or code review that can secure a website from attacks held through other administrative domains.

A chain is only as strong as its weakest link.
And the weakest link is not in our hands.
That's what we can learn from Comcast story.

Free Security Magazines