belgian and dutch dns webservers under attack

on the 9th of july the webservers of both the belgian .be and the dutch .nl operators were attacked, without any certainty (at least publicly) that the two attacks were linked

at first sight the attack on the webserver of the belgian operator dns (which is responsible for the operation of the .be extension) seems to be just a defacement, and dns said that they had taken all the necessary steps, which for one means resetting the site to the clean code that was kept elsewhere. but the main problem is the security problem itself: they were using PHP, and given the defacement one can suppose there was a mistake or an unpatched security hole somewhere, even in a library. restoring the code only makes sure that there are no other backdoors or code that has been changed somewhere; one always needs to find the security problem as well as restoring a clean copy, before the hacker revisits the site and re-uses the same security hole, even if the next visit leaves no defacement
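the point above, that a restore is only worth something if you also check what the intruder left behind, can be made concrete by comparing the deployed webroot against the clean copy kept elsewhere. the script below is an added example and not code from dns or from the original post; it assumes the clean copy is available as a plain directory, and it builds its own constructed sample trees (a defaced index.php and one unexpected extra file) so it runs offline:

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = hash_file(p)
    return result


def compare(clean: dict[str, str], deployed: dict[str, str]) -> dict[str, list[str]]:
    """Report files that exist only on the server (possible backdoors), files the
    server is missing, and files whose content differs from the clean copy."""
    added = sorted(set(deployed) - set(clean))
    removed = sorted(set(clean) - set(deployed))
    modified = sorted(p for p in clean.keys() & deployed.keys() if clean[p] != deployed[p])
    return {"added": added, "removed": removed, "modified": modified}


def build_demo() -> tuple[Path, Path]:
    """Constructed sample data: a clean reference tree and a deployed tree in
    which index.php was defaced and an extra file was dropped into lib/."""
    base = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    clean = base / "clean"
    deployed = base / "deployed"
    for root in (clean, deployed):
        (root / "lib").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'welcome'; ?>\n")
        (root / "lib" / "db.php").write_text("<?php // db helper ?>\n")
    # what the constructed intruder leaves behind
    (deployed / "index.php").write_text("<?php echo 'defaced'; ?>\n")
    (deployed / "lib" / "cache.php").write_text("<?php // unexpected extra file ?>\n")
    return clean, deployed


def demo_report() -> dict[str, list[str]]:
    clean, deployed = build_demo()
    return compare(snapshot(clean), snapshot(deployed))


if __name__ == "__main__":
    for kind, paths in demo_report().items():
        for p in paths:
            print(f"{kind:8} {p}")
```

run against a real site, point snapshot() at the clean copy and at the live webroot (or a copy of it taken before the restore); every entry under "added" and "modified" is something the restore would otherwise have silently overwritten without anyone asking how it got there.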

the dutch operator of .NL was less lucky, because the hackers could go a lot further: they placed malware on the server and stole enough authentication credentials to oblige the operator to change the passwords of all its users and resellers

but they should remember, just as the resellers of ssl certificates should, that any mistake in their code or webservices will be used against them without much hesitation and may have serious reputation and security repercussions. this means in fact that less is better (less complexity and less code to control) and that marketing and operational websites should be strictly separated

they could start by putting in place a vulnerability watcher application and a WAF to stop the attacks

they could also test their sites with metasploit and let a real penetration tester do some real tests

before somebody with even more experience and tools than the defacer takes his time and uses the same negligence to go slowly from part to part of the network until they get to the business jewels

oh, they will say, that will never happen. no, but the first signal has been sent out: that you could be hacked and maybe penetrated, and hackers don't need to know more
