Teenage hackers temporarily hijacked and defaced several Comcast Web sites and redirected user e-mail in an exploit that appears to expose fundamental weaknesses in the Internet's Domain Name System. The hackers, known as Defiant and EBK, apparently used "social engineering" -- persuading insiders to hand over account information -- to break into Comcast's account at domain registrar Network Solutions.
Comcast.net -- Comcast's main Web site -- was down for more than two hours, sporting a pink-on-white message that "KYROGENIX Defiant and EBK RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven."
In addition, the WHOIS database of domain ownership spewed out a stream of obscenities when queried for information on Comcast sites.
Andrew Storms, director of security operations at nCircle Network Security, explained the nature of the exploit in an e-mail. "While we haven't seen all the details on exactly what did transpire, more than likely the hackers performed what would be considered a well-known and understood attack called domain hijacking," Storms said.
"The persons who maintain control over the centrally housed domain-name information with a registrar have the ability to control the DNS information for that domain. Once you have control over DNS, it's quite simple to propagate information into the Internet, telling computers where a Web site can be found."
In essence, the hackers could reroute the proper IP address for comcast.net to some other IP address -- and every time Comcast corrected the information, the hackers were able to reroute the domain.
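As an added example (not code from the article, Comcast or nCircle), a small Python monitor that pins a domain's expected delegation, apex records and registrar lock status and flags the drift a registrar-account hijack produces, counting each re-hijack after a correction as a separate episode; every name, address, timestamp and status value below is a constructed placeholder.

```python
# Added example (not from the article): compare a domain's delegation, apex
# records and registrar locks against a pinned baseline. All values constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    observed_at: str     # when the DNS/WHOIS lookup was taken
    ns: frozenset        # name servers the registry delegates to
    a: frozenset         # A records for the domain apex
    statuses: frozenset  # EPP status codes reported by WHOIS

# Baseline pinned after verifying it out of band (constructed placeholder values).
BASELINE_NS = frozenset({"ns1.isp.example", "ns2.isp.example"})
BASELINE_A = frozenset({"192.0.2.10"})
# Registrar locks that must be present; they block silent updates and transfers.
REQUIRED_LOCKS = frozenset({"clientTransferProhibited", "clientUpdateProhibited"})

def check_snapshot(snap):
    """Return alert strings for anything that deviates from the baseline."""
    alerts = []
    if snap.ns != BASELINE_NS:
        alerts.append(f"{snap.observed_at}: NS changed to {sorted(snap.ns)}")
    if snap.a != BASELINE_A:
        alerts.append(f"{snap.observed_at}: A changed to {sorted(snap.a)}")
    missing = REQUIRED_LOCKS - snap.statuses
    if missing:
        alerts.append(f"{snap.observed_at}: registrar lock missing {sorted(missing)}")
    return alerts

def hijack_episodes(snapshots):
    """Count transitions from a clean to a deviated state: each one is a (re)hijack,
    even when the owner corrected the records in between."""
    episodes, was_clean = 0, True
    for snap in snapshots:
        clean = not check_snapshot(snap)
        if was_clean and not clean:
            episodes += 1
        was_clean = clean
    return episodes

# Constructed timeline: clean, hijacked, corrected by the owner, hijacked again.
HIJACKED_NS, HIJACKED_A = frozenset({"ns.attacker.example"}), frozenset({"203.0.113.5"})
TIMELINE = [
    Snapshot("t0", BASELINE_NS, BASELINE_A, REQUIRED_LOCKS),
    Snapshot("t1", HIJACKED_NS, HIJACKED_A, frozenset()),
    Snapshot("t2", BASELINE_NS, BASELINE_A, REQUIRED_LOCKS),
    Snapshot("t3", HIJACKED_NS, HIJACKED_A, frozenset()),
]
```

Run `hijack_episodes(TIMELINE)` against snapshots taken on a schedule; a real deployment would fill each `Snapshot` from live NS/A lookups and a WHOIS query rather than from the constructed timeline.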
It doesn't appear that the hackers did much more than deface Comcast's Web site and interrupt users' access to e-mail. With the level of control they had, "they could have done a lot worse," Storms said. "Instead of displaying a defacement, they could have just as easily used their control to set up a fake Webmail site to capture login information or launch phishing attacks."
In an interview with Wired's Threat Level blog, the hackers expressed fear that what may have been intended as a stunt to prove their hacking prowess could land them in trouble. "The situation has kind of blown up here, a lot bigger than I thought it would," 19-year-old Defiant told writer Kevin Poulsen. "I wish I was a minor right now, because this is going to be really bad."
The hackers said they exploited a flaw at Network Solutions, but the registrar denies any lapse. "We now know that it was nothing on our end," spokesperson Susan Wade said. "There was no breach in our system or social-engineering situation on our end."
According to Wired, Defiant and EBK managed to get control of more than 200 Comcast domains. They said that when they initially broke in, they called the Comcast employee listed as technical contact at home to tell him what they had done. When he hung up on them, they started redirecting Comcast domains to servers under their control. They said they went through more than 50 servers in a matter of hours. "You know how hard it is to find hosting handling that kind of traffic?" EBK asked Wired. "The first one went in two minutes."
The hackers denied speculation that the hack was retribution for Comcast's blocking of BitTorrent traffic. "I'm sure they hate us, too," said Defiant. "Comcast is just a huge corporation and we wanted to take them out, and we did."