The Internet Corp. for Assigned Names and Numbers (ICANN) has been hacked. The nonprofit organization that manages several databases of domain names is investigating a system intrusion that compromised its domain name servers.
ICANN described what it classified as a spear phishing attack that started in late November. Norton defines spear phishing as e-mail that appears to be from an individual or business that you know but is really from criminal hackers who want to steal your credit card or bank account numbers, passwords, and financial information.
"It involved e-mail messages that were crafted to appear to come from our own domain being sent to members of our staff," ICANN said. "The attack resulted in the compromise of the e-mail credentials of several ICANN staff members."
What Was Compromised?
ICANN said it discovered early this month that the compromised credentials were used to access other ICANN systems besides e-mail. Specifically, hackers infiltrated the Centralized Zone Data System (CZDS), which provides a centralized access point for interested parties to request access to the Zone Files provided by participating Top Level Domains. Zone files contain data describing a portion of the domain name space for specific top-level domains.
"The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password," ICANN said.
"Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised."
Hackers also found a way into the ICANN Governmental Advisory Committee Wiki. The committee provides advice to ICANN on issues of public policy, especially where there may be an interaction between ICANN's activities or policies and national laws or international agreements. Finally, ICANN reported unauthorized access to user accounts on two other systems, the ICANN Blog and the ICANN WHOIS (whois.icann.org) information portal.
Could Have Been Worse
We caught up with Tyler Reguly, manager of security research at Tripwire, to get his thoughts on the attack. He told us it's a great reminder that spear phishing is a serious issue and targeted attacks are quite common. With the holidays upon us and more e-mail spam, tracking and delivery notifications, and invoices appearing in our mailboxes due to increases in online shopping, he said we need to be hyper-vigilant about what we click.
"While any breach should be considered serious, the breach at ICANN is not as bad as it could have been. All user passwords have been reset, and should the attackers act on the stolen salted hashes, hopefully users will not have reused passwords from other Web sites," Reguly said.
"It is, of course, advisable that users of the Centralized Zone Data System reset their passwords if they were reused elsewhere. While the zone file copies contain useful information, much of that information will be available via other means, limiting the impact that any data exfiltration may have."