Lessons from Puerto Rico TLD attack | Internet News

Written By
Alex Goldman
May 6, 2009

It’s likely that we’ll never know how hackers managed to redirect so many Web sites in the Puerto Rico TLD, .pr. Some guess that they exploited a site vulnerability, but we don’t know, and the press inquiry e-mail address for the Puerto Rico NIC is still down: e-mails to press@nic.pr continue to result in delivery failure.

It appears that the hackers were not trying to steal information. They seem to have been site defacers hoping to gain attention. The hackers now call themselves the Peace Crew but used to call themselves the Terrorist Crew and post messages like “Free Palestine” on hacked websites. They may be Turkish.

“This attack vector is not new. The hackers did not exploit a vulnerability in the DNS itself, but it appears to have been an exploit targeting an SQL injection vulnerability in the domain registrar’s site,” said Symantec Security Response in an e-mail to InternetNews.com.

“This is exactly what happened to CheckFree.com back in December,” added Paul Ferguson, Trend Micro’s senior threat researcher. Even the most sophisticated companies have proved vulnerable to this attack.

While some are calling for DNSSEC to be implemented in Puerto Rico, that would not solve this problem — and it’s not possible either. “While DNSSEC has been deployed on top-level domains operated by Sweden, Puerto Rico, Bulgaria, Brazil and the Czech Republic, VeriSign will support it in 2011,” the Web site of Puerto Rico’s NIC says.

“Without a doubt we will see similar attacks in the future. While this attack has been used several times in the past, it has not been commonly used on domain registrars,” said Symantec Security Response.
