2019-01-28

We don't know where the hackers are, but it looks like it's a bit nippy

THE NATIONAL CYBER SECURITY CENTRE (NCSC) has revealed that it is investigating a global DNS hijacking campaign. The alert warns that while the majority of the targets have been in the Middle East, reports are stepping up in Europe and the United States.

"While the NCSC is not currently aware of any compromised entities in the UK, the techniques exhibited could feasibly be deployed against UK targets," the alert reads. "In the campaign, attackers are believed to have compromised credentials that have given them the ability to manipulate DNS records, giving them the ability to redirect traffic to attacker-owned infrastructure."

Once hackers can manipulate DNS records, they can redirect traffic to their own infrastructure, leaving users open to man-in-the-middle attacks. As the targets elsewhere in the world seem to be predominantly based in government, telecoms and internet infrastructure, the possibility for mischief is pretty high if successful.

The NCSC is working with industry and international governments to identify the campaign's impact and come up with defensive measures, but for now the official government advice is pretty run-of-the-mill and straight out of Security 101.

For registrars:

Make sure two-factor authentication is enabled for registrar and registry accounts

Make sure passwords aren't easily guessable, aren't reused and are stored securely

Make sure password recovery contact details are up to date

Consider applying extra security steps to registrar changes

Make sure logging is switched on, so you can see what changes have been made

For DNS hosting, it's similar but with a few domain name twists:

Again, two-factor authentication is your friend

So is good password hygiene

Have backups of critical DNS zones

Use a configuration-as-code approach for managing DNS zones

Ensure logging is switched on

Keep an eye on DNS records for changes. A monitoring service is probably a good idea

Keep an eye on certificate transparency logs for TLS certificates
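The record-monitoring advice above amounts to keeping a baseline snapshot of the zone and alerting on drift. As an added illustration that is not from the NCSC alert or this article, the Python below compares two constructed snapshots of a hypothetical zone (example.org, addresses and networks are made up) and ranks a change highly when a nameserver moves or an A record starts pointing outside the organisation's own address ranges, which is exactly what a hijack that redirects traffic to attacker-owned infrastructure looks like.

```python
import ipaddress

# Constructed baseline of the records worth watching for a hijack
# (NS, A and MX). Hypothetical zone and addresses, not from the NCSC alert.
BASELINE = {
    "example.org.": {"NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
                     "A": {"203.0.113.10"},
                     "MX": {"10 mail.example.org."}},
    "mail.example.org.": {"A": {"203.0.113.25"}},
}

# Constructed "current" snapshot: the mail host now resolves to an address
# outside the organisation's own ranges, the pattern a record hijack leaves.
CURRENT = {
    "example.org.": {"NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
                     "A": {"203.0.113.10"},
                     "MX": {"10 mail.example.org."}},
    "mail.example.org.": {"A": {"198.51.100.77"}},
}

# Address ranges the organisation actually owns (constructed, hypothetical).
KNOWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def _is_known(addr):
    """True if an A-record target falls inside a range we own."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in KNOWN_NETS)


def diff_snapshots(baseline, current):
    """Return one event per (name, type) whose record set changed.
    NS changes, and A records pointing outside KNOWN_NETS, are ranked high."""
    events = []
    for name in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(name, {}), current.get(name, {})
        for rtype in sorted(set(base) | set(cur)):
            before, after = base.get(rtype, set()), cur.get(rtype, set())
            if before == after:
                continue
            added = sorted(after - before)
            # A records that now point at addresses we do not own are the redirect signature
            foreign = [a for a in added if rtype == "A" and not _is_known(a)]
            events.append({"name": name, "type": rtype,
                           "removed": sorted(before - after), "added": added,
                           "severity": "high" if rtype == "NS" or foreign else "medium"})
    return events
```

In practice the snapshots would come from periodic queries against several resolvers, and a non-empty result from diff_snapshots would feed the alerting channel.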

And finally, some tips for DNS management:

Make sure that people involved in DNS management are aware of the importance of DNS security (you'd think this would be covered at the job interview, but there we are)

Look out for expiring domains and make sure they're renewed in a timely manner

Make sure any subdomains delegated to third parties follow the same rules

Consider formalising a "registry function" to oversee domain name management

All helpful tips, whether or not the current threat turns out to be unusually prolific. µ