
Google.ps domain was hacked - sarjan
http://google.ps/
======
biot
... and thousands of HN readers get infected by a zero-day exploit. Maybe. If
you're thinking of submitting a known compromised site to HN, consider instead
submitting a third-party site which explains/documents the compromise. Ideally
from a respected security research company. This has several benefits:

1\. You're not subjecting HN readers to a site under the control of a
malicious party who may have done more than just deface it. Even if _you_
verify that you only receive plain boring text with no scripts, iframes,
plugins, etc. it's impossible to verify that someone else won't get served
different content. For example, malware that only gets served to people in
Israel.

2\. Once the compromised site is restored, people visiting the link won't see
what happened. When you link to a third-party article, that article will
persist even after the hack is long since gone.

3\. Linking to a security research company will probably give better insight
into the technical details _how_ the attack happened, gratifying our
intellectual curiosity, instead of just being a dumbed-down piece from some
mass-market tech blog.

~~~
s_q_b
I agree with your point, but 0-day exploits aren't tossed around like candy
corn. They're multi-million dollar munitions.

~~~
magicalist
> 0-day exploits aren't tossed around like candy corn

They are if the zero-day isn't what you're after.

Something like this _is_ like candy corn to a site like HN. You need an
exploit _and_ a reason to get your targets to visit your hacked site. When
something like this hits HN's front page, if your target is in the tech world,
odds are very good that you'll catch someone in the company/companies you're
after. This is not theoretical. See, for instance, the Java exploits employed
in those hacked iOS dev forums that successfully compromised computers at
Facebook, Twitter, Apple, and Microsoft[1].

[1] [http://arstechnica.com/security/2013/02/web-forum-for-
iphone...](http://arstechnica.com/security/2013/02/web-forum-for-iphone-
developers-hosted-malware-that-hacked-facebook/)

~~~
s_q_b
These are both really excellent points.

While DNS-hijacking Google.ps as a watering hole for HN seems like a bit of a
long shot of a vector to get access to HN users, it would be a pretty logical
vector for Palestinian Authority systems. And it's likely a lot of other users
would get unintentionally caught in the net.

Flash/Java vulnerabilities are also quite a bit cheaper (100k range), and well
within the price range of most criminal APTs, let alone nation-states. But I
imagine most, if not all, HN users have those extensions disabled by default.

So the only way to compromise the systems of most users here would be a 0-day
JavaScript vulnerability in Chrome/Firefox. These are the 0-days to which I
was referring, which are massively expensive.

But overall the point is valid. The risk, even if not that large that anyone
here would be targeted, makes it a good idea not to post directly to
compromised websites. I'm not exactly wild about a random workstation at any
US company being compromised, even though they weren't explicitly targeted, by
random Israeli hackers or even Unit 8200.

------
jedisct1
google.ps has not been hacked.

The .ps registry was. Google DNS servers have been changed to omar.genious.net
and hamza.genious.net

~~~
ck2
Hacking a registry is even more alarming.

~~~
benatkin
Not all registries are created equal. I'm a heavy Internet user and I'd get
along just fine without the .ps nameservers.

~~~
aray
Still, it goes to show that even if you lock down your website, you could
still be vulnerable if your registry is vulnerable.

~~~
jonknee
That has been shown since the first day of DNS.

------
lars
Looks like their domain was compromised. It points to an IP associated with
this hosting provider: [http://www.genious.net/](http://www.genious.net/)

~~~
theboywho
Looks like a Moroccan hosting provider.

------
tambourine_man
[http://i.imgur.com/BNspAdZ.jpg](http://i.imgur.com/BNspAdZ.jpg)

~~~
eksith
Thank you.

I wish OP would have done the same with a comment. In fact, this should
probably be standard procedure when submitting a link to a compromised site if
it's not to a blog/news post about it.

------
pearjuice
Please change the title to "Google Palestine defaced" or "Google DNS entries
maliciously changed". Google Palestine was/is not hacked.

~~~
hack_edu
Yes it was. Let's not quibble.

~~~
pearjuice
No it was not. It implies something under Google's control was compromised,
which was not the case.

~~~
hack_edu
Really, it implies any attack or breach that is apparent to users. This is
_very_ apparent.

~~~
pearjuice
That is not what "hacked" means. If they had really hacked Google's servers
and proxied all searches through a system of theirs without letting the users
know, it would not have been "apparent", yet Google would have been hacked in
the correct sense of the definition.

They were defaced which was directly apparent to users - not hacked. At all.

~~~
hack_edu
I'll repeat the crux of this discussion. There's no definition of 'hacked.'
Welcome to the Internet.

~~~
pearjuice
No definition of "hacked"? Really? You will go that meta to prove your point?

"a hacker is someone who seeks and exploits weaknesses in a computer system or
computer network" (
[http://en.wikipedia.org/wiki/Hacker_(computer_security)](http://en.wikipedia.org/wiki/Hacker_\(computer_security\))
)

Being hacked means a hacker has found and exploited a weakness in a computer
system or network. Saying that Google Palestine was hacked is false because no
exploit in a computer system or computer network OF Google Palestine was found
nor exploited.

------
AgLiAn
More details here [http://hak-it.blogspot.ro/2013/08/google-palestine-
hacked.ht...](http://hak-it.blogspot.ro/2013/08/google-palestine-hacked.html)

~~~
lars
Doesn't look like a fake defacement, google.ps has looked like google since
2009 according to archive.org:
[http://web.archive.org/web/20090812080241/http://www.google....](http://web.archive.org/web/20090812080241/http://www.google.ps/)

~~~
sp332
Right, but someone just changed the domain to point to a new IP address. So no
one hacked Google's server.

~~~
UVB-76
Exactly. Instead of showing up Google, these hackers (assuming they are indeed
Palestinians) have just shown up their own domain registry.

------
pfraze
Fair warning, that link goes to the compromised site.

~~~
nodata
There was no fair warning: the title doesn't make it clear whether the event
is over.

------
math0ne
Oh man, imagine the heart attack the engineer who first got this ticket must
have had before he realized it was just a DNS hijacking.

~~~
dsl
Google's incident response team deals with far bigger issues on a daily basis.
This is hardly more than a few kids playing around.

~~~
ponyous
Care to elaborate?

~~~
packetslave
Nice try, Mark Zuckerberg

------
runarb
The page also tries to load an mp3 file using RealPlayer. Sounds bad... Is
that some known exploit?

RealPlayer is so rare these days, so at least it wouldn't be my first choice if
you only wanted to play a song.

~~~
srl
The mp3 is "Hard", by Rihanna. Doesn't seem to have any exploits attempted (it
plays fine in mplayer, with no funny business).

------
keyme
Probably just Kids. Nothing very sophisticated. Shame that pretty much all of
the basic internet infrastructure is so utterly broken.

------
codereflection
I love how it says "From Palestine: We are the Best of the Rest"

Best of the Rest? Well, that's not saying much, is it?

~~~
mnbvcxza
They must have some awesome ANSI art.

------
iranai
Out of six DNS servers which are authoritative for zone .ps, only one gives
out wrong NS records for google.ps. Is it pure luck for that answer to be
cached at Google Public DNS, or had it possibly been done by some obscure
trick?

EDIT: Ok, on second thought it seems that the compromised server is just the
closest to Google. All that is left is to wonder whether the Palestine guys
did target that server because of it :)
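
The check iranai describes, and the rogue delegation jedisct1 reports (google.ps pointed at omar.genious.net and hamza.genious.net), as an added example that is not part of the thread, nor Google's or the .ps registry's code: a standard-library Python script that asks each authoritative server of a parent zone for a child domain's NS records and reports the servers that disagree with the majority. The six server names, the "legitimate" NS set and the response bytes are constructed for the demo and are not the real .ps nameservers or a captured packet; only query_ns() touches the network, and the demo never calls it.

```python
"""Cross-check the NS delegation that a parent zone's servers hand out for a child domain.
Added example for this thread, not Google's or the .ps registry's code; stdlib only, and only
query_ns() touches the network, so the demo at the bottom runs offline on constructed data."""
import random
import socket
import struct
from collections import Counter

QTYPE_NS, QCLASS_IN = 2, 1

def encode_name(name: str) -> bytes:
    """Dotted name -> DNS wire format (length-prefixed labels, root terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(domain: str, qid: int) -> bytes:
    """NS query with RD=0: we want the server's own delegation data, never a cached answer."""
    return struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0) + encode_name(domain) + struct.pack("!HH", QTYPE_NS, QCLASS_IN)

def parse_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (lower-cased name, offset just past it in place)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                          # compression pointer (RFC 1035 4.1.4)
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if (hops := hops + 1) > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            end = offset if end is None else end
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), end

def parse_ns_records(msg: bytes, domain: str) -> set[str]:
    """NS targets for `domain` from answer + authority sections (a delegating parent answers
    with AA=0, an empty answer section and the child's NS set in the authority section)."""
    _qid, _flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, want, targets = 12, domain.rstrip(".").lower(), set()
    for _ in range(qd):
        _, offset = parse_name(msg, offset)
        offset += 4                                        # skip QTYPE and QCLASS
    for _ in range(an + ns):
        owner, offset = parse_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_NS and owner == want:
            targets.add(parse_name(msg, offset)[0])
        offset += rdlen
    return targets

def query_ns(server_ip: str, domain: str, timeout: float = 3.0) -> set[str]:
    """Live UDP query to one parent-zone server (IPv4 only); not called by the offline demo."""
    qid = random.randrange(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, qid), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != qid:
        raise ValueError("response id does not match query id")
    return parse_ns_records(data, domain)

def find_rogue_servers(answers: dict[str, set[str]]) -> tuple[set[str], dict[str, set[str]]]:
    """Majority vote over all servers' answers. A majority can still be wrong if the whole
    registry was altered, so also compare the consensus with the owner's known-good NS list."""
    votes = Counter(frozenset(v) for v in answers.values())
    consensus = set(votes.most_common(1)[0][0])
    return consensus, {srv: ns for srv, ns in answers.items() if ns != consensus}

def constructed_response(qid: int = 0x1234) -> bytes:
    """Hand-built reply (constructed sample, not a capture): two NS RRs for google.ps in the
    authority section; the second compresses 'genious.net' via a pointer into the first's RDATA."""
    header = struct.pack("!HHHHHH", qid, 0x8000, 1, 0, 2, 0)   # QR=1, 1 question, 2 authority RRs
    question = encode_name("google.ps") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    owner = b"\xc0\x0c"                                         # pointer to the question name
    ns1 = encode_name("omar.genious.net")
    rr1 = owner + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600, len(ns1)) + ns1
    ptr = 12 + len(question) + len(owner) + 10 + 5              # offset of "genious.net" inside ns1
    ns2 = b"\x05hamza" + struct.pack("!H", 0xC000 | ptr)
    rr2 = owner + struct.pack("!HHIH", QTYPE_NS, QCLASS_IN, 3600, len(ns2)) + ns2
    return header + question + rr1 + rr2

def demo_answers() -> dict[str, set[str]]:
    """Constructed answers from six placeholder servers (not the real .ps nameservers): five
    return an assumed legitimate set, one the hijacked delegation from constructed_response()."""
    legit = {"ns1.google.com", "ns2.google.com", "ns3.google.com", "ns4.google.com"}
    answers = {f"ps-ns-{i}.example": set(legit) for i in range(1, 6)}
    answers["ps-ns-6.example"] = parse_ns_records(constructed_response(), "google.ps")
    return answers

if __name__ == "__main__":
    consensus, rogue = find_rogue_servers(demo_answers())
    print("consensus:", sorted(consensus), "disagreeing:", {s: sorted(n) for s, n in rogue.items()})
```

For a live run, replace demo_answers() with a dict built from query_ns(ip, "google.ps") for each IP address of the parent zone's authoritative servers; querying every server individually, rather than whatever your resolver happens to have cached, is exactly what separates "one .ps server hands out a different delegation" from "google.ps resolves differently depending on who you ask".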

------
captn3m0
Using HTTPS Everywhere gave me a warning on visiting
[https://google.ps](https://google.ps); Chrome blocked the URL, giving a
warning on the HSTS/certificate pinning.

------
mobiplayer
With the Google bar in the screenshot being in French and the name servers on a
Moroccan hosting provider, I think it's clear where these script kiddies are
from :)

~~~
mobiplayer
P.S.: Not implying anything, just adding information. I've re-read my comment
and it looks a bit wrong.

------
niuzeta
"Listen to Rihanna and be Cool"

Kudos.

------
adhipg
Aren't we seeing a lot of DNS based attacks in the recent past? I remember .pk
TLD was hacked not too long ago.

Considering that most of the big sites run local variants of their services
using these TLDs is it fair to assume that one of these next ones could be of
the phishing kind? What's the best thing to do - always use the .com hoping
that it is safer?

~~~
dsl
This isn't a DNS issue, it's a SQL injection attack.

ICANN needs to mandate stronger requirements for best practices with web based
management UIs. Unfortunately they have little in the way of real control over
ccTLDs.

You'd be best served registering ccTLDs and redirecting them to your gTLD of
choice (say, .com) and not trying to serve localized content from them.

~~~
kijeda
ICANN is not in a position to mandate such requirements for ccTLDs as they are
not empowered to. ccTLD governance differs from gTLDs in that each country
code is managed and overseen locally within the country. This is why there is
such a diversity in ccTLD policies. For better or worse this model of
subsidiarity is what we have today.

~~~
dsl
Which is why I said

> Unfortunately they have little in the way of real control over ccTLDs.

Hopefully NTIA can empower ICANN (as the IANA operator) to better exercise
security requirements against ccTLDs. Ultimately NTIA can pull the ccTLD from
the root, which is a stick we could use to increase the overall security of the
internet, but I would prefer we find a carrot.

------
AmrMostafa
I cannot confirm this from all locations. google.ps sometimes resolves to a
legitimate Google and other times to the Moroccan server. Does anyone have an
idea how that could be possible?

~~~
alcari
DNS caching.

------
bdcravens
Switched to my phone's LTE - it said "This Account Has Been Suspended"

Refreshed the site on my computer connected to wi-fi - it now appears to be
returning the correct Google site.

------
AgLiAn
What? Where?

------
Globz
wtf is this bullshit!

------
omarchowdhury
This is hilarious

------
eli_gottlieb
Good job, butthurt nationalist losers ;-).

~~~
jbooth
And if this were done by Jews being oppressed somewhere, would your reaction
be the same?

Not that you'll take this advice, but I'd really recommend spending a little
time thinking about what if you were born with a different last name.

Would you be a butthurt loser then, by dint of that last name?

~~~
eli_gottlieb
I'm congratulating them; hence the winking smiley-face. What the hell?

This is an online prank. Have you actually decided to treat it as a serious
political protest?

~~~
pearjuice
Congratulating someone by calling them "butthurt" and "losers" doesn't work.
Your post is rather offending and your last name does indeed spoil your stance
in the Israeli-Palestinian conflict but nevertheless your comment is
inappropriate and was uncalled for.

