
LinkedIn suffers DNS hijack  - mikegreenspan
https://alpha.app.net/berg/post/6917579
======
fixxer
I'm done with LinkedIn.

I've been on the fence about it for a year now. I get more recruiter spam than
value.

I'm also a bit too old for the schadenfreude that accompanies news of my
overpaid friends getting canned. I'm running my own race these days and I've
never been happier since I stopped comparing my lot in life to the few lucky
SOBs I know that survived the cull of sub-prime.

I think a better strategy is (1) your own domain and/or (2) a site on github
with actual code to validate* your talents.

*I hate those "Joe Schmo supported your skill in [insert banal technical skill here]" messages. I once put down C++ because I had been working with it for a couple of years. Then, I thought better (I would not take a C++ programming job. Period. Hate that language.) and took it off. Next thing I know, I've got coworkers supporting my C++ acumen and LinkedIn trying to push it back on my profile. Ugh. I call that invasive feature creep.

On top of that, they seem to leave the backdoor open a bit too much for a
company with $20b market cap.

~~~
pinaceae
LinkedIn's value is not centered around your personal profile - it's about the
other people that are linked to you and will always have an up-to-date
CV/contact details for you.

It is a self-updating rolodex, Outlook Contacts list, phone book,
whateveryouwanttocallit.

I really don't want to bookmark 300+ individual pages that all have different
creative layouts, get moved, etc. My LinkedIn profile stays up-to-date, you
update yours, that's the implicit deal. And we all profit from it. _all_ being
defined as a western work-related group, English spoken. This is not Facebook.
Link your github repo from there, absolutely, good idea, but having LinkedIn
as your standardized contact info is very valuable.

Is LinkedIn managed in a bad way? Sure. But for some reason the modern
business world has chosen to focus on it. Xing and other local players
never grew enough. The benefits of starting out in the US. All the
surrounding crap they're building is fluff; their core feature is being a
global rolodex. Would love to slap sense into their product management team.

~~~
hkmurakami
Thus I've never had more than minimal info on my linkedin profile.

As of this writing, I only have my undergrad and grad school names listed. I
don't think I even have my areas of study on there.

Works perfectly as a rolodex.

~~~
why-el
I don't even have that; just my name and the other required stuff. I still
accept connections in the hope that I will join one day, but that seems more
and more unlikely.

------
kcen
The DNS was not exactly hijacked; there were issues inside of LinkedIn's top
level DNS provider, who were delegating www.linkedin.com authorization to
unauthorized nameservers, namely NS[SOMETHING].ztomy.com. The ztomy DNS
replaces its delegated domains to point to a domain parking page if there is
no record existing. These changes were then propagated to other nameservers and
thus to the end user. End result: DNS doesn't point where you think it does.
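The check the commenters in this thread did by hand, scripted as an added example (not code from the thread): compare a zone's observed NS delegation and A answers with what you expect. The dig-style inputs are constructed; the expected nameserver names are assumed, 216.52.242.0/24 is the LinkedIn block from the ARIN paste further down this thread, and 204.11.56.17 / ztomy.com are the rogue values reported in it (the ztomy hostname is a placeholder, since the thread does not give the exact name).

```python
"""Delegation and answer sanity check; added example, not from the thread."""
import ipaddress

NS_ANSWER = """ns1.linkedin.com.
NS-PLACEHOLDER.ztomy.com
"""                         # constructed `dig +short NS linkedin.com` output
A_ANSWER = "204.11.56.17\n"  # constructed `dig +short www.linkedin.com` output

EXPECTED_NS = {"ns1.linkedin.com", "ns2.linkedin.com"}      # assumed allowlist
EXPECTED_NETS = [ipaddress.ip_network("216.52.242.0/24")]   # from the ARIN paste

def normalize(name):
    """DNS names compare case-insensitively, with or without the root dot."""
    return name.strip().lower().rstrip(".")

def parse_short(output):
    """Non-empty, normalized lines of `dig +short` style output."""
    return [line for line in (normalize(l) for l in output.splitlines()) if line]

def check_delegation(ns_output, expected_ns):
    """Nameservers in the NS answer that are not on the allowlist."""
    observed = set(parse_short(ns_output))
    return sorted(observed - {normalize(n) for n in expected_ns})

def check_addresses(a_output, expected_nets):
    """A records outside every expected prefix. Lines that are not addresses
    (e.g. a CNAME target in `dig +short` output) are skipped."""
    rogue = []
    for line in parse_short(a_output):
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue
        if not any(ip in net for net in expected_nets):
            rogue.append(str(ip))
    return rogue

def findings(ns_output=NS_ANSWER, a_output=A_ANSWER):
    """Human-readable findings; an empty list means everything looked expected."""
    out = ["unexpected NS: " + n for n in check_delegation(ns_output, EXPECTED_NS)]
    out += ["A record outside expected ranges: " + a
            for a in check_addresses(a_output, EXPECTED_NETS)]
    return out

if __name__ == "__main__":
    print("\n".join(findings()) or "ok")
```

Run it against real `dig +short` output from several resolvers (as meatmanek suggests below, answers differ by resolver while the bad delegation is cached) and alert on any non-empty result.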

~~~
inopinatus
Au contraire; having the delegation going somewhere unwanted is practically
the definition of a DNS hijack. The question is - how did that happen? A
malicious third party? a blundering sysadmin? or a bug in some provisioning
code?

It does sound like LinkedIn's NOC are playing the blame game already. Well, I
guess they've gotta get all those spamming recruiters & sales reps back
online.

EDIT: heh, maybe it was The New Guy: [http://www.simplyhired.com/job-id/y5bvoz46k6](http://www.simplyhired.com/job-id/y5bvoz46k6)

~~~
kcen
It's always the new guy, f'n new guy.

------
raldi
Can anyone think of a good reason LinkedIn didn't mark their cookies as HTTPS-
only?

[http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly](http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly)

~~~
dsl
I often describe LinkedIn as a bunch of business people, who have a website.
It's not a tech company and the hiring reflects that.

~~~
memmove
dsl, no offense, but you seem to have a problem with any company that doesn't
hire/provide employment to your average local community college CS grad and
instead hires globally based purely on merit.

Linkedin interviews are on par with facebook/google et al.

~~~
dsl
Really, now the sock puppets are coming out?

I hire people purely on technical merit, I don't even bother reviewing
educational credentials. I am opposed to abusing the H1-B system rather than
opening offices overseas to bring in skilled labor and raise local standards
of living.

~~~
gergles
LinkedIn _does_ have overseas offices.

[http://www.buzzom.com/2011/11/linkedin-opens-a-technology-ce...](http://www.buzzom.com/2011/11/linkedin-opens-a-technology-centre-in-bangalore/)

------
ChuckMcM
Random anecdote:

One of the DNS issues I tried to fix with NIS+ was the 'maintaining a list of
trusted servers' problem by distributing the management of the authoritative
servers. Trust was built bottom up, and authority came top down.

The way it worked was that clients used a 'coldstart' file which was the
(small number) of servers you trusted to provide your namespace lookups. You
to their public key and you put it into your coldstart file. Similarly, a
server put the key(s) of the servers it trusted above it in the name space in
its coldstart file. And at company 'root' level was a set of servers run by a
trusted authority.

Locating the authoritative name server for x.y.z from p.q.z (same as DNS root
is rightmost) client in x.y.z asks its server for a trusted y.z server, gets
it, and asks that server for a trusted z. server, then asks that server for a
q.z. server and finally for a p.q.z. server. Once this has happened once you
know trusted servers and can jump to the nearest one to start resolving a new
path in the namespace.

It was slower on initial lookup and then just as fast as DNS on later ones.

It had the downside that compromised (or borked) high level servers could send
you on a different path to different root if the server above them was
incorrect.

It is one of the more fun problems in the whole name/directory service space.

~~~
dvanduzer
DNS SEC doesn't seem any closer to solving this problem, unfortunately.

Do you know of any designs that require a quorum at each level prior to trust?
BitCoin seems to be having success with this model, but I'm wondering if
anyone's built something like that with the _primary_ intent of creating a
directory service.

~~~
ChuckMcM
I don't think they have; much of the work on directory services died when
people gave up. DNS was "too hard" to change and Microsoft wasn't going to let
anything make it into a standard that killed off the need for Active Directory.
The LDAP guys, being formerly X.500 guys, went off solving a different problem
and ended up somewhat stuck between AD and DNS. Sad really.

That said, your idea about poaching the Bitcoin quorum ideas is a good one.
Essentially a data structure, equivalent to the block chain, where it only
gets authenticated if enough people ack that it's the most valid version of
reality. Probably a publishable paper in exploring that question.

~~~
dvanduzer
I love the fact that AD, and this newer posixy clone FreeIPA essentially
operate as independent but interdependent directory services: LDAP, Kerberos,
and DNS, and they still need X.500 in the form of SSL CA trusts to finish
gluing it all together.

You may see an email from me in the next few weeks asking for feedback on such
a paper.

------
hnolable
I guess they didn't mark their cookies as 'Secure'. Oh well, the real story
here is an app.net link at #1 on HN.

~~~
chollida1
> Oh well, the real story here is an app.net link at #1 on HN.

I can't tell if this is sarcasm or a serious comment. Could you elaborate on
this comment? I don't get why a link by app.net would be news worthy.

~~~
hnolable
My understanding is app.net is trying to be a paid version of twitter. There
was/is much debate whether it could ever take off. This is the first time I've
ever seen someone link to it. Although now I realize that the link is to the
app.net cofounder so that doesn't really say much.

~~~
millzlane
OP works there according to his twitter feed.

------
voidlogic
[http://confluence-networks.com/](http://confluence-networks.com/):

Important Notice [20th June, 2013]

Confluence Networks is a Colocation & Network service provider having tie-ups
with data centers across various geographical regions. We don't host any
services ourselves. Starting few hours ago, we received reports about some
sites (including linkedin.com) pointing to IPs allotted to our ranges. We are
in touch with the affected parties & our customer to identify the root cause
of this event.

Note that it has already been verified that this issue was caused due to a
human error and there was NO security related issue caused by the same. More
details will be provided shortly.

------
nikcub
This isn't over yet - press dot linkedin.com (don't go there) is still pointing
to the rogue server at 204.11.56.17

I'm trying to find other subdomains that might be still pointing there.

edit: I'm enumerating all the linkedin.com hosts using a dict. 80% of A
records are returning the rogue IP 204.11

edit: 96 records still pointing at the rogue server, here is a dump I just
uploaded:

[http://pastebin.com/uc2JXPfB](http://pastebin.com/uc2JXPfB)

~~~
meatmanek
What nameserver are you using?

~~~
nikcub
against their primary NS ns1.linkedin.com

short TTLs on a lot of these domains

I just ran it again this time using Google name servers and still a lot of
subdomains are pointing to the 214 server. confirmed it running against their
NS, which means it hasn't been changed yet.

~~~
wavefunction
I've got my nameservice hardset through openDNS and it's resolving to
198.55.195.121, which is allocated to NASDAQ OMX according to ARIN...

The 214.-.-.- is some British Virgin Islands allocation?

~~~
nikcub
I just got a message on twitter that 214.11 might be a DDoS mitigation
service.. have emailed linkedin to find out what is what.

------
meritt
Seeing 204.11.56.17 for their A record which is

        OrgName:        Confluence Networks Inc
        OrgId:          CN
        Address:        3rd Floor, Omar Hodge Building, Wickhams
        Address:        Cay I, P.O. Box 362
        City:           Road Town
        StateProv:      Tortola
        PostalCode:     VG1110
        Country:        VG
        RegDate:        2011-04-07
        Updated:        2011-07-05

~~~
mindcrime
I'm getting 216.52.242.80. Looks legit:

      [prhodes@captainchaos ~]$ whois 216.52.242.80@whois.arin.net
      [Querying whois.arin.net]
      [whois.arin.net]
    
      #
      # ARIN WHOIS data and services are subject to the Terms of Use
      # available at: https://www.arin.net/whois_tou.html
      #
    
      #
      # Query terms are ambiguous.  The query is assumed to be:
      #     "n 216.52.242.80"
      #
      # Use "?" to get help.
      #
    
      #
      # The following results may also be obtained via:
      # http://whois.arin.net/rest/nets;q=216.52.242.80?showDetails=true&showARIN=false&ext=netref2
      #
    
      LinkedIn Corporation INAP-LAX-LINKEDIN-38682 (NET-216-52-242-0-1) 216.52.242.0 - 216.52.242.255
      Internap Network Services Corporation PNAP-8-98 (NET-216-52-0-0-1) 216.52.0.0 - 216.52.255.255

------
bryanh
Was api.linkedin.com compromised/hijacked? If so, that means they'll need to
reset a lot of OAuth token/secrets which will be very painful indeed (worse
than just a site-wide session reset).

~~~
kcen
Isn't that the point of OAuth? (versus HTTP basic auth)

Your secret key shouldn't be compromised, because you're supposed to keep that
secret. Also if you use HTTPS for requests you'd still get a cert error even
if DNS was routing incorrectly. You're probably fine.

~~~
bryanh
Indeed, I misspoke and meant to say tokens/refresh tokens. A similar thing
happened for Evernote a while back and knocked down all tokens and required
re-authentication across the board.

------
quackerhacker
I think confluence-networks.com may be a part of Network Solutions (which is
whom LinkedIn is registered with).

I had a domain (nitren.com), that I let expire after 3yrs and confluence-
networks.com back ordered it, I remember looking it up a while back, but if I
remember right, all the ip and domains were registered or associated with
netsol.

~~~
dukekarthik
confluence-networks.com is part of DirectI. See
[http://www.directi.com](http://www.directi.com)

------
ioquatix
I'm going to blatantly advertise my own project "RubyDNS" - it can be a lot
of fun, and it is especially relevant because it allows you to perform these
kinds of attacks in a controlled environment.
[http://www.codeotaku.com/projects/rubydns/index.en](http://www.codeotaku.com/projects/rubydns/index.en)

~~~
dsl
Have you played with PowerDNS? It would be awesome to see RubyDNS rewritten as
a backend.

~~~
ioquatix
Yeah, I've looked at it briefly. Well, RubyDNS already provides the full DNS
server functionality, so I didn't really see the point.

What do you think the main benefits would be?

------
mtam
My traceroute is going thru prolexic.com so there might be something else at
play here. "Prolexic is the world’s largest and most trusted distributed
denial of service (DDoS) mitigation service provider"

------
thrownaway2424
I guess it's a good thing I never reset my LinkedIn password after they lost
them all, so I don't have a LinkedIn account to be hijacked.

------
djabatt
DNS hacks on big public companies seem like a big security oversight from the
linkedin team. wow.

Perhaps my HTTPS anywhere extension could have helped folks.

~~~
DoubleMalt
While I love your HTTPS anywhere extension and thought ( _cough_ ) I had it
installed, I was dismayed that I was allowed to connect to
[http://www.linkedin.com/](http://www.linkedin.com/).

Then I found out it wasn't synched over last time I changed laptops.

Installing it now. Thanks for the great work!

------
TheBurningOr
Does anyone have any corroboration of this?

~~~
moondogg
[http://www.cio.co.ke/news/main-stories/google,-microsoft,-li...](http://www.cio.co.ke/news/main-stories/google,-microsoft,-linkedin-hacked-in-kenyan-dns-hijack)

~~~
glanotte
That is from April 15th.

------
shuw
[https://linkedin.com](https://linkedin.com) 301s to
[http://linkedin.com](http://linkedin.com) for me. Should I be suspicious or
do browsers validate the certificate even during re-directs?

~~~
gergles
The certificate is validated before the 301 is sent.

------
danyork
LinkedIn has posted a statement pointing over to "the company that manages our
domain" - [http://linkd.in/12XMvpu](http://linkd.in/12XMvpu)

------
Xanza
HTTPS everywhere; that's all I have to say. Something like this is very
malicious and very hard to detect -- unless you ALWAYS use SSL. I noticed
right away that the DNS was incorrect.

------
NKCSS
I just realised: if you opened a website with a LinkedIn share button, your
cookie might be compromised as well; you didn't even have to go to the site
while under the DNS hijack...

------
sam152
Can someone examine the cookies that they set and tell if there is any
sensitive information (passwords?) that are hashed in there? Should we
consider this a password breach?

------
kyllo
Can they actually snarf cookies from other sites you're logged into, or would
they only be able to get at your LinkedIn session cookies?

~~~
bcl
No. Cookies only get sent to the originating domain. What happened here is
*.linkedin.com points to the rogue server so your cookies get passed to them
instead of the real Linkedin.
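Added example (not code from the thread) that works through raldi's question above about cookies not marked HTTPS-only together with bcl's answer here: it decides which cookies a browser would attach to a request, showing that a session cookie without the Secure flag is sent over plain HTTP to whatever host a *.linkedin.com name currently resolves to, while a Secure one is withheld. The Set-Cookie headers are constructed and the cookie names are illustrative, not LinkedIn's.

```python
"""Cookie scope simulation; added example, not from the thread."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

ORIGIN_HOST = "www.linkedin.com"
SET_COOKIE_HEADERS = [  # constructed; not LinkedIn's real cookies
    "session_leaky=abc123; Domain=.linkedin.com; Path=/; HttpOnly",
    "session_safe=def456; Domain=.linkedin.com; Path=/; Secure; HttpOnly",
    "pref=dark; Path=/settings",  # no Domain attribute: host-only cookie
]

def parse_cookies(headers, origin_host):
    """Parse Set-Cookie headers into (name, attrs) pairs; attrs keeps only
    the attributes actually set, plus the host the cookie is scoped to."""
    jar = []
    for header in headers:
        c = SimpleCookie()
        c.load(header)
        for name, m in c.items():
            attrs = {k: v for k, v in m.items() if v}
            attrs["host_only"] = "domain" not in attrs
            attrs.setdefault("domain", origin_host)
            attrs.setdefault("path", "/")
            jar.append((name, attrs))
    return jar

def domain_matches(host, attrs):
    """Host-only cookies need an exact host; Domain= cookies match subdomains."""
    d = attrs["domain"].lstrip(".").lower()
    host = host.lower()
    return host == d if attrs["host_only"] else (host == d or host.endswith("." + d))

def path_matches(req_path, cookie_path):
    """RFC 6265 style path-match: equal, or a prefix at a '/' boundary."""
    if req_path == cookie_path or (cookie_path.endswith("/") and req_path.startswith(cookie_path)):
        return True
    return req_path.startswith(cookie_path + "/")

def cookies_sent_to(url, jar):
    """Names of cookies a browser would send with a request for url.
    A Secure cookie is withheld on http://, so a hijacked A record for a
    linkedin.com host sees only the non-Secure ones. HttpOnly changes
    nothing here; it only hides the cookie from script."""
    p = urlsplit(url)
    return [name for name, a in jar
            if not (a.get("secure") and p.scheme != "https")
            and domain_matches(p.hostname, a)
            and path_matches(p.path or "/", a["path"])]
```

The same simulation explains NKCSS's point below: a plain-HTTP share-button request to a linkedin.com host carries every non-Secure cookie in scope, whether or not the user ever visited the site during the hijack.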

------
willlll
How has app.net adoption been going?

------
kcthota
fidelity.com is also not accessible. Currently traffic is routed to some
domain parking page.

~~~
jes
Appears to be corrected at this time.

~~~
meatmanek
It depends what nameserver you're using. At this time, I see bad results from
3 nameservers on
[http://www.whatsmydns.net/#A/fidelity.com](http://www.whatsmydns.net/#A/fidelity.com)

It seems this website chooses a random selection from a larger pool of
nameservers, so if you refresh the page you may get different results.

------
mattbarrie
Seems legit.

www.ztomy.com

~~~
dsl
ztomy.com is part of the DirectI/ResellerClub/etc. group of companies. They
operate paid domain parking programs for registrars.

------
leke
Weren't they asking for your email passwords the other day?

------
krapp
Someone turned off the 'more magic' switch...

------
somid3
Well, certainly the photo upload still is not working; you can update your
photo via their website apparently.

------
mtam
LinkedIn seems to be back online.

------
surjithctly
What a Hacking Idea. Seriously!

------
tomasien
Watershed moment for ADN?

------
rsamvit
Sigh. At least they didn't leak plaintext passwords again

~~~
gergles
When did they ever leak plaintext passwords before? If you're referring to the
event a year ago, that was unsalted MD5 hashes (obviously not great, but let's
not hyperbolize.)

