Google.ps domain was hacked (google.ps)
130 points by sarjan on Aug 26, 2013 | 86 comments

... and thousands of HN readers get infected by a zero-day exploit. Maybe. If you're thinking of submitting a known compromised site to HN, consider instead submitting a third-party site which explains/documents the compromise. Ideally from a respected security research company. This has several benefits:

1. You're not subjecting HN readers to a site under the control of a malicious party who may have done more than just deface it. Even if you verify that you only receive plain boring text with no scripts, iframes, plugins, etc. it's impossible to verify that someone else won't get served different content. For example, malware that only gets served to people in Israel.

2. Once the compromised site is restored, people visiting the link won't see what happened. When you link to a third-party article, that article will persist even after the hack is long since gone.

3. Linking to a security research company will probably give better insight into the technical details how the attack happened, gratifying our intellectual curiosity, instead of just being a dumbed-down piece from some mass-market tech blog.

I agree with your point, but 0-day exploits aren't tossed around like candy corn. They're multi-million dollar munitions.

> 0-day exploits aren't tossed around like candy corn

They are if the zero-day isn't what you're after.

Something like this is like candy corn to a site like HN. You need an exploit and a reason to get your targets to visit your hacked site. When something like this hits HN's front page, if your target is in the tech world, odds are very good that you'll catch someone in the company/companies you're after. This is not theoretical. See, for instance, the Java exploits employed in those hacked iOS dev forums that successfully compromised computers at Facebook, Twitter, Apple, and Microsoft[1].

[1] http://arstechnica.com/security/2013/02/web-forum-for-iphone...

These are both really excellent points.

While DNS-hijacking Google.ps as a watering hole for HN seems like a bit of a long shot of a vector to get access to HN users, it would be a pretty logical vector for Palestinian Authority systems. And it's likely a lot of other users would get unintentionally caught in the net.

Flash/Java vulnerabilities are also quite a bit cheaper (100k range), and well within the price range of most criminal APTs, let alone nation-states. But I imagine most, if not all, HN users have those extensions disabled by default.

So the only way to compromise the systems of most users here would be a 0-day javascript vulnerability in Chrome/Firefox. These are the 0-days to which I was referring, which are massively expensive.

But overall the point is valid. The risk, even if not that large that anyone here would be targeted, makes it a good idea not to post directly to compromised websites. I'm not exactly wild about a random workstation at any US company being compromised, even though they weren't explicitly targeted, by random Israeli hackers or even Unit 8200.

There are tons of 0-days out there, maybe not in Chrome proper but in Java, in extensions, in flash... Multi-million is a huge exaggeration. I think market is 20k - 50k for many areas.

Now you've got me paranoid.

You don't know paranoia until you've worked in the network security industry for a government contractor....

You're not subjecting HN readers to a site under the control of a malicious party who may have done more than just deface it.

I don't see any malicious action here.

How is defacing a page not "malicious"?

I think they meant there was no malware being delivered from visiting the page.

The parent comment covered this very point:

> 1. You're not subjecting HN readers to a site under the control of a malicious party who may have done more than just deface it. Even if you verify that you only receive plain boring text with no scripts, iframes, plugins, etc. it's impossible to verify that someone else won't get served different content. For example, malware that only gets served to people in Israel.

google.ps has not been hacked.

The .ps registry was. Google DNS servers have been changed to omar.genious.net and hamza.genious.net

Hacking a registry is even more alarming.

Not all registries are created equal. I'm a heavy Internet user and I'd get along just fine without the .ps nameservers.

Still, it goes to show that even if you lock down your website, you could still be vulnerable if your registry is vulnerable.

That has been shown since the first day of DNS.

I would surely be more alarmed if Google got hacked, not some 2.5-world registry. There's been worse, like CAs getting hacked.

If they hacked the .ps registry, did they redirect any other sites?

Looks like nike.com.ps (for example) still redirects to the nike homepage.

I think saying "google.ps was hacked" is a perfectly reasonable way to describe what happened.

I don't agree at all, the system which was hacked is not in Google's control at all, even though it does depend on it for DNS SOA.

Every site depends on root DNS servers to do their job right...the root for .ps was hacked...that's what happened here...google was affected, but not hacked.

You are using these words, but I don't think you know what they mean.

The SOA record is almost irrelevant in this case, unless you are seeing some trickery where they set high TTLs or something to keep the "hack" around longer after it has been corrected.

There is only one root (which is kinda what makes it a root) - and in this case the root servers are doing their job just fine. DNS is hardly even involved. As far as I can tell this was simply a compromise of the web UI that allows for the management of domains under the .ps ccTLD. Probably just another sloppy front end developer.

Forgive me, it has been several years since I dealt with DNS authority; however, it still does not change the argument that it was not Google who was 'hacked'. The title of this post is just blatantly wrong.

That implies the site itself was hacked, when it was not. It appears the .ps domain registry was hacked.

Looks like their domain was compromised. It points to an IP associated with this hosting provider: http://www.genious.net/

Looks like a Moroccan hosting provider.

Thank you.

I wish OP would have done the same with a comment. In fact, this should probably be standard procedure when submitting a link to a compromised site if it's not to a blog/news post about it.

Please change the title to "Google Palestine defaced" or "Google DNS entries maliciously changed". Google Palestine was/is not hacked.

Yes it was. Let's not quibble.

No it was not. It implies something under Google's control was compromised, which was not the case.

Really, it implies any attack or breach that is apparent to users. This is very apparent.

That is not what "hacked" means. If they had really hacked Google's servers and proxied all searches through a system of theirs without letting the users know, it would not have been "apparent", yet Google would have been hacked in the correct sense of the definition.

They were defaced which was directly apparent to users - not hacked. At all.

I'll repeat the crux of this discussion. There's no definition of 'hacked.' Welcome to the Internet.

No definition of "hacked"? Really? You will go that meta to prove your point?

"a hacker is someone who seeks and exploits weaknesses in a computer system or computer network" ( http://en.wikipedia.org/wiki/Hacker_(computer_security) )

Being hacked means a hacker has found and exploited a weakness in a computer system or network. Saying that Google Palestine was hacked is false because no exploit in a computer system or computer network OF Google Palestine was found nor exploited.

If I stood in front of your house with a cellphone jammer, did I just hack your cellphone service provider?

"The page was restored within an hour of defacement."

No it wasn't. It's still hacked for me.

Wait for your DNS to propagate from the hacked server.

#dig google.ps @

Nope, still

Just wait. It takes time.

Funny though that they didn't flush the incorrect cache on their (Google's) own DNS service.

Doesn't look like a fake defacement, google.ps has looked like google since 2009 according to archive.org: http://web.archive.org/web/20090812080241/http://www.google....

Right, but someone just changed the domain to point to a new IP address. So no one hacked Google's server.

Exactly. Instead of showing up Google, these hackers (assuming they are indeed Palestinians) have just shown up their own domain registry.

Yes, using Google's DNS servers takes you to the authenticated Google search page.

Fair warning, that link goes to the compromised site.

There was no fair warning: the title doesn't make it clear whether the event is over.

Oh man, imagine the heart attack the engineer who first got this ticket must have had before he realized it was just a DNS hijacking.

Google's incident response team deals with far bigger issues on a daily basis. This is hardly more than a few kids playing around.

Care to elaborate?

Nice try, Mark Zuckerberg

The page also tries to load a mp3 file using Real Player. Sounds bad... Is that some known exploit?

Real Player is so rare these days, so at least it wouldn't be my first choice if you only wanted to play a song.

The mp3 is "Hard", by Rihanna. Doesn't seem to have any exploits attempted (it plays fine in mplayer, with no funny business).

Probably just Kids. Nothing very sophisticated. Shame that pretty much all of the basic internet infrastructure is so utterly broken.

I love how it says "From Palestine: We are the Best of the Rest"

Best of the Rest? Well, that's not saying much, is it?

They must have some awesome ANSI art.

"Listen to rihanna and be cool :P"

Out of six DNS servers which are authoritative for the .ps zone, only one gives out wrong NS records for google.ps. Is it pure luck that this answer got cached at Google Public DNS, or was it possibly done by some obscure trick?

EDIT: Ok, on second thought it seems that the compromised server is just the closest to Google. All that is left is to wonder whether the Palestinian guys targeted that server because of it :)
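The observation above (six authoritative servers, one handing out a different delegation, and a resolver that happened to cache that one) is exactly the kind of thing a defender can check mechanically: ask every authoritative server of the parent zone for the NS records of the domain and flag any answer that disagrees with the rest, along with any unusually long TTL, which a commenter elsewhere in the thread notes would keep a bad delegation cached after the registry is fixed. The following is an added example, not code from the commenter or from Google; it uses only the Python standard library. The rogue nameserver names are the ones reported in the thread, while the six .ps server names, the legitimate NS set and the TTLs are constructed sample data.

```python
"""Cross-check a domain's NS delegation across the parent zone's
authoritative servers and report the ones that diverge.

Added example for this thread, not the commenter's code.  The .ps
server names, the legitimate NS set and the TTLs below are constructed;
omar/hamza.genious.net are the rogue nameservers reported in the thread."""

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class NsAnswer:
    server: str            # authoritative server of the parent zone that was asked
    nameservers: frozenset # NS names it returned for the queried domain
    ttl: int               # TTL it put on those NS records


# Constructed sample mirroring the comment: five servers agree, one does
# not, and the odd one out also hands out a much longer TTL.
LEGIT = frozenset({"ns1.google.com.", "ns2.google.com."})   # assumed legitimate set
ROGUE = frozenset({"omar.genious.net.", "hamza.genious.net."})

SAMPLE = [
    NsAnswer("ps-auth-1.example.", LEGIT, 86400),   # hypothetical server names
    NsAnswer("ps-auth-2.example.", LEGIT, 86400),
    NsAnswer("ps-auth-3.example.", ROGUE, 604800),
    NsAnswer("ps-auth-4.example.", LEGIT, 86400),
    NsAnswer("ps-auth-5.example.", LEGIT, 86400),
    NsAnswer("ps-auth-6.example.", LEGIT, 86400),
]


def parse_dig_ns(server, dig_output):
    """Build an NsAnswer from the output of `dig +norecurse NS <domain> @<server>`.
    NS lines look like:  google.ps.  86400  IN  NS  ns1.google.com."""
    names, ttls = set(), set()
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "NS":
            ttls.add(int(parts[1]))
            names.add(parts[4].lower())
    return NsAnswer(server, frozenset(names), max(ttls) if ttls else 0)


def majority_delegation(answers):
    """NS set returned by the largest number of servers.  This is the
    reference point, so it assumes the attacker controls a minority."""
    counts = Counter(a.nameservers for a in answers)
    return counts.most_common(1)[0][0]


def divergent_servers(answers, max_ttl=86400):
    """Return [(server, [reason, ...])] for every server whose answer
    differs from the majority or whose TTL exceeds max_ttl seconds."""
    expected = majority_delegation(answers)
    findings = []
    for a in answers:
        reasons = []
        if a.nameservers != expected:
            reasons.append(f"NS set differs from majority: {sorted(a.nameservers - expected)}")
        if a.ttl > max_ttl:
            reasons.append(f"TTL {a.ttl}s exceeds {max_ttl}s")
        if reasons:
            findings.append((a.server, reasons))
    return findings


if __name__ == "__main__":
    for server, reasons in divergent_servers(SAMPLE):
        print(server, "->", "; ".join(reasons))
```

To run this against live data, feed `parse_dig_ns` the output of `dig +norecurse NS <domain> @<server>` for each server listed in the parent zone's own NS records. One divergent server is still a problem even when the majority is correct: a resolver that happens to pick that server, as Google Public DNS apparently did here, caches the bad answer for as long as its TTL allows.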

Using HTTPS Everywhere gave me a warning on visiting https://google.ps; Chrome blocked the URL, giving a warning about HSTS/certificate pinning.

With the Google bar in the screenshot being in French and the name servers on a Moroccan hosting provider, I think it's clear where these script kiddies are from :)

P.S.: Not implying anything, just adding information. I've re-read my comment and it looks a bit wrong.

"Listen to Rihanna and be Cool"


Aren't we seeing a lot of DNS based attacks in the recent past? I remember .pk TLD was hacked not too long ago.

Considering that most of the big sites run local variants of their services using these TLDs is it fair to assume that one of these next ones could be of the phishing kind? What's the best thing to do - always use the .com hoping that it is safer?

This isn't a DNS issue, it's a SQL injection attack.

ICANN needs to mandate stronger requirements for best practices with web based management UIs. Unfortunately they have little in the way of real control over ccTLDs.

You'd be best served registering ccTLDs and redirecting them to your gTLD of choice (say, .com) and not trying to serve localized content from them.

ICANN is not in a position to mandate such requirements for ccTLDs as they are not empowered to. ccTLD governance differs from gTLDs in that each country code is managed and overseen locally within the country. This is why there is such a diversity in ccTLD policies. For better or worse this model of subsidiarity is what we have today.

Which is why I said

> Unfortunately they have little in the way of real control over ccTLDs.

Hopefully NTIA can empower ICANN (as the IANA operator) to better exercise security requirements against ccTLDs. Ultimately NTIA can pull the ccTLD from the root, which is a stick we could use to increase the overall security of the internet, but I would prefer we find a carrot.

How do you know what kind of attack vector was used?

Semantics. If it was an SQL injection attack, it was an SQL injection attack that caused a DNS issue. No one cares about a specific SQL injection vulnerability, what matters is that a domain stopped being secure. Nothing bad happened here, but they could have made the fake page look like Google and collected a bunch of logins.
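The claim in this subthread is that a registry's web management UI was compromised through SQL injection and that the result was rewritten NS records. The shape of that bug is the same everywhere a nameserver-update form splices user input into a query, so here is an added example, not code from any registry or from the commenters, of a registrar-style NS update handler in its string-built form next to a parameterized form with hostname validation in front of it. The table layout, the three domains and the handler names are constructed for the illustration.

```python
"""Nameserver-update handler for a delegation table: the string-built
query a registry web UI must not use, beside a parameterized one with
input validation.  Added example; table, domains and names are constructed."""

import re
import sqlite3

# RFC 1123 label syntax: letters, digits and hyphens, 1-63 chars per label,
# no leading/trailing hyphen; at least two labels; optional trailing dot.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}\.?$", re.IGNORECASE)


def is_hostname(value):
    """True only for syntactically valid hostnames (quotes, spaces and
    SQL punctuation can never pass this)."""
    return len(value) <= 253 and HOSTNAME_RE.match(value) is not None


def make_db():
    """In-memory delegation table with three constructed .ps domains."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE delegation (domain TEXT PRIMARY KEY, ns1 TEXT, ns2 TEXT)")
    conn.executemany(
        "INSERT INTO delegation VALUES (?, ?, ?)",
        [
            ("alpha.ps", "ns1.alpha.example.", "ns2.alpha.example."),
            ("beta.ps", "ns1.beta.example.", "ns2.beta.example."),
            ("gamma.ps", "ns1.gamma.example.", "ns2.gamma.example."),
        ],
    )
    conn.commit()
    return conn


def update_ns_vulnerable(conn, domain, ns1, ns2):
    """The pattern to avoid: form fields are spliced into the SQL text, so a
    quote in any field changes the statement itself, including which rows
    the WHERE clause selects.  Returns the number of rows changed."""
    cur = conn.execute(
        f"UPDATE delegation SET ns1='{ns1}', ns2='{ns2}' WHERE domain='{domain}'"
    )
    conn.commit()
    return cur.rowcount


def update_ns_safe(conn, domain, ns1, ns2):
    """Hardened form: every field must be a hostname, and the values are
    bound as parameters so the database only ever sees them as data."""
    for value in (domain, ns1, ns2):
        if not is_hostname(value):
            raise ValueError(f"not a valid hostname: {value!r}")
    cur = conn.execute(
        "UPDATE delegation SET ns1=?, ns2=? WHERE domain=?", (ns1, ns2, domain)
    )
    conn.commit()
    return cur.rowcount


def delegations(conn):
    """Current delegation table as {domain: (ns1, ns2)}."""
    rows = conn.execute("SELECT domain, ns1, ns2 FROM delegation ORDER BY domain")
    return {domain: (ns1, ns2) for domain, ns1, ns2 in rows}


if __name__ == "__main__":
    # A domain field carrying a quote and an OR clause: the string-built
    # handler rewrites every row, the safe handler rejects the input.
    crafted = "alpha.ps' OR '1'='1"
    print("vulnerable rows changed:", update_ns_vulnerable(make_db(), crafted, "a.example.", "b.example."))
    try:
        update_ns_safe(make_db(), crafted, "a.example.", "b.example.")
    except ValueError as exc:
        print("safe handler rejected:", exc)
```

Parameter binding alone would already stop the rewritten WHERE clause (the crafted string would simply match no domain), and the hostname check in front of it is defense in depth: it rejects anything that could not be a nameserver before the database is involved, and it is the same check the thread's "stronger requirements for web based management UIs" would have to spell out.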

I cannot confirm this from all locations. google.ps sometimes resolves to a legitimate Google and other times to the Moroccan server. Does anyone have an idea how that could be possible?

DNS caching.

Switched to my phone's LTE - it said "This Account Has Been Suspended"

Refreshed the site on my computer connected to wi-fi - it now appears to return the correct Google site.

What? Where?


why? I think the post is very relevant

relevant to? google maps being more sensitive & accurate? DNS hijacking and bigger companies protecting their trademarks better? I dunno.

Google having their DNS hijacked seems significant.

> DNS hijacking

You don't see how that might be relevant to this site?

wtf is this bullshit!

This is hilarious

Good job, butthurt nationalist losers ;-).

And if this were done by jews being oppressed somewhere, your reaction would be the same?

Not that you'll take this advice, but I'd really recommend spending a little time thinking about what if you were born with a different last name.

Would you be a butthurt loser then, by dint of that last name?

I'm congratulating them; hence the winking smiley-face. What the hell?

This is an online prank. Have you actually decided to treat it as a serious political protest?

Congratulating someone by calling them "butthurt" and "losers" doesn't work. Your post is rather offending and your last name does indeed spoil your stance in the Israeli-Palestinian conflict but nevertheless your comment is inappropriate and was uncalled for.

Hey kids, check this out! http://www.reddit.com/r/worldnews/

Heil Netanyahu!

Somehow, you two seem ... a bit out of place.
