Safe and S3CUR3
The content on this website is strictly the property of Insight and the Students’ Gymkhana IIT Bombay. If you wish to reproduce any content herein, please contact us:
Chief Editors: Mihir Kulkarni, Niranjan Thakurdesai
Mail to: insight[at]iitb.ac.in
This image was making the rounds on social media yesterday, after people noticed this message while trying to access the main website, www.iitb.ac.in, from outside the institute. Even though the website was being redirected to a hacker’s page, neither the website nor our internal services were hacked; only the internet traffic for the domain was being redirected to the hacker’s page. Simply put, the DNS record for the www.iitb.ac.in domain was changed.
Because of the inherent “lag” in the way DNS works (resolvers keep serving a cached answer until it expires), the website still pointed to the correct server for the majority of people accessing it from India, as the changed DNS record had not yet propagated everywhere.
“The nature of the attack seemed to be more for attention-seeking / mischief mongering. A lot more damage would have been possible, had they not made the invasion public in such an obvious manner,” said Shantanu Thakoor, the Manager of The Web and Coding Club.
What Exactly Happened?
The DNS entry for iitb.ac.in was changed at ERNET, the domain name registrar (the organization that manages the record determining which IP address iitb.ac.in points to) for IITB’s domain. So, requests to www.iitb.ac.in were instead being routed to the hacker’s server. What supports this argument is the fact that when one went to the IIT-B IP address directly, the site worked fine.
Simply put, there are only two ways this could have been pulled off: compromise the email account in charge of IITB’s account at ERNET, or break ERNET’s own security. The latter seems the more likely scenario.
Education and Research Network (ERNET) India is an autonomous scientific society under the administrative control of the Department of Information Technology of the Government of India. ERNET India’s work is not limited to providing connectivity; it also meets the needs of academic and research institutions like IITB by providing consulting, project management, training and other value-added services such as web hosting, email services and domain registration. “How the so-called ‘hackers’ got access and what level of access they got is something only ERNET can tell after an investigation. It is possible that they found a general loophole in the website which, until now, they have only exploited for IITB,” says Abhijit Tomar. “Hence, until the cause of the attack is established and resolved, we should assume that the attackers possess the ability to repeat it anytime.”
“A registrar is the official record-keeper of DNS; breaking into that is a hijack at the highest level, and can be persistent,” said Pritam Baral. While other attacks previously faced by websites like YouTube involved the attacker changing the DNS entry at a particular node, such as an ISP, this attack involved changing the DNS entry at the TLD (top-level domain) nameserver, in essence becoming the “real” iitb.ac.in.
ERNET (the registrar for all *.ac.in domains) has a terribly insecure system. After only a few minutes of investigation, Pritam Baral was able to find several security issues on ERNET’s website. For instance, they appear to store passwords in plaintext and to send them in plaintext by email when asked. The password is also not designed to be changeable.
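The split view described above, where caches still return the legitimate address while the authoritative answer has already changed, is also what a defender can monitor for. The following is an added example, not code from Insight, IITB or ERNET; the baseline, the resolver labels and the addresses are constructed, and in practice OBSERVED would be filled from live queries against each resolver.

```python
from collections import defaultdict

# Constructed baseline: what the registrar and zone should be publishing for
# the domain under watch. Addresses and host names are placeholders (RFC 5737
# documentation ranges), not IIT Bombay's real records.
EXPECTED = {
    ("www.iitb.ac.in", "A"): {"203.0.113.10"},
    ("iitb.ac.in", "NS"): {"ns1.registrar.example", "ns2.registrar.example"},
    ("iitb.ac.in", "MX"): {"mail.iitb.example"},
}

# Constructed snapshot from several vantage points during a registrar-level
# change: caches whose TTL has not expired still return the legitimate data,
# while the authoritative server and a public resolver that re-fetched already
# hand out the attacker-controlled address (198.51.100.7 stands in for it).
LEGIT = EXPECTED
HIJACKED = {**LEGIT, ("www.iitb.ac.in", "A"): {"198.51.100.7"}}
OBSERVED = {
    "authoritative": HIJACKED,
    "public-resolver": HIJACKED,
    "campus-cache": LEGIT,
    "isp-cache": LEGIT,
}


def diff_against_baseline(expected, observed):
    """Return {resolver: {(name, rtype): unexpected rdata}} for every answer
    that contains data the baseline does not allow (an empty answer is not
    flagged). Vantage points still serving cached legitimate data produce
    nothing, which is the split view DNS propagation lag creates in a hijack."""
    findings = {}
    for resolver, answers in observed.items():
        for key, want in expected.items():
            extra = answers.get(key, set()) - want
            if extra:
                findings.setdefault(resolver, {})[key] = extra
    return findings


def divergence_ratio(findings, observed):
    """Fraction of vantage points reporting unexpected data, per record.
    Non-empty findings with a ratio below 1.0 mean the change is still
    propagating: the remaining caches will flip as their TTLs expire, so act
    on the first divergence instead of waiting for every resolver to agree."""
    counts = defaultdict(int)
    for per_record in findings.values():
        for key in per_record:
            counts[key] += 1
    return {key: n / len(observed) for key, n in counts.items()}
```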
How does this concern you?
Since www.iitb.ac.in was compromised, all your emails (those you were supposed to have received in the timeframe of the hack) should be assumed to have been read by the hackers. This also means that they could use the email IDs to reset something as significant as your Facebook password. Anything related to iitb.ac.in cannot be considered secure until legitimate records are restored (which could take several days), even though at the time of writing this article the DNS record has been updated to point to the correct IITB server. Also, until the cause of this lapse has been satisfactorily outlined and resolved, the same precautions should be continued.
Therefore, students are advised to remove the @iitb.ac.in email ID from their Facebook profiles, their GitHub profiles, and anywhere else their IIT Bombay email ID is used as a recovery option; otherwise they risk losing access to those accounts. Changing LDAP passwords is also recommended for people who have given their LDAP credentials to external services, like Gmail (for accessing GPO).