Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Saturday, January 16, 2010

Baidu Taken Down by DNS Hack

From: http://www.bluecoat.com/blog/baidu-taken-down-dns-hack

So Baidu got hacked yesterday. That is very big news. For China, that's like saying "Google got hacked." It's the leading search engine there, and one I've spent time using during work on our Chinese module for DRTR.

The initial report I saw pointed not to an attack on Baidu's servers, but on the DNS entries that let the websurfers of the world get to the correct site. In other words, if you can change the "official" DNS entry for a site, you change its Internet address. Just like that, you've tricked the entire Internet into thinking that the location for baidu.com is now on a server somewhere else, and that's where everyone will go. (The huge potential payoff for a phisherman or other Bad Guy who can pull off a DNS hack is why the "Kaminsky bug" was such a huge deal in the security press back in 2008.)

However, my initial guess (and it's only a guess, since I've seen few real details in any of the sites I checked) is that one of the engineers who has access to baidu.com's domain name registration account unknowingly used a malware-infected computer to access the registrar, and thereby had his password stolen. (Alternatively, someone could have "social engineered" their way past the domain registrar's safeguards -- i.e., do some fast talking and convince them that you're Baidu's official rep and you need to change some settings -- but I consider that a lot less likely.)

One of my "key stories" for 2009 was Gumblar (and other malware families) specifically targeting website passwords: either FTP credentials, in order to gain access to the files that make up a site, or the domain registrar account name and password, in order to do a DNS-redirection attack like this one. In either case, a Bad Guy with your account name and password is essentially you, at least as far as your web infrastructure is concerned, and can simply walk in the front door and make whatever changes he wants.

So, if you're in a corporate IT position that involves responsibility for your Web domain and/or site, this would be a good time to review the processes you follow when you make registration changes (rarely) or site changes (every day). Do you use any old computer, at home or work? Or do you make a conscious effort to only log in from a maximum-security (maybe even a dedicated?) computer? At minimum, you should be sure that the computer(s) you use for these tasks are fully patched, and protected by both antivirus and web filtering.

I'll be curious to see if any additional details emerge about how the hack was pulled off.
