Friday, December 18, 2009

DNS hijack - high level explanation

A bunch of servers exist throughout the internet which map friendly human readable names (, to IP addresses. These are DNS servers (Domain Name System servers) -- phonebook for the internet. When you type in "" to see his latest transgression admission, along the way DNS is queried and you are directed to the mapping to that IP address which presents the html and images of Tiger's statement.

A DNS hijack... is when the evil doers redirect the mapping, to a mapping of their own choosing. E.g. instead of pointing to twitter's actual IP address, they point it to the IP of their own website where they can display whatever they want. (hey, maybe Tiger never admitted anything, and it is an ongoing DNS hijack?)

Once they have accomplished the hard part of hijacking DNS... it's very easy to create a landing page that looks identical in every way to the real site, but is in fact run by someone else. Look, Virginia, it even has the same URL. Looks legit, but is not. When people try to log in, the criminals setting up these sites can simply grab and store the username and password of the person attempting to login (phishing) for malicious uses.

So when/how can you be sure? HTTPS and SSL certificates can ensure that the site you are attempting to reach is the actual site. The site has been "notarized" in effect by an SSL cert, and while the evil doers can fake the look of a site and in some cases can even hijack the domain name (as they did with Twitter), they can't fake an SSL cert** -- it is bound to the domain name itself. (Not all sites use https and ssl certs)



** can't fake an SSL cert... unless the cert was encrypted using an MD5 hash, and the hacker had access to one or more PlayStation3's. ;)

No comments: