Why are top university websites serving porn? It comes down to shoddy housekeeping.

Finding hijacked subdomains is straightforward. People need only enter site:[university].edu “xxx” or site:[university].edu “porn” for an affected institution, and scores of results will appear. In some cases, the subdomains returned no longer lead to porn sites, but as of Friday morning, many still did.

Just checked my alma mater, and apparently I went to school with a bunch of nerds who neither engaged in debauchery nor neglected their DNS records.

But I suppose I knew that already.
 
Upvote
57 (57 / 0)

UserIDAlreadyInUse

Ars Tribunus Angusticlavius
7,647
Subscriptor
Reading the 'B' headline, I figured this was that the universities determined that about 90% of its traffic consisted of porn downloads by the student body and decided to cut out the middleman and cache it all locally to take the load off the network infrastructure.
 
Upvote
36 (38 / -2)

Waco

Ars Tribunus Militum
2,241
Subscriptor
Reading the headline, I figured this was that the universities determined that about 90% of its traffic consisted of porn downloads by the student body and decided to cut out the middleman and cache it all locally to take the load off the network infrastructure.
While it wasn't porn - back in college we had a server that was a collection of everything except porn (it was our one rule). Games, movies, tv show, etc.

The university noticed that 99% of the bandwidth in the building was used by that one port in one dorm room.

...they gave us a 10G uplink to the core switch. The number of complaints directed at the university ISP inversely correlated with the rise in use of that server so they hooked us up. :p

It's also how I got into doing resilient and performant HPC storage as my day job...so it was a huge win.
 
Upvote
86 (87 / -1)

TheShark

Ars Praefectus
3,114
Subscriptor
I had to read the original article to understand what's actually going on here. This particular attack doesn't actually have anything to do with 'subdomains' as you might understand them and little to do with DNS. It's more like:

  1. University outsources a web site to some provider like WP or something and creates a DNS record for a .edu host pointing to the outsourced web hosting provider IP address
  2. Time passes, university gets bored, and the contract with the outsourced web hosting provider lapses but the CNAME still exists.
  3. Hacking group comes along, opens a new account with the web hosting provider and claims to be responsible for hosting the CNAME. Hacking group is now able to host web content of their choosing which is accessible via a 'trusted' .edu DNS entry.
Obviously at step 2, the university should have deleted the CNAME / A record. And obviously at step 3 the web hosting provider should not be letting customers claim arbitrary hostnames. But neither lapse feels especially surprising.
 
Upvote
101 (104 / -3)

Promathion

Seniorius Lurkius
16
Subscriptor++
If I understand this attack properly, it's not that the attacker can go on a dns registrar and somehow register a subdomain for a root they don't control. Rather, if they see a dangling cname, like foo.columbia.edu=>192.168.3.5, then they just need to somehow put up a machine at that ip address to "hijack" the subdomain. Is that right? I'd be curious how an attacker goes about getting a specific ip address if that is what they're doing
 
Upvote
31 (33 / -2)

edanaher

Seniorius Lurkius
45
Subscriptor++
I feel bad that most of my (few) posts seem to be complaining about articles, but particularly security-focused ones seem to be getting especially non-technical lately.

When they commission a subdomain such as provost.washu.edu, they create a CNAME record, which assigns a URL to the IP address hosting the subdomain.

No. A CNAME involves neither a URL or an IP. A CNAME says that a domain should resolve to the same IP address as another domain; it's a symlink on Linux or shortcut on Windows. It says "make causal.stat.berkeley.edu resolve to the same thing as "casualcausal.github.io" (the current value as of when I'm posting this). In other words, when a browser looks up causal.stat.berkeley.edu, it sees the CNAME, looks up casualcausal.github.io, and uses that result.

That gives a 404 on the direct URL, but goes to ESPN when visited on the Berkeley domain; I'm not quite sure how that's set up, but I know github does have some custom-domain configuration available.

When they commission a subdomain such as provost.washu.edu, they create a CNAME record, which assigns a URL to the IP address hosting the subdomain. When the subdomain is eventually decommissioned—something that happens frequently for various reasons—the record is never removed. Scammers like Hazy Hawk then swoop in by registering the expired domain name at the base of the old URL.

I have no idea what "The expired domain name at the base of the old URL means", but I assume that's a particularly twisted way to say "the target of the CNAME"; in the example above, that would be casualcausal.github.io.

So the actual workflow is:
  • Researcher sets up a page somewhere like "samsresearch.github.io".
  • University sets up "samsresearch.samsdepartment.university.edu", with a CNAME pointing to samsresearch.github.io. So now, if you visit the university subdomain, it resolves to whatever the github domain resolves to.
  • The researcher gives up the github domain (honestly, not sure how this happens on github, but it's plausible. And with a custom domain, those expire unless you renew them, and are then up for grabs).
  • An attacker notices a CNAME to an available domain, and swoops in to the domain. Now they can update samsresearch.github.io to point at whatever IP they want, and the university domain will follow it.

Hopefully this helps explain what's actually happening in terms that are accurate and more explanatory than this article.
 
Upvote
124 (125 / -1)
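
The two explanations above (TheShark's three steps and edanaher's GitHub Pages walkthrough) both come down to the same check: follow the CNAME chain from each of your own hostnames and see whether the far end still belongs to anyone. The script below is an added example, not code from the article or from any commenter. It runs entirely offline against a made-up record set (university.example, webhost.example, pages.example and the IPs in it are all constructed for illustration), with a dict standing in for the resolver, and classifies each chain the way a takeover audit would.

```python
"""Offline dangling-CNAME audit (added example, not code from the article
or from any commenter). The "DNS" below is a dict standing in for real
resolver answers; every zone, host and IP in it is made up for illustration.
"""

NXDOMAIN = None  # marker: no records of any type exist for the name

# Constructed records: owner name -> list of (type, value).
# A name absent from the dict answers NXDOMAIN, which is how a given-up
# pages host or a lapsed vendor domain looks from the outside.
RECORDS = {
    "www.university.example": [("A", "203.0.113.10")],
    "provost.university.example": [("CNAME", "provost-site.webhost.example")],
    "provost-site.webhost.example": [("A", "198.51.100.7")],
    "causal.stat.university.example": [("CNAME", "casualcausal.pages.example")],
    # casualcausal.pages.example is deliberately absent: the researcher gave
    # the pages host up, but the provider's own domain is still registered.
    "old-lab.university.example": [("CNAME", "lab.expired-vendor.example")],
    # expired-vendor.example is absent entirely: the vendor's domain lapsed.
    "loop.university.example": [("CNAME", "loop2.university.example")],
    "loop2.university.example": [("CNAME", "loop.university.example")],
}

# Apex domains known to be registered (stand-in for an RDAP/WHOIS check).
REGISTERED_APEX = {"university.example", "webhost.example", "pages.example"}


def lookup(name):
    """Toy resolver: records for `name`, or NXDOMAIN if it does not exist."""
    return RECORDS.get(name.lower().rstrip("."), NXDOMAIN)


def apex_of(name):
    """Registrable domain of `name`. Assumption for the toy: the last two
    labels. A real audit must consult the Public Suffix List, because
    names like user.github.io or site.co.uk do not fit that rule."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def audit(name, max_hops=8):
    """Follow the CNAME chain from `name` and classify where it ends.

    Statuses:
      ok                    chain ends at a name that has non-CNAME records
      dangling-nxdomain     target name is gone but its apex is registered;
                            claimable if that provider hands out names freely
      dangling-unregistered target's whole apex is gone; anyone can register it
      loop / too-many-hops  misconfiguration, also worth cleaning up
    """
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        rrs = lookup(current)
        if rrs is NXDOMAIN:
            if apex_of(current) not in REGISTERED_APEX:
                return {"status": "dangling-unregistered", "chain": chain}
            return {"status": "dangling-nxdomain", "chain": chain}
        cnames = [value for rtype, value in rrs if rtype == "CNAME"]
        if not cnames:
            return {"status": "ok", "chain": chain}
        target = cnames[0]
        chain.append(target)
        if target in seen:
            return {"status": "loop", "chain": chain}
        seen.add(target)
        current = target
    return {"status": "too-many-hops", "chain": chain}


def audit_zone(suffix=".university.example"):
    """Inventory every CNAME under `suffix` and report its status: the
    'running inventory' the article asks for, minus the human follow-up."""
    return {
        name: audit(name)["status"]
        for name, rrs in RECORDS.items()
        if name.endswith(suffix) and any(rtype == "CNAME" for rtype, _ in rrs)
    }


if __name__ == "__main__":
    for host, status in sorted(audit_zone().items()):
        hops = " -> ".join(audit(host)["chain"][1:])
        print(f"{status:22} {host} -> {hops}")
```

One caveat a DNS-only audit cannot get around: TheShark's scenario, where the CNAME target still resolves to the hosting provider's IP but the account behind it has lapsed, comes back as "ok" here, because nothing in DNS changed. Catching that case means fetching the site over HTTP and matching the provider's "no such site" response, which is what takeover scanners do with their per-provider fingerprint lists. Note too that "dangling-nxdomain" only means the name is gone; whether an attacker can actually claim it at that provider depends on whether the provider verifies ownership of custom hostnames, which is the step-3 lapse TheShark describes.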

TheShark

Ars Praefectus
3,114
Subscriptor
If I understand this attack properly, it's not that the attacker can go on a dns registrar and somehow register a subdomain for a root they don't control. Rather, if they see a dangling cname, like foo.columbia.edu=>192.168.3.5, then they just need to somehow put up a machine at that ip address to "hijack" the subdomain. Is that right? I'd be curious how an attacker goes about getting a specific ip address if that is what they're doing
It relies on the IP address being a web hosting provider that the attacker can get an account at and say "hey, I'm hosting content for foo.columbia.edu which is totally legit as you can tell because I already set up DNS pointing at you!"
 
Upvote
5 (8 / -3)
a researcher found recently.

I don’t mean to be an ass but what do you mean found recently? Your link to Infoblox has a whole bunch of articles from early last year stating they were targeting universities with the likes of Berkeley specifically called out.

https://www.infoblox.com/threat-intel/threat-actors/hazy-hawk/

https://www.bleepingcomputer.com/ne...its-dns-misconfigs-to-hijack-trusted-domains/

What should be news is that it’s been a year and they haven’t done anything about it.
 
Upvote
21 (22 / -1)

Drkrieger

Smack-Fu Master, in training
68
Does anyone else feel like this type of attack comes from lack of funding/staffing in IT departments?
I feel that this was an inevitability with all the anti-DEI and staff reduction initiatives at soooooo many businesses; you cannot effectively maintain an IT infrastructure if you keep cutting staff and moving services to the cloud.

Eventually, something is going to fall through the cracks...
 
Upvote
5 (9 / -4)
While it wasn't porn - back in college we had a server that was a collection of everything except porn (it was our one rule). Games, movies, tv show, etc.

The university noticed that 99% of the bandwidth in the building was used by that one port in one dorm room.

...they gave us a 10G uplink to the core switch. The number of complaints directed at the university ISP inversely correlated with the rise in use of that server so they hooked us up. :p

It's also how I got into doing resilient and performant HPC storage as my day job...so it was a huge win.
Does the term "DC++" ring any bells?
 
Upvote
8 (9 / -1)
Finding hijacked subdomains is straightforward. People need only enter site:[university].edu “xxx” or site:[university].edu “porn” for an affected institution, and scores of results will appear.
The more insidious way to exploit this would be to replicate the actual university's website style and formatting, but host misinformation. It would be virtually undetectable unless it goes viral.
 
Upvote
9 (9 / 0)

BrianB_NY

Ars Scholae Palatinae
623
This is a funny way for me to learn that Wash U is no longer wustl.edu

Don't feel bad, my alma mater "graduated" to a newer .edu domain name as well.

I still remember in the early 1990's using the ftp site (didn't they also have a gopher server?) at ftp.wustl.edu
 
Upvote
8 (8 / 0)

crepuscularbrolly

Ars Tribunus Militum
1,778
Subscriptor++
Don't feel bad, my alma mater "graduated" to a newer .edu domain name as well.

I still remember in the early 1990's using the ftp site (didn't they also have a gopher server?) at ftp.wustl.edu
They probably had a gopher. IIRC, it was also on AFS. This was late 80s.
 
Upvote
1 (1 / 0)
When they commission a subdomain such as provost.washu.edu, they create a CNAME record, which assigns a URL to the IP address hosting the subdomain. When the subdomain is eventually decommissioned—something that happens frequently for various reasons—the record is never removed. Scammers like Hazy Hawk then swoop in by registering the expired domain name at the base of the old URL.

This explanation is totally off. There's no way someone can simply register a subdomain of another domain name like this. Subdomains only expire when the primary domain expires. Columbia.edu itself would have to expire first, and by then they've got bigger problems than a subdomain. Also, it's A records that point to IP addresses, not CNAMEs. A CNAME record maps a domain or subdomain like columbia.edu or provost.columbia.edu to another domain, making it an alias for that domain.
 
Upvote
37 (37 / 0)

PhaseShifter

Ars Tribunus Angusticlavius
8,034
Subscriptor++
This reminds me of a scandal from my undergrad days, when the university I transferred to had a hotline for prospective students and their parents to learn more about what the university had to offer.

The problem was, the hotline was formatted as 1-800-AAA-BBBB, but they sent out a pamphlet reversing two parts of the number to 1-800-BBB-BAAA.

Which, as it turned out, was a totally different kind of hotline, that you might have seen advertised on late-night cable TV.
 
Upvote
15 (15 / 0)

DCStone

Ars Tribunus Militum
2,799
I had to read the original article to understand what's actually going on here. This particular attack doesn't actually have anything to do with 'subdomains' as you might understand them and little to do with DNS. It's more like:

  1. University outsources a web site to some provider like WP or something and creates a DNS record for a .edu host pointing to the outsourced web hosting provider IP address
  2. Time passes, university gets bored, and the contract with the outsourced web hosting provider lapses but the CNAME still exists.
  3. Hacking group comes along, opens a new account with the web hosting provider and claims to be responsible for hosting the CNAME. Hacking group is now able to host web content of their choosing which is accessible via a 'trusted' .edu DNS entry.
Obviously at step 2, the university should have deleted the CNAME / A record. And obviously at step 3 the web hosting provider should not be letting customers claim arbitrary hostnames. But neither lapse feels especially surprising.
Thanks for the clear explanation. I was wondering how on earth the attack could be pulled off the way it was described in the article.
 
Upvote
24 (24 / 0)

DarthSlack

Ars Legatus Legionis
23,266
Subscriptor++
Does anyone else feel like this type of attack comes from lack of funding/staffing in IT departments?
I feel that this was an inevitability with all the anti-DEI and staff reduction initiatives at soooooo many businesses; you cannot effectively maintain an IT infrastructure if you keep cutting staff and moving services to the cloud.

Eventually, something is going to fall through the cracks...

I'm sure that contributes to the problem, but at universities, the number of domains and servers can get pretty wild. And even in a fully staffed department, it's rare that anyone is tasked with either tracking or cleaning up dead registry entries. To a large extent, universities are an IT nightmare because you have a whole host of people who know enough to set stuff up on their own, but don't know enough to tell someone when they pull the plug.
 
Upvote
18 (18 / 0)
This reminds me of a scandal from my undergrad days, when the university I transferred to had a hotline for prospective students and their parents to learn more about what the university had to offer.

The problem was, the hotline was formatted as 1-800-AAA-BBBB, but they sent out a pamphlet reversing two parts of the number to 1-800-BBB-BAAA.

Which, as it turned out, was a totally different kind of hotline, that you might have seen advertised on late-night cable TV.
Several years ago, Target made that mistake with the 800 number for their wedding registry. The sign up kits provided in the store had a sex line number instead of the wedding registry setup line.
 
Upvote
9 (9 / 0)
I had to read the original article to understand what's actually going on here. This particular attack doesn't actually have anything to do with 'subdomains' as you might understand them and little to do with DNS. It's more like:

  1. University outsources a web site to some provider like WP or something and creates a DNS record for a .edu host pointing to the outsourced web hosting provider IP address
  2. Time passes, university gets bored, and the contract with the outsourced web hosting provider lapses but the CNAME still exists.
  3. Hacking group comes along, opens a new account with the web hosting provider and claims to be responsible for hosting the CNAME. Hacking group is now able to host web content of their choosing which is accessible via a 'trusted' .edu DNS entry.
Obviously at step 2, the university should have deleted the CNAME / A record. And obviously at step 3 the web hosting provider should not be letting customers claim arbitrary hostnames. But neither lapse feels especially surprising.

Thanks! I didn't understand what was going on based off the article either.
 
Upvote
12 (12 / 0)

ocramc

Wise, Aged Ars Veteran
127
It's weird that the technical details of this are so far off in the article and we have to look to the comments for a correct description. Dan Goodin should really know better.

I really hate to have to pull the AI card for everything nowadays, but it's hard not to nurse the suspicion.
AI would give a better explanation. There are sources about how Hazy Hawk works all over the web which I’m sure the companies have hoovered up to regurgitate
 
Upvote
-2 (3 / -5)
Back in the '90s, in my first year at university it was still common to have personal home pages in a "public_html" under your home directory accessible through <university>.<tld>/~<username>/

One classmate used his to host porn, to get affiliate income from a porn site.
Maybe I should have reported him, but I didn't ...
 
Upvote
12 (12 / 0)

markgo

Ars Praefectus
3,859
Subscriptor++
I had to read the original article to understand what's actually going on here. This particular attack doesn't actually have anything to do with 'subdomains' as you might understand them and little to do with DNS. It's more like:

  1. University outsources a web site to some provider like WP or something and creates a DNS record for a .edu host pointing to the outsourced web hosting provider IP address
  2. Time passes, university gets bored, and the contract with the outsourced web hosting provider lapses but the CNAME still exists.
  3. Hacking group comes along, opens a new account with the web hosting provider and claims to be responsible for hosting the CNAME. Hacking group is now able to host web content of their choosing which is accessible via a 'trusted' .edu DNS entry.
Obviously at step 2, the university should have deleted the CNAME / A record. And obviously at step 3 the web hosting provider should not be letting customers claim arbitrary hostnames. But neither lapse feels especially surprising.
Thank you. My eyebrows rose at the claim that registrars were allowing scammers to register “base” domain names.

I assure you, no one gets to register “columbia.edu”.

This entire “attack” is simply grabbing whatever the CNAME was pointing to. Domain Registrars weren’t involved.

Other than country extensions and a couple of special purpose domains like .name, domain registrars only register top-level domains (TLDs), like Columbia.edu. What happens below that is solely DNS config.

As far as “not letting” computers use hostnames belonging to other domains, there’s literally no way to stop them. A host can call itself anything it wants. It’s up to DNS to say whether anything gets routed to it.

And if you have a host named foobar at provider.com, there’s no way of telling that there’s a CNAME out there pointing to foobar.provider.com.

It’s a structural weakness.
 
Upvote
10 (12 / -2)

edanaher

Seniorius Lurkius
45
Subscriptor++
It's weird that the technical details of this are so far off in the article and we have to look to the comments for a correct description. Dan Goodin should really know better.

I really hate to have to pull the AI card for everything nowadays, but it's hard not to nurse the suspicion.
Honestly, I think current AIs would have been more accurate. This just feels like someone who doesn't know the underlying system trying to summarize an article without understanding it; the kind of thing I expect from non-tech media (and, increasingly, security articles here.)
 
Upvote
7 (8 / -1)

jhodge

Ars Tribunus Angusticlavius
8,715
Subscriptor++
So this: "Any organization with a website should compile a running inventory of all subdomains along with the purpose of each one and its corresponding CNAME record. Then staff should regularly audit the list..."

...presumes that org IT departments, especially university IT departments, have a lot more administrative capacity than they do. And good luck getting a researcher/professor/dean/etc. to respond to an email request that they certify that x.department.school.edu is or is not in use. No - you're probably going to need to email, then make a phone call, then find the right ~~servant~~ er, grad student tasked with that sort of technical trivia, assuming they haven't left the university years ago.
 
Upvote
10 (10 / 0)
I had to read the original article to understand what's actually going on here. This particular attack doesn't actually have anything to do with 'subdomains' as you might understand them and little to do with DNS. It's more like:

  1. University outsources a web site to some provider like WP or something and creates a DNS record for a .edu host pointing to the outsourced web hosting provider IP address
  2. Time passes, university gets bored, and the contract with the outsourced web hosting provider lapses but the CNAME still exists.
  3. Hacking group comes along, opens a new account with the web hosting provider and claims to be responsible for hosting the CNAME. Hacking group is now able to host web content of their choosing which is accessible via a 'trusted' .edu DNS entry.
Obviously at step 2, the university should have deleted the CNAME / A record. And obviously at step 3 the web hosting provider should not be letting customers claim arbitrary hostnames. But neither lapse feels especially surprising.
It's quite an old attack and has always been an issue with branded SaaS. I remember receiving a report for one of our own subdomains back in 2020. Some marketing campaign or something pointed to some random webhost and was forgotten about.

There's a related attack where the account expires at a DNS host but the NS records still point to the DNS host and someone can go setup a new account at the DNS hosting service and assume control of the domain.
 
Upvote
4 (4 / 0)
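
The NS variant mentioned in the post above is worth modelling separately, because the mechanism is delegation rather than aliasing: the parent zone still hands the whole subdomain to a hosted-DNS provider's nameservers, and the provider's server only answers for zones that some account has added. The script below is an added example, not code from the article or from any commenter. It runs offline against a made-up parent zone and provider state (university.example, dnshost.example, the account names and the IPs are all constructed), shows what a resolver sees before and after an attacker claims the orphaned zone, and includes the audit that finds the lame delegation.

```python
"""Offline model of the dangling-NS variant (added example, not code from
the article or any commenter). A parent zone delegates subdomains to a
hosted-DNS provider; the provider's server answers only for zones some
account has added. All names, accounts and addresses are constructed.
"""

# Constructed parent zone for university.example: name -> {type: [values]}.
PARENT_ZONE = {
    "www.university.example": {"A": ["203.0.113.10"]},
    "cms.university.example": {"NS": ["ns1.dnshost.example"]},
    "lab.university.example": {"NS": ["ns1.dnshost.example"]},
}

# Constructed state of the hosted-DNS provider: server -> zone -> account data.
# cms.* is still paid for by university IT; lab.* was delegated once, but the
# account that held it expired and the provider deleted the zone.
HOSTED = {
    "ns1.dnshost.example": {
        "cms.university.example": {
            "owner": "university-it",
            "records": {"cms.university.example": {"A": ["198.51.100.20"]}},
        },
    },
}


def find_delegation(name):
    """Walk up the labels of `name` until a delegated zone in the parent
    zone is found. Returns (zone, nameservers) or (None, None)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        ns = PARENT_ZONE.get(candidate, {}).get("NS")
        if ns:
            return candidate, ns
    return None, None


def query(name, rtype):
    """Resolve the way a recursive resolver would: answer from the parent
    zone when the name is not delegated, otherwise ask the delegated server.
    Returns (rcode, answers)."""
    zone, servers = find_delegation(name)
    if zone is None:
        answers = PARENT_ZONE.get(name, {}).get(rtype)
        return ("NOERROR", answers) if answers else ("NXDOMAIN", None)
    for server in servers:
        hosted = HOSTED.get(server, {}).get(zone)
        if hosted is None:
            continue  # server is lame for this zone: it refuses the query
        answers = hosted["records"].get(name, {}).get(rtype)
        return ("NOERROR", answers) if answers else ("NXDOMAIN", None)
    return ("REFUSED", None)


def claim_zone(server, zone, owner, records):
    """What the attacker does: open an account at the provider and add the
    zone the parent still delegates there. The provider checks only that
    the zone name is free on its own platform, not who owns the parent."""
    zones = HOSTED.setdefault(server, {})
    if zone in zones:
        raise ValueError(f"{zone} is already claimed by {zones[zone]['owner']}")
    zones[zone] = {"owner": owner, "records": records}


def audit_delegations():
    """Find delegations in the parent zone whose nameservers no longer serve
    the zone. Those are the NS records to delete (or zones to re-claim)."""
    report = {}
    for name, rrs in PARENT_ZONE.items():
        if "NS" not in rrs:
            continue
        lame = [s for s in rrs["NS"] if name not in HOSTED.get(s, {})]
        report[name] = "lame-delegation-claimable" if lame else "ok"
    return report


if __name__ == "__main__":
    print("audit :", audit_delegations())
    print("before:", query("lab.university.example", "A"))
    claim_zone("ns1.dnshost.example", "lab.university.example", "attacker",
               {"lab.university.example": {"A": ["192.0.2.66"]}})
    print("after :", query("lab.university.example", "A"))
    print("audit :", audit_delegations())
```

The detection window is narrow: before the claim, the delegated server answers REFUSED for the zone and the audit flags it; after the claim, the same query returns the attacker's address and the audit reports the delegation as healthy, since from the outside a zone served by someone else looks exactly like one served by you. That is why the check has to be paired with the inventory of which zones your own provider accounts actually hold, not just with what DNS answers.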

RealDev

Smack-Fu Master, in training
1
Who is shocked that this could happen in today's "anti-DEI, anti-Immigrant, & pro-free-speech" society?

Porn must be a lesser concern to our Conservative Over-Lords...

It's quite an old attack and has always been an issue with branded SaaS. I remember receiving a report for one of our own subdomains back in 2020. Some marketing campaign or something pointed to some random webhost and was forgotten about.

There's a related attack where the account expires at a DNS host but the NS records still point to the DNS host and someone can go setup a new account at the DNS hosting service and assume control of the domain.
I used to work for UCSF. Trust me when I say, a good percentage of their IT folks lack actual skills necessary/required to protect the organization from security holes and breaches. They would rather further their skills in office politics instead. They would rather have Drupal show offs than actual developers who can develop tools to mitigate break ins and exploits. The leadership is stupid therefore so are the employees. They deserve what they get.
 
Upvote
3 (3 / 0)

JanneM

Ars Scholae Palatinae
723
Subscriptor++
I'm sure that contributes to the problem, but at universities, the number of domains and servers can get pretty wild. And even in a fully staffed department, it's rare that anyone is tasked with either tracking or cleaning up dead registry entries. To a large extent, universities are an IT nightmare because you have a whole host of people who know enough to set stuff up on their own, but don't know enough to tell someone when they pull the plug.

Yep. A large factor is that researchers feel strongly that they should be independent and unregulated.

Which is a good thing when it comes to research. It's less good when it comes to information security and IT best practices.

They ask for a subdomain for something, where "something" is a project website hosted on AWS, or the remote web interface for a piece of equipment, or some hacked up online analysis tool, or a student project, or whatever.

Months or years later the postdoc in charge leaves, the thing slowly rots away, the group stops paying for the site. And they never inform IT the domain is no longer in use.

A large university has tens of thousands of researchers and students. It's really easy to see how a few unused subdomains may get lost in the cracks.
 
Upvote
12 (12 / 0)