Breaking Analysis: PKNIC’s Weaknesses Exposed in Pakistan Cyber Attack

Google, Apple, eBay and Yahoo were among almost 300 sites affected by a hack attack in Pakistan. The attack focused on highly critical vulnerabilities at PKNIC. SiliconANGLE Contributing Editor John Casaretto compared PKNIC to GoDaddy.com; it is the organization that manages the country’s domains, in this case .pk web domains. Casaretto described the weaknesses involved as fairly common ones, typically well-exploited and also well-addressed in terms of vulnerabilities, such as SQL injection, cross-site scripting, sensitive directory disclosure, and permissions. He said, “What they have done is exposed a very weak security perspective here at this top level domain, and in doing so, were able to attack . . . all these high-profile websites.”

The affected sites were defaced and re-directed visitors to a page featuring a picture of two penguins walking across a bridge with the slogan “Pakistan Downed”. Casaretto speculated on the hackers’ motives, saying that the hackers basically made a statement that PKNIC is not doing a good job of security.

Technology blog ProPakistani said it had received an email from the hackers explaining how they carried out their attack.  Casaretto attributed this to typical hacker behavior. He said hackers sometimes like to reveal how they did what they did, and some hackers feel as though they’re doing a service to the community by exposing some ineptitude.

In another hacking story, two members of the Goatse Security group, also known as GoatSec, have received a guilty verdict in the 2010 AT&T “hacking” case, which involved the collection of about 120,000 email addresses of iPad owners. The men were charged with conspiracy to access a computer without authorization and fraud in connection with personal information. Casaretto gave some additional history on the case: “Both charges were brought under the Computer Fraud and Abuse Act of 1986, also known as CFAA.” This act pre-dates the internet as we know it today, so a grey area remains in this case as to whether or not this was a true act of hacking. Casaretto noted, “It was a public weakness, but it wasn’t really a hack where they intruded into a computer.” Casaretto discussed his view of what a “real hack” is and said that AT&T should have had another level of authentication in place to prevent this type of act. See the whole segment with Kristin Feledy and John Casaretto on the Morning NewsDesk Show.