As reported by Aardvark shortly after mid-day yesterday, NZ's monopoly registry
was hit by a security problem that saw nearly 60 megabytes of transactional data
free for browsing by anyone who was able to work out the way to do it.
Aardvark reported the problem around 12:55 pm on Wednesday and an alert was
posted to the nz.org.isocnz newsgroup and mailing list.
Domainz posted a bulletin stating that "the issue was fixed just as soon as
we found out about it."
The bulletin went on to proudly state:
"Domainz, the New Zealand domain name Registry has acted promptly to correct
a bug in the system which allowed outsiders access to view historical information"
"Mr O'Brien says as soon as Domainz became aware of the security breach immediate
action was taken and the problem was corrected within 30 minutes."
"We certainly regret any unauthorised disclosure of information and moved
swiftly to identify and correct the problem."
"Mr O'Brien says the issue was taken very seriously and was pleased that a
solution to the breach was implemented so quickly."
Unfortunately -- Mr O'Brien was wrong, and a slight variation of the same
vulnerability was reported to Aardvark by an alert reader, Mark Petrie, later
that afternoon -- after the Domainz statement was issued.
Petrie described how what appeared to be the entire 58 megabytes of Domainz'
Registry transaction database could be downloaded through almost the same
simple URL. Aardvark later learned from another source that at least one other
unrelated party also discovered the vulnerability and exploited it to
download the entire transaction list before the problem was finally fixed.
Aardvark spoke with Mr O'Brien on Wednesday evening when details of how the
bug still existed were passed on to him for action.
O'Brien says that the site had been audited by a third party prior to
commissioning and that the audit included a security check. Aardvark is
not overly concerned that such a simple bug could slip through such a
difficult task as a security audit. Aardvark, ISOCNZ, and the industry
should, however, be very concerned that any security hole should be subject
to what was obviously an unsuccessful "patch-up job" and then signed
off as fixed so casually.
In order to try and fix the bug for good, Domainz was forced to take the
system down for a period while the Advantage Group worked to do the job
again -- albeit properly this time.
This new "bug" has again raised questions as to exactly who must bear responsibility
for the enormous number of bugs and problems that have been associated with the
revamped Domainz system.
Perhaps ongoing uncertainties as to the security of the system are the reason
that the site still lacks one of the most critical aspects of any such system --
the ability to tender payment online using a credit card.
Despite Domainz' claims that things are coming along nicely, Aardvark continues
to receive numerous complaints from people in the industry who have cited a
list of outstanding problems that remain unaddressed and continue to cause
inefficiencies and frustration. They claim that Domainz are aware of the problems
but have yet to act to correct them.
As always, your feedback is welcomed.