IEDR Issue Statement About Security Incident

IEDR issued a statement yesterday in relation to the hijacking of google.ie and yahoo.ie

The statement (IEDR_Statement_F_issued_9_November_2012) which is included below admits that their site was compromised and that the registrar was not to blame.

IEDR has concluded an investigation by the company and external security consultants of an unauthorised intrusion into the company’s systems which was discovered on 9 October 2012. A criminal investigation by the Garda Bureau of Fraud Investigation is continuing.
IEDR’s investigations have confirmed that during the 25 day period prior to 6 October 2012 the public-facing web server of the IEDR was subjected to repeated attempts at unauthorised access from external sources. On 6 October 2012 the attempts were successful through the exploitation of vulnerability in IEDR’s configuration of the web application “Joomla!” (a popular and widely-used open source web content management system) which was exploited to allow the uploading of web scripts using the PHP language. These PHP scripts were then used to access a backend database and this database access subsequently provided access to the IEDR control panel and permitted unauthorised modifications to an account with the Domain Name Server (DNS)Note1 details which resolves domain names such as “Google.ie” and “Yahoo.ie”.
IEDR’s investigations have concluded that, whilst the result of the attack has been severe in terms of allowing access to change name server records, it should be noted that the scope of the attack was limited to this single public web server, and that no personal financial information was accessed.
The IEDR confirms that it has implemented all of the recommendations of the external security advisers. As a precautionary move, IEDR has also reset the passwords of every contact, account and service, both internal and external, across its systems. The impact of this security measure is to invalidate any credentials which may potentially have been compromised.
The IEDR investigation also confirmed that neither the Registrar of the affected domains nor its systems had any responsibility for this incident.
The IEDR technical team was assisted in its investigation and analysis of this incident by several external firms, namely Cernam, BCC Risk Advisory and the Digital Forensics Team from one of the ‘Big Four’ accounting firms. Cernam is a specialist digital investigations firm with a focus on online evidence and digital forensic investigations. Owen O’Connor, managing director of Cernam, has assisted IEDR in assessing the root cause of the incident and co-ordinating other aspects of the investigation. Cernam’s experience in investigating incidents of this type brought a forensic rigour to the investigation and to the collection, preservation and analysis of the digital evidence. BCC Risk Advisory is a specialist Internet, network and management security services company. Eoin Keary, CTO of BCC Risk Advisory, provided software security assistance including penetration testing services prior to the resumption of IEDR services. The accounting firms’s Digital Forensics Team is a unit of its Fraud Investigation and Dispute Services division. A team from its London office assisted IEDR in confirming and detailing the scope of the breach, identifying which systems were impacted and determining what information was accessed.
Separately, IEDR has made a criminal complaint regarding this incident to an Garda Síochána. The Garda Bureau of Fraud Investigation (GBFI) is conducting an investigation into this external attack on the .ie namespace. That investigation commenced on Wednesday 10 October and is continuing at this time.
The IEDR regrets the incident and assures consumers and registrants that the security of the .ie nameserver network and the services infrastructure is of paramount importance. IEDR thanks its Registrars in particular for their patience and forbearance. The IEDR also regrets the inconvenience which some customers would have experienced during the service interruption but notes that taking systems off-line as a precaution was the first and most important of a series of security measures taken in response to this incident. In restoring service, IEDR has built new servers, reviewed and enhanced application controls and tested each application prior to service restoration.
IEDR is refining its Security Plan for 2013 which will include a Domain Lock service for customers’ valuable .ie domains. The IEDR has recently appointed a new Technical Services Manager who will immediately place an increased emphasis on security policies, processes and procedures. The steps the IEDR has taken, together with its actions in 2013, will enhance the safety, security and resilience of the .ie domain.

Related articles

• IEDR admits blame for hack that brought down Google and Yahoo (domainincite.com)
• IEDR Claim Website Will Be Restored Tomorrow (internetnews.me)
• IEDR Take Website Offline Following High Profile Domain Hijacks (internetnews.me)
• IEDR Lose Google.ie? (internetnews.me)
• Google and Yahoo Irish search domains hijacked (zdnet.com)
• IEDR seeks gardaí help to investigate attack on .ie namespace (siliconrepublic.com)