Asia-Pacific internet registry APNIC says WHOIS admin passwords were mistakenly exposed for three months


Internet org downplays threat to integrity of domain name registry


APNIC, the internet address registry for the Asia-Pacific region, has revealed that a “configuration error” meant hashed administrator passwords were publicly accessible for three months.

The oversight publicly exposed a dump file of APNIC’s WHOIS SQL database. According to APNIC, the dump contained hashes of the passwords used to authenticate changes to database objects, “corporate contact details”, and the password hashes and contact details belonging to Incident Response Team (IRT) objects.

Remedial actions

In a security alert posted on June 18, APNIC (short for ‘Asia-Pacific Network Information Centre’) said the issue arose when its staff copied the database “to a Google Cloud storage ‘bucket’ that was believed to be private”.

The member-based non-profit said it rectified the configuration error and removed the dump file after being alerted to the issue by an independent security researcher on June 4.
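The root cause here was a bucket that staff “believed to be private”. The following Python is an added example, not code from APNIC or The Daily Swig, showing the check a practitioner would run before trusting that belief: it inspects a Google Cloud Storage bucket IAM policy (the JSON shape returned by `gcloud storage buckets get-iam-policy` or `gsutil iam get`) and, for buckets without uniform bucket-level access, an object ACL (the shape returned by `gsutil acl get`), and flags any grant to `allUsers` or `allAuthenticatedUsers`. The bucket name, principals and etag in the embedded sample are constructed for the example.

```python
import json

# Constructed sample of a bucket IAM policy, in the JSON layout that
# `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` (or
# `gsutil iam get gs://BUCKET`) prints. Project, users and etag are made up.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.legacyBucketOwner",
         "members": ["projectOwner:example-project"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers", "user:alice@example.net"]},
    ],
    "etag": "CAE=",
})

# A policy that grants nothing to the public principals (also constructed).
PRIVATE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["user:alice@example.net"]},
    ],
    "etag": "CAE=",
})

# Constructed per-object ACL in the layout printed by `gsutil acl get gs://BUCKET/OBJECT`.
# Only relevant when uniform bucket-level access is off and legacy ACLs still apply.
SAMPLE_OBJECT_ACL = json.dumps([
    {"entity": "project-owners-123456", "role": "OWNER"},
    {"entity": "allUsers", "role": "READER"},
])

# "allUsers" is the whole internet; "allAuthenticatedUsers" is anyone with any
# Google account, which is not the same thing as "people in my organisation".
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def public_bindings(policy_json):
    """Return (member, role) pairs in a bucket IAM policy that grant a public principal any role."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((member, binding["role"]))
    return findings


def public_acl_entries(acl_json):
    """Return (entity, role) pairs in a legacy object/bucket ACL that grant a public principal access."""
    return [(e["entity"], e["role"])
            for e in json.loads(acl_json)
            if e.get("entity") in PUBLIC_PRINCIPALS]


def is_private(policy_json, acl_json="[]"):
    """True only if neither the IAM policy nor the legacy ACL exposes the data publicly."""
    return not public_bindings(policy_json) and not public_acl_entries(acl_json)


if __name__ == "__main__":
    for member, role in public_bindings(SAMPLE_POLICY):
        print(f"IAM: {member} has {role}")
    for entity, role in public_acl_entries(SAMPLE_OBJECT_ACL):
        print(f"ACL: {entity} has {role}")
    print("private:", is_private(SAMPLE_POLICY, SAMPLE_OBJECT_ACL))
```

Two things worth checking beyond this script: a bucket whose IAM policy is clean can still serve objects publicly through legacy ACLs unless uniform bucket-level access is enabled, and an organisation policy constraint (`storage.publicAccessPrevention`) stops the mistake at the project or folder level rather than relying on someone remembering to look.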


It added that it had just completed a four-day process of resetting all maintainer and IRT passwords, some of which were done manually to “minimise disruption to their network operations”.

No suspicious activity

APNIC conceded the “possibility that passwords can be derived from the hash by a malicious actor” and WHOIS data potentially “corrupted or falsified for misuse”.
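The reason a leaked hash matters is that a password-derived hash can be attacked offline at the attacker’s leisure, so the scoping question after such a leak is which objects in the dump actually carried one. The following Python is an added example, not APNIC’s code or tooling: it parses a WHOIS dump in RPSL text form (objects separated by blank lines, `attribute: value` lines, continuation lines starting with whitespace or `+`) and lists every mntner and irt object whose `auth:` attributes hold a password-derived value. The scheme names `MD5-PW` and `CRYPT-PW` are the standard RPSL password schemes; the article does not state which scheme APNIC’s hashes used, so treating those two as the ones needing a reset is an assumption, and the object names, handles, addresses and hash strings in the embedded sample are constructed (the hashes are not real hashes of anything).

```python
# Constructed RPSL fragment in the layout of a WHOIS database dump. All names,
# handles, e-mail addresses and hash strings are made up for this example.
SAMPLE_DUMP = """\
mntner:         MAINT-EXAMPLE-AP
descr:          Example Networks maintainer
upd-to:         noc@example.net
auth:           MD5-PW $1$saltsalt$abcdefghijklmnopqrstuv
auth:           PGPKEY-1234ABCD
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC

mntner:         MAINT-KEYONLY-AP
descr:          Key-only maintainer
upd-to:         hostmaster@example.org
auth:           PGPKEY-89EFCDAB
mnt-by:         MAINT-KEYONLY-AP
source:         APNIC

irt:            IRT-EXAMPLE-AP
address:        Example Networks, Level 1
+               1 Example Street
e-mail:         abuse@example.net
abuse-mailbox:  abuse@example.net
auth:           MD5-PW $1$tlas$zyxwvutsrqponmlkjihgfe
mnt-by:         MAINT-EXAMPLE-AP
source:         APNIC

person:         Jane Example
nic-hdl:        JE1-AP
e-mail:         jane@example.net
source:         APNIC
"""

# auth: schemes whose value is derived from a password and can be guessed offline.
# (Assumption for this example; PGPKEY-* and similar key-based schemes are not.)
PASSWORD_SCHEMES = {"MD5-PW", "CRYPT-PW"}


def parse_rpsl(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs.

    Objects are separated by blank lines. A line beginning with whitespace or '+'
    continues the previous attribute's value.
    """
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:
            attr, val = current[-1]
            current[-1] = (attr, val + " " + line.lstrip(" \t+"))
            continue
        attr, _, val = line.partition(":")
        current.append((attr.strip(), val.strip()))
    if current:
        objects.append(current)
    return objects


def exposed_credentials(text):
    """Map 'kind:NAME' of every mntner/irt object that carries a password-derived
    auth: value to the list of (scheme, hash) pairs found in it.

    Objects authenticated only by key-based schemes are not listed; they do not
    need a password reset, though their contact details were still exposed.
    """
    findings = {}
    for obj in parse_rpsl(text):
        kind, name = obj[0]  # the first attribute of an RPSL object is its class
        if kind not in ("mntner", "irt"):
            continue
        hashes = []
        for attr, val in obj:
            if attr != "auth":
                continue
            scheme, _, rest = val.partition(" ")
            if scheme.upper() in PASSWORD_SCHEMES:
                # strip any trailing "# comment" (e.g. "# Filtered") from the value
                hashes.append((scheme.upper(), rest.split("#")[0].strip()))
        if hashes:
            findings[f"{kind}:{name}"] = hashes
    return findings


if __name__ == "__main__":
    for obj, hashes in exposed_credentials(SAMPLE_DUMP).items():
        print(obj, "->", ", ".join(f"{s} {h}" for s, h in hashes))
```

The output of this triage is the reset list APNIC describes assembling: objects authenticated only by a key appear nowhere in it, while every object with a password scheme does, regardless of whether the public WHOIS service would have shown the hash.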

The organization added: “It is not known if the data was accessed, as complete log files are not available, however initial investigations reveal no sign of suspicious update activity.”

APNIC also downplayed the threat to the integrity of its WHOIS database, a publicly searchable resource that records which organization holds a given IP address block or AS number, the contact and abuse details for that holder, and the maintainer objects that control who may change those records.

“Any public misrepresentation of registry contents on WHOIS would not result in a permanent transfer of IP resources, as these functions are protected by MyAPNIC access mechanisms, and authoritative registry data is held internally by APNIC,” said the organization.

There were also “private WHOIS objects that are not visible on APNIC’s regular public WHOIS service”, whose contents “predominantly consists of corporate contact details”.


This data dates from before October 2017. Until then, creating a new private object in the WHOIS database also caused a duplicate copy of that private object to be written to the audit logs.

This data “is still being assessed to determine if any further remedial action should be taken” said APNIC.

APNIC resource holders have been advised not to reuse their previous password, and to change the credentials of any other account on which the same password was in use.

MyAPNIC passwords, added the organization, are unaffected and do not need to be changed.

APNIC said it is continuing to monitor for evidence of suspicious activity and will implement the recommendations from an ongoing post-incident review “as a priority in the coming weeks”.

As well as maintaining the Asia-Pacific WHOIS database, the Brisbane, Australia-based organization distributes and manages IP addresses and AS numbers in 56 Asia-Pacific economies, holds annual conferences focused on internet policy development, and provides internet maintenance training through the APNIC Academy.

The Daily Swig has sent additional questions to APNIC. We will update the article if and when we hear back.
