Last week, ABC program The Business aired an exclusive report on the Distribute.IT cyber security incident which forced the once-thriving company out of business and significantly impacted their large customer base.
For the first time since the crisis in June 2011, Carl and Alex Woerndle – the owners of the web-hosting and domain name registration company – spoke openly with the ABC about what happened during the incident and the impact it had on their business and customers.
One thing is clear from the raw and emotional interviews with Carl and Alex: cyber crime can have a devastating impact.
What we also learnt was that we as an industry need to be more accountable and better address the needs of .au domain name registrants and Australian website owners.
Today marks the opening of the CeBIT Australia conference in Sydney, the largest technology conference in the country. In recognition of the growing problem of cyber crime, the conference will for the first time host a whole day and stream dedicated to cyber security. According to CeBIT, the total global cost of cyber crime was estimated to be $110 billion in 2012.
In light of the discussions at CeBIT today, it is my firm belief that a better understanding of incidents such as Distribute.IT and sharing the lessons we learnt will help the entire industry better manage cyber security threats.
The Distribute.IT incident
As the appointed Registry operator for the .au namespace second-level domains, we were deeply concerned when we received the call in June 2011 to inform us that a .au Registrar had suffered a security breach.
We learnt that after infiltrating Distribute.IT’s security systems, the unidentified hacker targeted the company’s servers and inflicted significant damage and loss of data, to the point where customers’ websites were unrecoverable and Distribute.IT was unable to salvage its operations.
Within a matter of hours, losses from the incident were estimated to be tens of millions of dollars, according to the ABC.
While the hacker who attacked Distribute.IT only targeted the company, we were unaware at the time of the extent of the attack and whether .au domain names were at risk.
As such, we worked closely with Distribute.IT and the .au Domain Administration (auDA) to immediately disable their Registry connections to isolate domain name records from the Distribute.IT affected systems.
We also immediately reset all domain name passwords, assessed our server logs to determine any bulk fraudulent activity and liaised with Distribute.IT to assist with re-establishing Registry connections.
While no consolation to those affected, it was comforting to note that no .au domain names were hijacked during this incident.
What we learnt
Needless to say, the Distribute.IT cyber security incident demonstrated the devastating impact of hacking and cyber crime.
While the hosting of websites is outside of our jurisdiction, attacks on our clients (.au Registrars) and their customers (.au domain name registrants) hurt the entire industry and we felt compelled to address the issue.
There were many .au domain name registrants who were angry that such an incident occurred and we are the first to acknowledge that .au domain registrants are right to demand more of the entire industry.
Despite the blurred boundaries between domain name registration and hosting, there was a need for someone to step up and take accountability.
In response to this need for accountability, auDA and AusRegistry spent the past couple of years consulting the entire industry to gather feedback and recommendations on how we can better address security incidents such as the Distribute.IT case. Specifically, we focused on how improved security from .au domain registrations can be transferred across to hosting services too.
An end result of these consultations was the development of a world-first Registrar Information Security Standard (ISS).
Managed by auDA and expected to launch later this year, the .au Registrar ISS is a set of mandatory protocols which will help .au Registrars manage and improve the security of their businesses, as well as protect the stability and integrity of the .au namespace. The mandatory protocols in the ISS will ensure accredited .au Registrars have numerous levels of redundancy in place and adhere to industry best practice security measures to defend against attacks.
The theory behind the ISS is that these shared best practices across the industry will act as a rising tide to lift all boats – from .au domain registration right through to hosting services. In fact, Alex Woerndle from Distribute.IT contributed to the industry working group that helped to develop the ISS, offering valuable insights into its design from his experiences.
I recently spoke with Carl Woerndle and was pleased to receive the following feedback about the ISS:
“It’s good to see that auDA and AusRegistry have been able to use the malicious attack on our company to instigate industry-wide improvements such as the Registrar Information Security Standard. This will add considerable safeguards across the industry,” said Mr Woerndle.
On top of the Registrar ISS, we’ve also seen the development and introduction of a number of other initiatives to improve industry-wide security. These include:
- A new Registrar authentication process.
- Increased security protocols for .au Registry web interfaces.
- Registrar contingency planning improved with lessons learned from the incident (an auDA/AusRegistry joint initiative).
- The imminent launch of a new .au domain name security product developed to enhance Registrar and Registrant security. The new product is named .auLOCKDOWN, and it locks domain names at the Registry level.
- New policies formulated by auDA that identify reseller portfolios and facilitate bulk transfers for both Registrars and Resellers. This policy will be introduced soon.
While it is unfortunate that it took the misfortune of a security incident like Distribute.IT to see these improvements ushered in, it is comforting to know that the entire industry has learned from these mistakes and is now better for it.