Why won't Web.com confirm or deny that its Register.com subsidiary has been breached?
See Also: Secure Access in a Hybrid IT World
Register.com, which says it manages more than 2 million domain names and has hundreds of thousands of customers for its domain registration, website design and hosting services, has yet to respond directly to a March 18 Financial Times report that the FBI has been probing a year-old breach at the company. The intrusion apparently did not result in the theft of customer data or service disruptions, the newspaper reports, adding that neither customers nor investors have been informed about the incident.
It sounds like the sort of statement you receive from the intelligence services - not an Internet company.
The newspaper report only cites unidentified "people familiar with the probe" as the source of information about the investigation. The FBI didn't immediately respond to a request for comment on the Financial Times report.
Web.com also declined to comment on any specific breach. But spokesman John Herbkersman offered a carefully worded statement: "While we cannot comment on specific security events or threat actors, as you are aware, information security risks have generally increased in recent years, in part because of the proliferation of new technologies and more widespread use of the Internet, and the increased sophistication and activities of organized crime, hackers, terrorists, activists, and other external parties, some of which may be linked to hostile foreign governments. We are not aware of the loss of any customer data resulting from an attack on any Web.com system."
Alan Woodward, a visiting professor at the Department of Computing at England's University of Surrey, as well as a cybersecurity adviser to Europol, tells me it's "a bit of a puzzler" why Web.com won't confirm or deny the alleged breach or related probe at Register.com. "It sounds like the sort of statement you receive from the intelligence services - not an Internet company," he says. "And, the fact that they stress that they are not aware of any customer data being breached suggests that perhaps this was, if it happened, an attack on the infrastructure, i.e. DNS rerouting, etc., and not a 'simple' data breach."
Based on the Financial Times report, "it seems that Register.com has contacted the FBI but not their users - not an obvious thing to do unless perhaps they are actually unsure if they have been attacked," Woodward says.
One worry with a registrar being hacked is that attackers might change sites' DNS settings to redirect traffic through a server that they control, and then on to the legitimate server. Such a man-in-the-middle attack could give the attackers the ability to monitor everyone who visits the website, eavesdrop on all related communications and intercept all emails sent to or from addresses that are registered to those domains.
Annual Report: Cybersecurity Updates
Web.com likewise wouldn't confirm or deny to the Financial Times whether the FBI was investigating an intrusion at the firm. But the newspaper does note that Web.com's 2014 annual report to the U.S. Securities and Exchange Commission, released Feb. 27, 2015, expands the references to cybersecurity to a 660-word section about its potential to "be adversely affected by information security breaches or cyber security attacks." While the SEC has urged public companies to disclose any information security events of a "material" nature, it's mostly left the definition of "material" up to the businesses it regulates, meaning they're under little obligation to disclose breaches. Under most states' laws, furthermore, businesses must only disclose a breach if it affects a certain number of state residents.
The 2014 Web.com annual report includes the disclaimer about the threat from "organized crime, hackers, terrorists" and other bad actors. "Although we have insurance in place that covers such incidents, the cost of a breach or cyber attack could well exceed any such insurance coverage," the annual report adds.
Web.com, which acquired Register.com in 2010, has a number of Web services subsidiaries, including Network Solutions, which is the world's third-largest domain registrar.
As I've reported before, Network Solutions, like many other registrars, has been at the receiving end of various types of attacks, including distributed denial-of-service attacks. The Guardian also documented in 2013 how the registrar was tricked by domain name system redirection attacks, in which the company apparently honored fake password-reset requests, allowing attackers to take control of site and deface them.
China Suspected, Again?
The Financial Times report also claims the FBI is probing a potential connection between the alleged Register.com hack and the Chinese military.
But multiple information security experts, including Woodward, have repeatedly cautioned against taking such reports at face value, noting that attribution is incredibly difficult. Also, unnamed sources cited in many news reports may have unknown political or marketing agendas. Of course, such agendas may have more to do with the suggested perpetrator, than the potential victim.