If you own a domain that ends in .pk, chances are you already know about PKNIC. However, if you haven’t heard of it before, here it is in black and white. PKNIC (Pakistan Network Information Center) administers all .pk domains, i.e. the country-code top-level domain (ccTLD) for Pakistan. PKNIC is a US-based company with an office in Lahore, formed in 1992. One of the founders – as well as owner and CEO – of the company is Ashar Nisar. He is considered to be among the pioneers of the Pakistani IT industry.
The services provided by PKNIC include:
• Management of the operations of .pk root server DNS as well as registration and maintenance of all .pk domains;
• Managing the SRS Program for PKNIC registry partners;
• Disseminating, archiving and managing public records about Internet domain addresses.
Pakistan’s case is unique with respect to ccTLDs because ccTLDs are normally owned by government regulatory authorities, whereas .pk is administered by a private company.
Not having a local root server can cause many problems, ranging from slow registration to more serious issues such as the vulnerability created when an ISP or similar entity decides to give us a hard time by disrupting the resolution of .pk hosts. However, this issue has finally been resolved: the PTA (Pakistan Telecommunication Authority) has managed to convince PKNIC to deploy a mirror root server in Pakistan, and it is operating as we speak.
PKNIC’s Security Dilemma
Given the enormous power that rests with PKNIC, one would expect its operations to be fully secured as well. However, PKNIC seems to have a serious problem with information security. Many members of the IT community in Pakistan have raised concerns about various security problems, and there have been two major security breaches involving PKNIC in the recent past.
In November 2012, a Turkish hacker known as ‘eBoz’ redirected hundreds of .pk domains away from their legitimate servers to a destination under the hacker’s control. These domains included major company sites such as google.com.pk, msn.com.pk, ebay.pk and chrome.pk, along with many other global brands.
Many website visitors and owners saw the message shown below when they tried to access their sites:
In the case of google.com.pk, even after the problem was resolved, the domain’s nameserver records still pointed to the hacker’s destination, as seen below.
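The stale delegation described above is the kind of thing a domain owner can catch by routinely comparing the NS records the public DNS actually returns for their domain against the nameservers they delegated to. The following added example (not code from the article or from PKNIC) parses dig-style NS answer lines and reports both unexpected and missing nameservers; the answer lines, domain and nameserver names are all constructed for the example, and a real monitor would feed it the output of a live query instead.

```python
import re

# Constructed sample in the shape of a dig ANSWER SECTION for a .pk domain.
# The domain and every nameserver name here are made up for this example.
SAMPLE_ANSWER = """\
example.com.pk.\t3600\tIN\tNS\tns1.legit-dns.example.
example.com.pk.\t3600\tIN\tNS\tns2.legit-dns.example.
example.com.pk.\t3600\tIN\tNS\tns.unknown-host.invalid.
"""

# Nameservers the owner actually delegated the domain to (assumed for this example).
EXPECTED_NS = {"ns1.legit-dns.example.", "ns2.legit-dns.example."}

# owner  TTL  class  type  target  (whitespace-separated, as dig prints it)
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")


def parse_ns_records(answer_text):
    """Return the set of nameserver names found in dig-style NS answer lines."""
    servers = set()
    for line in answer_text.splitlines():
        match = NS_LINE.match(line.strip())
        if match:
            # DNS names are case-insensitive, so normalise before comparing.
            servers.add(match.group(3).lower())
    return servers


def check_delegation(answer_text, expected):
    """Compare observed NS records with the expected delegation.

    Returns (unexpected, missing): nameservers present that the owner never
    delegated to, and delegated nameservers that have disappeared.  Either
    list being non-empty is worth an alert, since a hijack can add a rogue
    server, replace the legitimate ones, or leave a rogue entry behind after
    an incident has supposedly been cleaned up.
    """
    observed = parse_ns_records(answer_text)
    wanted = {name.lower() for name in expected}
    return sorted(observed - wanted), sorted(wanted - observed)


if __name__ == "__main__":
    unexpected, missing = check_delegation(SAMPLE_ANSWER, EXPECTED_NS)
    print("unexpected nameservers:", unexpected)
    print("missing nameservers:", missing)
```

Running the check on the constructed sample flags the one rogue entry while confirming both legitimate servers are still present; in practice the check belongs in a scheduled job that queries several independent resolvers, since the registry-side change that caused the incident above would be visible to everyone, not just to the owner’s own resolver.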
A Pakistani hacker group whose members included Khanisgr8, Net_Spy, Xpired, Sho0ter and N3t.Crack3r claimed that the servers managing .pk domains were vulnerable to several threats, including:
• Boolean-based blind SQL injection (a flaw through which an attacker can extract the entire database behind a website)
• Cross site scripting
• Sensitive directory disclosure
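The first item in that list is worth spelling out, because the fix is simple and the consequence of getting it wrong is exactly what the group claimed. A boolean-based blind SQL injection exists when user input is spliced into the text of a query and the application’s response differs depending on whether the resulting query returns rows; each request then answers one yes/no question about the data. The following added example (not code from the article or from PKNIC) builds a constructed in-memory account table, shows the defective string-concatenation pattern beside its parameterised replacement, and includes a small regression check a defender can run to confirm that a lookup no longer leaks that one bit. Table name, column names and stored values are all made up for the example.

```python
import re
import sqlite3


def make_registry_db():
    """Constructed in-memory table standing in for a registry's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("admin", "hunter2"), ("alice", "correct-horse")],
    )
    return conn


def account_exists_vulnerable(conn, username):
    """Defective pattern: the caller's string becomes part of the SQL text.

    Anything after a quote character in `username` is executed as SQL rather
    than compared as data, so the true/false result can be steered by the
    input.  Kept here only as the 'before' side of the comparison.
    """
    sql = f"SELECT 1 FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def account_exists_parameterized(conn, username):
    """Primary fix: bind the value, so the driver never treats it as SQL."""
    row = conn.execute(
        "SELECT 1 FROM accounts WHERE username = ?", (username,)
    ).fetchone()
    return row is not None


# Second, independent layer: an explicit allowlist of what a username may look
# like (hostname-style labels here, an assumption for the example).  This is
# the "filter out everything unknown" idea; it is not a substitute for binding.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


def account_exists_hardened(conn, username):
    """Allowlist the input, then query with a bound parameter."""
    if not USERNAME_RE.match(username):
        return False
    return account_exists_parameterized(conn, username)


def leaks_one_bit(conn, lookup):
    """Regression check: does `lookup` answer a question about stored data?

    Two inputs are identical except for a condition on a column the caller
    should never be able to see.  If the lookup returns different answers for
    them, the condition was evaluated as SQL and the function is injectable.
    A hardened lookup returns the same answer (False) for both.
    """
    probe_true = "admin' AND substr(secret, 1, 1) = 'h' --"
    probe_false = "admin' AND substr(secret, 1, 1) = 'x' --"
    return lookup(conn, probe_true) != lookup(conn, probe_false)


if __name__ == "__main__":
    db = make_registry_db()
    for name, fn in [
        ("vulnerable", account_exists_vulnerable),
        ("parameterized", account_exists_parameterized),
        ("hardened", account_exists_hardened),
    ]:
        print(f"{name:14s} leaks data via boolean injection: {leaks_one_bit(db, fn)}")
```

The regression check is the part to keep: run it against every lookup that takes external input, in the test suite, so that a later rewrite of the query layer (the kind of upgrade PKNIC described) cannot silently reintroduce the concatenation pattern. Note that the parameterised version alone already passes; the allowlist is defence in depth, and it also rejects the probe before any query runs.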
Now, the question on everybody’s mind was ‘why did this happen?’
According to PKNIC, it was performing an upgrade when a security hole somehow opened, and the hacker took advantage of it; however, PKNIC disputes the number of websites claimed to have been hacked.
“However, it inadvertently left open a vulnerability, under certain obscure conditions and contexts, that was used in the recent attack.
As a result, in addition to a thorough investigation of our entire site and systems, we reverted to the simpler, more robust model of filtering out everything unknown, instead of continuing to use the new system that had been tailored to the latest threats using more complicated algorithms,” said Ashar Nisar.
The dust of this first incident hadn’t even settled when another attack was successfully launched in February 2013. In this incident, once again, several websites, including that of Jang and some other newspapers, were compromised.
This time it was the work of hackers named ZombiE_KsA, Dr Freak, Z3r0Byt3 and Xploiter. They posted a message on PAKbugs boasting of their feat.
“Here we go again, pknic.net.pk you think you control .pk domains? … You don’t! Today, we are controlling .pk domains,” they said in a message left on the defaced pages. “After you patched your [faulty] system, we still owned you.”
In addition to these two well-known incidents, there have been earlier problems as well. Pakistani IT expert Haris Shamsi shared his experience from 2009 on cloud.pk:
“This morning when I logged in to my account I was shocked to see a domain named ‘eurocentra.com.pk’ in my domains list. I have never opted for registration of this domain, nor have I ever used this bogus information to register any domain with PKNIC.”
You can see what happened in the screenshot below:
It is quite apparent that PKNIC needs to take much better care of its assets and should reevaluate and upgrade its security measures.