If you cover information security, it doesn't take long until you hear "it's always DNS". What that refers to is one of the foundation technologies of the Internet, namely the Domain Name System.
In simple terms, the global DNS is what directs users' web browsers to one or more Internet Protocol (IP) addresses when they type in or click on "interest.co.nz/technology" and other links.
It's crucial to get that translation right, but it's also easy to make mistakes when configuring DNS servers as anyone who has set them up will testify to. Forgot a full stop (.) or put one in the wrong place? Do that, and something completely unexpected can happen.
Which brings us to what payments giant MasterCard did. What happened is a little convoluted but it shows Security researcher Philippe Caturegli at Boston-based company Seralys had a look at MasterCard's DNS records, and saw this:
Without going into too much DNS detail, one of the responses from the MasterCard server he queried via the public Internet looked a bit off. MasterCard uses a content delivery network called Akamai, which is why the responses have *.akam.net domain names.
Just as .nz is the country-code top-level domain for Aotearoa, .ne is the one for Niger in Africa.
And that is most likely not how MasterCard intended to configure its DNS, as it risks redirecting traffic to completely the wrong part of the Internet. It's obviously a typo, but it appears MasterCard didn't notice for four and a half years, Caturegli said.
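A check that would catch this kind of typo on the defender's side, as an added example that is not from the article or from MasterCard: it flags any name server whose parent domain is a near-miss of the one used by most of the set. The host names in SAMPLE_NS are constructed, the function names are hypothetical, and taking the last two labels as the parent domain is a simplifying assumption.

```python
from collections import Counter

def parent_domain(host):
    """Last two labels of a host name (assumption: no multi-label public suffix)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance using one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def suspicious_nameservers(ns_hosts, max_distance=2):
    """Return NS targets whose parent domain nearly matches the dominant one."""
    parents = [parent_domain(h) for h in ns_hosts]
    expected, _ = Counter(parents).most_common(1)[0]
    findings = []
    for host, parent in zip(ns_hosts, parents):
        if parent == expected:
            continue
        distance = edit_distance(parent, expected)
        # A clearly different provider is a design choice; a near-miss is a likely typo.
        if distance <= max_distance:
            findings.append((host, parent, expected, distance))
    return findings

# Constructed sample: five NS targets for a zone, one ending in .ne instead of .net.
SAMPLE_NS = [
    "ns1-example.akam.net.",
    "ns2-example.akam.net.",
    "ns3-example.akam.ne.",
    "ns4-example.akam.net.",
    "ns5-example.akam.net.",
]

if __name__ == "__main__":
    for host, parent, expected, distance in suspicious_nameservers(SAMPLE_NS):
        print(f"{host}: {parent!r} is {distance} edit(s) from expected {expected!r}")
```

Run against the NS set a zone actually publishes, a finding here is worth a manual look before anyone else registers the mistyped domain.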
Caturegli posted details on the DNS typo on LinkedIn and said he handled the disclosure of what can only be described as a major security hole responsibly. Meanwhile, well-known infosec journalist Brian Krebs wrote about the DNS typo, and observed that "Ivan I." from Moscow had registered the akam.ne domain between 2016 and 2018, running a server on it that was located in Germany.
There's some debate online around how serious the typo was, and if MasterCard's response was appropriate (no bug bounty was given by the payments giant to Caturegli for instance).
But yes: it's always DNS.