OpenDNS Security Labs at BSides Las Vegas, Black Hat, and Defcon

trinityIt’s that time of year where security folks descend upon the desert of Las Vegas for what many call “Security Summer Camp” or, in some circles, “Hacker Summer Camp”. We, of course, mean the Holey Trinity (see what we did there?) of Security BSides Las Vegas, Black Hat, and Defcon.

Security Analysts Kevin Bottomley and Josh Pyorre will be attending BSides Las Vegas to see a number of great talks including one from OpenDNS Engineering’s Andrew Hess entitled Advancing Internet Security Research with Big Data and Graph Databases. In the talk, Hess will provide an overview of OpenDNS’s threat intelligence database system and focus on how it has influenced security research at OpenDNS. This is the system that we, the OpenDNS Security Labs team, relies on for both data ingestion from our resolvers and serves as the repository for our threat model results….hopefully he doesn’t give away too many secrets about how the cyber-sausage is made.

OpenDNS will also have a booth at the Mandalay Bay Resort and Casino for Black Hat USA 2015. Why not stop by booth 753 to catch up with the OpenDNS Security Labs team, watch a demo of our products, snag a fancy t-shirt, and enter to win an Apple Watch? Dr. Dhia Mahjoub, Sr. Security Researcher, Anthony Kasza, Security Researcher, Andrew Hay, Director of Research, and Dan Hubbard, CTO will be at the booth throughout the day. If you happen to drop by and the person you’re looking for is not there, please leave a business card, written note, or verbal message and we’ll try and sync up with you. You can also meet with Dhia, Andrew, or Dan by scheduling a one-on-one meeting through our scheduling form. We have a meeting room off the show floor so private conversations are welcomed (and encouraged).

You should also plan on attending Dan Hubbard and Andree Toonk’s presentation entitled BGP Stream on Thursday, August 6th, from 12:10-1:00pm in South Seas IJ. In the presentation, Dan and Andree will talk about their methodology and tool—conceived during a recent OpenDNS Hack-a-thon—that can be used to monitor BGP ASN hijacks, historical relationships, and geographic locations of announcing Internet routers. This “alert system for the Internet” is described on our OpenDNS blog, found here. You can, and should, also follow the dedicated Twitter account @bgpstream.

Finally, you may have already started to notice complaints about the long wait times for a taxi at McCarran International Airport.

Vegas needs @Uber so bad. Standing in cab line. About one cab showing up every 2 minutes.

— Chris Eng (@chriseng) August 3, 2015

Why not skip the line and jump on the OpenDNS Limo? We’re picking up from the Las Vegas airport Tuesday & Wednesday every 30 minutes. Just follow signs. We will make sure you get the details if you sign up here. Please note, the limo runs Tuesday (5am to 10pm) and Wednesday (5am to 1pm) and only travels between McCarran and the Mandalay Bay Resort and Casino. If you’re lucky enough to be arriving between 8am and 10am on Wednesday, Andrew Hay will regale you with tales of security from his adventures on the tropical island of Bermuda and of a far away and magical land…called Canada.

The OpenDNS Security Labs team will also be headed to Defcon to learn about some of the cutting edge research our peers have published – some responsibly, some not as responsibly. Dhia, Andrew, Kevin, Josh, and Anthony will be joined by Thibault Reuille, Sr. Security Researcher. Hopefully we’ll get a chance to connect at one of these amazing venues, at a party, or while waiting in a long line for food or a taxi.

We should be easy to spot as we’ll likely be wearing the t-shirts that get us noticed wherever we go. See you there!


The post OpenDNS Security Labs at BSides Las Vegas, Black Hat, and Defcon appeared first on OpenDNS Security Labs.

Infosecurity Europe and Intelligent Defence Wrap-up

Infosecurity Europe Logo_RGBThe first week of June saw Dr. Dhia Mahjoub and I (Andrew Hay) hopping on a plane at SFO and waking up in London – well, I was able to sleep, Dhia wasn’t able to. We were both in London to speak at Infosecurity Europe and at the new Infosecurity Intelligent Defence conference.

This was the first time the conference was held at the Olympia Conference Centre in London. It was a good thing the event moved from the Earls Court Exhibition Centre as I’m not sure the old venue could have held the number of vendors or attendees. It was packed.

IMG_20150602_140746OpenDNS had a booth on the show floor in one of the most trafficked thoroughfares in the building. Whenever we walked by the booth, it was bustling with activity. People looking for more information about our products, requesting demos, or just wanting to ask questions about specific threats and trends.

IMG_20150604_134250Luckily our expert booth staff were able to handle any and all questions that popped up. They were also not shy about grabbing Dhia and I as we walked by to introduce us to individuals looking to collaborate or share security information after the show.

On Tuesday, June 2nd Dhia and I both presented sessions. Dhia presented his malicious domain tracking research in a talk entitled Tracking Malware in Criminal Internet Neighbourhoods at Infosecurity Europe. The talk focused on recent and original research on tracking malware domains and infrastructures at large scale and methods to track, detect, and mitigate malware domains and IPs in order to protect one’s network and assets or those of customers.


(Thanks to @edouardng for letting us use this photo from his tweet)

I presented the results of our 2015 Internet of Things in the Enterprise Report in a talk entitled The Researcher’s Guide to the loT Galaxy. The talk was presented at Infosecurity Intelligent Defence, a new two-day, technical security conference, focusing on the latest research including insight into new vulnerabilities and exploits how to defend against them, and was well attended. I had numerous questions after the session and was interviewed by Infosecurity Europe immediately after (as seen below).

Though we were unable to get to BSides London, we both heard fantastic feedback from friends and colleagues who were able to get tickets. Maybe next year.

Our trip to London was great. Dhia and I were able to visit with a number of customers and prospects during our week in London to provide insight into OpenDNS’ capabilities and OpenDNS Security Labs’ current and future research projects.

Dhia also seized the opportunity to visit with our EMEA team a few more prospects in Paris and to attend in the Vatican city a conference on June 9th about “Ethics and Security in the Digital Age”, where our own Paolo Passeri also gave a talk. These meetings and conference were a great opportunity to emphasize the value of our research and innovation in OpenDNS’ product offerings. I can’t count how many times I heard “that’s amazing” or “wow” from customers and prospects. That feedback alone made the trip worth it.

The post Infosecurity Europe and Intelligent Defence Wrap-up appeared first on OpenDNS Security Labs.

Five Things To Know About The Tesla Motors Compromise

As many of you have heard, Tesla Motors’ website was “hacked” on Saturday as well as its official Twitter account. The website was redirected to a server hosted in Amsterdam. Within a few minutes, the account began sending tweets promising free Tesla cars to those who called a certain phone number, which belonged to a computer repair shop in Illinois, and was presumably tweeted out to flood the number’s owner with calls. Later that same day it was revealed that Tesla founder Elon Musk’s Twitter account was compromised. According to Dave Smith at Business Insider “though the parties claiming responsibility offer up different names, it appears to be one coordinated attack on all of Musk’s online and social properties.”

Let’s take a deeper dive into what happened.

1) This was not a “hack,” but a series of related defacements

We’d first like to communicate that we believe this to be a compromise, and not necessarily a “hack.” This attack (and we use the term loosely) involved the redirecting of legitimate traffic destined for to an IP address of the attackers’ choosing.

Visitors to the domain were presented with the following page (as captured by David Maynor via his Twitter feed):

Oh wow…That can’t be good. #tesla #hacked


— David Maynor (@Dave_Maynor) April 25, 2015

At roughly the same time, the corporate Twitter account for Tesla was compromised. Once controlled by the attackers, several tweets appeared from the @TeslaMotors Twitter account and the name of the account was changed to “#RIPPRGANG.” The account also tweeted the number to call to get a free Tesla. The number was that of a small computer repair shop in Illinois.


Elon Musk’s account also began tweeting messages about free cars and where they can be picked up–at the same address in Illinois.

screen shot 2015-04-25 at 6.47.49 pm

2) The domain registrar may have been socially engineered to give up control of the domain

It appears that very little sophistication was involved in this defacement. As such, there was initial speculation of a social engineering (SE) attack against the domain registrar but sources close to the investigation inform us that the SE attack vector was not exploited.

A SE attack against the registrar would explain how the attackers were able to gain access to both the corporate Twitter account and the account of founder Elon Musk. By controlling the domain, and by association the MX (mail exchange) records, the attackers could request a password reset for the Twitter accounts.

By controlling the MX record, the e-mailed password resets would have given the attacker control of the social account passwords.

The official statement from Tesla, as told to Thomas Fox-Brewster of Forbes, was that

“Posing as a Tesla employee, somebody called AT&T customer support and had them forward calls to an illegitimate phone number. The impostor then contacted the domain registrar company that hosts, Network Solutions. Using the forwarded number, the imposter added a bogus email address to the Tesla domain admin account. The impostor then reset the password of the domain admin account, routed most of the website traffic to a spoof website and temporarily gained access to Tesla’s and Elon’s Twitter accounts.”

Tesla’s corporate network, cars, and customer database were not affected and everything has been restored to normal, according to the spokesperson.

“We are working with AT&T, Network Solutions, and federal authorities to further investigate and take all necessary actions to make sure this never happens again,” the spokesperson added.

So the domain registrar was not SEd, but rather AT&T. This is not the first time that AT&T was tricked into redirecting calls to an illegitimate phone number.

3) DNS shows a timeline of changes during the attack

As you can see from OpenDNS Investigate results for, the domain’s IP address was changed on April 25th from to 4 additional IP addresses not owned or controlled by Tesla.

Screenshot 2015-04-27 07.56.24

OpenDNS Investigate’s new WHOIS information shows that the domain is back to using UltraDNS for its name servers.
Screenshot 2015-04-27 07.56.06

The historical (and expected) IP address for is associated with AS 40913 owned by Quality Technology Services Santa Clara, LLC. This is where the domain is usually hosted.

Screenshot 2015-04-27 07.57.53

The new IP addresses are shared between hosting providers Digital Ocean (AS 200130), VOXILITY (AS 3223), and OVH (AS 16276). As you can see below, at least 2 of the IP addresses have a questionable track record.Screenshot 2015-04-27 07.57.32 Screenshot 2015-04-27 07.57.25
Screenshot 2015-04-27 07.57.07 Screenshot 2015-04-27 07.56.58

4)  So far, nothing indicates visitors were at risk for malware downloads

The domain received a surge in visits between 04:00 and 07:00 UTC. The most significant spike to the domain occurred on April 26th at 05:00 UTC as shown below.
Screenshot 2015-04-27 07.55.38This was likely due to the attackers publicizing the “hack.” The subsequent Internet frenzy to visit the site ensued and was noticed by more than a few individuals.

There is no indication of any malware being dropped, nor were visitors redirected to another site to download malware. This can be verified by the HTML dump of the fraudulent site on Pastebin

5) The Islamic State of Iraq and ash-Sham (ISIS) was not likely involved, but Lizard Squad may have been?

At one point during the campaign, the site was redirected to another fear-inspiring domain: isis[.]camp.

Now points to a domain with ISIS in it.


— David Maynor (@Dave_Maynor) April 25, 2015

The newly created domain was registered at ENom and hosted at DreamHost Web Hosting‎ for a brief time. Screenshot 2015-04-27 09.25.28Screenshot 2015-04-27 09.25.47So was this the work of ISIS? In a word, unlikely. It’s incredibly unlikely that ISIS would have it out for Tesla as a company. It’s even more unlikely that they’d direct their anger at a small Illinois-based computer repair shop. There are speculations around the research community, as well as the targeted individual, that this breach was the work of “Ryan” aka “zeekill” aka “Julius Kivimäki”, a Finish national with alleged ties to Lizard Squad.

Receiving reports that Julius Kivimaki hacked Tesla and Elon Musk’s Twitter accounts and websites by Social engineering NetworkSolutions

— r000t (@rootworx) April 26, 2015

OpenDNS can neither confirm nor deny attribution at this time.

The use of Jihadist-inspired defacements is not new. As many of these defacements are meant to drive traffic to the hijacked site, instill fear, and increase publication int he popular media, the use of controversial (yet unrelated) imagery and messaging is becoming common place.

As always, please let us know if you have any additional information or would like to talk to us about our findings.

The post Five Things To Know About The Tesla Motors Compromise appeared first on OpenDNS Security Labs.