The TCS Website hack: Don't let your company join the list
By Dhwani Pandya, Principal Correspondent
09 Feb 2010 | searchSecurity.in
According to TCS' official statement, its website www.tcs.com was disrupted, and restored subsequently. "Initial investigation reveals a DNS redirection at the domain name registrar's end," claims the TCS official spokesperson. The domain name registrar in this case is Network Solutions LLC.
The jury is divided on whether organizations can avoid such DNS-based attacks. According to K K Mookhey, the principal consultant of NII Consulting, such attacks have become a popular ploy of hackers, who don't actually hack into the TCS.com website but instead break into the DNS server. "So people who ended up using the hacked DNS server landed on a compromised page. On the other hand, those who accessed the unaffected DNS server got the actual TCS website," says Mookhey. According to Mookhey, there is not much that TCS could have done to avoid such a breach, as the DNS servers are not in its control. Giving an example, he explains, "Let's suppose that TCS was using any of the Indian service providers as its Internet service provider. In this case, TCS is using the service provider's DNS servers to access the Internet. So if the DNS servers get hacked, TCS can't do much."
Sameer Ratolikar, the CISO of Bank of India, classifies the TCS website hack as a typical Web 1.0 pharming attack, which led to the DNS servers' compromise. He believes that such issues arise when vulnerabilities in the DNS server are not patched in time. Ratolikar recommends that in cases where a company hosts its name server(s) in a third-party data center, regular vulnerability assessment and patch management of these servers are essential. These can be achieved through strict SLAs with the partner.
The source, location and intention behind the compromise of the TCS website are yet to be identified, but the incident has already raised questions about the company's information risk assessment capability. Although the fault may be external, that does not save TCS from reputation loss, believes Dinesh O'bareja, an independent information security consultant. "My take is that if the world looks up to you for excellence, then it's very important to keep your house in order. Tata has a large data center and hosting facility. Tata Communications is also an ISP, so why does TCS need to involve outside vendors?" questions O'bareja.
Both Mookhey and Ratolikar have observed a rise in DNS attacks in the recent past. Ratolikar points out that attack vectors have shifted from email-based phishing to pharming. Mookhey sees a possible pattern in such attacks, where hackers are now probably working on the DNS records of bank websites for future breaches that will involve more than just loss of reputation.