Internet org downplays threat to integrity of database
UPDATED: APNIC, the internet address registry for the Asia-Pacific region, has revealed that a “configuration error” meant hashed administrator passwords were publicly accessible for three months.
The oversight publicly exposed a dump file of APNIC’s WHOIS SQL database containing hashes of passwords used to authenticate database object changes, “corporate contact details”, and password hashes and contact details related to internal Incident Response Teams (IRTs), said APNIC.
In a security alert posted on June 18, APNIC (short for ‘Asia-Pacific Network Information Centre’) said the issue arose when its staff copied the database “to a Google Cloud storage ‘bucket’ that was believed to be private”.
The member-based non-profit said it rectified the configuration error and removed the dump file after being alerted to the issue by an independent security researcher on June 4.
It added that it had just completed a four-day process of resetting all maintainer and IRT passwords, some of which were done manually to “minimise disruption to their network operations”.
No suspicious activity
APNIC conceded the “possibility that passwords can be derived from the hash by a malicious actor” and that WHOIS data could potentially be “corrupted or falsified for misuse”.
The organization added: “It is not known if the data was accessed, as complete log files are not available, however initial investigations reveal no sign of suspicious update activity.”
APNIC also downplayed the threat to the integrity of its WHOIS database, a publicly searchable database for internet number resources such as IPv4 addresses, IPv6 addresses, and AS Numbers in the Asia-Pacific region, and contact details of resource holders.
“Any public misrepresentation of registry contents on WHOIS would not result in a permanent transfer of IP resources, as these functions are protected by MyAPNIC access mechanisms, and authoritative registry data is held internally by APNIC,” said the security alert.
There were also “private WHOIS objects that are not visible on APNIC’s regular public WHOIS service”, whose contents “predominantly consists of corporate contact details”.
Tony Smith, communications director at APNIC, told The Daily Swig: “The data contained in the private objects varies, as there were comments added by resource holders in the ‘descr’ and ‘remarks’ attributes. The corporate contact details found in those objects were added by the resource holders.”
This data dates up to October 2017, before which the creation of new private objects in the WHOIS database triggered the incorporation of a duplicate private object in the audit logs.
This data “is still being assessed to determine if any further remedial action should be taken”, said APNIC.
APNIC resource holders have been advised not to reuse their previous password, and to update login credentials for any other accounts where it is being used.
MyAPNIC passwords, added the organization, are unaffected and do not need to be changed.
APNIC said it is continuing to monitor for evidence of suspicious activity and will implement the recommendations from an ongoing post-incident review “as a priority in the coming weeks”.
As well as maintaining the Asia-Pacific WHOIS database, the Brisbane, Australia-based organization distributes and manages IP addresses and AS numbers in 56 Asia-Pacific economies, holds annual conferences focused on internet policy development, and provides internet maintenance training through the APNIC Academy.
This article was updated on June 23 with comments from APNIC.