The internet's critical IANA body – which allocate IP addresses and manage global DNS – was not compromised by hackers who broke into domain-name overseer ICANN's systems, the organization has stressed.
In a brief update published Friday morning, ICANN noted: "We have confirmed that the attack has not impacted any IANA-related systems. The ICANN staff members whose passwords were compromised did not have access to the IANA functions systems."
It goes on to note that the IANA mechanisms that make changes to the very top level of the internet's structure are "a separate system with additional security measures that have not been breached."
ICANN, which runs the IANA body under contract from the US government, gives some vague information about its general security procedures noting that it "employs multiple levels of protection for its most critical services. While the attackers were able to breach the outermost layer of defenses, our on-going investigation indicates our most critical systems were not affected."
While today's statement was clearly published to assure people that the internet's core systems were not hacked by a relatively unsophisticated attack (cough, cough, CNN), the missive leaves a series of important questions unanswered, and raises questions over the organization's basic security procedures.
ICANN is keen to stress that its IANA system was not compromised because at the moment it is deeply involved in attempting to bag the contract to run IANA on a semi-permanent basis.
Any questions over its ability to run that process securely could scupper everything, and deliver a massive blow to the non-profit.
But it is unclear how much additional security is built into the IANA systems. The "spear phishing" attack was sent to icann.org email addresses and IANA staff use the same domain for their email, so it could easily be that ICANN was lucky rather than secure.
Quiet on details
The seeming unwillingness to share basic information on its security policies raises the question over whether they are any in place at all, or if they meet the baseline of what you would expect from an organization with such a critical role in the running of the internet.
Like all decent news organizations, The Register uses two-factor authentication for our email and our editing systems. We now know that ICANN doesn't for many of its more mundane systems, including its corporate blog, its government-only wiki, and the system that stores the DNS zone files for the world's registries.
While we can assume – or hope – that the same is not true for the critical IANA computers, it is clear that staff email does not have two-factor auth: something that is especially concerning since we now know that emails from ICANN to the US government are in themselves sufficient to make a change to the top-level of the internet.
We would like to assume that various security procedures are enforced: the requirement for different passwords for each system; the use of complex, machine-generated passwords; secure and encrypted storage of passwords; enforced periodic password changes; physical dongles; annual security education and review for all staff; and so on.
For some reason, non-profit ICANN doesn't seem willing to put people's minds at ease. On one level, that's understandable: any information provided publicly could be used by miscreants to shape an attack – it's just good OPSEC, in other words.
On the other hand, providing no information is a luxury only companies that have not had their computers compromised through an attack that most internet organizations would brush off can really afford. ®