How Cyanogen lost their online presence: Don't let it happen to your business

Patrick Lambert sounds a warning about protecting your web infrastructure from insider threats. Here's what happened to CyanogenMod.

If you follow the security news, you may have heard the name Cyanogen recently, and if you are an Android enthusiast, you may know what CyanogenMod is. For many people these names mean nothing, yet what happened to the project is frightening, and it can happen to many businesses. Within a single day they lost their online presence: their website, their domain name, and their email accounts. They also found out that potential customers had been paying large sums of money to someone who impersonated the team leader and collected the funds into his own bank account. Here's what happened, why it could happen to you, and how to make sure you're safe.

CyanogenMod is the most popular community-based ROM for Android. A ROM is simply the firmware, or operating system, that runs on a device. When you buy a smartphone that runs Android, the operating system comes from the manufacturer: a basic version of Android from Google, along with features added by Motorola, LG, Samsung, or whichever company made your phone. Many people don't want those extras and would prefer a custom version of Android. Cyanogen is the nickname of Steve Kondik, a developer who decided to build his own custom version of Android and called it CyanogenMod. Over the years it became a very popular project, a whole team formed around it, and it gained a web presence at cyanogenmod.com, its own email addresses, a hosted email server, and so on. Then, last month, the team found out some horrific things. First, it appeared that one person was impersonating Steve and had duped companies into paying him fees to use CyanogenMod. That same person owned and controlled the web presence, the domain name, and the email servers, which made it trivial for him to do anything he wanted without the others knowing.

After the team went public, the situation was resolved and the domain name was transferred to the team, but what happened highlights a very bad mistake that many organizations make. It started years ago, when CyanogenMod first began. Back then the mod wasn't that popular, so it was mostly distributed through forum postings. When someone offered to register a domain name so that the project could have its own website, it seemed like a good idea. The mistake was not paying attention to who owned the various resources the team began to depend on, and who controlled them. CyanogenMod is a non-profit community project that started in a fairly ad hoc way, but the same thing happens in companies. There are two separate questions to ask about any digital resource or web service. First, in whose name is it registered? Second, who holds the credentials that control it? The answers may be two different people, and neither is necessarily the organization.

Domain names are registered through a registrar such as GoDaddy (Verisign, often named alongside it, is the registry that operates .com and .net rather than a retail registrar). When you register a domain, you enter someone as the registrant, provide the configuration such as DNS servers, and create a registrar account with a username and password. There is no direct link between a domain name and a company: whoever has the username and password for the registrar account can make any change to that name, and the registrant contact on record is what the registrar will look at if ownership is ever disputed. That is often a very vulnerable part of your infrastructure. Who registered the domain, and who has the login information? Usually it isn't the owner or CEO; it's a technician, the IT manager, or whoever knew most about computers and the Internet when the company first started. The same is true for hosted email such as Google Apps or Exchange, and for any other online service your company depends on. Two cheap precautions: put the registrant and administrative contacts on a role mailbox the company controls rather than an individual's personal address, and turn on the registrar's transfer lock and two-factor authentication so that a stolen or leftover password alone is not enough to move the name.
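The questions above (who is the registrant, are the locks on, when does it renew, who serves DNS) can be answered from the domain's RDAP record, the structured successor to WHOIS. The script below is an added example, not code from the article or from the CyanogenMod project; the two RDAP responses are constructed to mirror the situation described (a personal mailbox as registrant, no transfer lock, renewal weeks away, one nameserver nobody at the company set up), and the domain, nameservers and mailbox names are assumptions for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP (RFC 9083) response for a hypothetical domain. The registrant
# and admin contact are one person's personal mailbox, the transfer lock is off,
# renewal is weeks away, and one nameserver is not one the company configured.
SAMPLE_RDAP = """{
  "objectClassName": "domain",
  "ldhName": "example-mod.com",
  "status": ["client update prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2009-06-01T00:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2013-07-15T00:00:00Z"}
  ],
  "nameservers": [{"ldhName": "ns1.hosting-example.net"},
                  {"ldhName": "ns2.personal-vps.example"}],
  "entities": [
    {"roles": ["registrant"],
     "vcardArray": ["vcard", [["fn", {}, "text", "A. Developer"],
                              ["email", {}, "text", "a.developer@gmail.com"]]]},
    {"roles": ["administrative", "technical"],
     "vcardArray": ["vcard", [["fn", {}, "text", "A. Developer"],
                              ["email", {}, "text", "a.developer@gmail.com"]]]}
  ]
}"""

# The same (constructed) domain after cleanup: all locks on, a year of runway,
# contacts on a role mailbox the company controls, only known nameservers.
HARDENED_RDAP = """{
  "objectClassName": "domain", "ldhName": "example-mod.com",
  "status": ["client transfer prohibited", "client update prohibited",
             "client delete prohibited"],
  "events": [{"eventAction": "expiration", "eventDate": "2014-07-15T00:00:00Z"}],
  "nameservers": [{"ldhName": "ns1.hosting-example.net"},
                  {"ldhName": "ns2.hosting-example.net"}],
  "entities": [{"roles": ["registrant", "administrative", "technical"],
                "vcardArray": ["vcard", [["email", {}, "text",
                                          "domains@example-mod.com"]]]}]
}"""

def vcard_field(entity: dict, name: str):
    """Return the first value of a jCard property (e.g. "email") on an RDAP entity."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == name:
            return prop[3]
    return None

def audit_domain(rdap_json: str, expected_ns: set, company_domains: set,
                 now: datetime, warn_days: int = 60) -> list:
    """Return a list of findings; an empty list means the record looks healthy."""
    record = json.loads(rdap_json)
    findings = []

    # 1. Registrar locks: without them, anyone holding the registrar login can
    #    transfer the name away or repoint it with no second step.
    status = {s.lower() for s in record.get("status", [])}
    for lock in ("client transfer prohibited", "client update prohibited",
                 "client delete prohibited"):
        if lock not in status:
            findings.append(f"lock missing: {lock}")

    # 2. Expiry: these accounts get touched about once a year, so check the
    #    date rather than trusting whoever receives the renewal notice.
    for ev in record.get("events", []):
        if ev.get("eventAction") == "expiration":
            expires = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            days_left = (expires - now).days
            if days_left < warn_days:
                findings.append(f"expires in {days_left} days ({expires.date()})")

    # 3. Who the registrar thinks owns it: the registrant/admin contact is what a
    #    transfer request or ownership dispute is judged against.
    for ent in record.get("entities", []):
        roles = set(ent.get("roles", [])) & {"registrant", "administrative"}
        if not roles:
            continue
        email = vcard_field(ent, "email")
        label = "/".join(sorted(roles))
        if email is None:
            findings.append(f"{label}: no contact email on file")
        elif email.rsplit("@", 1)[-1].lower() not in company_domains:
            findings.append(f"{label} contact {email} is not on a company-controlled domain")

    # 4. A nameserver the company never configured means someone else serves DNS.
    served = {n.get("ldhName", "").lower().rstrip(".") for n in record.get("nameservers", [])}
    for host in sorted(served - expected_ns):
        findings.append(f"unexpected nameserver: {host}")
    return findings

def run_sample() -> tuple:
    """Audit both constructed records as of a fixed date so results are reproducible."""
    as_of = datetime(2013, 6, 1, tzinfo=timezone.utc)
    expected = {"ns1.hosting-example.net", "ns2.hosting-example.net"}
    owned = {"example-mod.com"}
    return (audit_domain(SAMPLE_RDAP, expected, owned, as_of),
            audit_domain(HARDENED_RDAP, expected, owned, as_of))

if __name__ == "__main__":
    before, after = run_sample()
    print("before:", *before, sep="\n  - ")
    print("after:", after or "no findings")
```

In practice you would feed `audit_domain` the JSON from your registry's RDAP endpoint and run it on a schedule, alerting someone other than the person who holds the registrar login. One caveat the hardened record hides: if the only contact mailbox lives on the audited domain itself, a hijack of DNS or email also redirects the registrar's transfer and renewal notices, so a role mailbox on a second, separately controlled domain is the safer choice.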

So if your company or organization doesn't have a clear, written policy stating who owns these resources and who has access to the accounts, you may be in for a bad surprise when that person is hit by a downsizing and decides to get revenge. The problem is that these accounts are accessed very rarely, perhaps once a year to renew the registration, so they are easy to overlook. Finally, a lot of damage can be done without anyone knowing if the company has no system of checks and balances. A single person should not, for example, be the only one with complete administrative access to the organization's Google Apps account, which everyone in the company uses to send corporate email. It's far too easy for someone to do exactly what happened to CyanogenMod, which apparently went undetected for a long time. There should be sanity checks in place so that no one can impersonate someone else, steal sensitive data, or change configurations in ways they shouldn't: at least two people with administrative rights, admin activity logs reviewed by someone other than the administrator, and renewal dates on a shared calendar rather than in one person's inbox. While many organizations already do this for on-premise systems, it's very easy to forget things like domain registrars or hosted email providers.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

7 comments
feral

The problem for all companies, and especially smaller businesses, is that they do not vet their employees to a level commensurate with the level of trust and access to be placed on them. Personnel security is the last thing businesses think of, and they never dig deep enough to determine if the person is a bad hire or a potential "Trusted Insider". Governments have a classification system in place, classify resources appropriately, and vet people who have a need to know or a need to access. Businesses need to bite the bullet and do the same. Potential employees may not like the idea of a background check and interviews about personal habits that may make them a risk; however, if it is done correctly and with appropriate protection mechanisms, they will accept it if they want the job.

RNR1995

Why is the web full of trolling English teachers? If you do not like how people write or speak, quit reading or listening.

manuel

This exact problem happens often, unfortunately. It happened to me also. My former business partner hired a tech and gave him admin access to our domains. Then I ran into a problem with my partner, who disappeared. The tech took over the business domains and is now selling them for $20k USD and refuses to give them back. I filed a complaint with the registrar and provided government documents showing that I owned the company with the same name as the domains, and even copies of old emails showing that domain. Their response was simply to file a complaint under ICANN's Uniform Domain-Name Dispute Resolution Policy (UDRP). Unfortunately, this can cost upwards of $2,600, depending on the TLD. All that for a domain that costs some $12 a year. Good luck afterwards in trying to recover the fees from the thief. The following is a good article on how business owners should protect themselves from this type of hijacking: http://www.virtualsilo.com/index.php/13-content-en/it-main/internet/6-control-your-website

greg.dargiewicz

The word "very" is used once per paragraph, except the final paragraph, where it is used twice. Do you seriously have nothing else to contribute?

Kevin P.

Please stop overusing the word "very." Forcing your readers to stumble over excess verbiage does them a disservice. Thank you.

Kevin P.

It's more like 6 times in 5 paragraphs. It makes it look like either the author is straining to make his points or that he's padding out the piece to meet some minimum word count. In addition, the post is basically a call to action for those of us overseeing security. Do we really need to be treated like children with condescending phrases about "very vulnerable" parts of our infrastructure and how "it's very easy to forget things like domain registrars or hosted email providers?" This kind of writing would never make it into a respectable publication.

neil

I "very much" misread your comment and thought you were commenting on the article. It is now "very" obvious you were commenting on the grammar Nazi above. Very much agree with your sentiment.