Patrick Lambert sounds a warning about protecting your web infrastructure from insider threats. Here's what happened to CyanogenMod.
If you follow the security news, you may have heard the name Cyanogen recently. And if you are an Android enthusiast, you may know what CyanogenMod is. For many people, these names may mean nothing, yet what happened to them is very scary, and something that can happen to many businesses. Within a single day, they lost their online presence, including their website, domain name, and email accounts. They even found out that many potential customers had been paying large sums of money to someone who impersonated the team leader and collected the funds into his own bank account. Here's what happened, why it could happen to you, and how to make sure you're safe.
CyanogenMod is the most popular community-based ROM for Android. A ROM is simply the firmware, or operating system, that runs on a device. When you buy a smartphone that runs Android, the operating system comes from the manufacturer: a basic version of Android from Google, along with features added by Motorola, LG, Samsung, or whichever company made your phone. But many people don't like that their smartphones come with these extra features, and would prefer a custom version of Android. Cyanogen is the nickname of Steve Kondik, a developer who decided to make his own custom version of Android, calling it CyanogenMod. Over the years, it became a very popular project, and a whole team formed around it, along with a web presence at cyanogenmod.com, its own email addresses, a hosted email server, and so on. But last month, the team found out some horrific things. First, it appeared that one person was impersonating Steve and had duped some companies into paying him fees to use CyanogenMod. This was the person who owned and controlled all of the web presence, the domain name, and the email servers. That made it trivial for him to do anything he wanted without the others knowing about it.
After the team went public about it, the situation resolved itself and the domain name was transferred to the team, but what happened highlights a very bad mistake that can occur in many organizations. It all started years ago, when CyanogenMod first began. Back then, the mod wasn't that popular, so it was mostly distributed through forum postings. When someone offered to register a domain name so that the project could have its own website, it seemed like a good idea. The mistake was not paying attention to who owned the various resources the team began using, and who controlled them. While CyanogenMod is a non-profit organization that started in a fairly ad hoc way, this can happen in companies as well. There are two key things to keep in mind about any digital resource or web service. First, the resource has to be registered in someone's name. Second, it has to be controlled by somebody.
In the case of domain names, these are usually registered at registrar sites, like GoDaddy or Verisign. Any time you register a new domain, you have to enter someone as the owner, and then provide the configuration information, such as DNS servers, account username, and password. There is no direct link between a domain name and a company. Basically, whoever has the username and password for the account at the registrar's website can make any change to that domain. That is often a very vulnerable part of your infrastructure. Who registered the domain, and who has the login information? Usually it's not the owner or CEO; it's a technician, the IT manager, or whoever knew the most about computers and the Internet when the company first started. The same is true for hosted email accounts like Google Apps or Exchange, and for any other online service your company depends on.
So if your company or organization doesn't have a clear, written policy stating who owns these resources and who has access to the accounts, you may be in for a bad surprise when that person is hit by a downsizing and decides to get revenge. The problem is that these accounts are accessed very rarely, perhaps once a year to renew the registration, so they are easy to overlook. Finally, a lot of evil can be done without anyone knowing about it if the company doesn't have a system of checks and balances in place. A single person should not, for example, have complete administrative access to the organization's Google Apps account, which everyone in the company uses to send corporate email. It's far too easy for someone to do exactly what happened to CyanogenMod, which apparently went undetected for a long time. There should be sanity checks in place so that no one can impersonate someone else, steal sensitive data, or change configurations in ways they shouldn't. While many organizations already do this for on-premises systems, it's very easy to forget things like domain registrars or hosted email providers.
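One way to turn the two questions above (who owns each external resource, and who controls it) into a routine check is to keep an inventory of registrar and hosted-service accounts and flag the risky ones. The script below is an added example, not from the original article; the inventory fields, the company domain example.org, and the sample entries are assumptions constructed for illustration.

```python
"""Audit an inventory of externally hosted resources for single-person control.

Added example. The Resource fields, COMPANY_DOMAIN and the sample inventory are
constructed assumptions; in practice the entries would come from your own records.
"""
from dataclasses import dataclass
from datetime import date

COMPANY_DOMAIN = "example.org"  # assumed: addresses here are company-controlled


@dataclass(frozen=True)
class Resource:
    name: str            # what the account is for (domain, hosted email, ...)
    provider: str        # registrar or hosting provider (constructed labels)
    registrant: str      # owner contact on record at the provider
    admins: tuple        # everyone who holds working login credentials
    last_reviewed: date  # when someone last verified owner and access


def audit_resource(res: Resource, today: date, max_review_days: int = 365) -> list:
    """Return the findings for one resource; an empty list means no concern."""
    findings = []
    # Ownership: a personal address means the organization has no claim on departure.
    if not res.registrant.lower().endswith("@" + COMPANY_DOMAIN):
        findings.append("registrant is a personal address, not a company one")
    # Control: with one credential holder there is nobody to recover or review.
    if len(res.admins) < 2:
        findings.append("only one person holds the credentials")
    # Ownership and control in the same hands, with no second set of eyes.
    if len(res.admins) == 1 and res.admins[0].lower() == res.registrant.lower():
        findings.append("the same person both owns and controls the resource")
    # Rarely visited accounts are the ones that get overlooked.
    if (today - res.last_reviewed).days > max_review_days:
        findings.append(f"not reviewed in over {max_review_days} days")
    return findings


def audit_inventory(inventory, today: date) -> dict:
    """Map each flagged resource name to its findings; clean resources are omitted."""
    report = {}
    for res in inventory:
        findings = audit_resource(res, today)
        if findings:
            report[res.name] = findings
    return report


# Constructed sample inventory: one ad hoc registration, one properly shared account.
TODAY = date(2012, 2, 1)
SAMPLE_INVENTORY = (
    Resource("example.org domain registration", "registrar (assumed)",
             "alice@personalmail.example", ("alice@personalmail.example",), date(2010, 3, 1)),
    Resource("hosted email (Google Apps)", "Google Apps (assumed)",
             "it-admin@example.org", ("it-admin@example.org", "ceo@example.org"), date(2011, 12, 1)),
)

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```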