Here's how Google Palestine was hacked; local root server confirms repair
As other outlets are reporting, Google.ps, Google's landing page, was hacked yesterday to protest the naming conventions on Google Maps. Four hackers named Cold z3ro, Haml3t, Sas, and Dr@g took responsibility, naming themselves as members of Hackteach, a Palestinian website that features tech news and hacker forums.
Hackteach, whose site title in Arabic (شبكة غضب فلسطين) loosely translates as "Network of the rage of Palestine," reported on the hacking, posting two videos simply showing the doctored page.
Google insisted that its servers were not breached; a Google spokesperson informed both the Washington Post and The Next Web:
"Some users visiting google.ps have been getting redirected to a different website; Google services for the google.ps domain were not hacked. We’re in contact with the organization responsible for managing this domain name so we can help resolve the problem."
Anas Anbtawi, a member of the local Palestinian geek community who looked into the hack, confirmed that Google itself was not breached; rather, the hack was simply a DNS hijack. In other words, the hackers didn't reach Google's servers but simply tapped into pnina.ps (the Palestinian National Internet Naming Authority), the root Domain Name Server (DNS) for all local DNSs in Palestine. The hackers were then able to redirect traffic from google.ps to an IP in Romania, which then connected to a site in Latvia.
Another re-routing went through an IP in Morocco that was hosted by Genious Communications, a Casablanca-based web hosting startup that has bootstrapped its way to local success.
PNINA confirmed the hack to other local members of the Palestinian tech community today. One member wrote:
"PNINA confirms that it has been targeted by a hacking attempt that resulted in changing the DNS records for google.ps and a couple of other domains by a hacker with registered IP from Morocco.
PNINA restored the original data within a short period of time and we are analysing the accident in order to take the necessary measures to ensure the safety and reliability of our systems.
All the (.PS) authoritative name servers have the correct data and in full synchronisation of the ccTLD master records. Some of the name servers kept the old/falsified records for some time until the data is refreshed from their caches.
A full report with all details and remedy actions will be issued shortly.
Have a good and safe night."
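PNINA's statement separates two states: falsified records in the registry itself, and a repaired registry whose old answers still sit in caches. The check below tells them apart from a set of NS observations; it is an added example, not code from the article or from PNINA, and the server names, TTLs, falsified name servers and pinned baseline are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed baseline: the NS set the domain owner has pinned for google.ps.
EXPECTED_NS = frozenset(f"ns{i}.google.com" for i in range(1, 5))

@dataclass(frozen=True)
class Observation:
    source: str          # server that answered (constructed names below)
    authoritative: bool  # True: a .ps name server; False: a caching resolver
    ns: tuple            # NS names returned for the domain
    ttl: int             # remaining TTL of the answer, in seconds

def normalise(names):
    """Lower-case and drop the trailing root dot so sets compare cleanly."""
    return frozenset(n.rstrip(".").lower() for n in names)

def assess(observations, expected=EXPECTED_NS):
    """Classify what several vantage points say about one delegation."""
    bad_auth = [o for o in observations
                if o.authoritative and normalise(o.ns) != expected]
    stale = [o for o in observations
             if not o.authoritative and normalise(o.ns) != expected]
    if bad_auth:
        state = "REGISTRY_RECORDS_FALSIFIED"  # the zone itself is wrong
    elif stale:
        state = "STALE_CACHES_ONLY"           # zone repaired, caches lag
    else:
        state = "CLEAN"
    # Caches only drain once the registry is fixed; otherwise they refill.
    drain = max((o.ttl for o in stale), default=0) if not bad_auth else None
    return {"state": state,
            "bad_authoritative": [o.source for o in bad_auth],
            "stale_resolvers": [o.source for o in stale],
            "cache_drain_seconds": drain}

GOOD = ("ns1.google.com.", "NS2.Google.com", "ns3.google.com", "ns4.google.com")
FAKE = ("ns1.hijack.example.", "ns2.hijack.example.")  # constructed

# Constructed observations: during the incident, then after the repair.
DURING = [Observation("tld-a.example", True, FAKE, 3600),
          Observation("tld-b.example", True, GOOD, 3600),
          Observation("resolver-1.example", False, FAKE, 3100)]
AFTER = [Observation("tld-a.example", True, GOOD, 3600),
         Observation("tld-b.example", True, GOOD, 3600),
         Observation("resolver-1.example", False, FAKE, 2700),
         Observation("resolver-2.example", False, GOOD, 900)]

if __name__ == "__main__":
    for label, obs in (("during", DURING), ("after", AFTER)):
        print(label, assess(obs))
```

In the repaired state, the largest remaining TTL among the stale resolvers bounds how long some users can still be redirected.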
This isn't the first time a hack like this has happened; this April, a Bangladeshi hacker claimed to have hacked google.co.ke, Google's Kenya landing page. The hacker also re-routed Google's traffic using servers in Latvia, Morocco,
The Peeks community on Facebook, Palestine's biggest grassroots tech community, with over 3,000 members, mostly shrugged off the hack. Several wondered why a pro-Palestinian hacker would only target a Palestinian site, while others cautioned users against going to the site in case malware was present.
"Just to be on the safe side, use a trusted DNS," said a former employee of Paltel, one of Palestine's two major telecom networks.
"Good intention, but misguided execution," posted Ahmad Al-Najjar, a senior data consultant at Data Strategy, an IT consulting company based in Michigan.
The fact that the hack only penetrated the root Palestinian DNS explains why they didn't go after any other regional root DNSs, says Anbtawi. "If they were good hackers, as they claimed, why did they only attack