Agency: No security breach during .my domain glitch
No customers’ data was breached during a technical glitch that caused many Malaysian websites with the .my domain name to be inaccessible, says its sole agent.
Many Malaysians had woken up on the second day of Hari Raya unable to access certain sites using the .my domain, with most of those affected being banking and e-commerce websites as well as local news portals, including The Star Online.
The glitch is the latest in a series of problems faced by MyNic, the sole administrator responsible for the domain and an agency under the Communications and Multimedia Ministry.
By 3pm yesterday, MyNic said it had restored the .my domain but that more time would be needed for the .my domain names to be repropagated to the world.
“Some .my sites will take more time to be restored as the Domain Name Servers (DNS) cycles its cache,” it said.
MyNic said the broken chain of trust between the .my DNS it ran and the Internet Assigned Numbers Authority (IANA) had rendered many websites with the domain unreachable.
The agency said it was working with Internet security platform Verisign and IANA, and would con- tinue to monitor the situation with the aid of the Malaysian Communication and Multimedia Commission.
It said it was also facing “technical issues related to DNSSEC (Domain Name System Security Extensions) with IANA”.
DNSSEC is a technology that stops DNS data from being modified by digitally “signing” the data.
Hack In The Box CEO Dhillon Kannabhiran, a security expert, said the onus was on MyNic to ensure the security of the .my domain.
“How many more times are we going to accept ‘technical problems’ as an excuse before MyNic takes issues like these seriously?
“The fact that it took the team over 10 hours to inform customers is unacceptable,” he said.
Kannabhiran said while data on the customers’ servers might remain safe, it was possible that
the glitch could have caused traffic destined for these servers to be redirected elsewhere.
In July 2013, the . my DNS was compromised so that users got an unpleasant surprise when many of the . my websites that they surfed showed a message from a hacker.
Two months later, Malaysians visiting Google Malaysia at google. com.my were redirected to a hacker’s website due to the . my DNS being compromised again.
In 2015, unauthorised modifications to the . my DNS redirected traffic meant for websites such as Google Malaysia and Yahoo! Malaysia to a rogue site.
IT security services company LGMS founder CF Fong said it was very frustrating to see the domain registrar not doing enough to protect its systems.
“Imagine the losses for e-commerce companies when their sites are not accessible.
“I’m wondering if these businesses will file a class suit against the domain registrar for negligence,” he added.
In a tweet, Communications and Multimedia Minister Gobind Singh Deo had asked for a full report on the issue by next week.
Internet user Fong Yew said she could not access several local news websites and a cinema site.
“I wanted to buy movie tickets online but wasn’t able to access the site. I hope they are able to rectify this quickly,” she said.
Another user, who only wanted to be known as Arman, said he had wanted to do some urgent bank work online.
“I had no choice but to go to the bank,” he said, adding, however, that some other websites with the .my domain could be accessed without problems at noon.
Twitter user @saradalina said some government sites with the gov.my domains were also inaccessible.
Checks by The Star found that certain government sites were inaccessible while others were working.