InfoSec News

2nd Update: The root problem appears to be mitigated now. However, many DNS servers now have bad results cached. Please flush the cache of your recursive DNS servers.
Host names and IP addresses to watch:
ns1.yumurtakabugu.com. or 68.68.21.195

ns2.yumurtakabugu.com. or 68.68.21.196

ns3.yumurtakabugu.com. or 68.68.21.197

ns4.yumurtakabugu.com. or 68.68.21.198


IP Address used as A record for affected domains: 68.68.20.116
The IP addresses in particular may change at any time. Please keep watching them and remove them from your blacklist as appropriate.
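To decide which names need flushing from a recursive resolver, the cached records can be checked against the watch list above. The following is an added example, not part of the original diary entry; it assumes the cache has been exported as text in the usual "owner TTL IN TYPE rdata" presentation format, and the sample records other than the ups.com NS line are constructed.

```python
import ipaddress

# Indicators from the watch list above; the advisory notes the IPs may change.
ROGUE_ZONE = "yumurtakabugu.com."
ROGUE_IPS = {ipaddress.ip_address(f"68.68.21.{n}") for n in range(195, 199)}
ROGUE_IPS.add(ipaddress.ip_address("68.68.20.116"))

def parse_record(line):
    """Parse 'owner TTL IN TYPE rdata'; return None for anything else."""
    f = line.split()
    if len(f) < 5 or not f[1].isdigit() or f[2].upper() != "IN":
        return None  # comment, blank line or unsupported layout
    return f[0].lower(), int(f[1]), f[3].upper(), f[4].lower()

def find_poisoned(lines):
    """Map each owner name to the reasons its cached records match the watch list."""
    hits = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        owner, ttl, rtype, rdata = rec
        reason = None
        if rtype == "NS":
            target = rdata if rdata.endswith(".") else rdata + "."
            if target == ROGUE_ZONE or target.endswith("." + ROGUE_ZONE):
                reason = f"NS {target} cached for {ttl}s"
        elif rtype == "A":
            try:
                if ipaddress.ip_address(rdata) in ROGUE_IPS:
                    reason = f"A {rdata} cached for {ttl}s"
            except ValueError:
                pass  # malformed address: not a match
        if reason:
            hits.setdefault(owner, []).append(reason)
    return hits

# Constructed sample: the first record is the NS line quoted in the advisory;
# the remaining TTLs and the example.org records are made up.
SAMPLE_CACHE = """\
; constructed cache excerpt
ups.com. 85621 IN NS ns1.yumurtakabugu.com.
ups.com. 3000 IN A 68.68.20.116
example.org. 3600 IN NS a.iana-servers.net.
example.org. 3600 IN A 192.0.2.10
""".splitlines()

if __name__ == "__main__":
    for name, reasons in sorted(find_poisoned(SAMPLE_CACHE).items()):
        print(f"flush {name}: " + "; ".join(reasons))
```

The cached TTL matters here: a record like the NS entry with 85621 seconds remaining would stay in the cache for almost a day unless it is flushed.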
---
There have been several widespread defacements reported to us today. It appears their DNS name server entries all point to the same thing, as seen below:
ups.com. 85621 IN NS ns1.yumurtakabugu.com.

ups.com. 85621 IN NS ns2.yumurtakabugu.com.

ups.com. 85621 IN NS ns4.yumurtakabugu.com.

ups.com. 85621 IN NS ns3.yumurtakabugu.com.


Here are a few examples of the sites so far:
ups.com

theregister.co.uk

acer.com

telegraph.co.uk

betfair.com

vodafone.com

nationalgeographic.com
The one commonality is that they all appear to be registered via ascio.com.
More details as we learn more.

UPDATE: This IP is hosted by BlueMile. We have contacted them and they are aware of the situation and working on it.

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
The tally of digital certificates stolen from a Dutch company in July has exploded to more than 500, including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.
 
Now you see it, now you don't: Samsung Electronics erased all traces of the Galaxy Tab 7.7 from its exhibition stand at the Internationale Funkausstellung (IFA) in Berlin on Saturday, just two days after launching the tablet there.
 