Teens await arrest after Comcast attack

Updated at 12:15 p.m. PDT to clarify that Comcast wasn't technically hacked, but that its domain and Web site were hijacked.

Two teenagers who say they hijacked Comcast's Web portal on Thursday also say they expect to be arrested for their actions.

"I wish I was a minor right now because this is going to be really bad," 19-year-old "Defiant" told Wired's Kevin Poulsen, who managed to get a one-hour phone interview with Defiant and his 18-year-old cohort "EBK."

"I slept in my clothes, because the last time they came, I was in my underwear with my dong hanging out and shit," Defiant said of a past raid.

On Thursday, Comcast's portal was defaced, leaving some e-mail subscribers without service. On the site, the hackers referenced their group: "KRYOGENICS Defiant and EBK RoXed Comcast."

The teens say that after they initially managed to take control of Comcast's registrar account at Network Solutions, they called the company's technical contact to tell him, but he dismissed their claim and hung up on them.

That response angered EBK, who says he then decided to redirect traffic from Comcast's site to other servers. "I wasn't even really thinking," he said. "Plus, I'm just so mad at Comcast. I'm tired of their shitty service."

Meanwhile, the teens say they did not grab user names and passwords during the hack, even though they could have.

[The_Decider]

Holy crap Elinor, Comcast wasn't hacked. It was DNS poisoning. Maybe you should have read the feed back to the original CNET story as that writer got skewered for saying Comcasts web page got hacked. Comcasts home page was NOT hacked!!!!!!

[elinormills]

You are correct. Thanks for pointing that out.

[The_Decider]

Holy crap Elinor, Comcast wasn't hacked. It was DNS poisoning. Maybe you should have read the feed back to the original CNET story as that writer got skewered for saying Comcasts web page got hacked. Comcasts home page was NOT hacked!!!!!!

[The_Decider]

Holy crap Elinor, Comcast wasn't hacked. It was DNS poisoning. Maybe you should have read the feed back to the original CNET story as that writer got skewered for saying Comcasts web page got hacked. Comcasts home page was NOT hacked!!!!!!

[fafafooey]

They should string him up by his "dong". And what does this kid know about Comcast's "service" - his mommy is probably paying his cable bill.

[Penguinisto]

Dunno... they were merely pranking. Compared to what someone could've done with comcast.com (or .net?), their actions were at most fairly harmless. As example, imagine someone hijacking a domain name and having it lead to a page that looks just like the real one, except that it contains a big fat trap that simultaneously stores attempted logins and downloads trojans disguised as "updates". Long story short, Comcast should quietly drop the charges, cut off service to the kids, and be thankful that Comcast itself didn't get strung up by its collective "dong".

[baswwe]

he is right. it is crap.

[ittesi259]

fafafooey, one doesn't have to pay the bill to understand whether or not service is good or bad. I bet constant router resets and dropped IP's that fail to renew like they should are all to be ignored because someone else my receive the bill? Oh and lets not forget that I'll never see the actual boadband speeds they advertise that I pay for because of unwillingness to upgrade infrastructure.

[bryanjavor]

Comcast should entertain the notion hiring him. Give him the tools he needs to become even more adept at hacking and pay him for everytime he can break in and explain the vulnerability...

[luidavinci]

Exactly. They should have taken his call seriously in the first place nd hire him as a freelancer to help them find ways to strengthen their infastructure from other hackers.

[TV James]

Technical support. Ha.

Yeah, they should hire this guy and fire the guy who took the call.

[Zero187]

These kids shouldn't get in too much trouble for what they did, but definitely something. Kinda funny how it was really for nothing whatsoever. Hopefully these fools won't reproduce and spoil the evolution cycle any further.

[umbrae]

Any threat against a company should be taken seriously. If they warned Comcast and they did not fix it; then they got what they deserved. This should show Comcast customers how Comcast treats their security.

I don't have any customers, but if I got a call about this it would be fixed ASAP!

[luidavinci]

Indeed!

[CC_Reader]

Only if they have a dress code. Wouldn't want him working in his underwear with his dong hanging out. The kid's a train wreck.

[olderguy2]

The kid said, "the last time they came". So he was arrested at least once before for the same offense. A lot of good that did. Maybe some serious time should be leveled for his second offense. I'm tired of people being malicious thinking they have the right to injure a company and getting away with a slap on the wrist. Maybe chopping off the thumbs? smile

[olderguy2]

The kid said, "the last time they came". So he was arrested at least once before for the same offense. A lot of good that did. Maybe some serious time should be leveled for his second offense. I'm tired of people being malicious thinking they have the right to injure a company and getting away with a slap on the wrist. Maybe chopping off the thumbs? smile

[spruceman]

How Comcastic !!!!!

[kjam_productions]

While I'm not condoning what they did, they are right about one thing. Comcast's service sucks! Crappy customer service, worse technical support and on and on. Everyone thinks they are capping your upload speeds in Bittorrent...think again. They cap ALL uploads speeds regardless of what you're doing. I have a weekly podcast that takes over three hours to upload to Podbean. The truth is, they wouldn't give a damn what people are doing with their service if they would upgrade their infrastructure. Hell I'd even pay a higher price for a more stable and faster service. Instead, they oversell their capacity and then degrade the service of their users as a result. I just switched to AT&T, though I don't really believe they will be much better. However, as a former employee, I can honestly say they don't oversell their capacity. Once the limit is reached, they won't open additional accounts in that particular area until enough potential subscribers request the service and then they add the necessary 'pairs' to extend the service for that region...fingers crossed.

[zeroplane]

Comcast!

It's Craptastic!

[tacit]

It's easy to understand their frustration.

I and other part-time and full-time security researchers often find huge, gaping security holes, in ISPs and businesses and even institutions like banks, only to be ignored when the security holes are reported. I've personally seen ISPs refuse to fix security holes that allow every Web site they host to be hijacked, compromising the personal financial details of every business and ecommerce site on their server; I've seen people continue to host fake "phishing" sites that pretend to be sites like eBay or PayPal, and allow Net users to have their account names and passwords stolen. I've seen Net service companies become angry and hostile when told that the customer details they keep can be stolen, and refuse to fix the problem even when technical details of the security flaws are explained to them.

I've seen ISPs and businesses refuse to fix their site security when their Web servers are overrun by computer viruses that let the virus writer eavesdrop on everyone who visits the site, and capture credit card numbers as they're being typed in.

I've seen banks refuse to fix their Web security even when they know that their customers' bank account numbers and passwords are exposed. I've seen big-name retailers refuse to fix their security even when they know for a fact that their customers' credit card numbers are being stolen.

Does that make it OK to hack these sites? No, of course not. These kids deserve to be arrested.

But the Comcast technician who screwed up, and then hung up on them when they tried to tell him he screwed up? That guy deserves to be arrested, too.

[OokiiMamoru]

Better yet, why not allow very hefty bankrupting class action lawsuits when a problem has been documented and not fixed within a reasonable time frame.

[Dr_Zinj]

Actually, the most ethical and moral thing to do for a white hat hacker would be to redirect all hacked sites to a single page that explicitly tells the user that they have been hijacked from that site, which companies hosted and used the site, the nature of the vulnerability, who was notified at the company(s) of the vulnerability, when they were notified, and how many times, and a phone number and e-mail to that company's CEO and Customer Service departments.

Make a counter for each bad site to keep track of traffic to be able to tell how many users affected (and possible monetary losses). And offer the users a return to the company page link (if they really want to use it after that).

You might be brought up on charges, you might be brought to trial, and you might receive jail time and fines. But you can cripple these moronic companies with loss of business due to bad publicity. And who knows, maybe get them to actually fix their vulnerabilities.

I'd go so far to say that this is actually what the U.S. Government should be doing if they were really concerned about pro-active internet security.

[paulej]

If they were able to access Comcast's account at Network Solutions, then this suggests that Comcast has a real security issue. I think they deserve the kick in the rear. People want to punish the teenagers, but for what? Logging into an account and changing a few DNS values? Sure, quite disruptive, but if I were Comcast, I would be more worried about firing somebody for allowing such sensitive information to get out the door. If those boys were really bad, they certainly could have planned an elaborate scheme where they could have put up a fake Comcast, fake Google, and fake everything else ... collecting user's passwords for all kinds of sites. It's absolutely amazing that Comcast could be so careless. Or, was it Network Solutions that is to blame? In any case, they ought to find out how they keys to their little part of the Internet got out into the public.

[The Harper]

I don't get it... Wouldn't the teenagers have to perform DNS poisoning on one of the Comcast servers for this to happen? How loose is Comcast's infrastructure to allow that to happen? And if we're talking about Comcast's CORPORATE website... Isn't that hosted by some other ISP? I'm going to WHOIS and find out who that is, and advise my clients to never use them E V E R.

[The_Decider]

Nope, it has nothing to do with Comcast and everything to do with Network Solutions. You might want to brush up on DNS and possible DNS attacks if you are in a position to advise anyone, especially paying customers.

[Douglas W. Goodall]

The error that Comcast made here started when they outsourced their DNS. They should have hosted their own DNS servers in a secure location. They should have used simple industry standard procedures to protect their Internet profile. Once the intruders had the username and password for the Network Solutions management console, they had the ability to change the domain registration data. That includes the IP numbers of the primary and secondary nameservers as well as the whois data. While the domains where pointed at Network Solution nameservers, the advanced dns tools at Network Solutions allowed the intruders to change the DNS data in Comcast's zones at will. For example, setting www.comcast.net to an IP of their choice. Any script kiddie could easily change the domain data with the simple point and click web tools at Network Solutions. The person that provided them with the username and password is not responsible enough to hold their position, whether they were at Comcast or Network Solutions. Most IT professionals know better than to give out passwords over the phone to anyone. We all know about "Social Engineering". There are plenty of smart IT people standing in line for work these days, and there should be at least one open position after this.

[The_Decider]

There are more reasonable solutions to protest crappy service. The fact that they could have caused major havoc and didn't will likely net them less time. I just can't believe they would actually call them to tell them.