
AFRINIC became aware of a WHOIS data privacy and security issue and we wanted to share the details of the incident with you.

While handling a support request from a researcher with access to our authenticated FTP site, which provides a redacted bulk WHOIS database dump file, we noticed that users authorised for the bulk WHOIS service could also access a second file containing information such as email addresses, phone numbers and password hashes. The file was removed from the site as soon as the issue was noticed.

 

Bulk WHOIS Service

AFRINIC offers a redacted bulk WHOIS database dump through an authenticated FTP site. Email addresses, phone numbers and password hashes are filtered out of this dump, which is provided principally to support Internet operations, technical research and statistics.

Access to this FTP site is granted through a procedure in which the applicant fills in a form that staff then review for approval.

 

Affected WHOIS Dump File

Publication of this file started in 2011 as part of an inter-RIR collaboration to provide a Global Resource Service (GRS).

Over time the mechanism for sharing this information changed; however, because of automated processes the file continued to be published in error.

 

Exposure Level

The database objects that were being published contained confidential information such as password hashes, organisation emails and phone numbers.

The risk in exposing password hashes is that the plaintext passwords may be recovered from them, for example by brute-force or dictionary attack. A threat actor who recovers a password can modify the WHOIS database objects protected by the corresponding maintainer.

Because access to this information goes back several years, we are not in a position to determine whether it was used to compromise the contents of the WHOIS database.

Currently, the exposed data that is at risk is as follows:

  1. 12,536 email addresses,
  2. 5,272 phone numbers, and
  3. 1,633 maintainers using CRYPT and/or MD5 password hashes.

This data relates to 2,281 organisations. 

The WHOIS database supports three password hashing mechanisms: BCRYPT, MD5 and CRYPT. Presently, only BCRYPT is considered secure against brute force attacks.

There have been continuous efforts to improve the security of the database. These included the partial deprecation of the CRYPT and MD5 authentication mechanisms in November 2017, after which a user could no longer create or update a maintainer with a password hashed using these algorithms.

Furthermore, effective December 2020, we fully deprecated support for CRYPT and MD5, so that passwords hashed by these two mechanisms could no longer be used to update any object, except for updating the maintainer object itself to an acceptable authentication mechanism.

After realising this data exposure we have taken further steps to completely disable support for the two authentication mechanisms.

Currently, at least 92% of maintainers are protected using BCRYPT hashes, PGP keys or X.509 certificates.
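To make the maintainer-hash concern concrete, here is an added example (not AFRINIC's code) that audits a WHOIS dump in the RPSL text format used by RIPE-derived databases such as AFRINIC's: it lists the maintainers that still accept CRYPT-PW or MD5-PW, and flags any password hash left unredacted in a dump intended for publication, which is the check that would have caught the file described above. The attribute conventions (auth: values of MD5-PW, CRYPT-PW, BCRYPT-PW, PGPKEY-…, X509-…, and "# Filtered" standing in for a redacted hash) are assumed from that software family, and the dump text is constructed for the example.

```python
"""Audit which maintainers (mntner objects) in a WHOIS dump still accept CRYPT or
MD5 password hashes, and check that a dump meant for publication is redacted.

Added example, not AFRINIC's code. Assumes the RPSL format of RIPE-derived WHOIS
databases: blank-line separated objects, "attribute: value" lines, auth: values
CRYPT-PW/MD5-PW/BCRYPT-PW <hash>, PGPKEY-<keyid> or X509-<n>, and redacted
dumps printing "<METHOD> # Filtered" instead of the hash. SAMPLE_DUMP is made up.
"""
import re

WEAK_METHODS = {"CRYPT-PW", "MD5-PW"}   # the two mechanisms deprecated in the notice
ATTR_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")

SAMPLE_DUMP = """\
mntner:         EXAMPLE1-MNT
auth:           MD5-PW $1$saltsalt$A1b2C3d4E5f6G7h8I9j0K
auth:           PGPKEY-0123ABCD
mnt-by:         EXAMPLE1-MNT
source:         AFRINIC

mntner:         EXAMPLE2-MNT
auth:           CRYPT-PW abCDefGHijKLm
mnt-by:         EXAMPLE2-MNT
source:         AFRINIC

mntner:         EXAMPLE3-MNT
auth:           BCRYPT-PW # Filtered
auth:           X509-1234
mnt-by:         EXAMPLE3-MNT
source:         AFRINIC

person:         Jane Example
nic-hdl:        JE1-AFRINIC
source:         AFRINIC
"""


def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs.
    Repeated attributes (several auth: lines) keep their order; continuation
    lines (leading space, tab or '+') are folded into the previous value."""
    objects, current = [], []
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                objects.append(current)
                current = []
        elif raw[0] in " \t+" and current:
            attr, value = current[-1]
            current[-1] = (attr, f"{value} {raw[1:].strip()}".strip())
        elif (m := ATTR_RE.match(raw)):
            current.append((m.group(1).lower(), m.group(2).strip()))
    if current:
        objects.append(current)
    return objects


def classify_auth(value):
    """Return (method, exposes_hash) for one auth: value. PGPKEY-<id> and X509-<n>
    collapse to their family; a *-PW value exposes a hash unless its payload is
    empty or only an RPSL '#' comment such as '# Filtered'."""
    token, _, rest = value.partition(" ")
    method = token.upper()
    if method.startswith("PGPKEY-"):
        method = "PGPKEY"
    elif method.startswith("X509-"):
        method = "X509"
    rest = rest.strip()
    exposes_hash = method.endswith("-PW") and rest != "" and not rest.startswith("#")
    return method, exposes_hash


def mntner_auths(text):
    """Yield (mntner name, method, exposes_hash) for every auth: of every mntner."""
    for obj in parse_objects(text):
        name = next((v for a, v in obj if a == "mntner"), None)
        if name is None:
            continue  # person, role, inetnum ... objects carry no auth:
        for attr, value in obj:
            if attr == "auth":
                yield (name,) + classify_auth(value)


def weak_maintainers(text):
    """Maintainers still accepting CRYPT-PW or MD5-PW. auth: lines are alternatives,
    so one weak method is enough to take over every object the maintainer
    protects, however strong the other methods are."""
    return sorted({n for n, method, _ in mntner_auths(text) if method in WEAK_METHODS})


def leaked_hashes(text):
    """(mntner, method) pairs whose hash is present unredacted: the check a bulk
    dump must pass before publication (every *-PW value should be '# Filtered')."""
    return [(n, m) for n, m, exposed in mntner_auths(text) if exposed]


if __name__ == "__main__":
    print("still accepting CRYPT/MD5:", weak_maintainers(SAMPLE_DUMP))
    for name, method in leaked_hashes(SAMPLE_DUMP):
        print(f"UNREDACTED {method} hash in {name}: do not publish this dump")
```

Run against a real dump, `weak_maintainers` is the list to chase before the remaining CRYPT/MD5 hashes are disabled, and a non-empty `leaked_hashes` result is a reason to stop the publishing job rather than upload the file.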

We wish to further clarify that these maintainer passwords are not to be confused with the passwords used to access the members portal.

With regard to organisation emails and phone numbers, such information may be used for abuse and other undesirable purposes, such as unsolicited emails and phone calls, rather than for the purpose the WHOIS database serves.

 

Actions Taken

  • The file containing personal data has been removed and is no longer accessible to unauthorised persons.
  • Support for CRYPT and MD5 has been completely disabled.
  • The Data Protection Commissioner has been duly notified as required by the Data Protection Act 2017.
  • Resource holders and authenticated FTP users with access to bulk WHOIS data have been notified.

 

Further Actions

  • The FTP site will be revised to ensure that the previously authorised users are validated again. Credentials will be issued for a limited period of time.
  • Further system security reviews are ongoing.

 

We apologise for any inconvenience this may have caused.

 

Eddy Kayihura 

Chief Executive Officer

AFRINIC


Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. It better protects both the user's credentials and the resources the user can access.

For MyAFRINIC portal users, the two authentication factors are:

  1. The account password
  2. A one-time six-digit security code.

The code is generated by a third-party Time-based One-Time Password (TOTP) authenticator, as defined in the open standard RFC 6238. Any application that supports TOTP can be used for two-factor authentication.

2FA for the MyAFRINIC portal is an optional but highly recommended security feature, as it adds a layer of security to the authentication process. If enabled, whenever you sign in you will be required to enter your password and the six-digit security code generated by a TOTP authenticator on a device you control, typically a smartphone.

 

Prerequisite for two-factor authentication

You must first install a TOTP application on your smartphone or tablet before enabling two-factor authentication in MyAFRINIC. You may use any authenticator of your choice, provided it supports TOTP.

 

How do I enable Two-Factor Authentication?

Enabling 2FA is a straightforward procedure; the following steps should get it enabled:

  1. Log into your MyAFRINIC account.
  2. Click on “My Account”, then select Security.
  3. Select the "2-Factor Authentication" button.
  4. Select Setup. When setting up the authenticator app, you can either:
    • scan the QR code displayed, or
    • enter the “Secret Key” manually.
  5. Enter the six-digit code from the app to complete the setup.
    • If your six-digit security code is rejected, check that your phone sets its date, time and time zone automatically: TOTP codes are derived from the current time, so a device whose clock is wrong produces codes the portal will not accept.

 

Once 2FA is enabled, you will be required to supply both authentication factors every time you log in to MyAFRINIC. You will be asked for your NIC-HDL and password first, and then to "enter the security code generated by your authenticator app".

Launching the authenticator app displays the current code; enter it to gain access to your account. In most authenticator apps each code is valid for 30 seconds only, after which it expires and a new one is shown. Refer to your authenticator app's documentation for specific instructions.

 

What if I can't generate the six-digit code?

If you cannot access the authenticator app, you will need to use a backup security code to sign in to the MyAFRINIC portal. A backup code is a 10-character one-time code that you can use in place of the OTP code to access your account.

Once 2FA is enabled, you will find the “Generate Backup Codes” button under the 2-Factor Authentication section. Clicking it generates a set of 5 one-time backup codes. Write them down or print them out and store them in a safe place. Each backup code can be used only once; you can generate a new set of codes at any time.

If you are locked out of your account and do not have a backup security code, please contact us.
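The TOTP mechanism described above and the backup codes described in this section, as an added example that is not MyAFRINIC's code: it implements RFC 6238 TOTP and checks itself against the RFC's published test secret, accepts one time step either side of the server's clock to tolerate a slightly wrong device clock (the failure the setup note warns about), and redeems 10-character single-use backup codes from a store that keeps only their hashes. The server-side choices (the clock tolerance, hashed storage, the code alphabet) are assumptions, and the sample secret key is made up.

```python
"""Second-factor checks as MyAFRINIC describes them: a six-digit RFC 6238 TOTP,
or a single-use 10-character backup code when the authenticator is unavailable.

Added example, not AFRINIC's code. Assumed server-side details: +/-1 time step
of clock tolerance, backup codes stored only as hashes, and the enrolment
"Secret Key" being base32 as authenticator apps expect. RFC_SECRET is the
RFC 6238 Appendix B test key; the secret in __main__ is made up.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30       # seconds per TOTP time step
DIGITS = 6      # code length shown by the authenticator
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols, no 0/O or 1/I confusion

RFC_SECRET = b"12345678901234567890"   # RFC 6238 test secret (ASCII digits)


def decode_secret(secret_key):
    """Turn the base32 'Secret Key' typed in manually into raw key bytes.
    Enrolment screens show it in spaced groups and without '=' padding."""
    s = secret_key.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with counter = Unix time // step."""
    return hotp(key, int(at) // step, digits)


def verify_totp(key, code, at=None, window=1):
    """Accept the current step and `window` steps either side (assumed tolerance).
    The counter is Unix time, which is time-zone independent: a code only fails
    when the device clock itself is off by more than about one step."""
    at = time.time() if at is None else at
    candidates = (totp(key, at + d * STEP) for d in range(-window, window + 1))
    return any(hmac.compare_digest(c.encode(), code.encode()) for c in candidates)


def generate_backup_codes(count=5, length=10):
    """Random single-use codes matching the portal's 5 x 10-character set."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _hash_code(code):
    # ~50 bits of entropy per code, so an unsalted hash suffices; storing only
    # hashes means a leaked table does not yield usable codes.
    return hashlib.sha256(code.replace(" ", "").upper().encode()).hexdigest()


class BackupCodeStore:
    """Holds hashes of unused backup codes; redeeming a code burns it."""

    def __init__(self, codes):
        self._unused = {_hash_code(c) for c in codes}

    def redeem(self, code):
        h = _hash_code(code)
        if h in self._unused:
            self._unused.discard(h)
            return True
        return False

    def remaining(self):
        return len(self._unused)


def verify_second_factor(key, store, submitted, at=None):
    """Six ASCII digits take the TOTP path; anything else is a backup code."""
    submitted = submitted.strip()
    if len(submitted) == DIGITS and submitted.isascii() and submitted.isdigit():
        return verify_totp(key, submitted, at)
    return store.redeem(submitted)


if __name__ == "__main__":
    key = decode_secret("JBSW Y3DP EHPK 3PXP")   # made-up enrolment secret
    store = BackupCodeStore(generate_backup_codes())
    print("current code:", totp(key, time.time()))
    print("RFC 6238 vector, T=59:", totp(RFC_SECRET, 59))   # 287082
```

`verify_totp` compares with `hmac.compare_digest` so a guess cannot be timed, and the window is deliberately small: widening it to cover badly drifted clocks multiplies the number of codes an attacker may guess in one attempt, which is why the portal's advice is to fix the device clock rather than loosen the check.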

 

What if I don't have or want to use a smartphone?

A smartphone with an authenticator app makes it very easy to use 2FA, but in principle, you can use any application capable of generating Time-based One-Time Passwords. For example, the OATH Toolkit allows you to generate security codes from the command line. The man page will give you details on how to use the application. The other option could be the OTP Manager, another simple application for managing One Time Password (OTP) tokens.

 

Can I disable 2-factor authentication after enabling it?

Yes. 2FA is optional but a highly recommended security feature. You can disable it by navigating to the Security page of your “My Account” section and clicking the "Disable" button.

Important Note:

On 24 June 2021 during the scheduled maintenance to add the 2FA feature on MyAFRINIC, the change was rolled back as we encountered some issues. We provided the report on our status page at https://status.afrinic.net/#notice-121229

We are now expecting the deployment in the second week of July.