How the Syrian Electronic Army took out the New York Times and Twitter sites


Summary: The short, snappy answer is: "All too easily." Here's how it appears to have happened.


Once more, the Syrian Electronic Army (SEA), an organization backing Syrian strongman Bashar al-Assad, has struck on the internet.

This time, SEA hit The New York Times (NYT), Twitter, and other popular sites. Unlike previous attacks, which relied on phishing to obtain passwords from the target site's authorized users, SEA exploited the weak security of the internet's master address book, the Domain Name System (DNS), to re-route internet traffic from its real destination to SEA-controlled sites.


What the SEA did was mindlessly simple. It compromised Melbourne IT, an Australian domain registrar, with a phishing attack. Once it had its hands on a reseller's credentials, the group logged in and changed the NYT and Twitter domain name records — that is, their addresses as far as your web browser and other internet programs are concerned.

A website's real address is usually an IPv4 (Internet Protocol version 4) numeric address, such as 170.149.168.130, which is an NYT address. Since people aren't likely to remember an address like that, or the even longer addresses used by IPv6, the next generation of IP addresses, DNS maps between those IP addresses and human-readable names, such as zdnet.com.

Tony Smith, Melbourne IT's general manager of corporate communications, admitted, "The DNS records of several domain names on that reseller account were changed, including nytimes.com."

Once this was done, these bogus IP addresses spread from one DNS server to another. The result was that over an approximately 24-hour period, the bad addresses spread throughout much of the world. This ensured that users went to fake websites instead of the real ones.

In the event, this part of the SEA's scheme failed. As the group tweeted, "The @nytimes attack was going to deliver an anti-war message but our server couldn't last for 3 minutes." These servers appear to be located in Russia, which is Syria's most important ally.

At this point, you might be asking yourself, "How could an Australian DNS reseller possibly change the DNS records for the NYT around the world?" The answer is: Easily.

DNS was never designed with security in mind. While some weaknesses, such as DNS cache poisoning, are being repaired with new protocols such as Domain Name System Security Extensions (DNSSEC), others are still there. DNSSEC protects against forged answers, not against changes made through a compromised registrar account, which the protocol treats as legitimate.

Matthew Prince, CEO of CloudFlare, a web performance and security company, explained what happened in this case: After the hacked reseller account was used to change the IP addresses, the bogus addresses were automatically sent all the way up to the top-level domain (TLD) and then down to most of the other DNS services.

Fortunately, the problem was spotted quickly. The NYT, CloudFlare, OpenDNS, and Google started researching the problem, and tracked it back to Melbourne IT.

From CloudFlare's vantage point, and given Melbourne IT's subsequent problems, it appears that SEA "hackers gained access to Melbourne IT's administrative control panel". From there, it was easy to change the DNS addresses.

It was simple because, as with most DNS providers and for most DNS records, there is no real security on DNS addresses. If someone comes along with what appear to be the right credentials, there's no double-checking to make sure that you are indeed the CTO of the NYT or Twitter, or his or her authorized representative.

In short, if you break into a domain registrar account with the right login ID and password, you don't need to break into the site itself. You control where any visitors will go, while all the time they'll think they're going to the real site.

This is even more troubling because, as Prince wrote, "This was a very spooky attack. Melbourne IT is known for having higher security than most registrars."

So, what can you do? Some DNS resolver sites, such as OpenDNS, have a list of bad IP addresses and domain names, and automatically block "all requests that are coming from the known bad name servers."

That may help users, but what about companies and groups that don't want their site addresses hijacked in the first place? Prince said, "There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically."

Domain registrars don't like to do this. They would prefer to make it easy for you to update, change, and renew your site without involving any time-consuming manual steps. "However," said Prince, "if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It's worth noting that while some of Twitter's utility domains were redirected, Twitter.com was not — and Twitter.com has a registry lock in place."

Not sure if you do? Run a whois query against your domain. If the output includes the three status lines serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited, then you have a registry lock in place.
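As an added example (not from the article), here is that check as a script: it parses a whois record for EPP status codes and, going slightly beyond the article, distinguishes the registry-level server* locks from the weaker registrar-level client* locks, which a compromised registrar account can clear. The whois records embedded below are constructed samples, and check_domain assumes a system whois client is installed.

```python
import re
import subprocess

# Registry-level locks (the three status lines the article lists). Only the
# registry itself can lift them, so a compromised registrar account cannot.
REGISTRY_LOCK = {"serverDeleteProhibited", "serverTransferProhibited",
                 "serverUpdateProhibited"}
# Registrar-level locks: set and cleared by the registrar, so they do not
# survive a takeover of the registrar or reseller account.
REGISTRAR_LOCK = {"clientDeleteProhibited", "clientTransferProhibited",
                  "clientUpdateProhibited"}

# Matches lines such as "Domain Status: serverTransferProhibited https://..."
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*(\w+)", re.I | re.M)


def parse_statuses(whois_text):
    """Return the set of EPP status codes found in a whois record."""
    return set(STATUS_RE.findall(whois_text))


def lock_level(statuses):
    """'registry' if all three server* locks are set, 'registrar' if only
    client* locks are set, 'none' otherwise."""
    if REGISTRY_LOCK <= statuses:
        return "registry"
    if REGISTRAR_LOCK & statuses:
        return "registrar"
    return "none"


def check_domain(domain):
    """Run the system whois client and classify the domain's lock level."""
    out = subprocess.run(["whois", domain], capture_output=True,
                         text=True, check=True).stdout
    return lock_level(parse_statuses(out))


# Constructed sample records (not real whois output for any real domain).
SAMPLE_LOCKED = """Domain Name: LOCKED-EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
SAMPLE_UNLOCKED = """Domain Name: UNLOCKED-EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""
```

A domain that reports only client* statuses is locked at the registrar, not the registry, which is exactly the layer the article describes being compromised.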

If you have reason to believe that your site may be at risk, call up your domain registrar and insist on getting your domain name locked down. If you don't, you're in danger of, at the very least, having your site down for a few hours, or, at the most, having your online reputation ruined and your customers buried in malware.

Talkback

14 comments
  • So, how's that Arab Spring working out for you, NYT?

    It's working so well everywhere else.
    Vesicant
    • It's working great, huge improvement over the previous dictators.

      Shame about the Russian state-sponsored hackers calling themselves the "Syrian Electronic Army" mucking things up, tho.
      Wilf Tarquin
      • Tell that to a Christian in Egypt?

        .
        QAonCall
  • Thanks, I've immediately locked my domain name

    Good tip!
    pjotr123
  • Much informative

    But I would think through Phishing, they might have gotten one account and that one account can make this much difference? MelbourneIT might have better security than other registrars, but I would say definitely they need to up their security a bit.
    spicycheeks
  • abc123 password?

    That happens when sysadmins use abc123 as a password!
    ssamayoagt
    • What a coincidence!

      That's the combination to my luggage!
      RoverDaddy
  • Registrars using 2 factor authentication

    Can anyone share names of registrars and DNS providers using 2 factor authentication for personal accounts? My DNS provider (dnsmadeeasy) offers this but only for corporate accounts at a hefty price. It should really be a minimum standard now.
    harmlessdrudge
  • Registrars can only modify their own domains?

    One implication made in this article is that if someone compromises ANY registrar they can compromise ANY domain. Presumably any given registrar can only modify domains under its control - i.e. Melbourne IT control the twitter.com and nytimes.com domains and hence could be affected?

    A slightly moot point I guess because ultimately it makes no difference if your registrar is compromised.
    sidepipeuk
  • Amazon

    They are mad 'cause Amazon bought the Times...
    sightsandsounds
  • Physical presence?

    +1 for the article.

    I wonder if large companies with well established domain names and gateway IPs shouldn't insist upon making a plane trip to said registrar to meet for a day, check in, and perform a formal DNS change request right there. Does the NYT have to change its DNS records that often? I shouldn't think so.
    rcasey101
  • Always another false flag justification

    Sorry if I have trouble believing that the "Syrian Electronic Army" actually exists. Isn't it a coincidence that right when we are getting ready to knock off another country (Syria) we are provided with another convenient excuse?

    Someone please name another country in the world, aside from the United States, that exists in a state of constant unending war (albeit an occasional cold one).
    Astringent
    • More on Syria

      http://www.nationalreview.com/corner/357156/ron-paul-chemical-weapons-false-flag-andrew-johnson
      Astringent
  • Easy way in

    I have a scientific hacker friend - does it all for fun - he is a mathematician by trade.
    He says that virtually all real break-ins are one of two ways:
    Phishing - works every time. Fastest.
    Insider - disgruntled employee, often a 3rd worlder when it's "political".

    Brute force attacks are nowadays basically science fiction.
    He privately, under covenant, explained to me the above case before it happened.
    Demonstrated the ease of getting in to stupidly supplied notebooks via WiFi, which carry access to amazing amounts of corporate data, 99.99999% of which is never required in the field.

    What are these low-level staffers doing to need this instant access openly?
    Jack Rigby