What the SEA did was mindlessly simple. It compromised Melbourne IT, an Australian domain registrar reseller, with a phishing attack. Once it had its hands on the reseller's credentials, the group simply logged in and changed the NYT and Twitter domain name records — that is, their addresses as far as your web browser and other internet programs are concerned.
A website's real address is usually an IPv4 (Internet Protocol version 4) numeric address, such as 126.96.36.199, which is an NYT address. Since people aren't likely to remember an address like that, or the even longer addresses used by IPv6, the next generation of IP addresses, DNS maps human-readable names, such as zdnet.com, to the underlying IP addresses.
Once this was done, the bogus records propagated from one DNS server to another. The result was that over an approximately 24-hour period, the bad addresses spread throughout much of the world, sending users to fake websites instead of the real ones.
Fortunately, the problem was spotted quickly. The NYT, CloudFlare, OpenDNS, and Google started researching the problem, and tracked it back to Melbourne IT.
From CloudFlare's vantage point, and given subsequent problems with Melbourne IT, it appears that SEA "hackers gained access to Melbourne IT's administrative control panel". From there, it was easy to change the DNS addresses.
It was simple because, as with most DNS providers and for most DNS records, there is no real security on DNS addresses. If someone comes along with what appear to be the right credentials, there's no double-checking to make sure that you are indeed the CTO of the NYT or Twitter or his or her authorized representative.
In short, if you break into a domain registrar's account with the right login ID and password, you don't need to break into the site itself. You control where any visitors will go, while all the time they'll think they're going to the real site.
This is even more troubling because, as Prince wrote, "This was a very spooky attack. Melbourne IT is known for having higher security than most registrars."
That may help users, but what about companies and groups that don't want their site addresses hijacked in the first place? Prince said, "There is one sensible measure that domains at risk should all put in place immediately. It is possible to put what is known as a registry lock in place for your domain. This prevents even the registrar from making changes to the registry automatically."
Domain registrars don't like to do this. They would prefer to make it easy for you to update, change, and renew your site without involving any time-consuming manual steps. "However," said Prince, "if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It's worth noting that while some of Twitter's utility domains were redirected, Twitter.com was not — and Twitter.com has a registry lock in place."
Not sure whether you have one? Run a whois query against your domain. If the output includes the following three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited, then you have a registry lock in place.
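As an added example (not part of the original article), here is a small POSIX shell check that applies the whois test described above: it looks for the three server-side status lines and tells them apart from the registrar-side client* locks. The whois output embedded below is constructed for offline use; the `whois` client is assumed only for the live lookup wrapper.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a POSIX shell;
# the live wrapper additionally assumes the standard `whois` client.

# has_registry_lock: reads whois output on stdin, reports each of the three
# registry-level statuses, and returns 0 only if all three are present.
has_registry_lock() {
    out=$(cat)
    missing=0
    for st in serverDeleteProhibited serverTransferProhibited serverUpdateProhibited; do
        if printf '%s\n' "$out" | grep -qiF "$st"; then
            echo "present: $st"
        else
            echo "MISSING: $st"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# check_domain: live lookup wrapper (needs network access and `whois`).
check_domain() {
    whois "$1" | has_registry_lock
}

# Constructed sample of the status block for a domain with a registry lock
# (server* statuses, set by the registry) alongside the usual registrar lock.
SAMPLE_LOCKED='Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited'

# Constructed sample with only client* statuses. These are set and removable
# by the registrar itself, so they do not give the protection the article
# describes: whoever controls the registrar account can lift them.
SAMPLE_UNLOCKED='Domain Name: EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited'

# Usage: ./registry_lock_check.sh example.com   (performs a live lookup)
if [ $# -gt 0 ]; then
    check_domain "$1"
fi
```

Only the three server* lines count; a whois result showing client* locks alone means the registrar, or anyone holding its credentials, can still change the records.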
If you have reason to believe that your site may be at risk, call up your domain registrar and insist on getting your domain name locked down. If you don't, you're in danger of, at the very least, having your site down for a few hours, or, at the most, having your online reputation ruined and your customers buried in malware.