When hackers take down a website, their weapon of choice is often a less-than-subtle technique known as a denial of service attack, which merely overwhelms a site’s servers with junk traffic. But the trick that the hacker group known as the Syrian Electronic Army pulled against the New York Times, Twitter, and the Huffington Post UK Tuesday seems to have been very different, and potentially far more invasive.
On Tuesday evening, Australian domain registrar Melbourne IT confirmed the security community’s suspicions that it was the weak link that allowed the outages of the Times’ website, and very likely the attacks on Twitter and the Huffington Post as well. Melbourne IT, like other domain registrars, manages the records that underpin the Web’s domain name system (DNS): it registers domains with the registry for each top-level domain and tells that registry which name servers are authoritative for a domain, and those name servers in turn translate the names users type into their browsers or click on into the numerical IP addresses of the servers that host those websites. According to Melbourne IT, one of its resellers’ accounts was compromised, giving the attackers the ability to change which DNS servers resolve their clients’ sites, essentially hijacking the sites’ traffic, potentially including all web traffic and email, since attacker-controlled name servers can answer for a domain’s mail (MX) records as well as its web addresses. (The battle for control of the domains still continues for the Times: NYTimes.com remained offline as of Wednesday night.)
“We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies,” Melbourne IT’s head of corporate communications wrote to me in an emailed statement.
The pro-Syrian government provocateur hackers known as the Syrian Electronic Army, however, haven’t left the attack’s source to the imagination. “Hi @Twitter, look at your domain, its owned by #SEA :)” the group tweeted Tuesday afternoon, along with the link to Twitter’s domain information, showing that they had changed it to the SEA’s. The group also temporarily replaced the Times’ site with a page showing their logo, and a message that read “Hacked by Syrian Electronic Army.”
That level of takeover is far more serious than merely knocking a site offline or defacing it, points out David Ulevitch, who runs the DNS service OpenDNS and monitored the day’s hijinks. “This isn’t just an embarrassment for the New York Times, but a serious security threat,” he says. He suggests that confidential emails – say, from sensitive sources in Syria – could have been compromised, too. “If email could be redirected and captured by the Syrian Electronic Army, you’ve blown your confidential status.”
Worse yet, an attacker could use the trick to set up a fake version of the site, complete with a seemingly valid SSL encryption certificate, and siphon users’ credentials, suggests HD Moore, chief research officer at the security firm Rapid7. (The certificate would not even need to be forged: certificate authorities verify domain control through DNS, email or web checks that the hijacked name servers would now answer, so the attacker could obtain a genuine certificate for the domain.) “You wouldn’t have to man-in-the-middle a site for very long to get a crapload of credentials,” he says. “They could have harvested for 15 minutes and gotten 10,000 passwords.”
I’ve reached out to the New York Times and Twitter for more information about the extent of these potential breaches, and I’ll update this post if I hear back from them.
Update: Twitter security spokesperson Jim Prosser writes back that the Melbourne IT attackers had only limited access to its domain registration details and couldn’t have pulled off the scenario that Moore describes, only changed the “Whois” details. “The perpetrators weren’t able to change the actual DNS address of the domain – just the written registration details,” writes Prosser. He declined to comment further on the record, and referred me to Twitter’s official statement on the hack, which states that “no Twitter user information was affected by this incident.”
Moore points out that Melbourne IT may have been lucky that its Syrian attackers limited their attack to Twitter, the Times, and the Huffington Post UK. In fact, 26 of the top 250 sites on the Web based on Alexa rankings use Melbourne IT as a domain registrar, including Google.com, Microsoft.com, Yahoo.com, Aol.com, and Adobe.com. It’s not clear why the hackers didn’t use their access to go after more of those high-profile sites. “Someone could have gone much further with this and had a much more devastating impact,” he says.
In its statement, Melbourne IT says that some of its clients were protected by a “registry lock” feature, which requires further verification by the registry itself before any change to a domain’s registration record is accepted, rather than trusting the registrar alone. “For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com,” the statement reads. “Some of the domain names targeted on the reseller account had these lock features active and were thus not affected.”
But Moore says he checked Twitter.com’s domain registration as the attack took place and could see that it had implemented what looked like that “lock” safeguard, which seems to have failed to prevent the domain hijacking. “Whatever Twitter did, it didn’t make a difference,” he says. (Update: As I noted above, Twitter disputes this.)
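The two checks a domain owner would want after reading the above are, first, whether the “lock” visible in WHOIS is a registry-level lock or only a registrar-level one, and second, whether the domain’s name servers have been swapped, which is the change that redirects web and mail traffic. The script below is an added example, not code from the article or from Melbourne IT, Twitter or the Times. It assumes WHOIS output in the common “Domain Status:” / “Name Server:” line format, that a registry lock is surfaced as the server*Prohibited EPP status codes while a registrar lock is the client*Prohibited codes, and it runs on two constructed records for a hypothetical domain rather than on a live WHOIS query.

```python
"""Registry-lock and name-server check over a domain's WHOIS record.

Added example, not the article's or any named company's code. It parses
EPP status and name-server lines from WHOIS text (constructed samples
below, not real records) and reports:
  * registry-level lock (server*Prohibited), which only the registry can
    clear, versus registrar-level lock (client*Prohibited), which the
    registrar, and so anyone holding a reseller's credentials, can remove
    before editing the record;
  * name servers that differ from an expected baseline, the change an
    attacker makes to redirect web (A/AAAA) and mail (MX) lookups.
"""
import re
from dataclasses import dataclass

# EPP domain status values (RFC 5731). Assumption: registries expose their
# registry-lock service as the server* statuses, registrars as client*.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverDeleteProhibited",
                 "serverTransferProhibited"}
REGISTRAR_LOCK = {"clientUpdateProhibited", "clientDeleteProhibited",
                  "clientTransferProhibited"}

# Captures just the status code; some WHOIS servers append an ICANN URL.
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*(\w+)",
                       re.IGNORECASE | re.MULTILINE)
NS_RE = re.compile(r"^\s*Name Server:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


@dataclass
class LockReport:
    statuses: set
    name_servers: set
    registry_locked: bool
    registrar_locked: bool
    unexpected_ns: set
    missing_ns: set


def parse_statuses(whois_text):
    return {m.group(1) for m in STATUS_RE.finditer(whois_text)}


def parse_name_servers(whois_text):
    # Normalise case and trailing dots so comparison is host-name based.
    return {m.group(1).lower().rstrip(".") for m in NS_RE.finditer(whois_text)}


def assess(whois_text, expected_ns):
    statuses = parse_statuses(whois_text)
    ns = parse_name_servers(whois_text)
    expected = {n.lower().rstrip(".") for n in expected_ns}
    return LockReport(
        statuses=statuses,
        name_servers=ns,
        registry_locked=REGISTRY_LOCK.issubset(statuses),
        registrar_locked=bool(REGISTRAR_LOCK & statuses),
        unexpected_ns=ns - expected,
        missing_ns=expected - ns,
    )


def alerts(report):
    """Findings worth acting on; an empty list means the record looks intact."""
    out = []
    if not report.registry_locked:
        if report.registrar_locked:
            out.append("only a registrar-level lock: clearable by the registrar "
                       "or by a compromised reseller account")
        else:
            out.append("no lock at all")
    if report.unexpected_ns:
        out.append("unexpected name servers: " + ", ".join(sorted(report.unexpected_ns)))
    if report.missing_ns:
        out.append("expected name servers missing: " + ", ".join(sorted(report.missing_ns)))
    return out


# Constructed sample records for a hypothetical domain (not real WHOIS output).
LOCKED_RECORD = """\
Domain Name: EXAMPLE-NEWS.COM
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited
Domain Status: serverDeleteProhibited
Domain Status: serverTransferProhibited
Domain Status: serverUpdateProhibited
Name Server: NS1.EXAMPLE-NEWS.COM
Name Server: NS2.EXAMPLE-NEWS.COM
"""

HIJACKED_RECORD = """\
Domain Name: EXAMPLE-NEWS.COM
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited
Name Server: NS1.ATTACKER-CONTROLLED.EXAMPLE
Name Server: NS2.ATTACKER-CONTROLLED.EXAMPLE
"""

EXPECTED_NS = ["ns1.example-news.com", "ns2.example-news.com"]

if __name__ == "__main__":
    for label, record in (("baseline", LOCKED_RECORD), ("after hijack", HIJACKED_RECORD)):
        findings = alerts(assess(record, EXPECTED_NS))
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

On the hijacked record the only status left is clientTransferProhibited, which is exactly the kind of “lock” a registrar or reseller account can clear on its own, so the script flags it together with the two unfamiliar name servers. Run periodically against the real WHOIS or RDAP output for a domain, with the baseline taken from a known-good record, this is the monitoring check that would have caught the name-server change described above within one polling interval.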
The Syrian Electronic Army, which supports Syrian dictator Bashar Al-Assad’s regime in the country’s widening civil war, has emerged over the last year as a frequent disruptive force online. Using phishing attacks, it’s hijacked the Twitter feeds of Justin Bieber, Angelina Jolie, the BBC, CBS, NPR, and even the Onion. In April, it used the AP feed to deliver false news that President Obama had been injured in an explosion at the White House, causing a temporary 150 point dive in the stock market’s Dow Jones Industrial Average.
Though the Times continues to battle its Syrian foes, Moore argues that the SEA could have used its Melbourne IT attack to inflict far more serious damage than any of those previous hacks. “This comes off as kind of clumsy and a waste of a serious bug,” he says. “It could have gone a whole lot worse.”