How Not to Get Hacked Like the New York Times
The Syrian Electronic Army's hacking of The New York Times website wasn't your standard spear-phishing scheme or brute force attack to steal passwords, meaning that best practices like creating strong passwords and avoiding links in fishy emails won't do much to protect against similar attacks in the future. Rather, the SEA hacked the Times's Domain Name Server, which is owned by an Australian company called MelbourneIT. MelbourneIT hosts the domain of The New York Times website, among others. The SEA has also since hacked MelbourneIT's blog website, posting the following message:
The site takeover aims to prove a point about MelbourneIT's security. The domain hacks of MelbourneIT's systems are what took down an entire news organization for hours and what large sites need to worry about.
Over at Quartz, Christopher Mims outlines the services MelbourneIT provides to The Times and other sites:
Melbourne IT is the company that the New York Times pays to be the steward of the numerical roadmap that tells every computer on the internet—including the one on which you’re reading this—how to find the servers that host the website of the New York Times. These servers are identified by an IP address, a unique set of numbers. You can use IP addresses directly if you know them; typing http://220.127.116.11 into your browser should get you to a relatively intact version of the New York Times’ site.
So the Times pays MelbourneIT — also known as a registrar — for its New York Times name. "When you type nytimes.com into your browser, your computer looks up the corresponding IP address with one of those servers, and sends you to it," adds Mims. (Meaning that, once you type in "nytimes.com," your computer has to go through the MelbourneIT registrar to send back the right page to you.) Somehow, the SEA hacked into MelbourneIT, took ownership of the Times's DNS and then diverted all of the paper's readers' requests elsewhere, which made the "nytimes.com" address useless. This, of course, is a bit of an oversimplification: For those who want more, CloudFlare, another DNS provider, has a detailed explanation.
Because MelbourneIT — a registrar CloudFlare says has "higher security than most" — got hacked, those hoping to protect themselves against a similar attack should consider paying registrars for extra security features "for mission critical names," Tony Smith, a MelbourneIT spokesperson, told The Los Angeles Times's Paresh Dave. One such feature is a registry lock, which makes it more difficult for any person, including a hacker, to change the ownership of the domain. Twitter.com, for example, had a lock and suffered no outages, even though the SEA got into some of the company's other domains, like Twitter.co.uk. "Some of the domain names targeted on the reseller account had these lock features active and were thus not affected," Smith added.
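The two paragraphs above describe the risk (a registrar account that can rewrite a domain's DNS) and the mitigation (a registry lock). The script below is an added example, not code from the article, MelbourneIT, or any of the sites named; it shows the two checks a site owner would run to know where they stand. It assumes the standard EPP domain status codes that registries publish in WHOIS/RDAP output (RFC 8056 gives their RDAP spellings, such as "server update prohibited"): the server* statuses are what a registry lock sets, while the client* statuses are only a registrar-side lock. Every domain name, host name and status list in the block is constructed sample data.

```python
"""Added, constructed example: two defender-side checks for registrar/DNS hijack risk.

1. classify_locks(): reads the EPP/RDAP status codes published for a domain and reports
   whether a registry lock (server* statuses, set by the registry) is in place, or only
   the weaker registrar-side client* statuses.
2. check_nameservers(): compares the name servers currently observed for a domain with an
   expected baseline, so an unauthorised change made through a registrar account shows
   up as drift instead of being noticed when readers stop arriving.
All domains, hosts and status lists below are constructed sample data, not real records.
"""
from __future__ import annotations

from typing import Iterable

# EPP status codes a registry applies under a registry-lock arrangement.
REGISTRY_LOCK_STATUSES = {
    "serverupdateprohibited",
    "servertransferprohibited",
    "serverdeleteprohibited",
}
# The registrar-side equivalents; a compromised registrar account can clear these itself.
REGISTRAR_LOCK_STATUSES = {
    "clientupdateprohibited",
    "clienttransferprohibited",
    "clientdeleteprohibited",
}


def normalize_status(status: str) -> str:
    """Map both spellings ("serverUpdateProhibited", "server update prohibited") to one key."""
    return status.replace(" ", "").lower()


def classify_locks(statuses: Iterable[str]) -> dict:
    """Report whether the full registry lock and/or registrar lock set is present."""
    present = {normalize_status(s) for s in statuses}
    return {
        "registry_lock": REGISTRY_LOCK_STATUSES <= present,
        "registrar_lock": REGISTRAR_LOCK_STATUSES <= present,
        "missing_registry_statuses": sorted(REGISTRY_LOCK_STATUSES - present),
    }


def normalize_host(host: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; compare canonical forms."""
    return host.rstrip(".").lower()


def check_nameservers(observed: Iterable[str], expected: Iterable[str]) -> dict:
    """Compare the NS set seen in DNS/RDAP with the baseline the site owner configured."""
    seen = {normalize_host(h) for h in observed}
    baseline = {normalize_host(h) for h in expected}
    return {
        "unexpected": sorted(seen - baseline),
        "missing": sorted(baseline - seen),
        "drifted": seen != baseline,
    }


def audit_domain(domain: str, rdap_statuses: Iterable[str],
                 observed_ns: Iterable[str], expected_ns: Iterable[str]) -> list[str]:
    """Return human-readable findings; an empty list means locked and unchanged."""
    findings: list[str] = []
    locks = classify_locks(rdap_statuses)
    if not locks["registry_lock"]:
        missing = ", ".join(locks["missing_registry_statuses"])
        findings.append(f"{domain}: no registry lock (missing {missing})")
    ns = check_nameservers(observed_ns, expected_ns)
    if ns["drifted"]:
        findings.append(
            f"{domain}: name servers changed; unexpected={ns['unexpected']} missing={ns['missing']}"
        )
    return findings


# Constructed sample data: one domain with a registry lock, one with only a transfer lock.
SAMPLE_RDAP_STATUS = {
    "locked.example": [
        "client transfer prohibited", "client update prohibited", "client delete prohibited",
        "server transfer prohibited", "server update prohibited", "server delete prohibited",
    ],
    "unlocked.example": ["client transfer prohibited"],
}
EXPECTED_NS = {"ns1.dns-provider.example", "ns2.dns-provider.example"}


if __name__ == "__main__":
    # Unlocked domain whose NS set has been partly rewritten (constructed observation).
    observed = ["NS1.dns-provider.example.", "ns1.unexpected-host.example."]
    for line in audit_domain("unlocked.example", SAMPLE_RDAP_STATUS["unlocked.example"],
                             observed, EXPECTED_NS):
        print(line)
    print(audit_domain("locked.example", SAMPLE_RDAP_STATUS["locked.example"],
                       EXPECTED_NS, EXPECTED_NS) or "locked.example: no findings")
```

In practice the status list and observed NS records come from an RDAP or WHOIS lookup and a DNS query, run on a schedule; the point of the baseline comparison is that a change made at the registrar is detected by the owner's own monitoring rather than by an outage. Note that a registry lock requires the registry or registrar to offer the service, which is why the article's advice is to pay for it on mission-critical names.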
How exactly the SEA got into MelbourneIT is still a mystery, making it much harder to determine how registrars can protect their companies from similar hacks. Mims guesses that a spear-phishing scam, in which hackers collect passwords by sending tricky emails with malicious links, gave the SEA access to the registrar. An e-mail from MelbourneIT to its customers said that a "reseller account" had been compromised, indeed suggesting that the SEA somehow got a username and password combination (probably through spear-phishing). Update: The Los Angeles Times has confirmed that a spear-phishing attack led to the hack. "Essentially, several people at the U.S. firm were duped by emails that coaxed them into giving up log-in credentials."
The lesson, then, as always is: Be careful what you click.