Protecting Domain Names From Hacking Through A Registry Lock

In recent weeks there have been a number of high-profile hacking attacks on sites such as that of the New York Times. The attack resulted in the newspaper's website being unavailable for periods of time and forced staff to take care when sending emails.

The attack, the New York Times noted in a statement, “was carried out by a group known as ‘the Syrian Electronic Army, or someone trying very hard to be them.’ The group attacked the company’s domain name registrar, Melbourne IT. The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., Mr. Frons said that “we believe that we are on the road to fixing the problem.”

Previously the Syrian Electronic Army had hacked other newspaper websites, including the Washington Post and the Financial Times, as well as the administrative contact information for Twitter’s domain name registry records.

The attack came about when the Syrian Electronic Army “acquired the user login and password for a US-based [domain name] reseller via a ‘spear phishing’ email – closely targeted to the user to fool them into passing the details into a fake site. ‘The attack has been sent to a variety of staff of our reseller,’” Theo Hnarakis, Melbourne IT’s chief executive, told Australian Associated Press, according to a report in The Guardian.

Armed with the login details and password, the hackers were then able to change registration details for the New York Times and Twitter, pointing the domain names to servers of their choice and effectively hijacking the sites.

Following the attack, “Verisign rolled back changes to the name servers and added a so-called registry lock to This prevented further changes even if initiated by the registrar,” security firm CloudFlare reported in a blog post.

These registry locks are becoming increasingly popular. Earlier in 2013 the .au registry, AusRegistry, launched a new security measure called .auLOCKDOWN that allows .au domain name owners to lock their domain name records and prevent unauthorised changes.

The AusRegistry version of the lock, the company notes, “combats the type of incident seen with the New York Times by adding an additional layer of authorisation at the .au registry level. Only authorised individuals who are verified are permitted to alter domain name records.”

The lock mechanism also “prevents mistakes from occurring, where domain names are accidentally updated.” This was what happened “in June when access to LinkedIn was unavailable for half a day due to an error made by a service provider, rather than a malicious attack.”

Putting a registry lock on a domain name “prevents even the registrar from making changes to the registry automatically,” CloudFlare notes. To check whether there is a registry lock on your domain name, run a whois query against the domain; if it is locked, the output will include “three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited.”

Returning to the hack on the New York Times, CloudFlare notes in its blog post that “quick action by OpenDNS and Google limited the impact on their customers, web surfers using other recursive DNS providers continued to be served hacked results. Unfortunately, because recursive DNS servers cache results for a period of time, even after the records were corrected, many name servers were still pointing to the incorrect locations for affected domains.”

“The registrar of the primary domain the Syrian Electronic Army was using as a name server for the domains they hacked revoked the domain’s registration this afternoon. Since the cache TTL on the domain was relatively short, shortly after the domain was revoked traffic largely stopped flowing to the malware infected sites. That did not mean all hacked sites came back online. In some places, DNS recursors continue to have the cached bad records. They will expire over the next 24 hours and traffic to sites will return to normal.”

It is not always easy to put a registry lock in place. CloudFlare says registrars do not make it easy “because they make processes like automatic renewals more difficult.” But CloudFlare says “if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It’s worth noting that while some of Twitter’s utility domains were redirected, was not — and has a registry lock in place.”
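The whois check described above can be automated. The following Python sketch is an added example, not code from CloudFlare or the article: it parses saved whois output for the three server* status lines and separately reports client* statuses, which are set by the registrar rather than the registry. The function names and both sample whois records are constructed for illustration.

```python
import re

# The three registry-set statuses the article names as the mark of a registry lock.
REGISTRY_LOCK = ("serverDeleteProhibited", "serverTransferProhibited",
                 "serverUpdateProhibited")

# Matches "Domain Status: x" and "Status: x" lines; a trailing ICANN URL or
# comment after the status code is ignored.
STATUS_LINE = re.compile(r"^\s*(?:domain\s+)?status\s*:\s*([A-Za-z]+)",
                         re.IGNORECASE | re.MULTILINE)

def epp_statuses(whois_text):
    """Return the set of lower-cased status codes found in whois output."""
    return {code.lower() for code in STATUS_LINE.findall(whois_text)}

def registry_lock_report(whois_text):
    """Report whether all three server* statuses are present."""
    found = epp_statuses(whois_text)
    missing = [s for s in REGISTRY_LOCK if s.lower() not in found]
    # client* statuses are registrar-level locks: a compromised registrar
    # or reseller account can remove them, so they do not count.
    registrar_level = sorted(s for s in found if s.startswith("client"))
    return {"registry_locked": not missing,
            "missing": missing,
            "registrar_level": registrar_level}

# Constructed sample: registry lock in place (ICANN-style lines with URLs).
LOCKED_SAMPLE = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

# Constructed sample: registrar-level lock only, no registry lock.
UNLOCKED_SAMPLE = """\
Domain Name: EXAMPLE.NET
   Status: clientTransferProhibited
   Status: ok
"""

if __name__ == "__main__":
    for name, text in (("example.com", LOCKED_SAMPLE), ("example.net", UNLOCKED_SAMPLE)):
        print(name, registry_lock_report(text))
```

Run on a schedule against the output of `whois` for each domain you own, a report with a non-empty `missing` list is a signal that a registry lock was never applied or has been lifted.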