In recent weeks there have been a number of high-profile hacking attacks on sites such as the New York Times’. The attack resulted in the newspaper's website being unavailable for periods of time and forced staff to take care when sending emails.

The attack, the New York Times noted in a statement, “was carried out by a group known as ‘the Syrian Electronic Army, or someone trying very hard to be them.’ The group attacked the company’s domain name registrar, Melbourne IT. The Web site first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., Mr. Frons said that “we believe that we are on the road to fixing the problem.”

Previously the Syrian Electronic Army had hacked other newspaper websites, including the Washington Post and the Financial Times, as well as the administrative contact information for Twitter’s domain name registry records.

The attack came about when the Syrian Electronic Army “acquired the user login and password for a US-based [domain name] reseller via a ‘spear phishing’ email – closely targeted to the user to fool them into passing the details into a fake site. ‘The attack has been sent to a variety of staff of our reseller,'” Theo Hnarakis, Melbourne IT’s chief executive, told Australian Associated Press, according to a report in The Guardian.

Then the hackers, armed with the login details and password, were able to change the registration details for the New York Times and Twitter, pointing the domain names to servers of their choice and effectively hijacking the sites.

Following the attack, “Verisign rolled back changes to the name servers and added a so-called registry lock to NYTimes.com. This prevented further changes even if initiated by the registrar,” security firm CloudFlare reported in a blog posting.

These registry locks are becoming increasingly popular.
Earlier in 2013 the .au registry, AusRegistry, launched a new security measure called .auLOCKDOWN that allows .au domain name owners to lock their domain name records and prevent unauthorised changes.

The AusRegistry version of the lock, the company notes, “combats the type of incident seen with the New York Times by adding an additional layer of authorisation at the .au registry level. Only authorised individuals who are verified are permitted to alter domain name records.”

The lock mechanism also “prevents mistakes from occurring, where domain names are accidentally updated.” This was what happened “in June when access to LinkedIn was unavailable for half a day due to an error made by a service provider, rather than a malicious attack.”

Putting a registry lock on a domain name “prevents even the registrar from making changes to the registry automatically,” CloudFlare notes. To check whether there is a registry lock on your domain name, run a whois query against the domain; if it is locked, the output will include “three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited.”

Back to the hack on the New York Times, CloudFlare notes in its blog posting that “quick action by OpenDNS and Google limited the impact on their customers, web surfers using other recursive DNS providers continued to be served hacked results. Unfortunately, because recursive DNS servers cache results for a period of time, even after the records were corrected, many name servers were still pointing to the incorrect locations for affected domains.”

“The registrar of the primary domain the Syrian Electronic Army was using as a name server for the domains they hacked revoked the domain’s registration this afternoon. Since the cache TTL on the domain was relatively short, shortly after the domain was revoked traffic largely stopped flowing to the malware infected sites. That did not mean all hacked sites came back online.
In some places, DNS recursors continue to have the cached bad records. They will expire over the next 24 hours and traffic to sites will return to normal.”

And it is not always easy to put a registry lock in place. CloudFlare says registrars do not make it easy “because they make processes like automatic renewals more difficult.” But CloudFlare says “if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It’s worth noting that while some of Twitter’s utility domains were redirected, Twitter.com was not — and Twitter.com has a registry lock in place.”
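The whois check described above, as an added example that is not part of the original article: it parses the “Domain Status:” lines of whois output and reports whether all three registry-level (server*) lock codes are present, and separately whether only the weaker registrar-level (client*) locks are set. The whois text used is constructed sample output, not real registry data.

```python
import re
from typing import Dict, List

# Registry-level lock: set by the registry, so a compromised registrar
# account cannot clear it. These are the three codes the article names.
REGISTRY_LOCK_STATUSES = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}
# Registrar-level lock: set by the registrar, so it offers no protection
# once the registrar (or reseller) account itself is phished.
REGISTRAR_LOCK_STATUSES = {
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
}

# Whois prints one "Domain Status: <code> <url>" line per EPP status code.
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text: str) -> List[str]:
    """Return the EPP status codes found in raw whois output."""
    return STATUS_RE.findall(whois_text)


def lock_report(whois_text: str) -> Dict[str, object]:
    """Classify the lock level of a domain from its whois output."""
    statuses = set(parse_statuses(whois_text))
    return {
        "registry_locked": REGISTRY_LOCK_STATUSES <= statuses,
        "registrar_locked": REGISTRAR_LOCK_STATUSES <= statuses,
        "missing_registry_statuses": sorted(REGISTRY_LOCK_STATUSES - statuses),
    }


# Constructed sample whois output (example.invalid is a placeholder domain).
LOCKED_SAMPLE = """Domain Name: EXAMPLE.INVALID
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
UNLOCKED_SAMPLE = """Domain Name: EXAMPLE.INVALID
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""

if __name__ == "__main__":
    print("locked:", lock_report(LOCKED_SAMPLE))
    print("unlocked:", lock_report(UNLOCKED_SAMPLE))
```

To check a live domain, feed the output of your system's `whois` command (for example via `subprocess.run(["whois", domain], capture_output=True, text=True).stdout`) to `lock_report`.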
The website for the .be registry was hacked during the night of Saturday 27 July. DNS Belgium has issued a statement saying it was again the victim of a defacement, with the hacking community apparently turning their sights on its website.
The cause was a vulnerability in an upload script which led to a leak in the Content Management System. This meant the hacker was able to deface the website. The website was restored within the hour and the vulnerable upload script was made inaccessible.
Leading domain name registrars Name.com, Melbourne IT, Moniker and Xinnet have admitted they were hacked in a brazen cyberattack last week, with the four companies believed to be responsible for around six million domain name registrations.

Name.com has given the most comprehensive account of what happened on its blog, saying that its security team alerted the company “that unauthorised individuals had accessed [their] database. After doing some digging [the company] found that the attack seemed to be geared toward a few specific accounts. The hackers had a target and name.com was a means to that end.”

The posting goes on to note “the information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords and encrypted credit card data. EPP codes (required for domain name transfers) are not stored in the same place so those were not compromised.” To help out the “techies who are wondering”, they explain the “encryption on the credit card information is 4096 bit RSA.”

All customers were required to do a password reset since the password hashes were compromised.

The registrar, with almost half a million registrations, is the 27th largest registrar by total domains, according to Webhosting.info.

The hack is believed to have been carried out by the hacker group Hack the Planet (HTP), which claimed responsibility in its attempt to hack into Linode, a virtual private server hosting firm, reported IDG.

However, the method of advising clients of the hack and asking them to reset passwords was criticised in some quarters.
The alert email advising of the hack “instructed recipients to click on a link in order to perform a password reset, a method that was criticised by some users and security researchers, because it resembles that used in phishing attacks,” said the IDG report.

“The problem with encouraging people to click email-borne links (which could have come from anywhere, or could point to anywhere) for anything relating to logging in or password reset is this: it softens them up to email links that end up at ‘enter your password’ dialogues,” wrote Paul Ducklin on the Sophos NakedSecurity blog. “That plays into the hands of phishers, so please don’t do it.”