Those behind the widespread intrusion into government and corporate networks exploited seams in U.S. defenses and gave away nothing to American monitoring of their systems.
Russian government hackers engaged in a sweeping series of breaches of government and private-sector networks have been able to penetrate deeper into Microsoft’s systems than previously known, gaining access to potentially valuable source code, the tech giant said Thursday.
Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but that’s wrong on two accounts. It wasn’t a cyber-attack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.
We’ve all seen the pop-ups on our laptops or phones: “Update is available, click here to download.”
We’re constantly urged to do as we’re told because these software updates improve our apps by boosting cyber-security and removing glitches.
The details are still trickling in, but it seems possible that the latest Russian cyberattacks against the Departments of Homeland Security, Treasury and State; the National Institutes of Health; and possibly dozens of companies and departments will turn out to be one of the most important hacking campaigns in history.
Some kinds of online aggression are “noisy,” almost certain to draw attention, as the multifaceted Russian attack on the 2016 presidential election was. And some are “quiet,” more reminiscent of the subtle spy-vs.-spy operations fictionalized in the novels by the great John le Carré, who died Dec. 12.
Prime Minister Scott Morrison says Australian organisations, including governments and businesses, are currently the targets of sustained attacks by a sophisticated foreign “state-based” hacker.
In recent weeks there have been a number of high-profile hacking attacks on sites such as the New York Times'. The attack left the newspaper's website unavailable for periods of time and forced staff to take care when sending email.

The attack, the New York Times noted in a statement, "was carried out by a group known as 'the Syrian Electronic Army, or someone trying very hard to be them.'" The group attacked the company's domain name registrar, Melbourne IT. The website first went down after 3 p.m.; once service was restored, the hackers quickly disrupted the site again. Shortly after 6 p.m., Mr. Frons said that "we believe that we are on the road to fixing the problem."

Previously the Syrian Electronic Army had hacked other newspaper websites, including the Washington Post and the Financial Times, as well as the administrative contact information for Twitter's domain name registry records.

The attack came about when the Syrian Electronic Army "acquired the user login and password for a US-based [domain name] reseller via a 'spear phishing' email – closely targeted to the user to fool them into passing the details into a fake site. 'The attack has been sent to a variety of staff of our reseller,'" Theo Hnarakis, Melbourne IT's chief executive, told Australian Associated Press, according to a report in The Guardian.

Then the hackers, armed with the login details and password, were able to change the registration details for the New York Times and Twitter, pointing the domain names to name servers of their choice and effectively hijacking the sites.

Following the attack, "Verisign rolled back changes to the name servers and added a so-called registry lock to NYTimes.com. This prevented further changes even if initiated by the registrar," security firm CloudFlare reported in a blog posting. These registry locks are becoming increasingly popular.

Earlier in 2013 the .au registry, AusRegistry, launched a new security measure called .auLOCKDOWN that allows .au domain name owners to lock their domain name records and prevent unauthorised changes. The AusRegistry version of the lock, the company notes, "combats the type of incident seen with the New York Times by adding an additional layer of authorisation at the .au registry level. Only authorised individuals who are verified are permitted to alter domain name records."

The lock mechanism also "prevents mistakes from occurring, where domain names are accidentally updated." This was what happened "in June when access to LinkedIn was unavailable for half a day due to an error made by a service provider, rather than a malicious attack."

Putting a registry lock on a domain name "prevents even the registrar from making changes to the registry automatically," CloudFlare notes. To check whether there is a registry lock on your domain name, run a whois query against the domain; if it is locked, the output will include "three status lines: serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited." The server prefix matters: the similarly named clientDeleteProhibited, clientTransferProhibited and clientUpdateProhibited statuses are set and cleared by the registrar itself, so they offer no protection when, as in this incident, it is an account at the registrar that has been compromised.

Back to the hack on the New York Times, CloudFlare notes in its blog posting that while "quick action by OpenDNS and Google limited the impact on their customers, web surfers using other recursive DNS providers continued to be served hacked results. Unfortunately, because recursive DNS servers cache results for a period of time, even after the records were corrected, many name servers were still pointing to the incorrect locations for affected domains."

"The registrar of the primary domain the Syrian Electronic Army was using as a name server for the domains they hacked revoked the domain's registration this afternoon. Since the cache TTL on the domain was relatively short, shortly after the domain was revoked traffic largely stopped flowing to the malware infected sites. That did not mean all hacked sites came back online. In some places, DNS recursors continue to have the cached bad records. They will expire over the next 24 hours and traffic to sites will return to normal."

And it is not always easy to put a registry lock in place. CloudFlare says registrars do not make it easy "because they make processes like automatic renewals more difficult." But CloudFlare says "if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It's worth noting that while some of Twitter's utility domains were redirected, Twitter.com was not — and Twitter.com has a registry lock in place."
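As an added worked example (not code from the original article or from CloudFlare), the following Python script automates the whois check described above. It pulls the EPP status codes out of raw whois output and distinguishes a true registry lock (all three server*Prohibited codes present) from registrar-set client*Prohibited codes, which a compromised registrar account can simply clear. The whois excerpts embedded in the script are constructed for illustration and are not real records; the `check_domain` helper assumes a `whois` command-line client is installed and is only called when you run the script against a live domain yourself.

```python
"""Classify a domain's lock protection from the EPP status codes in whois output.

Added example for the registry-lock discussion; not the article's or CloudFlare's code.
"""
import re
import subprocess
from typing import Iterable

# Set by the registry (e.g. Verisign for .com) when a registry lock is in place.
REGISTRY_LOCK = frozenset({
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
})
# Set by the registrar. Useful against casual mistakes, but a compromised registrar
# account can remove them, which is why they did not protect nytimes.com.
REGISTRAR_LOCK = frozenset({
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
})

# Matches both the current "Domain Status: serverTransferProhibited https://icann.org/epp#..."
# layout and the older "Status: serverTransferProhibited" layout; the code is the first token.
STATUS_RE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*([A-Za-z]+)", re.MULTILINE)


def parse_statuses(whois_text: str) -> frozenset:
    """Return the set of EPP status codes found in raw whois output."""
    return frozenset(STATUS_RE.findall(whois_text))


def lock_level(statuses: Iterable[str]) -> str:
    """Classify lock protection.

    'registry'  : all three server*Prohibited codes present (a registry lock).
    'partial'   : some but not all server*Prohibited codes; unusual, worth a call to the registrar.
    'registrar' : only client*Prohibited codes; the registrar can still change the records.
    'none'      : no lock-related status at all.
    """
    s = frozenset(statuses)
    server = s & REGISTRY_LOCK
    if server == REGISTRY_LOCK:
        return "registry"
    if server:
        return "partial"
    if s & REGISTRAR_LOCK:
        return "registrar"
    return "none"


def check_domain(domain: str) -> str:
    """Run the system whois client (assumed installed) against a live domain and classify it."""
    out = subprocess.run(["whois", domain], capture_output=True, text=True, check=False)
    return lock_level(parse_statuses(out.stdout))


# Constructed sample whois excerpts in the Verisign .com layout (not real registrations).
LOCKED_SAMPLE = """\
   Domain Name: EXAMPLE-LOCKED.COM
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
"""
REGISTRAR_ONLY_SAMPLE = """\
   Domain Name: EXAMPLE-CLIENTLOCK.COM
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""
UNLOCKED_SAMPLE = """\
   Domain Name: EXAMPLE-OPEN.COM
   Domain Status: ok https://icann.org/epp#ok
"""

if __name__ == "__main__":
    samples = [
        ("locked", LOCKED_SAMPLE),
        ("registrar-only", REGISTRAR_ONLY_SAMPLE),
        ("open", UNLOCKED_SAMPLE),
    ]
    for name, text in samples:
        print(f"{name:15s} -> {lock_level(parse_statuses(text))}")
```

Run it as-is to see the three constructed cases classified; to check your own domain, call `check_domain("yourdomain.example")` from an interpreter. Anything other than "registry" means the registrar, and therefore anyone holding the registrar credentials, can still repoint your name servers.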
Leading domain name registrars Name.com, Melbourne IT, Moniker and Xinnet have admitted they were hacked in a brazen cyberattack last week; the four companies are believed to be responsible for around six million domain name registrations.

Name.com have given the most comprehensive coverage of what happened on their blog, saying that their security team alerted the company "that unauthorised individuals had accessed [their] database. After doing some digging [the company] found that the attack seemed to be geared toward a few specific accounts. The hackers had a target and name.com was a means to that end."

The posting goes on to note that "the information that was accessed includes usernames, passwords, physical addresses, email, hashed passwords and encrypted credit card data. EPP codes (required for domain name transfers) are not stored in the same place so those were not compromised." To help out the "techies who are wondering", they explain that the "encryption on the credit card information is 4096 bit RSA."

All customers were required to reset their passwords since the password hashes were compromised.

The registrar, with almost half a million registrations, is the 27th largest registrar by total domains, according to Webhosting.info.

The hack is believed to have been carried out by the hacker group Hack the Planet (HTP), which claimed responsibility as part of its attempt to hack into Linode, a virtual private server hosting firm, IDG reported.

However, the method of advising clients of the hack and telling them to reset passwords was criticised in some quarters.
The alert email advising of the hack "instructed recipients to click on a link in order to perform a password reset, a method that was criticised by some users and security researchers, because it resembles that used in phishing attacks," said the IDG report.

"The problem with encouraging people to click email-borne links (which could have come from anywhere, or could point to anywhere) for anything relating to logging in or password reset is this: it softens them up to email links that end up at 'enter your password' dialogues," wrote Paul Ducklin on the Sophos NakedSecurity blog. "That plays into the hands of phishers, so please don't do it."
The Go Daddy outage on Monday that saw extensive service interruptions to its web hosting operations was not caused by hackers or other "external influences", the company said, but rather was "due to a series of internal network events that corrupted router data tables."

The intermittent service outages started shortly after 10:00 US Pacific Time and services were fully restored by 16:00. Once Go Daddy identified the issues causing the problems, it says it took corrective action to restore services and has implemented measures to prevent this from occurring again. The company also says that at no time was any customer data at risk, nor were any of its systems compromised.

There were claims from Anonymous, through the Twitter handles @AnonymousOwn2r and @AnonymousOwn3r, to have caused the outage with a distributed denial-of-service (DDoS) attack.

Go Daddy manages around five million web hosting accounts but there is no information as to how many were affected.