The unique hack on The New York Times by the Syrian Electronic Army

The unique hack on The New York Times by the Syrian Electronic Army

At around 1:19 pm on August 27, 2013, a researcher found out that the New York Times website was not loading. We knew the New York Times tech team, so we sent an email to check.

A few minutes later, the New York Times’ Citio called us. Then a number of cloudfair teams gathered in a conference hall to remove the hack.

Registrar and Registries

To understand the attack, you need to understand three main things about the Internet.
1) Registries, 2) Registrars and 3) DNS Providers The New York Times dot com is a top-level domain (TLD).

When you purchase a domain, you also have the right to put the name of the server inside the TLD registers.
The registrar is the organization that buys and manages your domains. New York Times.com is managed by a registrar named Melbourne IT.

Melbourne IT is listed as one of the most trusted registrars. Along with the New York Times, it is also used by large organizations such as Twitter and the Huffington Post.

When you open the New York Times.com, your browser looks at the domain against the Internet’s DNS network. That is the first step in the request. A query that extends to DNS providers.

Most ISPs provide duplicate DNS. Companies like OpenDNS and Google provide public services. They provide globally distributed DNS services used by millions of people.

Repeated DNS providers follow a DNS chain that starts at the root and then hide the results from the same DNS providers to reduce the TLD registry and upstream.

For some time period which is also called TTL. By compromising any step in the DNS chain, the attacker can capture some or all of the site’s traffic. This is what happened.

registrar compromise

The New York Times has publicly stated that its registrar has been attacked by the Syrian Electronic Army. Although we are in contact with Melbourne IT, we do not know how the attack was carried out. We do not know how the attacker updated the New York Times server name without authorization.

In Melbourne IT, hackers would send bad records from registrars to verisine registers. (Verisine manages .com TLD) The New York Times.com put the server name in the registry – ns6.boxsecured.com and ns6.boxsecured.com The correct server names should be as follows – DNS.EWR1.MYTIMES.COM and DNS = SEA1.NYTIMCO. . Melbourne IT initially failed to correct bad registry entries.

After the Syrian Electronic Army posted on its Twitter feed, it is understood that the hackers gained access to Melbourne IT’s administrative control panel.

When we went to the New York Times to fix bad records with Melbourne IT, we came across two big DNS providers, Open DNS and Google.

Cloudfair, OpenDNS and Google entered the conference hall and found the New York Times.com site redirected to an Internet space (IP address) that was full of phishing and malware. However, the malware distribution was not immediately visible.

The OpenDNS team updated other servers whose server names were updated by the Syrian Electronic Army. I was able to take care of them too. We found many domains updated, including many Twitter and Huffington Post domains.

As mentioned above, these organizations used Melbourne IT. What Melbourne IT compromised was that it didn’t just manage the New York Times account.

Prevention of bad

In the registry, Verisine changed the old server name and locked the registry on New York Times.com. It does not allow for later changes, even if the registrar wants to.

Open DNS and Google reduced the impact on customers but not the web servers that other DNS providers are using. They are showing hacked results.

Duplicate DNS servers keep hidden results for a while. Although the records are verified, the servers of many affected domains show incorrect locations.

The registrar of the primary domain, which was the server name used by the Syrian Electronic Army to hack, the domain registration was canceled.

The hidden TTL of the domain was short and traffic to the malware infected sites was almost stopped after the domain was canceled. This does not mean that all hacked sites are returned online.

In some places, DNS rescuers get hidden bad records for a while. They expire on their own for 24 hours and the traffic to the sites is normal.

How to keep yourself safe

It was a very strange attack. Melbourne IT is considered to have a higher level of security than other registrars. We are confident that they will provide full details of the attack. Once discovered, organizations will be able to understand the attack and defend themselves.

About Melbourne Itico Stack

An email from independent journalist Matthew revealed that hackers had used a Melbourne IT domain reseller account in the attack. Melbourne IT’s reseller system was in danger, allowing attackers to attack other Melbourne IT users’ domains.

The hack also showed that damage can be done by redirecting the site’s DNS. DNS is more important than the heart of the internet or web. The routing of the email also depends on the DNS, how the root message is sent to the right server.

One of the tasks is to keep all the domains in Rix in one place and lock the registry on your domain. Because of this, the registrar himself cannot change the registry.

If you jump to a hoax query against your domain, you will get a registry lock. Which is found in three status lines. Server Delete Prohibited, Server Transfer Prohibited, and Server Up date Prohibited.

Registrars generally do not allow registry lock requests easily because it is cumbersome in processes such as automatic renewals. But if your domain is at risk, you should proceed with registry lock.

Some of Twitter’s utility domains were redirected, but Twitter.com did not. Twitter.com has a registry lock. We spend time building technical networks. Coastal human networks are more enjoyable than effective ones.

(Published by Matthew Prince in August 2013)

.

Source link

Rabins Sharma Lamichhane

Rabins Sharma Lamichhane is senior ICT professional who talks about #it, #cloud, #servers, #software, and #innovation. Rabins is also the first initiator of Digital Nepal. Facebook: rabinsxp Instagram: rabinsxp

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *