It seems no stone was left unturned in the hurricane of mass confusion surrounding last week’s hack of The New York Times.
What else can you expect when you combine a high profile target (the New York Times), with an obscure issue (DNS security) and a local company (Melbourne IT) ,where it’s difficult to comprehend their core business is at best of times, let alone on a tight deadline.
Amidst all the information one figure seems to stand out. Bloomberg reported that if The New York Times paid a mere extra $50 per year for a “registry lock” it could have prevented the Syrian Electronic Army from taking down its site.
To explain: a registry lock is a layer of security that prevents anyone from tampering with any given website's DNS (or the code that helps identify a site on the web). Altering this code allows any savvy hacker to redirect traffic or - as seen with The Times - bar access to a particular site.
This extra lock usually garners an additional fee, that's paid on top of the annual amount a company is paying, to maintain its web address listing. As for the price, depending the additional features it has attached to the address, it could range anywhere between less than $10 to up to $100 per year. For instance, web addresses that are tied to some form of email functionality cost more than those that don’t.
So, on Bloomberg’s logic the cost for extra security would total to be at most $150 per year, per web address. That’s still pocket change for a media company that posted $489.8 million in total revenue last quarter.
As for whether this extra $50 is worth it, Twitter paid for this kind of service, and surfaced from the Syrian Electronic Army’s attack relatively unscathed. Then again, Twitter paid the price for neglecting DNS security back in 2009 when it was hacked by the Iranian Electronic Army.
Something just doesn’t add up. If it was so cheap, and so simple, then why did why did The New York Times - a company dependant on web traffic - skimp on this feature that would protect its site?
Well, in short, web address security may be relatively cheap but it’s not so easy to understand.
A "Swiss Bank" scenario
Bloomberg’s $50 per year figure might not be altogether correct. But having said that, there's no ‘correct’ figure to begin with.
Technology Spectator posed the cost question to two companies that set up web addresses: the firm at the centre of this storm, Melbourne IT and another provider, NetRegistry. Within the industry, these companies are known as registrars. Neither one could give us a concrete figure on security costs, as they both said that the annual price is negotiated depending on the client’s needs.
Melbourne IT’s CIO Bruce Tonkin likened its lock system to a “swiss bank” scenario, where clients could pay more for less layers of automation and more layers of authentication and manual security. In this instance, he said prices can range anywhere from over $100 to $500 per address depending on how many checks and balances a company decides to put in place.
This is the reason why registry locks aren’t automatically allocated to all web domains, Tonkin explains. The types of hurdles put in place, be it passwords, or extra phone calls with secret passphrases, or even locks preventing certain parties from changing the DNS settings need to be negotiated and price is set depending on how much legwork the company gives the registrar.
And to make matters even more complex, companies can also opt for an extra layer of security that’s offered by some of the separate organisations that store all of these addresses - the registries. But again, this comes at an additional, shifting level of cost, with the registrar - not the registry - actually deciding how much is charged for the added feature.
Securing the domain
According to NetRegistry CEO, Larry Bloch, convincing clients that they to spend more than the minimum to secure their web address has always been a tough proposition.
“I know from our own experiences, that when customers are paying $6 a year or $10 per year for a domain name, it’s very difficult to convince them they need to spend hundreds per year on securing them,” he said.
Tonkin agrees. He says awareness and cost are the two factors that stop most of his customers from investing in web address security. While the cost is nothing in terms of the overall operations of a business, it's enough to raise red flags in a company.
“The person that’s paying the bills goes: ‘that’s beyond my authority’. They say: ‘I can pay for the registration of the name for $100, but $1000, I need to get senior management approval’… so they don’t do it,“ he explains.
As for Tonkin’s point on awareness, there’s an argument that The New York Times’ hack will prompt more companies to take web address security more seriously. But remember, Twitter was hacked back in 2009, and that seemingly had little impact on this idea around protecting web addresses. Except of course for Twitter, which did get its act together.
Bloch says that the hack should get major web operators to tighten their security but warns that the overwhelming complexity and a lack of standardisation of the available solutions makes it a knotty proposition for most companies.
The best sales tool in this field seems to be personal experience, so perhaps there’s some truth in Twitter’s situation. A company only need to be burnt once, for it to realise its need for this kind of security.
That being said, this whole cyber-security issue must feel like a bottomless money pit for The New York Times. It's been attacked by Chinese hackers earlier this year, and now the SEA seems keen to further target the organisation. It keeps throwing resources at the problem and plugs one leak, only to have the hackers exploit a new one.
Cyber security may be cheap in the overall scheme of things, but if you're continually paying more to bolster your defences then the costs start to add up - certainly to more than just $50.