The weak link in the New York Times hack

The Syrian Electronic Army's attack on The New York Times sheds light on a critical DNS security soft spot. Melbourne IT's reseller may have been broken into rather simply but the NYT's failure to use registry locks is a worry.

The "spear phishing" attack on one of Melbourne IT's resellers, which led to the assault on The New York Times and Twitter, has highlighted the continuing deficiencies in securing the critical infrastructure of the internet.

The attack perpetrated by the Syrian Electronic Army (SEA) may have targeted high profile websites, but access was gained by circumventing the security perimeter of the reseller. More importantly, the mode of infiltration was far from complicated. 

Melbourne IT's outgoing CEO Theo Hnarakis told AAP that the attackers got access to its US client's username and password through a spear phishing campaign.

Spear phishing is when the attempts are directed at specific people or companies - in this case, Melbourne IT's US-based reseller, which purchases domains in bulk from Melbourne IT and resells them to end users.

Mr Hnarakis said that a malicious link was sent to a variety of staff at the reseller, a few of whom unwittingly clicked on the link and divulged their personal login details.

These valid details were subsequently used by the hackers to gain access to the registry.

“Telephone directory of the internet” 

While spear phishing is a relatively common mode of intrusion, the SEA's attack also sheds light on a lesser known issue in the infosec sector, the use of registry locks, or the lack thereof.

According to Nominum’s senior executive sales director Carl Braden, the hack has given “high visibility” to the issue of domain name system (DNS)-related hacks and their potential to manipulate genuine web traffic.

These hacks target the companies that help maintain what Braden calls the “telephone directory of the internet” and in the worst case scenario the hacker can do more than just shut down a site – they can essentially control and manipulate genuine web traffic.

With the right planning, hackers can hypothetically emulate the effects of a distributed denial of service (DDoS) attack, clogging low-capacity websites with the traffic from a high-use webpage.

The hacker could also set up a fake page that impersonates the target site and then direct traffic to that page. With The New York Times, the hacker could have set up a fake landing page with incorrect articles.

If this site was say, a bank, the hacker could wait for unsuspecting users to enter in their details and then use them to access their accounts.

The usefulness of registry locks

In this latest case, Melbourne IT did reveal that its customers could protect against this kind of attack with an add-on feature called "registry lock".

From Mr Braden's understanding, this kind of feature only allows company administrators to alter a site's DNS settings. Without it, the reseller or – depending on the level of security at the company – anyone who has gained access to the system that maintains these DNS settings can alter them, and consequently control the target site's traffic.

Mr Braden said that this feature was included in his company’s DNS security offering. Technology Spectator is currently seeking comment from Melbourne IT as to why this service is an add-on rather than staple with its system. 

However, Melbourne IT did say in a statement that it was reviewing additional layers of security that it could add to our accounts.

The importance of the lock-in feature is highlighted by the impact of the breach on The New York Times and Twitter.

In The New York Times' case, the company could have given itself an extra layer of protection by locking access to its DNS registry entry.

The lock-in feature means that even if a registry where the data is stored is broken into, hackers require extra authentication to make changes to the address or redirect traffic.

Security firm Rapid7 researcher HD Moore told The Wall Street Journal that Twitter had lock-in controls in place which prevented the SEA hackers from disrupting the site’s operations.

In Twitter's case, although the SEA was able to break into the registry and list itself as a site administrator, it was unable to change the address or redirect traffic.
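The two defensive checks the article points at are (a) whether a domain actually carries a registry lock and (b) whether its published nameservers have been changed. A registry lock shows up in a domain's EPP status as the server-level "prohibited" codes (serverUpdateProhibited, serverDeleteProhibited, serverTransferProhibited, rendered in RDAP as "server update prohibited" and so on per RFC 8056); the client-level codes are a registrar lock that a compromised registrar or reseller account can remove. The script below is an added example, not code from the article, Melbourne IT, Nominum or Rapid7. It audits a constructed RDAP response for those statuses and compares an observed nameserver set against the owner's allowlist; the domain names and RDAP documents are made up for the example.

```python
"""Audit a domain's registry-lock posture from an RDAP document and
flag nameserver changes against an owner-maintained allowlist.
Added example; sample data below is constructed, not real registry output."""
import json

# RDAP status strings (RFC 8056) corresponding to the EPP "prohibited" codes.
# server* statuses can only be cleared by the registry (a registry lock);
# client* statuses can be cleared by the registrar, so a stolen reseller or
# registrar login is enough to remove them.
REGISTRY_LOCK_STATUSES = {
    "server update prohibited",
    "server delete prohibited",
    "server transfer prohibited",
}
REGISTRAR_LOCK_STATUSES = {
    "client update prohibited",
    "client delete prohibited",
    "client transfer prohibited",
}

# Constructed RDAP responses for a hypothetical domain (not real data).
RDAP_REGISTRAR_LOCK_ONLY = json.dumps({
    "ldhName": "EXAMPLE-NEWS.TEST",
    "status": ["client update prohibited", "client delete prohibited",
               "client transfer prohibited", "active"],
})
RDAP_REGISTRY_LOCKED = json.dumps({
    "ldhName": "example-news.test",
    "status": ["server update prohibited", "server delete prohibited",
               "server transfer prohibited", "client transfer prohibited"],
})


def audit_locks(rdap_json: str) -> dict:
    """Return whether the domain carries a registry lock, a registrar lock,
    and which registry-level statuses are missing."""
    doc = json.loads(rdap_json)
    present = {s.strip().lower() for s in doc.get("status", [])}
    return {
        "domain": doc.get("ldhName", "").lower(),
        "registry_locked": REGISTRY_LOCK_STATUSES <= present,
        "registrar_locked": REGISTRAR_LOCK_STATUSES <= present,
        "missing_registry_locks": sorted(REGISTRY_LOCK_STATUSES - present),
    }


def detect_ns_change(observed_ns, expected_ns) -> dict:
    """Compare the nameservers currently published for a domain with the set
    the owner expects. Any unexpected server is a hijack indicator: a
    redirected NS record is exactly how registry-level hijacks move traffic."""
    obs = {n.strip().lower().rstrip(".") for n in observed_ns}
    exp = {n.strip().lower().rstrip(".") for n in expected_ns}
    return {
        "changed": obs != exp,
        "unexpected": sorted(obs - exp),
        "missing": sorted(exp - obs),
    }


if __name__ == "__main__":
    for label, doc in (("registrar lock only", RDAP_REGISTRAR_LOCK_ONLY),
                       ("registry locked", RDAP_REGISTRY_LOCKED)):
        print(label, "->", audit_locks(doc))
    # Constructed observation: one legitimate NS replaced by an unknown host.
    print(detect_ns_change(
        ["ns1.example-news.test.", "ns1.unknown-host.test."],
        ["ns1.example-news.test", "ns2.example-news.test"]))
```

In practice the RDAP document comes from the registry's RDAP endpoint for the TLD and the observed nameservers from a resolver query; both checks are cheap enough to run on a schedule so a missing server-level status or a changed NS set raises an alert before traffic is redirected.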