New York Times hack highlights weakness in registrar security

The recent hacks of The New York Times and Twitter websites demonstrate the need for significant changes in the way companies approach security with their domain registrars, experts say.

On Tuesday, a pro-Syrian government group known as the Syrian Electronic Army (SEA) breached the companies' Australian domain name registrar, Melbourne IT, in a spear phishing attack. In the case of The Times, people heading to the site were sent instead to another site that contained malware.

The redirect lasted only a short time before the name server used by the attackers for the hijacked domains was shut down, said CloudFlare, which played a "small part" in neutralizing the hack.

Nevertheless, The Times' website remained offline for several more hours while the damage was repaired.

Twitter suffered far less damage because it had a registry lock in place that prevented Melbourne IT's system from making automatic updates to the micro-blogging site's name servers. The SEA, which has attacked other media outlets in the past, was therefore only able to change the domain name records for a single image server, leaving some Twitter users unable to view images and photos.

Hacking into a website's domain registrar is a major security breach. In a worst-case scenario, hackers can intercept email and redirect visitors to an imitation site where anything they input, such as user names, passwords and credit card numbers, can be intercepted.

"It's a very, very powerful position [for the hackers] to be in," said Wolfgang Kandek, chief technology officer for Qualys.

Other businesses are expected to look closely at the additional security Twitter used to avoid the damage suffered by The Times, experts say.

[Also see: Three types of DNS attacks and how to deal with them | After Twitter, NY Times hacks, top Internet brands at risk]

Registrars generally prefer to avoid applying registry locks because they make automatic renewals much more difficult. Nevertheless, they are likely to deploy the feature more often in the future.

"I do think it's going to be something that companies are going to be demanding from their registrars moving forward," said Jaeson Schultz, threat research engineer for Cisco.

While automated features can be a plus, users need to recognize they are trading more risk for convenience. Therefore, some services, such as changes to a domain registry, should never be automated, Kandek said.

Registrars should also consider monitoring for anomalies that would raise a red flag. Changes to the registration records of a domain that has been in operation for a long time are rare.

"That should be the type of operation that gets checked immediately afterwards," Kandek said.
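As an added example, not from the article or from any of the companies named in it, here is a check a domain owner could run over their own domain's RDAP record to confirm that a registry lock is actually in place and that the name servers still match a recorded baseline. The RDAP responses, hostnames and baseline below are constructed placeholders, and the status spellings follow RFC 8056.

```python
import json

# RDAP status strings (RFC 8056 spelling) that make up a registry-level lock.
# The registry itself enforces these, so an update pushed through a registrar's
# control panel is refused; "client ..." statuses are registrar-level and give no
# protection once the registrar's own systems are compromised.
REGISTRY_LOCK = {
    "server update prohibited",
    "server delete prohibited",
    "server transfer prohibited",
}

# Constructed sample RDAP responses (not real lookups; hostnames are placeholders).
RDAP_LOCKED = json.dumps({
    "objectClassName": "domain", "ldhName": "example.com",
    "status": ["server update prohibited", "server delete prohibited",
               "server transfer prohibited", "client transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.example.net"}, {"ldhName": "ns2.example.net"}],
})
RDAP_UNLOCKED_CHANGED = json.dumps({
    "objectClassName": "domain", "ldhName": "example.com",
    "status": ["client transfer prohibited"],
    "nameservers": [{"ldhName": "ns1.rogue.example"}, {"ldhName": "ns2.example.net"}],
})

# Known-good name servers recorded the last time the domain was changed on purpose.
BASELINE_NS = {"ns1.example.net", "ns2.example.net"}

def missing_locks(rdap_json):
    """Return the registry-lock statuses that are NOT set on the domain."""
    status = {s.lower() for s in json.loads(rdap_json).get("status", [])}
    return REGISTRY_LOCK - status

def nameserver_drift(rdap_json, baseline):
    """Return (added, removed) name servers relative to the recorded baseline."""
    servers = json.loads(rdap_json).get("nameservers", [])
    current = {ns["ldhName"].lower().rstrip(".") for ns in servers}
    return current - baseline, baseline - current

def assess(rdap_json, baseline):
    """Return alert strings; an empty list means locked and unchanged."""
    alerts = [f"no registry lock: {lock} not set" for lock in sorted(missing_locks(rdap_json))]
    added, removed = nameserver_drift(rdap_json, baseline)
    if added or removed:
        alerts.append(f"name servers changed: +{sorted(added)} -{sorted(removed)}")
    return alerts

if __name__ == "__main__":
    for label, doc in (("locked", RDAP_LOCKED), ("changed", RDAP_UNLOCKED_CHANGED)):
        print(label, assess(doc, BASELINE_NS) or ["ok"])
```

Run on a schedule against the real RDAP endpoint for the TLD, the same two functions turn a rare, high-impact registration change into an immediate alert rather than something discovered hours later.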

The hackers appeared to have compromised a reseller's account as part of the hack into Melbourne IT's administrative control panel. "While we are only speculating at this point, it's possible that there was a security vulnerability in the reseller interface that allowed a privilege escalation to take over control of other Melbourne IT customers," CloudFlare said.

Having a third party play a role in the breach highlights that even if a company does everything right from a security perspective, it often has no control over other companies in a supply chain. Because registrars are the equivalent of a hacker jackpot, they have to be more vigilant about the security of their partners.

"They make really attractive targets and their security ought to be better than any one organization that they're hosting a domain for," Schultz said of registrars.

Melbourne IT is not the only registrar to suffer a breach. In April, Network Solutions reported a large-scale infection of sites it hosted. The attackers were able to inject malicious code into the sites.

Melbourne IT, which provides domain name registration in most of the major national and global top-level domains, is considered above average in security. Nevertheless, the recent hack demonstrates no registrar is safe.

Jaime Blasco, lab director for AlienVault, said: "This will be an example that will show [customers] how they can perform better risk assessments."


Stories by Antone Gonsalves
