You may have heard the news — a group of hackers calling themselves the Syrian Electronic Army is wreaking havoc (or at the very least mischief) across the Web against several targeted sites. One of the high-profile sites affected by the attacks is the New York Times official site (NYTimes.com). So what exactly happened?
The news service’s servers were never touched. All the data on those computers is just fine — or at least none of those machines were targeted directly by the hackers. Instead, you have to take a look at how the Internet works.
You can think of the Internet like a series of reference librarians (you thought I was going to say tubes, didn’t you?). One of these reference librarians is a registry. Registries maintain the database for top-level domains (TLDs) like .com, .org and .net. We’re concerned about the .com TLD because that’s what the New York Times uses — NYTimes.com. This librarian’s job is to help direct traffic to the proper Web server hosting the site by cross-referencing databases that match Web servers to URLs.
Another reference librarian is the recursive Domain Name System (DNS) server. This reference librarian’s job is to look at the initial request and send it on to the appropriate registry. So when you ask to go to a site (NYTimes.com), the librarian looks at the TLD (.com) and then directs the request to the appropriate registry (in this case, Verisign).
Assuming everything is hunky-dory, your request will reach the appropriate Web server, which will then send you the requested material (in this case, the New York Times Web site). But what if you were able to convince the registry reference librarian that the Web server for that site had changed? You might need to do that for legitimate reasons — perhaps you’re upgrading your machines and need to migrate to new servers. That’s when you make a change with your registrar.
OK, so what the heck is a registrar? These are the companies responsible for reserving a specific domain name for your site (like NYTimes.com). It’s through these companies that you secure your Web site’s URL, assuming it’s available. In this case, the registrar was MelbourneIT, a company known to have pretty good security.
The Syrian Electronic Army managed to hack into MelbourneIT and change the name servers’ addresses from the legitimate ones to servers the hackers owned. These changes eventually pushed through to the registry, which updated its records. At that point, anyone trying to get to NYTimes.com got redirected to a hacker-owned site hosting a variety of malware.
It’s a nasty problem — fixing it immediately would only reduce, not eliminate, the damage. That’s because DNS servers keep a cache of recent answers to speed things along. For a while, that cache would still hold the incorrect name servers for sites like NYTimes.com. So while the information on the Times’s servers would remain intact and the registry might switch back to the appropriate servers, incoming traffic still ended up in the wrong place until those cached answers expired.
This is a pretty big problem. It’s not just Web traffic that goes through this system — it’s everything on the Internet, including email. Okay, now we know what happened — how did the hackers get access to MelbourneIT’s system to make these changes in the first place?
If you watch movies, you might think the hackers gathered around a computer terminal and tried to decrypt a complicated password one letter at a time. Or maybe they did that thing where they guess the password after three tries. But none of that was necessary. They got the information through good old social engineering. In other words, they tricked someone into giving them access.
This happens more frequently than you would think. A good, secure system is hard to break into. But it’s relatively easy to trick people into helping you gain access to something that should be secure. In this case, the hackers used a spear phishing email — this is a message that is targeted at a specific person with the intent to convince that person to hand over vital information. And it worked.
The hackers gained access through a MelbourneIT reseller’s account. The reseller handled several .com accounts, including NYTimes and Twitter. The hackers then went to work switching out name server addresses so that they could spread their malware across large swathes of the Internet.
Not all affected sites fell prey to the hackers’ plan. Some of the sites have what is called a registry lock. This prevents the registry from automatically applying changes to a domain’s records, such as a name server migration. So while the hackers might try to hijack the traffic to a particular Web site, a registry lock keeps those detours from becoming active.
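Here is an added example (not from the original article, and not MelbourneIT’s or any registry’s own tooling) of the two checks a site owner would want to run routinely after reading the above: is a registry lock actually in place, and do the name servers the registry publishes still match the ones you expect? It assumes a domain record shaped like an RDAP response (RFC 9083, where the EPP status codes appear as lowercase phrases); the record below is constructed, not a real lookup.

```python
import json

# Constructed RDAP-style domain record, shaped after RFC 9083 (not a real lookup).
# "status" carries the EPP-derived status phrases; "nameservers" is the
# delegation the registry currently publishes for the domain.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "EXAMPLE.COM",
  "status": ["client transfer prohibited", "client update prohibited"],
  "nameservers": [
    {"objectClassName": "nameserver", "ldhName": "NS1.UNEXPECTED.EXAMPLE"},
    {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE.COM"}
  ]
}
""")

# The three server-side EPP statuses that a registry lock sets. Client-side
# ("client ... prohibited") statuses are controlled by the registrar, so a
# compromised registrar or reseller account can simply remove them; only the
# server-side ones are enforced by the registry itself.
REGISTRY_LOCK_STATUSES = {
    "server update prohibited",
    "server transfer prohibited",
    "server delete prohibited",
}


def has_registry_lock(rdap: dict) -> bool:
    """True only when all three server-side prohibitions are present."""
    present = {s.strip().lower() for s in rdap.get("status", [])}
    return REGISTRY_LOCK_STATUSES <= present


def nameserver_drift(rdap: dict, expected: set) -> tuple:
    """Compare the published name server set with the set we expect.
    Returns (unexpected, missing); both empty means no drift."""
    observed = {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}
    wanted = {e.lower().rstrip(".") for e in expected}
    return observed - wanted, wanted - observed


def assess(rdap: dict, expected_ns: set) -> list:
    """Return human-readable findings; an empty list means nothing to alert on."""
    findings = []
    if not has_registry_lock(rdap):
        findings.append("no registry lock: registrar-level changes propagate automatically")
    unexpected, missing = nameserver_drift(rdap, expected_ns)
    if unexpected or missing:
        findings.append(f"name server drift: unexpected={sorted(unexpected)} missing={sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_RDAP, {"ns1.example.com", "ns2.example.com"}):
        print("ALERT:", finding)
```

Run against the constructed record it flags both the missing lock and the swapped first name server; in practice you would feed it the RDAP output for your own domains on a schedule and page on any non-empty result.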
The point I’m trying to make is that we have to be vigilant if we want security to mean anything. Sure, it’s possible to design a bad security system. But even the strongest system isn’t any good if we human beings aren’t careful. Frankly, everything will be way safer once the robots take over.