Preventing Times, Twitter-Type Attacks
Assessing the Risk of Using Domain Registrars
In the wake of this week's domain name system attacks aimed at The New York Times, Twitter and other media sites, security professionals in all sectors should take specific mitigation steps, experts say.
Those steps include improving their vendor management of domain registrars and, according to one expert, adopting IPv6, the newer Internet protocol, for its security and authentication features. Some organizations also should consider becoming their own domain registrar.
The Syrian Electronic Army, which is believed to be a group of hackers who support President Bashar al-Assad of Syria, attacked Melbourne IT, the domain-name registrar used by the Times, Twitter and the British version of the Huffington Post, on Aug. 27, temporarily disrupting traffic and services to the media companies' websites [see Times, Twitter Attacks Raise New Alarms].
Melbourne IT said its investigation found that the DNS records of several domain names it manages, including that of nytimes.com, were changed, according to published reports. The domain name system translates the names users click on or type into their browsers, such as nytimes.com, into numerical IP addresses. A registrar such as Melbourne IT holds the registration record for the domain, including which name servers are authoritative for it, so anyone who can edit that record at the registrar controls where the name resolves.
Attacks Traced to India
Theo Hnarakis, the departing chief executive of Melbourne IT, told the Financial Review, an Australian business newspaper, that the incursion was traced to India-based perpetrators. Hnarakis said the hackers fooled staff at a U.S.-based reseller of Melbourne IT services into handing over the usernames and passwords for the registrar's system, which allowed someone to access and change key details for the websites.
The Financial Times says the reseller is likely to be Corporation Services Co., which purchased Melbourne IT's digital marketing division and, along with it, contracts for The New York Times and Twitter website records for $152.5 million in March.
Hnarakis said Melbourne IT was made aware of the attacks at 6 a.m. Australian EST on Wednesday (4 p.m. EDT on Tuesday). "This could happen to anyone, it just happens to be our turn," Hnarakis told the newspaper.
Assessing Risk of Registrars
But some security experts believe that such an intrusion can be prevented if proper precautions are taken.
Too many organizations fail to conduct the proper risk assessment to determine whether their domain registrars provide adequate security, says Patricia Titus, former chief information security officer at security provider Symantec, IT integrator Unisys' federal systems unit and the U.S. Transportation Security Administration.
"Organizations are in a hurry to do something, and they don't check all the necessary boxes for security, and they end up having a situation like this," Titus says. "Then, all of a sudden, there's a knee-jerk reaction to get it fixed. If they had done it right in the first place, they wouldn't have to spend all this time fixing their reputation and apologizing to customers. It chips away at trust."
Titus says some companies should consider becoming their own domain registrar. "Two companies I worked at in the private sector had discussions about bringing it back in house because of the trust relationship," she says.
Better Vendor Management
Tom Kellerman, vice president of cybersecurity for IT security provider Trend Micro, says too many companies don't properly vet their registrars and don't do a good job managing them.
"Do you have someone you can call at the registrar?" Kellerman asks. "Do you even know who to call?"
Kellerman says organizations must make sure their registrars regularly patch BIND, the widely deployed open-source DNS server software that many registrars and hosting providers run.
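Vetting a registrar is only half of the picture; the organisation also needs its own check that the registration record has not been altered, because the intrusion described above changed DNS records at the registrar without touching the victims' servers. The script below is an added example, not code from the article or any of the companies named in it. It compares the name servers currently delegated for a domain (as returned by `dig +short NS`) against a stored baseline and confirms that the registry lock status codes the organisation expects (the EPP `clientTransferProhibited`, `clientUpdateProhibited` and `clientDeleteProhibited` codes shown in a WHOIS record) are still present. The domain names, name servers and WHOIS lines are constructed placeholders, not any real company's records.

```python
"""Added example: detect a registrar-level hijack by comparing the live
delegation for a domain with a stored baseline, and by checking that the
registry lock status codes the organisation expects are still present.
Stand-in domain names and records are constructed for the demonstration."""
from dataclasses import dataclass

# Baseline the organisation keeps for its own domain (constructed placeholders,
# not any real company's delegation).
BASELINE = {
    "example-news.com": {
        "ns": {"ns1.example-news.com.", "ns2.example-news.com."},
        "required_status": {
            "clientTransferProhibited",
            "clientUpdateProhibited",
            "clientDeleteProhibited",
        },
    }
}

# Constructed sample of `dig +short NS example-news.com` output, as it might
# look after an attacker with registrar credentials repointed the domain.
HIJACKED_NS = """\
ns1.attacker-dns.example.
ns2.attacker-dns.example.
"""

# Constructed sample of the status lines from a WHOIS/RDAP lookup; the update
# and delete locks have been removed so the record could be edited.
HIJACKED_STATUS = """\
Domain Name: EXAMPLE-NEWS.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: ok https://icann.org/epp#ok
"""

# Constructed healthy samples; note the mixed case and missing trailing dot,
# which the parser must normalise before comparing.
CLEAN_NS = "NS2.EXAMPLE-NEWS.COM.\nns1.example-news.com\n"
CLEAN_STATUS = """\
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" or "high"
    detail: str


def parse_ns(text):
    """Normalise `dig +short NS` output: lower-case, exactly one trailing dot."""
    return {
        line.strip().lower().rstrip(".") + "."
        for line in text.splitlines()
        if line.strip()
    }


def parse_status(text):
    """Extract EPP status codes from WHOIS-style 'Domain Status:' lines."""
    codes = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "domain status":
            codes.add(value.split()[0])   # drop the trailing ICANN URL
    return codes


def audit_domain(domain, ns_text, status_text, baseline=BASELINE):
    """Return findings for any delegation drift or missing registry locks."""
    expected = baseline[domain]
    findings = []

    observed_ns = parse_ns(ns_text)
    added = observed_ns - expected["ns"]
    removed = expected["ns"] - observed_ns
    if added or removed:
        # A changed NS set at the registry is exactly what a registrar
        # account compromise produces; treat it as an incident, not a warning.
        findings.append(Finding(
            "critical",
            f"{domain}: NS delegation changed; added={sorted(added)} "
            f"removed={sorted(removed)}",
        ))

    missing = expected["required_status"] - parse_status(status_text)
    if missing:
        findings.append(Finding(
            "high",
            f"{domain}: registry locks missing: {sorted(missing)}",
        ))
    return findings


if __name__ == "__main__":
    for label, ns, status in (("clean", CLEAN_NS, CLEAN_STATUS),
                              ("hijacked", HIJACKED_NS, HIJACKED_STATUS)):
        result = audit_domain("example-news.com", ns, status)
        print(label, "->", [f"{f.severity}: {f.detail}" for f in result]
              or "no findings")
```

In practice the two text inputs come from a scheduled `dig +short NS` against a public resolver and a WHOIS or RDAP lookup; querying an external resolver rather than the organisation's own name servers matters, because a hijack at the registry level is visible only from outside. A "critical" finding from this check is the signal to call the registrar contact Kellerman asks about.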
He also recommends organizations move to IPv6, the newer Internet protocol, citing its security and authentication features. IPv6 does not by itself protect a registrar account, however: the attack described here succeeded through stolen reseller credentials, which is an access-control problem at the registrar regardless of which IP protocol version a site runs.
"Even after you sustain an attack like this, be very wary and do a full assessment to ascertain whether or not any unique pages or articles on your site as you brought them back online are basically watering holes for the Syrian Electronic Army," he says.
A watering-hole attack ties malware to content the target audience is known to visit, so that when users open an article on a newspaper website or click a link in a social network feed, they unwittingly download the malware.
Attacks on registrars don't by themselves create watering holes, but the disruption they cause could camouflage other malicious activity by the hackers.
"We've seen this happen before," Titus says. "Everybody is focused on the front door and getting things back up and running because that's what the public sees, when, in fact, something else much more nefarious is going on in the backend."
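Kellerman's advice to assess restored pages for watering-hole content can be turned into a routine check. The script below is an added example written for this article, not code from the publication or any company named in it. It parses each restored page, collects every `script`, `iframe`, `embed` and `object` load, and reports any whose host is not on an allowlist of the organisation's own and CDN hosts, since an externally hosted script or hidden frame is the usual carrier for drive-by malware. The allowlist hosts and the sample page are constructed placeholders.

```python
"""Added example: after restoring a site, compare each page's external script
and frame sources against an allowlist of known first-party/CDN hosts and
flag anything else, the kind of injected content a watering-hole attack
relies on. The HTML below is constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation legitimately loads code from (constructed placeholders).
ALLOWED_HOSTS = {
    "www.example-news.com",
    "static.example-news.com",
    "cdn.example-cdn.net",
}

# Constructed sample of a restored article page with one injected script tag
# and one hidden third-party iframe.
RESTORED_ARTICLE = """\
<html><head>
<script src="https://static.example-news.com/app.js"></script>
<script src="//cdn.example-cdn.net/jquery.min.js"></script>
</head><body>
<h1>Story headline</h1>
<script src="http://stat-counter.example.org/c.js"></script>
<iframe src="https://www.example-news.com/embed/video" width="1" height="1"></iframe>
<iframe src="https://promo.example.net/frame.html" style="display:none"></iframe>
</body></html>
"""


class ExternalRefCollector(HTMLParser):
    """Collect loads that can execute or embed third-party content."""
    TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []   # (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((tag, value))


def host_of(url):
    """Return the host for absolute and protocol-relative URLs; '' if relative."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def find_unexpected_loads(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url) pairs whose host is not on the allowlist.

    Relative URLs are same-origin and are not reported; they belong to a
    separate diff against the pre-incident copy of the page."""
    collector = ExternalRefCollector()
    collector.feed(html)
    return [
        (tag, url)
        for tag, url in collector.refs
        if host_of(url) and host_of(url) not in allowed_hosts
    ]


if __name__ == "__main__":
    for tag, url in find_unexpected_loads(RESTORED_ARTICLE):
        print(f"unexpected {tag} load: {url}")
```

Run the function over every page in the restored site, not just the front page; an attacker who held the ability to alter content is as likely to have touched an old article as the home page. The allowlist approach catches injected external loads; inline script inserted directly into the HTML needs a byte-level comparison against a pre-incident copy, which this check does not perform.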