The Syrian Electronic Army’s high-profile attacks against the New York Times and Twitter have drawn a lot of attention — and raised some anxious questions about vulnerabilities across the Web.
The type of attack used Tuesday is known as a domain name system, or DNS, hijacking, as explained in detail by my Washington Post colleague Timothy B. Lee. In short, this type of attack changes information within the DNS, a system that essentially acts as a phonebook for the Internet by directing users who type in a Web address to the right place. A DNS hijack, as Lee explained, changes where users get directed when they type in an address such as nytimes.com or washingtonpost.com. In the case of Tuesday’s attacks, the hackers were able to gain access to these records through a third-party company, Melbourne IT, that registers domain names.
The SEA used this method to cause mischief and publicize what it was doing, but security researchers said that others could cause more damage than that.
For example, F-Secure security advisor Sean Sullivan said that hackers may be able to use this method to redirect users logging into something like a banking Web site to a false version of the company’s log-in screen and trick people into logging in.
But, Sullivan noted, this might not be effective for large-scale attacks, and hackers would not be able to duplicate the appearance of a secure connection — the “https” that graces the front of nearly every Web address for a financial institution, and lets people know the site they’re on is secure.
Timo Hirvonen, a security analyst at F-Secure, said that anyone who gets sent to a fake page should get a notification that the site they’re visiting isn’t verified. Users, then, should pay close attention to alerts that pop up, or make sure that they’re on an “https” site before entering sensitive information.
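The warning Hirvonen describes comes from a check the browser makes before it treats a connection as verified: the name the user typed must match a name in the certificate the server presents. As an added illustration (not code from the article or from F-Secure), the function below models that check. The certificate name lists and hostnames are constructed placeholders under the reserved .test domain; no real certificates or sites are involved. It shows why a host reached through a changed DNS answer fails the check for the original site name when it can only present a certificate for some other name.

```python
"""Hostname verification of the kind a browser performs before it shows a
verified (https) connection.

Added illustration, not code from the article or from F-Secure. The
certificate name lists and hostnames below are constructed placeholders
(.test domains), not real certificates or sites.
"""


def _matches(presented: str, hostname: str) -> bool:
    """Compare one certificate name (a dNSName SAN entry) with the requested host.

    Rules applied (RFC 6125 style):
    - comparison is case-insensitive, trailing dots ignored
    - a wildcard is honoured only as the entire leftmost label
    - the wildcard stands for exactly one label, never for 'a.b'
    - a wildcard needs at least two fixed labels after it ('*.test' is refused)
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_verified(requested_host: str, cert_names: list) -> bool:
    """True when any name in the certificate matches the host the user typed."""
    return any(_matches(name, requested_host) for name in cert_names)


def connection_status(requested_host: str, cert_names: list) -> str:
    """What the browser would report for this host/certificate pairing."""
    if hostname_verified(requested_host, cert_names):
        return "verified"
    return "warning: certificate does not match " + requested_host


# Constructed sample certificates: only their name lists matter here.
BANK_CERT = ["www.example-bank.test", "*.example-bank.test"]
OTHER_HOST_CERT = ["other-host.test", "*.other-host.test"]

if __name__ == "__main__":
    # Normal case: the bank's own server presents a certificate for its name.
    print(connection_status("www.example-bank.test", BANK_CERT))
    # Redirected case: the user still typed the bank's name, but the host the
    # DNS answer pointed to holds a certificate for a different name only.
    print(connection_status("www.example-bank.test", OTHER_HOST_CERT))
```

The second call is the situation in the article: the address bar still says the bank's name, the certificate does not, and the browser warns instead of showing the connection as verified. That is the alert users are being told to take seriously.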
This sort of attack can be a difficult thing to protect against, said Kenneth Geers, a senior global threat researcher at the security firm FireEye. Organizations with complex Web pages, he noted, not only have to beef up their own security, but also must rely on a number of other organizations such as Melbourne IT.
“It must be maddening for the New York Times and Twitter,” he said. “The [information technology] supply chain on which they depend is just too large.”
An attack on The Washington Post and other organizations earlier this month offers another example of how complicated it can be to keep every aspect of a Web site secure. In that attack, members of the SEA breached a third-party content supplier called Outbrain and used it to redirect traffic on certain Post article pages.
Complexity is the enemy of security, Geers said, and getting the security of everyone who contributes to a site at the same level is extremely difficult — if not impossible.
These attacks, which continued to affect some users of the Times and Twitter well into Wednesday, may have such long-lasting effects for two reasons, Geers said.
For one, it takes a while for DNS information to move throughout the network — which could explain why some, but not all, users had trouble with the sites under attack. Geers also said that those in charge of security for the Times and Twitter may not have expected this kind of attack, and were caught unaware. And in some cases of DNS attacks, he said, hackers may have planted code within company networks that renews its attack even after it’s been resolved.
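Two points from this article, that a hijack changes what a name resolves to (the phonebook entry described earlier) and that resolvers keep serving cached answers until their TTL runs out (which is why some, but not all, users were affected), can be seen in the small baseline check below. It is an added example, not code from the article, from FireEye or from any registrar: the resolver labels, names, addresses and timestamps are constructed, and nothing is looked up on the network.

```python
"""Compare DNS answers against an expected baseline and estimate when cached
answers expire.

Added example, not code from the article, FireEye or any registrar. All
resolver labels, names, addresses and timestamps are constructed; nothing is
looked up on the network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    resolver: str     # constructed label for the resolver that gave the answer
    rtype: str        # record type, "NS" or "A"
    value: str        # record data
    ttl: int          # remaining cache lifetime in seconds, as the resolver reported it
    observed_at: int  # constructed unix timestamp of the observation


# Constructed baseline: the records the domain owner expects to be served.
EXPECTED = {
    "NS": {"ns1.legit-dns.test", "ns2.legit-dns.test"},
    "A": {"192.0.2.10"},
}

# Constructed observations taken at t=1000 from three resolvers. r1 and r2
# already return changed records; r3 still serves its earlier cached answers.
OBSERVED = [
    Answer("r1", "NS", "ns1.other-dns.test", 3600, 1000),
    Answer("r1", "A", "198.51.100.7", 300, 1000),
    Answer("r2", "NS", "ns1.other-dns.test", 3600, 1000),
    Answer("r2", "A", "198.51.100.7", 300, 1000),
    Answer("r3", "NS", "ns1.legit-dns.test", 120, 1000),
    Answer("r3", "A", "192.0.2.10", 45, 1000),
]


def unexpected_records(observed, expected):
    """Map each resolver to the (type, value) answers that are not in the baseline."""
    bad = {}
    for a in observed:
        if a.value not in expected.get(a.rtype, set()):
            bad.setdefault(a.resolver, []).append((a.rtype, a.value))
    return bad


def cache_expiry(observed, resolver, rtype):
    """Unix time when the resolver's cached answer of this type expires and it
    re-queries; None if that resolver gave no such answer."""
    expiries = [a.observed_at + a.ttl
                for a in observed if a.resolver == resolver and a.rtype == rtype]
    return max(expiries) if expiries else None


def resolvers_serving_baseline(observed, expected, now):
    """Resolvers whose every answer matches the baseline and is still cached at
    `now`: the users behind them have not yet picked up the change."""
    by_resolver = {}
    for a in observed:
        by_resolver.setdefault(a.resolver, []).append(a)
    return {
        r for r, answers in by_resolver.items()
        if all(a.value in expected.get(a.rtype, set()) and a.observed_at + a.ttl > now
               for a in answers)
    }


if __name__ == "__main__":
    for resolver, records in unexpected_records(OBSERVED, EXPECTED).items():
        print(f"{resolver}: unexpected {records}")
    for now in (1030, 1100):
        on_baseline = sorted(resolvers_serving_baseline(OBSERVED, EXPECTED, now))
        print(f"t={now}: still on baseline -> {on_baseline}")
    print("r3 A-record cache expires at", cache_expiry(OBSERVED, "r3", "A"))
```

Run as-is, it reports r1 and r2 as serving records outside the baseline and shows r3 dropping out of the baseline set once its 45-second A-record TTL runs out: the same change reaches different users at different times, which is the uneven effect the article describes. A site operator's own monitor would fill OBSERVED from queries against several public resolvers and the authoritative servers, with the NS set registered at the registrar being the first thing to compare.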
“Some networks may never be the same” after this kind of attack, he said.
A previous version of this story misspelled the name of Timo Hirvonen. This version has been corrected.