The Washington Post

Attacks like the one against the New York Times should put consumers on alert

People walk by the entrance to US newspaper 'The New York Times' in New York, in this March 8, 2011 photo. (EMMANUEL DUNAND/AFP/Getty Images)

The Syrian Electronic Army’s high-profile attacks against the New York Times and Twitter have drawn a lot of attention — and raised some anxious questions about vulnerabilities across the Web.

The type of attack used Tuesday is known as a domain name system, or DNS, hijacking, as explained in detail by my Washington Post colleague Timothy B. Lee. In short, this type of attack changes information within the DNS, a system that essentially acts as a phonebook for the Internet by directing users who type in a Web address to the right place. A DNS hijack, as Lee explained, changes where users get directed when they type in an address such as or In the case of Tuesday’s attacks, the hackers were able to get access to these records through a third-party company, Melbourne IT, that registers domain names.

The SEA used this method to cause mischief and publicize what it was doing, but security researchers said that others could cause more damage than that.

For example, F-Secure security advisor Sean Sullivan said that hackers may be able to use this method to redirect users logging into something like a banking Web site to a false version of the company’s log-in screen and trick people into logging in.

But, Sullivan noted, this might not be effective for large-scale attacks, and hackers would not be able to duplicate the appearance of a secure connection — the “https” that graces the front of nearly every Web address for a financial institution, and lets people know the site they’re on is secure.

Timo Hirvonen, a security analyst at F-Secure, said that anyone who gets sent to a fake page should get a notification that the site they’re visiting isn’t verified. Users, then, should pay close attention to alerts that pop up, or make sure that they’re on an “https” site before entering sensitive information.

This sort of attack can be a difficult thing to protect against, said Kenneth Geers, a senior global threat researcher at the security firm FireEye. Organizations with complex Web pages, he noted, not only have to beef up their own security, but also must rely on a number of other organizations such as Melbourne IT.

“It must be maddening for the New York Times and Twitter,” he said. “The [information technology] supply chain on which they depend is just too large.”

An attack on The Washington Post and other organizations earlier this month offers another example of how complicated it can be to keep every aspect of a Web site secure. In that attack, members of the SEA breached a third-party content supplier called Outbrain and used it to redirect traffic on certain Post article pages.

Complexity is the enemy of security, Geers said, and getting the security of everyone who contributes to a site at the same level is extremely difficult — if not impossible.

These attacks, which continued to affect some users of the Times and Twitter well into Wednesday, may have such long-lasting effects for two reasons, said Kenneth Geers, a senior global threat researcher at the security firm FireEye.

For one, it takes a while for DNS information to move throughout the network — which could explain why some, but not all, users had trouble with the sites under attack. Geers also said that those in charge of security for the Times and Twitter may not have expected this kind of attack, and were caught unaware. And in some cases of DNS attacks, he said, hackers may have planted code within company networks that renews its attack even after it’s been resolved.

“Some networks may never be the same” after this kind of attack, he said.

A previous version of this story misspelled the name of Timo Hirvonen. This version has been corrected.

Hayley Tsukayama covers consumer technology for The Washington Post.