Security experts say the New York Times website was brought down because of an IT "misstep" that allowed hackers to redirect users.

Members of the Syrian Electronic Army hacked into the Times' registrar, a third-party company where the site's underlying Internet address is stored, and changed it to bring users to the group's own site, Eileen Murphy, a spokeswoman for the news company, told CIO Journal. The Times site is now back up, she said, although some users may still be redirected to the incorrect address, which is still saved on some computers.

Security experts, who viewed online registry records captured during the attack, say the hackers were able to temporarily bring down the site because the Times did not lock access to its domain name system registry. Locking the domain would have prevented any changes to the address without a second authentication from the Times or its administrator.

DNS links a website's everyday URL to an underlying numerical name. The hackers were able to direct visitors to the New York Times site to an unrelated numerical destination. Without the lock, hackers only needed to gain access to the Times' registrar, MelbourneIT, where the DNS data was stored, and change the address, pointing users to a hacker-controlled site.

The hackers reportedly gained access to the registrar through a "phishing" attack against a reseller that purchases domains in bulk from MelbourneIT and resells them to end users like the Times. The hackers fooled a user of the reseller into entering login information into a fake page created by the hackers.

"If you don't have the domain locked down, it's fairly easy to attack," said John Kindervag, a Forrester analyst. For example, while the hackers gained access to the registry of Twitter.com, the core domains were locked and users were not redirected to the hackers' site.
Because the domain itself was locked, the Syrian Electronic Army was able to list itself as the administrator of the site, but that had little effect on Twitter's operations. The group "couldn't modify the [address] and redirect the reader somewhere else," said HD Moore, a researcher at Rapid7, a security firm.

Ms. Murphy, the Times spokeswoman, said accessing the registrar requires a password. But the company didn't feel the extra layer of authentication at the Times "was necessary given what was supposed to be the secure atmosphere of our registrar," Ms. Murphy said. "In light of this attack and the apparent vulnerability, we are tightening our security accordingly."

Any internet user can easily determine if a registry is locked. Easily accessed online registry lookup tools tell users who a site is registered to and whether the domain is locked, information that the core architecture of the Internet intentionally makes public.

Rodney Joffe, an advisor to ICANN, the organization that controls the assignment of domain names, says that body recommends domains be locked, and he could not envision a scenario where the registry would intentionally be left unsecured. "It was likely a misstep," Mr. Joffe said. "Someone didn't realize the account was set up that way."

Write to Joel Schectman at joel.schectman@wsj.com

via Technology - Google News http://news.google.com/news/url?sa=t&fd=R&usg=AFQjCNGHaGsVrEsHJvALAvAs1YorRImQjA&url=http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-311485/
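
The public lock lookup the article describes can be scripted for a defender's own domain portfolio. This added example is not part of the original article: it parses raw WHOIS text for the EPP status codes defined in RFC 5731 and reports which change-blocking locks a domain advertises. The sample records, function names, and the rule that a "lock" means all three flags of a kind are assumptions made for illustration.

```python
import re

# EPP domain status codes (RFC 5731) that prohibit changes to a registration.
CLIENT_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited", "clientDeleteProhibited"}
SERVER_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited", "serverDeleteProhibited"}
_CANON = {s.lower(): s for s in CLIENT_LOCKS | SERVER_LOCKS | {"ok"}}
# Matches both "Domain Status: x <url>" and the older "Status: x" layouts.
STATUS_RE = re.compile(r"^[ \t]*(?:Domain[ \t]+)?Status:[ \t]*([A-Za-z]+)", re.I | re.M)

# Constructed WHOIS excerpts (not real registry records).
UNLOCKED_SAMPLE = """\
Domain Name: EXAMPLE-UNLOCKED.TEST
Registrar: Example Registrar (constructed)
Domain Status: ok https://icann.org/epp#ok
"""
LOCKED_SAMPLE = """\
Domain Name: EXAMPLE-LOCKED.TEST
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Domain Status: serverUpdateProhibited
Domain Status: serverTransferProhibited
Domain Status: serverDeleteProhibited
"""
PARTIAL_SAMPLE = """\
Domain Name: EXAMPLE-PARTIAL.TEST
   Status: CLIENTTRANSFERPROHIBITED
"""

def parse_statuses(whois_text):
    """Return the EPP status codes in raw WHOIS text, case-normalized."""
    codes = (m.group(1) for m in STATUS_RE.finditer(whois_text))
    return {_CANON.get(c.lower(), c) for c in codes}

def lock_report(whois_text):
    """Summarize which change-blocking locks a domain advertises."""
    statuses = parse_statuses(whois_text)
    return {
        # Assumption of this example: a "lock" means all three flags of that kind.
        "registrar_lock": CLIENT_LOCKS <= statuses,  # flags set by the registrar
        "registry_lock": SERVER_LOCKS <= statuses,   # flags set by the registry operator
        # The incident above was a record change, so the update flags matter most.
        "update_blocked": bool(statuses & {"clientUpdateProhibited", "serverUpdateProhibited"}),
        "missing": sorted((CLIENT_LOCKS | SERVER_LOCKS) - statuses),
    }

if __name__ == "__main__":
    for sample in (UNLOCKED_SAMPLE, LOCKED_SAMPLE, PARTIAL_SAMPLE):
        print(lock_report(sample))
```

A transfer-only lock, as in the partial sample, still leaves record updates unblocked, which is why the report lists every missing flag.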
Thursday, 29 August 2013