DNS takeover

How the Syrian Electronic Army “hacked” the New York Times, Twitter and the Huffington Post

August 28, 2013

As of this moment, the website of the New York Times is inaccessible to many people. It’s apparently the victim of an attack by the Syrian Electronic Army (SEA), the group of hackers that supports Syrian president Bashar al-Assad and who started out by hacking their ideological foes before it occurred to them they’d get more press by going after more visible targets.

But here’s the thing: Unlike previous attacks by the SEA, for example against the Twitter accounts of The Guardian, it seems more likely that this time, the SEA didn’t manage to filch passwords from anyone within the Times itself. As the Times itself has just reported, there has been an “attack on the company’s domain name registrar, Melbourne IT.” The same registrar apparently also hosts the domain names of other sites the SEA claims to have hacked, including Twitter and the Huffington Post, which also experienced brief problems.

In plain English, Melbourne IT is the company that the New York Times pays to be the steward of the numerical roadmap that tells every computer on the internet—including the one on which you’re reading this—how to find the servers that host the website of the New York Times. These servers are identified by an IP address, a unique set of numbers. You can use IP addresses directly if you know them; typing http://170.149.168.130 into your browser should get you to a relatively intact version of the New York Times’ site.

But since numbers are hard for humans to remember, there is a table of domain names like nytimes.com that correspond to IP addresses. The Times hires Melbourne IT to maintain this table, which is then copied across thousands of so-called domain-name servers across the internet. When you type nytimes.com into your browser, your computer looks up the corresponding IP address with one of those servers, and sends you to it. It takes a while for changes to the table at Melbourne IT to spread across the domain-name system, though, which is why some people can see the Times site right now and others can’t.
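The uneven propagation described above is also what a defender can watch for. The following Python code is an added example, not part of the original article: it compares the answers several resolvers give for a domain against a baseline recorded while the domain was known good. The resolver labels, nameserver names and the 203.0.113.10 address are constructed for illustration; only 170.149.168.130 comes from the article.

```python
from dataclasses import dataclass

# Baseline pinned while the domain was known good. The A record is the address
# quoted in the article; the NS names are constructed placeholders.
BASELINE = {
    "ns": frozenset({"ns1.dns.example", "ns2.dns.example"}),
    "a": frozenset({"170.149.168.130"}),
}

@dataclass(frozen=True)
class Observation:
    resolver: str    # label of the recursive resolver that was queried
    ns: frozenset    # NS names it returned for the domain
    a: frozenset     # A records it returned for the domain

def normalise(names):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return frozenset(n.rstrip(".").lower() for n in names)

def classify(obs, baseline=BASELINE):
    """Compare one resolver's view with the baseline."""
    if normalise(obs.ns) != baseline["ns"]:
        # The delegation is set through the registrar, so a change here
        # points at the registrar account rather than the web servers.
        return "delegation-changed"
    if not obs.a or not obs.a <= baseline["a"]:
        return "address-changed"
    return "ok"

def assess(observations, baseline=BASELINE):
    """Return an overall status plus the per-resolver verdicts."""
    verdicts = {o.resolver: classify(o, baseline) for o in observations}
    bad = [r for r, v in verdicts.items() if v != "ok"]
    if not bad:
        return "consistent", verdicts
    if len(bad) == len(verdicts):
        return "changed-everywhere", verdicts
    # Some caches still hold the old records: visitors see different sites.
    return "partially-propagated", verdicts

# Constructed sample: three resolvers queried at the same moment.
SAMPLE = [
    Observation("resolver-a", frozenset({"NS1.dns.example.", "ns2.dns.example"}),
                frozenset({"170.149.168.130"})),
    Observation("resolver-b", frozenset({"ns1.unknown-host.example"}),
                frozenset({"203.0.113.10"})),
    Observation("resolver-c", frozenset({"ns1.dns.example", "ns2.dns.example"}),
                frozenset({"203.0.113.10"})),
]

if __name__ == "__main__":
    print(assess(SAMPLE))
```
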

The above is, necessarily, something of a simplification. But the implication is this: The Syrian Electronic Army probably didn’t hack into any computers at the New York Times. (It might have done, to get passwords for the Times’s account at Melbourne IT; but if so, it would probably have picked up a bunch of passwords to other things, too. Of course, it might just be keeping them in reserve.)

Instead, and if the Times’s own report is to be taken at face value, the SEA hacked directly into Melbourne IT. And if so it most likely did it the same way it always does—through a “phishing” scheme in which spoofed emails are sent to unsuspecting people at the company and humans, being flawed, click on links within them that either harvest passwords or in some other way hijack their computers.

It suggests that the SEA is getting creative about how it draws attention to itself, if not the causes which it supports.
