The dust is still settling from yesterday's attacks on Twitter and the New York Times, but observers have already gained valuable insight into the methods that made the hacks possible. The LA Times is reporting that the hacks originated with a phishing email sent by the Syrian Electronic Army to the CTO of MelbourneIT, the DNS registrar for both Twitter and the New York Times. The emails were convincing enough to trick one of Melbourne's resellers into giving up login credentials, which gave the hackers a crucial opening. From there, they were able to acquire the credentials of one of MelbourneIT's resellers, and go to work redirecting NYTimes.com visitors to the SEA's own IP address.
MelbourneIT is known as one of the most secure DNS providers
A Cloudflare post went into more detail on the aftermath of the hack, in which the Times called in outside help from Google, Cloudflare and OpenDNS. The bad records entered by the hackers quickly moved upstream to Verisign, the top-level registrar for nytimes.com, which resulted in major outages and redirections. Strangely, MelbourneIT was unable to fix the registry itself, so the team went to work at every level of the DNS system, from Verisign's top-level registry to the various servers connecting Verisign to MelbourneIT.
The attacks are especially ominous because MelbourneIT is known as one of the most secure DNS providers in the business, a reputation that earned them the trust of large institutions like the Times. As the Cloudflare post put it, "this was a very spooky attack." If Melbourne is vulnerable to phishing, observers worry that any DNS-dependent service could be similarly vulnerable, including email routing. One solution suggested by MelbourneIT is the rarely used "registry lock" service, which prohibits any automated changes to the DNS registry. Registrars rarely grant registry locks because of the logistical burden involved, but after this week's hacks, they may become more common.