The New York Times website has been hacked by the Syrian army, and has been unusable for the past two days. (Short but serious article describing the damage.)
This isn’t a typical simple attack like a denial-of-service. The hackers got into the domain-name registration system (at a company called Melbourne-IT), and took full control of the web site.
Melbourne-IT is a “domain registrar” company–I don’t know what that means, but I assume that they know everything about how the WWWeb works at the highest levels, and have very good security experts.
And I assume the NYTimes is a large enough entity that it has a full computer department, with in-house employees working 24 hours a day–including computer security experts.
Yet they have been hacked and rendered helpless for the past couple days.
Now, at a news site, the amount of damage the hackers can do is limited…
They can steal credit card info from all the website’s paying subscribers, (and they can publish fake news if they want to), but that is not the end of the world.
What worries me is: If this can happen to the NYTimes, can it also happen to, say, the large banks?
Or what about the stock markets? etc, etc, etc
I assume that military hardware is kept separate from us common folk who use Windows and regular web browsers, so the 1980’s movie War Games was not realistic. And I suppose the same is true of major government institutions like the Fed.
But what about the regular banks? They are open to any citizen who logs into his account from a totally unsecured computer. They presumably route their customers through companies like MelbourneIT mentioned above.
This seems like a bad James Bond movie…
Is there a realistic possibility that an evil genius with a cat on his lap could actually sit in his bunker and take control of major institutions? Does Citibank or Wells Fargo have better computer security than the NY Times? Could one hacker shut down an entire economy?
That is a hilariously naive assumption. There are approximately eleven billion domain registrars in the world and most of them are run by dolts.
The NY Times has been on the verge of bankruptcy for years and has made massive cutbacks in every department, but that’s not really relevant. “They” haven’t been hacked. Their DNS provider was.
Yes, and it has.
If you mean the actual trading platforms, it’s unlikely. If you mean electronic brokers, yes, and it has.
Whatever helps you sleep at night…
No, my feeling is most banks run their own DNS or use reputable DNS providers, but plenty of smaller banks probably don’t. In any case, bank websites can be and often are breached, either through DNS shenanigans, or simple credential phishing.
No. The cat would be in the way of the keyboard.
Citibank and Wells Fargo? Yes. Aunt Mabel’s Credit Union and Pie Shop in Peoria? Maybe.
Both of those are extremely adorable assumptions.
Seizing the high ground of the domain registration merely entitles the attacker to redirect the address to another site — which could be an altered copy of the real thing — and means the ‘owners’ of the domain cannot control the use of that domain name: it gives no access to the site or any of its databases.
I would say domain-hijackers should be shot; but being in Syria that wish might be redundant.
MelbourneIT is an extremely reputable, enterprise domain registrar. The Huffington Post and Twitter also trust MelbourneIT to handle their domains. It’s not like the NYTimes got their domain from Bob’s DNS Shack.
OK, first, the hackers are a group calling themselves the Syrian Electronic Army, not the actual Syrian army.
Second, if I’m understanding it right, they just took control of DNS servers and redirected traffic from the NYT to their own server. Imagine that someone is able to convince all the taxi drivers in NYC that the Empire State Building is in New Jersey. You hop in a cab, and, oh no! It looks to you like terrorists have destroyed the ESB and turned it into a 7/11! That’s what happened here. The NYT website was fine, but no one was able to get to it. Instead they were shunted off to the hackers site.
Incidentally, my bank, and I assume most others, send a secret confirmation back to me, based on my user name, before I enter my password. If that confirmation isn’t right, I’m not supposed to log in. That would prevent this kind of hack from compromising my account. Even if they perfectly simulated the bank’s login page, they wouldn’t know the secret confirmation.
My registrars are very well-regarded too: didn’t stop someone copying part of my then email address and tricking them into transferring a domain into their control. Took six months with ENOM to get it back. (I also have thoughtful feelings regarding ENOM, and still more thoughtful feelings regarding ICANN, all of which are highly respected bodies that work just well enough.)
The fact that some bastard pulled it off against MelbourneIT shows that they are no better at security than my registrars — who are admirable most of the time.
I don’t think most people realise how shaky the security foundations of the web are. Real intrusive hacking has taken place against the very strongest tech firms in recent years, including Apple, Facebook, Microsoft, Oracle and the Linux Foundation. If these can’t be utterly secure, it’s a lot to assume the average domain reseller has mad security skillz.
Generally speaking, DNS attacks are much easier than actually hacking a company’s web server directly. Most of the time, they can be pulled off as a “social attack”. (Meaning: no computers were involved, they just called up the DNS provider and pretended to be an employee of the NYT, and the DNS provider didn’t do due diligence verifying their claim.)
That’s… quite an assumption. Not true however. See above.
That’s… quite an assumption. Newspapers and other “offline” businesses generally have a lot of trouble recruiting competent IT help and, from my experience, many of their web operations are outsourced anyway.
In any case, that isn’t relevant, since NYT wasn’t actually hacked, their DNS provider was. Right? For all we know, the NYT servers are secured like Fort Knox.
This type of attack doesn’t give the attacker any access to the company’s servers. The DNS provider is a completely different company at a completely different location running completely different servers. So unless NYT is lying about what happened, there’s no risk of data being lost.
This type of attack can be used against anybody with a domain name. But, again, the attacker doesn’t gain any access to the company’s servers.
The data isn’t routed through the DNS provider. The DNS provider is like a phone book. If you use the phone book to look up the number of your local pizza place, your phone call isn’t routed through the phone book. The company that published the phone book has no way of knowing whether you like pepperoni.
No. There’s a possibility that they could redirect the domain to a fake sign on page and steal login data from customers. That’s about the sum of it.
Unsophisticated doesn’t necessarily mean insecure. Hosting a site full of static HTML pages eliminates a huge number of possible attack vectors, for example.
And actually the NYT employs quite a bit of interesting technology. I know some of the guys there who developed a completely custom application profiling tool, which they’ve since open-sourced. It’s very useful.
awww, shucks, guys… I didn’t know I was so cute…
But seriously–I know nothing about domains and how the web works, so I just really, really want to believe that there are smarter people than me who prevent the world from collapsing.
Note that a DNS redirect can lead to more direct site cracking.
E.g., employees logging into “mail.nytimes.com” would be redirected to the attackers’ web site which is doing a man-in-the-middle thing. The attackers feed the employees pages that are basically the real pages but are intercepting the user names and passwords. (If done right, the user doesn’t see anything different.) If you get the right employees’ login info, you can really do some damage.
One interesting thing I read about the NYT attack is that employees were warned about it via email. Umm, don’t you want them to not use email at all, so phone messages and such would be a better idea?
Scarfing up subscriber logins would be trivial but not nearly as damaging except to reputation.
(Note that MITM attacks can also be used to fake logins at banks and stuff that have those personalized user login pics and phrases. Which can be avoided by SSL stuff, which can be avoided by spoofed certs, which …)
Also, if certain internal web pages are doing lookups for webpages using the full domain name, they could be fooled as well into going to outside sites. If the programs executing these web pages have high privileges, lots of bad things can happen.
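The thread explains the mechanism in prose (the phone-book analogy, the point that the NYT servers themselves were untouched, and the later note that mail would be redirected too). Below is an added toy model in Python, written for this page rather than taken from any poster: it follows a delegation from a parent zone to authoritative servers, shows that replacing the NS set at the parent moves both web and mail lookups while the site's own zone data is unchanged, and includes the monitoring check a domain owner would run to catch such a change. Every name and address is constructed (the IPs are RFC 5737 documentation ranges).

```python
# Added example: a toy model of DNS delegation, written for this thread
# (not code from any poster). Names and IPs are constructed; the addresses
# are RFC 5737 documentation ranges, not real hosts.

from copy import deepcopy

# The parent zone (the TLD) holds the delegation: which nameservers are
# authoritative for each registered domain. The registrar is the party
# able to change these records, which is the level the thread discusses.
PARENT_DELEGATION = {
    "example.com": {"ns1.goodhost.example", "ns2.goodhost.example"},
}

# The NS set the domain owner expects to see at the parent (constructed).
EXPECTED_NS = {"ns1.goodhost.example", "ns2.goodhost.example"}

# Each authoritative server answers only from the zone it was given.
_REAL_ZONE = {
    ("example.com", "A"): "192.0.2.10",
    ("mail.example.com", "A"): "192.0.2.20",
    ("example.com", "MX"): "mail.example.com",
}
_OTHER_ZONE = {  # a zone the site owner does not control
    ("example.com", "A"): "203.0.113.5",
    ("mail.example.com", "A"): "203.0.113.5",
    ("example.com", "MX"): "mail.example.com",
}
AUTHORITATIVE_ZONES = {
    "ns1.goodhost.example": _REAL_ZONE,
    "ns2.goodhost.example": _REAL_ZONE,
    "ns1.elsewhere.example": _OTHER_ZONE,
}


def registered_domain(name):
    """Reduce a hostname to the domain that appears in the parent zone."""
    parts = name.rstrip(".").split(".")
    return ".".join(parts[-2:])


def resolve(name, rtype, delegation=PARENT_DELEGATION, zones=AUTHORITATIVE_ZONES):
    """Resolve the way a recursive resolver would: read the delegation at
    the parent, then ask the delegated servers. Returns the record or None."""
    for ns in sorted(delegation.get(registered_domain(name), ())):
        answer = zones.get(ns, {}).get((name, rtype))
        if answer is not None:
            return answer
    return None


def mail_server_address(domain, delegation=PARENT_DELEGATION):
    """Where mail for the domain would be delivered: MX lookup, then A."""
    mx = resolve(domain, "MX", delegation)
    return resolve(mx, "A", delegation) if mx else None


def redelegate(delegation, domain, new_ns):
    """Return a copy of the parent zone with the domain's NS set replaced,
    modelling a change made through the registrar. Nothing else changes:
    the original authoritative servers still hold their zone data."""
    changed = deepcopy(delegation)
    changed[domain] = set(new_ns)
    return changed


def delegation_drift(observed_ns, expected_ns):
    """Monitoring check: compare the NS set published at the parent with
    the set the owner expects. Returns (unexpected, missing); both are
    empty when the delegation is as it should be."""
    observed, expected = set(observed_ns), set(expected_ns)
    return observed - expected, expected - observed


if __name__ == "__main__":
    print("normal:", resolve("example.com", "A"), mail_server_address("example.com"))
    changed = redelegate(PARENT_DELEGATION, "example.com", {"ns1.elsewhere.example"})
    print("after NS change:", resolve("example.com", "A", changed),
          mail_server_address("example.com", changed))
    print("origin zone untouched:", _REAL_ZONE[("example.com", "A")])
    print("drift:", delegation_drift(changed["example.com"], EXPECTED_NS))
```

The point the model makes is the one several posters made: after the delegation changes, every lookup under the domain (web and the MX host alike) lands on servers the owner does not control, while the owner's own zone and web servers are exactly as they were. In practice the `delegation_drift` check is run against the parent zone's own servers (for `.com`, the `gtld-servers.net` hosts) rather than a recursive resolver, so a cached answer cannot mask a change, and it is paired with the registrar-side transfer lock.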