NYT hacktivist attack shows need for registry locking

Syrian hacktivist attack on New York Times website highlights the need for registry locking, says communications and analysis firm Neustar

The Syrian hacktivist attack on the New York Times website highlights the urgent need for registry locking, says communications and analysis firm Neustar.

The site was unavailable after the Syrian Electronic Army (SEA), a group that supports Syrian president Bashar al-Assad, gained access to the domain name system (DNS) settings for the site.

The SEA breached the NYT's domain name registrar, Melbourne IT, and changed the DNS records to point to systems in Syria and Russia.

Melbourne IT blamed the NYT outage on one of its resellers, whose account was compromised.

Setting up a registry lock is a relatively easy and inexpensive way to mitigate the risk of unauthorised DNS changes, said Rodney Joffe, senior technologist at Neustar.

The danger of an attacker gaining access to DNS settings is that visitors can be redirected to malicious sites, he told Computer Weekly.

This can have a huge financial impact, ranging from hundreds of thousands to millions of dollars in lost business, but it can also cause brand damage through association with exposure to malware, said Joffe.

Applying a registry lock provides protection by requiring any change to a domain's registration data, including its nameserver records, to be verified and authenticated directly with the domain owner before the registry will apply it, rather than simply accepted from the registrar's account.

A registry lock therefore protects against DNS tampering even if an attacker is in possession of a valid username and password, or if the domain name registrar itself is compromised, as happened in the NYT attack.
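One check a domain owner can run for themselves, as an added example that is not part of the Computer Weekly article or of Neustar's advice: a registry lock shows up in a domain's WHOIS or RDAP record as the registry-set EPP status codes serverUpdateProhibited, serverDeleteProhibited and serverTransferProhibited (RFC 5731; RFC 8056 spells the same codes as "server update prohibited" in RDAP). The client* codes that most domains carry by default are set by the registrar, and are exactly what a compromised registrar or reseller account can clear. The Python below parses the status lines of a WHOIS response and reports whether the domain is actually registry-locked; the two WHOIS records are constructed for illustration, not real lookups, and in practice the text would come from a `whois` lookup or an RDAP query.

```python
import re
from typing import Dict, Iterable, Set

# EPP domain status codes (RFC 5731; ICANN publishes the same list).
# "server*" codes are set by the registry and are what a registry lock
# consists of; "client*" codes are set by the registrar and can be cleared
# by anyone who controls the registrar (or reseller) account.
REGISTRY_LOCK_CODES: Set[str] = {
    "serverUpdateProhibited",
    "serverDeleteProhibited",
    "serverTransferProhibited",
}
REGISTRAR_LOCK_CODES: Set[str] = {
    "clientUpdateProhibited",
    "clientDeleteProhibited",
    "clientTransferProhibited",
}

# Matches WHOIS lines such as
#   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
# and captures only the status code, ignoring the trailing ICANN URL.
_STATUS_LINE = re.compile(r"^\s*Domain Status:\s*([A-Za-z]+)", re.MULTILINE | re.IGNORECASE)


def extract_status_codes(whois_text: str) -> Set[str]:
    """Pull the EPP status codes out of a WHOIS response."""
    return set(_STATUS_LINE.findall(whois_text))


def rdap_status_to_epp(rdap_status: Iterable[str]) -> Set[str]:
    """Map RDAP status strings (RFC 8056, e.g. "server update prohibited")
    back to their camel-cased EPP codes so both sources can be assessed alike."""
    codes: Set[str] = set()
    for value in rdap_status:
        words = value.strip().lower().split()
        if words:
            codes.add(words[0] + "".join(w.capitalize() for w in words[1:]))
    return codes


def assess_locks(codes: Set[str]) -> Dict[str, object]:
    """Classify a domain's protection from its status codes."""
    registry_codes = codes & REGISTRY_LOCK_CODES
    registrar_codes = codes & REGISTRAR_LOCK_CODES
    return {
        # Full registry lock: all three server* codes are present.
        "registry_lock": registry_codes == REGISTRY_LOCK_CODES,
        # Nameserver (DNS delegation) changes are refused by the registry only
        # while serverUpdateProhibited is set.
        "nameserver_change_blocked_at_registry": "serverUpdateProhibited" in codes,
        # Registrar-level locks on their own fall with the registrar account.
        "registrar_lock_only": bool(registrar_codes) and not registry_codes,
        "missing_registry_codes": sorted(REGISTRY_LOCK_CODES - codes),
    }


# Constructed WHOIS excerpts for illustration; these are not real records.
LOCKED_WHOIS = """\
Domain Name: LOCKED-EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.LOCKED-EXAMPLE.COM
"""

UNLOCKED_WHOIS = """\
Domain Name: UNLOCKED-EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.UNLOCKED-EXAMPLE.COM
"""


if __name__ == "__main__":
    for label, text in (("locked", LOCKED_WHOIS), ("unlocked", UNLOCKED_WHOIS)):
        print(label, assess_locks(extract_status_codes(text)))
```

The second record is what most domains look like: a single clientTransferProhibited set by the registrar, which stops a casual transfer but does nothing against an attacker who already holds the registrar account, since that account can both remove the flag and repoint the nameservers. Only the server* codes indicate that the registry itself will refuse the change.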

Twitter's best practice commended

Twitter was also targeted by the SEA, but the impact was minimal because the attackers were unable to change its DNS settings: the microblogging site has a registry lock in place.


According to Joffe, all website owners should follow Twitter’s example in line with industry best practices published by the internet’s main governance body Icann.

Security firm Rapid7 notes that in the immediate aftermath of the SEA attack on the NYT site, the owners of several unlocked domains registered through Melbourne IT, including Starbucks, rushed to put registry locks in place.

Failure to put registry locks in place puts any company, its customers and its brand at risk, and yet this threat can be blocked for under $100, said Joffe.

“Considering the high risk of attack and the low cost of protection, it is mind boggling that relatively few large companies have registry locks in place,” he said.

According to Rapid7, around 90 company domains registered through Melbourne IT did not have registry locks in place at the time of the SEA attack, including adobe.com, ibm.com, mcafee.com and royalmail.com.

Neustar has seen an increasing number of attempts by attackers to access domain name settings since May, but the targets had not included high-profile domain names until the past two to three weeks.

Changing landscape of threats

It is just another evolution in the threat landscape that companies will have to bear in mind when updating their information security strategies, said Joffe.

Companies will have to adjust their defence strategies, he said, just as they have done over the past three years in moving from a defence-only posture to one that also includes elements of mitigation.

“They have realised that no matter how hard they worked and how much effort they put into their infrastructure, they had to prepare for attacks,” said Joffe.

The threat landscape has demanded a shift from building higher, thicker walls to planning what can be done once an attacker breaches those defences, he said.

Attackers are also beginning to go after the weakest links in the supply chain, which means that information security strategies need to extend beyond an organisation to its business partners.

Kenneth Geers, senior global threat analyst at FireEye, said the method of attack on the NYT may indicate that the SEA has begun going after media organisations’ supply chains.

“Rather than attacking a large firm directly, the SEA is opting to identify weaker links between the firm and other partnering organisations that they use for business operations.

“This is because the victim firm may not have as much control over the operational security employed by the partners, so the partners are an easier target to focus on,” he said.

Geers said it is likely that this type of attack will continue as long as supply chain security remains weak.
