Because registrars are the equivalent of a hacker jackpot, they have to be more vigilant about the security of their customers, experts say.

The recent hacks of The New York Times and Twitter websites demonstrate the need for significant changes in the way companies approach security with their domain registrars, experts say.

On Tuesday, a pro-Syrian government group known as the Syrian Electronic Army (SEA) breached the companies' Australian domain name registrar, Melbourne IT, in a spear phishing attack. In the case of The Times, people heading to the site were sent instead to another site that contained malware.

The redirect lasted only a short time before the name server used by the attackers for the hijacked domains was shut down, said CloudFlare, which played a "small part" in neutralizing the hack. Nevertheless, The Times' website remained offline for several more hours while the damage was repaired.

Twitter suffered far less damage because it had a registry lock in place that prevented Melbourne IT's system from making automatic updates to the micro-blogging site's name servers. As a result, the SEA, which has attacked other media outlets in the past, was only able to change the domain name records for a single image server, and some Twitter users were unable to view images and photos.

Hacking into a website's domain registrar is a major security breach. Whoever controls the registrar account controls the domain's name server delegation, and through it every record under the domain. In a worst-case scenario, hackers can intercept email (by changing MX records) and redirect visitors to an imitation site where anything they input, such as user names, passwords and credit card numbers, can be captured.
"It's a very, very powerful position [for the hackers] to be in," said Wolfgang Kandek, chief technology officer for Qualys.

Other businesses are expected to look closely at the additional security Twitter used to avoid the damage suffered by The Times, experts say.

Registrars generally prefer to avoid applying registry locks, because a lock blocks the automated record changes their systems rely on and makes automatic renewals much more difficult. Nevertheless, they are likely to deploy the feature more often in the future.

"I do think it's going to be something that companies are going to be demanding from their registrars moving forward," said Jaeson Schultz, threat research engineer for Cisco.

While automated features can be a plus, users need to recognize they are trading more risk for convenience. Therefore, some services, such as changes to a domain's registration records, should never be automated, Kandek said. Registrars should also consider monitoring for anomalies that would raise a red flag. A change to the name servers or contact records of a site that has been in operation for a long time is a rare event, and rare events are cheap to flag.

"That should be the type of operation that gets checked immediately afterwards," Kandek said.

The hackers appeared to have compromised a reseller's account as part of the hack into Melbourne IT's administrative control panel. "While we are only speculating at this point, it's possible that there was a security vulnerability in the reseller interface that allowed a privilege escalation to take over control of other Melbourne IT customers," CloudFlare said.

Having a third party play a role in the breach highlights that even if a company does everything right from a security perspective, it often has no control over other companies in its supply chain. Because registrars are the equivalent of a hacker jackpot, they have to be more vigilant about the security of their partners.
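The two defensive controls discussed above, the registry lock that limited the damage at Twitter and the change monitoring Kandek recommends, are both things a domain owner can verify from the outside. A registry lock shows up in WHOIS or RDAP output as the three registry-set EPP status codes serverUpdateProhibited, serverDeleteProhibited and serverTransferProhibited; the client* equivalents are set by the registrar and can be cleared by anyone who controls the registrar account, so they do not protect against the scenario in this article. The script below is an added example, not code from the article or from any of the companies named in it: it classifies the lock level from a status list and diffs a domain's observed NS delegation against a known-good baseline. The domain names, status lists and name servers are constructed sample data; in practice the observed values would come from a live RDAP lookup and a DNS query.

```python
"""Check registry-lock status and NS delegation drift for a domain.

Added example. All input data below is constructed; nothing is fetched.
"""
import json
from typing import Iterable

# EPP status codes only the registry (not the registrar) can set.
# All three together is what "registry lock" means in practice.
REGISTRY_LOCK_STATUSES = {
    "serverupdateprohibited",
    "serverdeleteprohibited",
    "servertransferprohibited",
}
# Registrar-set equivalents: weaker, because a compromised registrar
# or reseller account can simply remove them before making changes.
REGISTRAR_LOCK_STATUSES = {
    "clientupdateprohibited",
    "clientdeleteprohibited",
    "clienttransferprohibited",
}


def normalize_status(raw: str) -> str:
    """Collapse WHOIS ('serverUpdateProhibited https://icann.org/epp#...')
    and RDAP ('server update prohibited') spellings to one token."""
    tokens = [t for t in raw.split() if not t.lower().startswith("http")]
    return "".join(tokens).lower()


def lock_level(statuses: Iterable[str]) -> str:
    """Return 'registry', 'registrar' or 'none' for a domain's status list."""
    norm = {normalize_status(s) for s in statuses}
    if REGISTRY_LOCK_STATUSES <= norm:
        return "registry"
    if REGISTRAR_LOCK_STATUSES & norm:
        return "registrar"
    return "none"


def ns_drift(baseline: Iterable[str], observed: Iterable[str]) -> dict:
    """Compare observed NS records to a stored baseline.

    Names are compared case-insensitively and without the trailing dot so
    that presentation differences between resolvers do not cause alerts.
    For an established domain any delegation change is worth an alert.
    """
    base = {n.lower().rstrip(".") for n in baseline}
    obs = {n.lower().rstrip(".") for n in observed}
    return {
        "added": sorted(obs - base),
        "removed": sorted(base - obs),
        "alert": base != obs,
    }


def audit(domain: str, rdap: dict, baseline_ns: dict, observed_ns: dict) -> dict:
    """Combine both checks into one report for a domain."""
    return {
        "domain": domain,
        "lock": lock_level(rdap[domain]["status"]),
        "ns_drift": ns_drift(baseline_ns.get(domain, []), observed_ns.get(domain, [])),
    }


# Constructed sample data standing in for RDAP responses and DNS answers.
SAMPLE_RDAP = {
    "locked.example": {
        "status": [
            "server update prohibited",
            "server delete prohibited",
            "server transfer prohibited",
            "client transfer prohibited",
        ]
    },
    "unlocked.example": {"status": ["client transfer prohibited"]},
}
BASELINE_NS = {
    "locked.example": ["ns1.example-dns.net", "ns2.example-dns.net"],
    "unlocked.example": ["ns1.example-dns.net", "ns2.example-dns.net"],
}
OBSERVED_NS = {
    "locked.example": ["NS1.example-dns.net.", "ns2.example-dns.net"],
    # A registrar-side hijack would typically look like this: one or both
    # delegations repointed at infrastructure the owner does not control.
    "unlocked.example": ["ns1.example-dns.net", "ns1.attacker-dns.example"],
}

if __name__ == "__main__":
    for name in SAMPLE_RDAP:
        print(json.dumps(audit(name, SAMPLE_RDAP, BASELINE_NS, OBSERVED_NS), indent=2))
```

Run periodically against every domain the organization owns, a report of `"lock": "registrar"` or `"none"` is a standing finding to raise with the registrar, and `"alert": true` on the NS diff is the "check immediately afterwards" signal Kandek describes, independent of whatever change logging the registrar itself keeps.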
"They make really attractive targets and their security ought to be better than any one organization that they're hosting a domain for," Schultz said of registrars.

Melbourne IT is not the only registrar to suffer a breach. In April, Network Solutions reported a large-scale infection of sites it hosted. The attackers were able to inject malicious code into the sites.

Melbourne IT, which provides domain name registration in most of the major national and global top-level domains, is considered above average in security. Nevertheless, the recent hack demonstrates that no registrar is safe.

Jamie Blasco, lab director for AlienVault, said: "This will be an example that will show [customers] how they can perform better risk assessments."