The attack that took down Twitter Dec. 17 used legitimate credentials to log in and redirect Twitter.com to a site purporting to be under the control of the Iranian Cyber Army. The incident underscores the importance for businesses of keeping an eye on DNS security.
New details about the
attack
that disrupted Twitter Dec. 17 have begun to emerge.
According to Twitter, the DNS (Domain Name System) settings for Twitter.com
were hijacked, resulting in roughly 80 percent of the traffic from the site
being redirected elsewhere from 9:46 p.m.
to 11 p.m. PST.
Apparently, the attackers got their hands on a valid set of Twitter
credentials and used them to compromise the DNS records. A spokesperson for
Dyn,
the DNS company that services Twitter, said
an authenticated user logged into the Dynect platform and redirected the site.
None of Dyn's other customers were affected, the spokesperson said.
"During the attack, we were in direct contact with our DNS provider,
Dynect (Dyn)," blogged
Twitter
co-founder Biz Stone. "We worked closely to reset our DNS as quickly
as possible. The motive for this attack appears to have been focused on
defacing our site, not aimed at users
-we
don't believe any accounts were compromised."
Twitter users were redirected to a page that read: "Iranian
Cyber Army ... This Website Has Been Hacked by
Iranian
Cyber Army."
The attack put a spotlight on
DNS
security. According to Rick Howard, director of security intelligence at
VeriSign iDefense, DNS is often overlooked from a security perspective in favor
of application and operating system vulnerabilities, though in his opinion
enterprises are less likely to allow recursive DNS queries than a few years ago
due to increased awareness of the
problems
that can arise.
"Few [enterprises] have in-house DNS experts or dedicated staff, yet
nearly all their Internet communication heavily relies on the DNS system,"
Howard said.
"Basic DNS monitoring is sorely lacking," he continued. "While
enterprises may monitor DNS availability, and are increasingly aware of DDoS [distributed
denial of service] attacks targeting domain name servers, simple monitoring for
DNS integrity is often overlooked. Enterprises should also pay attention to the
rollout of DNSSEC, which mitigates some attacks, but is not yet widely
available."
Enterprise DNS services will come under more pressure as targeted attacks
against businesses and governments increase, said Ray Dickenson, CTO
of Authentium.
"Motivations for criminals and other malicious operators to attack
companies include stealing intellectual property and cyber-extortion that
involves threats to reveal sensitive information or otherwise embarrass a
company or brand unless money is paid," Dickenson said.
When it comes to popular
Web
2.0 sites like Twitter, it can be expected that attackers will increasingly
paint a bull's-eye on them as a means of spreading political messages, noted
Dave Marcus, director of Security Research and Communications at McAfee.
"The larger trend behind this attack is hacktivism-activist groups want
millions of people across the world to see their message, and this time they
did it by architecting a redirect on Twitter, causing the Website to suffer
downtime," Marcus said.
Email
Print
