Modernizing Authentication — What It Takes to Transform Secure Access
Late yesterday afternoon, my twitterstream lit up like fireworks that The New York Times Website was down. Once again rampant early speculation was that an attack had occurred—and this time (as opposed to the last time) it had.
In a brazen attack against domain registrar Melbourne IT, host for NYtimes.com, Twitter, Huffington Post and other big names, the Syrian Electronic Army (SEA) was able to gain access to the DNS records for those sites. The SEA was then able to redirect traffic away from the legitimate sites to its own.
I reached out to Melbourne IT (yup, all the way in Australia) and got the official word back from Bruce Tonkin, chief technology officer, about what happened.
He sent me the following statement:
"We have now identified that a targeted phishing attack was used to gain access to the credentials of users of a Melbourne IT reseller account. We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords. We have also temporarily suspended access to affected user accounts until passwords have been changed."
So, to recap here my friends: The NYtimes.com and other big-name Websites were downed not by any direct error of their own, nor by any direct error from their domain registrar, but by a third-party reseller that clicked on a phishing email.
That's nuts. How can the security of one of the premier media destinations on the planet be left at the mercy of a reseller account, thousands of miles away in Australia? Something is clearly wrong with this picture.
Going a step further, I also got another statement sent to me by Tony Smith, general manager of Corporate Communications at Melbourne IT. In that statement, the company noted that once Melbourne IT was aware of the issue, they "locked the affected records from any further changes at the .com domain name registry."
A "domain lock" is a common security feature that does not allow for changes or movement on a given domain without additional authorization.
To add further insult to injury, as to why NYtimes.com was affected and other domains hosted by Melbourne IT were not, it appears as though the Times did not take advantage of the critical domain lock security feature that all domain registrars provide.
"For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com—some of the domain names targeted had these lock features active and were thus not affected," Melbourne IT noted in a statement sent to me.
So, The New York Times, apparently did NOT lock the metaphorical front door. That doesn't sound like something that any native New Yorker I know would ever admit too.
Pouring even more salt on this open wound, the SEA attacked Melbourne IT's own blog this morning, publicly defacing it with the message, "Hacked by SEA, Your server security is weak."
This whole incident serves to illustrate a very important lesson. There is always a weak link in security, and sometimes it's outside of your own direct control. Vigilance is the only answer, always monitoring what's going on and making sure you have a plan for remediation when and if something bad happens.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.