How NY Times Could Have Shielded Itself from Hack Attack
On Tuesday afternoon (Aug. 27), the New York Times' website became inaccessible, and was spotty much of Wednesday (Aug. 28). How could one of the biggest media companies in the world go down for a day or more?
Turns out the New York Times' website was hit with a domain name system (DNS) attack, in which hackers target the system that matches a domain name (like nytimes.com) to the servers where that website's content is stored. None of the New York Times' content was affected; people just couldn't find it.
The Kicker: Simple security etiquette might have prevented the attack.
The New York Times' DNS records are managed by an Australian-based company called Melbourne IT, a domain registrar similar to the American company GoDaddy.
It appears that the hackers who hit the New York Times were able to penetrate Melbourne IT's security by acquiring an administrator's username and password.
Marc Frons, the New York Times' chief information officer, said in the Times' own article on the hack that the culprit appears to be “the Syrian Electronic Army, or someone trying very hard to be them.”
That doesn't tell us much. The Syrian Electronic Army, or SEA, is a group of hackers that appears to be loosely affiliated with or sympathetic to the regime of Syrian President Bashar al-Assad. The SEA has also been very active lately: in the last few months it's claimed responsibility for attacks on The Onion, NPR and the blog of British reporter Jon Snow (no relation to "Game of Thrones").
What is a DNS attack?
DNS is an essential part of the Internet's information architecture.
"DNS has been in place essentially since the Web started… [and] from its very origins it was not built to support the Web as it exists today," said Kevin O'Brien, an enterprise solutions architect from Cloudlock, a cloud-based data security company.
According to O'Brien, DNS has a number of structural flaws, which the New York Times hackers exploited to bring the website down.
Here's how DNS works: When you want to go to a website, you type in that website's domain name. In the New York Times' case, that's nytimes.com, the rights to which it purchased from a domain name registrar, in this case, Melbourne IT.
When Melbourne IT registered that domain name, it created an entry in the DNS registry that connected "nytimes.com" to the internet protocol (IP) address of the New York Times' servers, 220.127.116.11.
This registry is necessary because domain names were designed to be easily understood by humans, not by computers. Domain names do not point to Web content in a way that a computer can understand. Similarly, IP addresses are not user-friendly for humans.
So when you type "nytimes.com," your Web browser queries one of the many DNS servers that hold copies of the registry, and that server matches the text to the corresponding registered IP address 18.104.22.168.
The hackers zeroed in on the source. They acquired a Melbourne IT username and password, entered the registrar's system, and altered the DNS records that then went out to DNS servers across the Internet.
O'Brien likened DNS servers to a phonebook: people can search the book by a person's name and find the entry that connects the person to a telephone number. What the hackers did is like changing the number next to the New York Times' name in the phonebook.
That alteration probably took about 15 minutes to make, O'Brien said. Once the hackers made the change, it took a while for that change to propagate to the Internet's DNS servers.
For a brief window, typing nytimes.com into your browser led you, not to the Times' servers, but to a SEA-themed website containing the message "Hacked by Syrian Electronic Army."
Most of the time, though, browsers were simply unable to locate an IP address associated with the domain name www.nytimes.com, resulting in a browser error message.
Technically, websites don't need domain names, and the Times site never really went down. But to access it, you would have had to know the IP address 22.214.171.124 and enter it into your browser.
How to Prevent a DNS Attack
Could the New York Times have prevented this attack? As is always the case with online security, there's no such thing as foolproof. That said, there are a few things that the Times, and Melbourne IT, could have done to make this attack more difficult and perhaps even impossible to pull off.
For example, they could have put a registry lock in place. DNS registrars often offer customers this option; once enabled, it makes it very difficult for anyone to alter the DNS records that govern the link between a domain name and an IP address. The disadvantage of a registry lock is that it lengthens the amount of time needed to make any structural change to the registry.
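A registry lock makes the change harder to make; it does not tell you when a change has happened. The following is an added example, not code from this article or from Melbourne IT: a small Python check that compares a domain's observed DNS records against a known-good baseline and raises alerts when the nameserver delegation changes, when an address outside the expected set is served, or when the name stops resolving at all, which is how the outage described above looked to most browsers. All domains, nameserver names and addresses below are constructed (RFC 5737 documentation ranges); in practice the observed snapshots would come from periodic queries against several public resolvers, and the per-resolver comparison is there because, as the article notes, a tampered record propagates unevenly.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    """Records observed for one domain at one moment (constructed for this example)."""
    domain: str
    ns: frozenset  # authoritative nameserver hostnames from the NS answer
    a: frozenset   # IPv4 addresses from the A answer


@dataclass
class Alert:
    severity: str  # "critical" or "warning"
    message: str


def check_snapshot(baseline: DnsSnapshot, observed: DnsSnapshot) -> list:
    """Compare one observed snapshot against the known-good baseline."""
    if observed.domain != baseline.domain:
        raise ValueError("snapshots describe different domains")
    alerts = []
    # No NS and no A answer at all: the name has vanished from this resolver's view.
    if not observed.ns and not observed.a:
        alerts.append(Alert("critical", f"{observed.domain} does not resolve at all"))
        return alerts
    # Delegation change is the signature of a registrar-level record edit.
    added_ns = observed.ns - baseline.ns
    removed_ns = baseline.ns - observed.ns
    if added_ns or removed_ns:
        alerts.append(Alert("critical",
                            f"nameserver delegation changed: +{sorted(added_ns)} -{sorted(removed_ns)}"))
    # Any address we never published is a redirect of visitors to someone else's server.
    unexpected_a = observed.a - baseline.a
    if unexpected_a:
        alerts.append(Alert("critical", f"unexpected address(es) served: {sorted(unexpected_a)}"))
    # A missing known address by itself (e.g. one host taken out of rotation) is only a warning.
    missing_a = baseline.a - observed.a
    if missing_a and not unexpected_a:
        alerts.append(Alert("warning", f"known address(es) no longer returned: {sorted(missing_a)}"))
    return alerts


def check_resolvers(baseline: DnsSnapshot, per_resolver: dict) -> dict:
    """Run the check for each resolver's view; propagation means views differ."""
    return {name: check_snapshot(baseline, snap) for name, snap in per_resolver.items()}


# Constructed baseline: what the domain owner knows it published.
BASELINE = DnsSnapshot(
    domain="news.example",
    ns=frozenset({"ns1.registrar.example", "ns2.registrar.example"}),
    a=frozenset({"192.0.2.10", "192.0.2.11"}),
)

# Constructed observations from three resolvers during an incident:
# one still serving cached good data, one serving the altered delegation, one empty.
OBSERVED = {
    "resolver-a": BASELINE,
    "resolver-b": DnsSnapshot("news.example",
                              frozenset({"ns1.attacker.example"}),
                              frozenset({"203.0.113.5"})),
    "resolver-c": DnsSnapshot("news.example", frozenset(), frozenset()),
}

if __name__ == "__main__":
    for resolver, alerts in check_resolvers(BASELINE, OBSERVED).items():
        for alert in alerts or [Alert("ok", "records match baseline")]:
            print(f"{resolver}: [{alert.severity}] {alert.message}")
```

The point of the multi-resolver view is that a single lookup from the operator's own network can sit on a cached good answer for the full TTL while the rest of the Internet already sees the altered record; alerting on any resolver's deviation, not just a local one, is what shortens the window described above.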
However, O'Brien pointed out that the hackers didn't do any fundamental damage to either the New York Times' or Melbourne IT's website architecture. Rather, they acquired login credentials, either by theft or by tricking an employee into revealing them. It's the difference between bashing down a door and stealing a key.
"The reason I would characterize this hack as relatively immature is [because] someone got a username and password and got into the [Melbourne IT] system. They didn't do anything super-technical or complicated. It wasn't that Melbourne IT fundamentally failed, it's that precautions weren't put into place."
Precautions that could have been implemented include two-factor authentication, which requires people wishing to log into a system to know a password and then enter a second piece of information — usually a string of numbers texted to a cellphone. Without the correct cellphone — which is harder to steal than a password — hackers would be unable to penetrate the system.
But what about the DNS architecture itself? If the backbone of the Internet is fundamentally flawed or outdated, is it time to replace DNS with a better system?
"This crops up from time to time, and there are ideas for other kinds of record management," O'Brien said. For example, some experts have suggested some type of browser extension that would help "share the load" of connecting domain names with IP addresses.
However, implementing that kind of sweeping change would mean a massive overhaul to the way the Internet works. "You'd need someone with authority on a governmental level, and probably an intergovernmental level, to create an Internet that didn't rely on DNS," O'Brien said.
Internet architecture hasn't changed in years, which means it’s not likely to change any time soon.
"You can go back to the mid-'90s and see that at the time some pretty significant vulnerabilities [in DNS] were being exposed by prominent hackers," said O'Brien. "And here we are in 2013 and we're still vulnerable."