New York Times site hack shifts attention to registry locks
Mechanism provides relatively easy way to mitigate risk of unauthorized DNS changes, security researchers say
Computerworld - One way that owners of major websites can mitigate the risk of their domains being hijacked like The New York Times' site was on Tuesday is to apply what is known as a registry lock on the domain, security researchers say.
A registry lock is a mechanism under which any request to change a domain's name servers has to be manually verified and authenticated by the top-level domain owner, such as Verisign or NeuStar, which operate the .com and .biz domains respectively.
A registry lock provides an additional layer of protection against DNS tampering and is particularly useful in situations where a domain name registrar might be compromised, the security researchers said.
On Tuesday, The Times blamed a prolonged website outage on a hacking attack at the company's Australia-based domain name registrar, Melbourne IT.
The Times said hackers belonging to the Syrian Electronic Army (SEA) gained access to the company's DNS records by compromising its domain name registrar. The attackers then used that access to change the paper's DNS record so it was pointing to systems in Syria and Moscow.
Melbourne IT, in turn, blamed the outage on one of its resellers, whose account was apparently compromised and used to change several domain names, including that of The Times, Twitter and others.
H.D. Moore, chief research officer at security vendor Rapid7, said registry locks make it much more difficult to make such DNS changes.
Typically, changes to name servers are handled directly by domain registrars such as Melbourne IT and not by the top-level domain owners. A registry lock prevents the registrar from making any changes on its own and instead allows changes to be made only with the approval of the top-level owner.
"Instead of updating a record through your registrar's website, you have to contact the [Top Level Domain] owner instead and go through a secondary form of authentication," Moore said. "It makes sense for big brands, but does impose a maintenance penalty on organizations who change DNS providers frequently."
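A registry lock is visible from the outside as the registry-set EPP status codes on the domain, so a site owner can verify that the lock is actually in place. The following Python check is an added example, not code from the article or from any registrar or registry; the status code names come from RFC 5731 (EPP) and RFC 8056 (their RDAP spelling), and the RDAP and WHOIS responses it parses are constructed samples.

```python
import json
import re

# EPP status codes (RFC 5731) only the registry can set or clear; all three
# present is what a registry lock looks like from outside. The registrar-set
# client* codes are weaker: a compromised registrar or reseller account can
# clear them itself, which is the scenario the article describes.
REGISTRY_LOCK = {"serverupdateprohibited", "serverdeleteprohibited",
                 "servertransferprohibited"}
REGISTRAR_LOCK = {"clientupdateprohibited", "clientdeleteprohibited",
                  "clienttransferprohibited"}

def normalize_status(value):
    # WHOIS/EPP prints 'serverUpdateProhibited https://icann.org/epp#...';
    # RDAP (RFC 8056) prints 'server update prohibited'. Reduce both to one key.
    token = value.split("http", 1)[0]
    return re.sub(r"[^a-z]", "", token.lower())

def classify_locks(statuses):
    found = {normalize_status(s) for s in statuses}
    return {
        "registry_locked": REGISTRY_LOCK <= found,
        "registrar_locked": REGISTRAR_LOCK <= found,
        "missing_registry_statuses": sorted(REGISTRY_LOCK - found),
    }

def assess_rdap(rdap_json):
    # Domain RDAP responses carry the codes in a top-level "status" array.
    return classify_locks(json.loads(rdap_json).get("status", []))

def assess_whois(whois_text):
    # WHOIS replies carry one "Domain Status:" line per code.
    return classify_locks(re.findall(r"^\s*Domain Status:\s*(.+)$", whois_text, re.M))

# Constructed sample responses, not real lookups.
RDAP_LOCKED = json.dumps({"ldhName": "example.com", "status": [
    "client update prohibited", "client transfer prohibited",
    "server update prohibited", "server delete prohibited",
    "server transfer prohibited"]})
RDAP_REGISTRAR_ONLY = json.dumps({"ldhName": "example.net", "status": [
    "client update prohibited", "client delete prohibited",
    "client transfer prohibited"]})
WHOIS_LOCKED = """Domain Name: EXAMPLE.ORG
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
"""
```

A domain that shows only the client* codes has a registrar lock, which the registrar's own systems can remove; only the server* codes indicate the registry-level control discussed above.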
At the time of the attack, many of the major websites hosted by Melbourne IT did not have a registry lock in place, Moore said. Among the companies using Melbourne IT are Yahoo, Google, Microsoft, Ikea, AOL and dozens of other major site owners.
While there is no evidence that the attackers made changes to any of these domains, they were potentially vulnerable, Moore said. "In other words, things could have been much worse."
Since the attacks on The Times, several of the websites using Melbourne IT as a registrar have applied registry locks, Moore said. Among the websites that appear to have put a lock in place are the Huffington Post, Mapquest, Starbucks and Twitter's TweetDeck. However, many other major websites using Melbourne IT have not done so yet, and remain vulnerable.
Matthew Prince, co-founder of CloudFlare, said domain registrars generally do not make it easy for website owners to request registry locks, however. "[Locks] make processes like automatic renewals more difficult," Prince said in a blog post. "However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.