New York Times site hack shifts attention to registry locks
Mechanism provides relatively easy way to mitigate risk of unauthorized DNS changes, security researchers say
Computerworld - One way that owners of major websites can mitigate the risk of their domains being hijacked like The New York Times' site was on Tuesday is to apply what is known as a registry lock on the domain, security researchers say.
A registry lock is basically a mechanism under which any requests for changes to a domain name server have to be manually verified and authenticated by a top-level domain owner like Verisign and NeuStar, which operate the dotcom and dotbiz domains respectively.
A registry lock provides an additional layer of protection against DNS tampering and is particularly useful in situations where a domain name registrar might be compromised, the security researchers said.
On Tuesday, The Times blamed a prolonged website outage on a hacking attack at the company's Australia-based domain name registrar, Melbourne IT.
The Times said hackers belonging to the Syrian Electronic Army (SEA) gained access to the company's DNS records by compromising its domain name registrar. The attackers then used that access to change the paper's DNS record so it was pointing to systems in Syria and Moscow.
Melbourne IT, in turn, blamed the outage on one of its resellers, whose account was apparently compromised and used to change several domain names, including those of The Times, Twitter and others.
H.D. Moore, chief research officer at security vendor Rapid7, said registry locks make it much more difficult to make such DNS changes.
Typically, changes to name servers are handled directly by domain registrars such as Melbourne IT and not by the top-level domain owners. A registry lock prevents the registrar from making any changes on its own and instead allows changes to be made only with the approval of the top-level owner.
"Instead of updating a record through your registrar's website, you have to contact the [Top Level Domain] owner instead and go through a secondary form of authentication," Moore said. "It makes sense for big brands, but does impose a maintenance penalty on organizations who change DNS providers frequently."
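Whether a domain actually carries a registry lock is visible in its published registration data: a registry lock shows up as the three registry-side EPP status codes serverDeleteProhibited, serverTransferProhibited and serverUpdateProhibited, which only the TLD operator can clear, whereas the client* statuses a registrar sets on its own can be removed by anyone who controls the registrar or reseller account, as happened in the Melbourne IT incident. The following is an added example written for this page, not code from the article or from any registrar; the status names are the standard ICANN EPP codes and their RDAP spellings (RFC 8056), while the WHOIS text, the RDAP document and the `audit_domain` helper are constructed for illustration.

```python
"""Check WHOIS/RDAP status codes to tell a registry lock from a registrar-only lock."""
import json

# Registry-side statuses set by a registry lock (e.g. Verisign Registry Lock).
# Only the TLD registry can remove these, so a compromised registrar account
# cannot change name servers, transfer, or delete the domain.
REGISTRY_LOCK_STATUSES = frozenset({
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
})

# Registrar-side statuses. The registrar sets and clears these itself, so they
# offer no protection once the registrar or reseller account is compromised.
REGISTRAR_LOCK_STATUSES = frozenset({
    "clientDeleteProhibited",
    "clientTransferProhibited",
    "clientUpdateProhibited",
})


def normalize_status(value):
    """Map RDAP wording ('server update prohibited') to the EPP code
    ('serverUpdateProhibited'); EPP codes pass through unchanged."""
    words = value.strip().split()
    if not words:
        return ""
    if len(words) == 1:
        return words[0]
    return words[0].lower() + "".join(w.capitalize() for w in words[1:])


def parse_whois_statuses(whois_text):
    """Collect the codes from 'Domain Status:' lines of Verisign-style WHOIS output.
    Each value is the code followed by an ICANN reference URL; keep the code only."""
    statuses = []
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "domain status":
            statuses.append(normalize_status(value.strip().split()[0]))
    return statuses


def parse_rdap_statuses(rdap_doc):
    """Collect statuses from an RDAP domain object (dict or JSON string)."""
    if isinstance(rdap_doc, str):
        rdap_doc = json.loads(rdap_doc)
    return [normalize_status(s) for s in rdap_doc.get("status", [])]


def classify_lock(statuses):
    """'registry' if the full registry lock is present, 'registrar' if only
    registrar-side locks are set, otherwise 'none'."""
    present = set(statuses)
    if REGISTRY_LOCK_STATUSES <= present:
        return "registry"
    if present & REGISTRAR_LOCK_STATUSES:
        return "registrar"
    return "none"


def audit_domain(name, statuses):
    """Hypothetical helper: summarize what a registrar-account compromise could do."""
    lock = classify_lock(statuses)
    missing = sorted(REGISTRY_LOCK_STATUSES - set(statuses))
    return {"domain": name, "lock": lock, "missing_registry_statuses": missing}


# Constructed sample WHOIS output for a domain with a full registry lock.
SAMPLE_WHOIS_LOCKED = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.EXAMPLE.COM
"""

# Constructed sample: registrar-side locks only, which is the exposed case.
SAMPLE_WHOIS_REGISTRAR_ONLY = """\
Domain Name: EXAMPLE.NET
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

# Constructed sample RDAP document using RFC 8056 status wording.
SAMPLE_RDAP_LOCKED = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.org",
    "status": ["client transfer prohibited", "server delete prohibited",
               "server transfer prohibited", "server update prohibited"],
})

if __name__ == "__main__":
    for name, text in (("example.com", SAMPLE_WHOIS_LOCKED),
                       ("example.net", SAMPLE_WHOIS_REGISTRAR_ONLY)):
        print(audit_domain(name, parse_whois_statuses(text)))
    print(audit_domain("example.org", parse_rdap_statuses(SAMPLE_RDAP_LOCKED)))
```

Running the audit periodically over an organization's own domains, and alerting when the registry statuses disappear, turns Moore's observation into a routine check; a domain that reports only client* locks, or none, is in the same position the unlocked Melbourne IT customers were in.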
At the time of the attack, many of the major websites hosted by Melbourne IT did not have a registry lock in place, Moore said. Among the companies using Melbourne IT are Yahoo, Google, Microsoft, Ikea, AOL and dozens of other major site owners.
While there is no evidence that the attackers made changes to any of these domains, they were potentially vulnerable, Moore said. "In other words, things could have been much worse."
Since the attacks on The Times, several of the websites using Melbourne IT as a registrar have applied registry locks, Moore said. Among the websites that appear to have put a lock in place are the Huffington Post, Mapquest, Starbucks and Twitter's TweetDeck. However, many other major websites using Melbourne IT have not done so yet, and remain vulnerable.
Matthew Prince, co-founder of CloudFlare, said domain registrars generally do not make it easy for website owners to request registry locks, however. "[Locks] make processes like automatic renewals more difficult," Prince said in a blog post. "However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.