Tag Archives: Hacking

Twitter and the NYT: what is DNS?

On Tuesday of this week, Twitter, the New York Times, Huffington Post and a raft of other websites suddenly found their traffic getting rerouted to servers in Russia and Syria. The rerouting was due to a successful hack by a group calling themselves the Syrian Electronic Army, a name that brings to mind proto-Goth synth bands of the 80’s. Service was restored to most sites quickly enough, but you may be wondering: what the hell even happened?

I’ve covered the ins-and-outs of DNS in the past in the context of a particularly-vicious malware attack a little over a year ago. But now seems like as good a time as any to recap, since after all, most of the media is too busy primping and preening over the importance or lack thereof in the New York Times to inform you.

DNS stands for Domain Name Service, and in short, it’s sort of an address book for the Internet. The pretty alphanumeric domain names we all know and love, like chocolateandtomatosauce.com, horney0ldbabes.org or rochesterhomepage.net, are not the addresses computers recognize. Computers navigate the web by using large numbers assigned to each other computer, often notated by four numbers separated by dots, like 127.0.0.1.

Someone, somewhere needs to map all those domain names to their numbers, and that’s where DNS comes in.

What happened in the case of Twitter, NYtimes.com and so forth is that the SEA hacked into the Australian company that carries the official registration of those domain names. By changing the number associated with the domain name, they ensured that anyone looking up those addresses would get the wrong information.

Most people probably never saw any disruption at all. That’s because most ISPs carry their own copies of DNS records, refreshing that data only periodically. In the short term, this was always a pretty low-level threat. But the point was probably more to cause disruption and panic than to do any real damage.
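To make the last two paragraphs concrete, here is a small added example (my own code, not from the original post or any resolver software) that models an ISP resolver keeping its own copy of a record and only refreshing it after the TTL runs out, then alters the authoritative entry the way the registrar hack did. The domain and addresses are constructed, and the resolver and the `unexpected_changes` check are simplifications I wrote for illustration.

```python
import time

# Constructed sample data: an authoritative record table as a registrar or
# authoritative server might publish it. Names and addresses are made up
# (documentation ranges), not the real records of any site in the post.
AUTHORITATIVE = {"example-news.test": ("203.0.113.10", 3600)}  # name -> (ip, ttl seconds)

class CachingResolver:
    """Models an ISP resolver that keeps its own copy of each answer and
    only goes back to the authoritative source once the TTL has elapsed."""

    def __init__(self, authoritative, clock=time.time):
        self.authoritative = authoritative
        self.clock = clock
        self.cache = {}  # name -> (ip, expires_at)

    def resolve(self, name):
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]  # fresh local copy: an upstream change is not seen yet
        ip, ttl = self.authoritative[name]
        self.cache[name] = (ip, now + ttl)
        return ip

def simulate_registrar_change():
    """Replay the shape of the incident: the resolver caches the correct
    address, the authoritative entry is then altered, and the resolver keeps
    serving the old address until its cached copy expires. Returns the
    answer before the change, within the TTL, and after the TTL."""
    now = [0]  # fake clock in seconds, advanced by hand
    records = dict(AUTHORITATIVE)
    resolver = CachingResolver(records, clock=lambda: now[0])
    before = resolver.resolve("example-news.test")
    records["example-news.test"] = ("198.51.100.99", 3600)  # altered at the source
    now[0] += 600
    within_ttl = resolver.resolve("example-news.test")
    now[0] += 3600
    after_ttl = resolver.resolve("example-news.test")
    return before, within_ttl, after_ttl

def unexpected_changes(records, known_good):
    """Defender's check: compare what is currently published for your own
    domains against the addresses you expect, returning any mismatches."""
    return {name: records[name][0] for name, ip in known_good.items()
            if name in records and records[name][0] != ip}
```

A longer TTL means a longer window in which cached copies keep serving the old answer, which is exactly why most users never noticed; the same delay also means an altered record lingers in caches after it is corrected.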

Twitter is asking you to reset your password. Do it.

Every once in a while, we go through this. For one reason or another, Twitter asks you to reset your password. Typically, they only send out emails asking you to do this when the situation’s gotten pretty widespread, and per TechCrunch, that is exactly the case with Twitter’s latest set of emails.

Here is a copy of what the email looks like:

Hi, [name]

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

You’ll need to create a new password for your Twitter account. You can select a new password at this link:
https://twitter.com/pw_rst/…

As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password

Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

In general, be sure to:

  • Always check that your browser’s address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
  • Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
  • Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don’t recognize, click the Revoke Access button.

For more information, visit our help page for hacked or compromised accounts.

The Twitter Team

The first thing that jumps out at me is: why the hell is Twitter sending out emails with links to reset your password? That’s like the phishing-est phish that ever phished a phish.

But what caused this problem in the first place? Twitter’s own servers might have been hacked, or something along those lines, but those are probably the least-likely scenarios.

The simplest answer is that some very popular web service that uses Twitter login was compromised. If you use Twitter to log into, say, Huffington Post and they subsequently get hacked, the permission you gave them to your account may be sufficient to allow them to tweet or DM on your behalf.

Another possibility is that a widespread dupe site, such as those that fool users with “vanity phishing” DMs, may have gotten particularly active.

Regardless of whether this is an internal or external problem for Twitter, it is probably in your best interest to reset your password. Even if you haven’t gotten the email.

AND EVEN IF THIS EMAIL IS LEGITIMATE, NEVER, NEVER, NEVER CLICK LINKS IN EMAIL! Go to Twitter directly and reset your own password. Email links are just way, way too dangerous.
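The email’s first bullet (check that the address bar is on https://twitter.com) is easy to get wrong by eye, so here is an added example of what that check has to mean when done properly: only the parsed host counts, the scheme must be HTTPS, and look-alike hosts fail. This is my own code, not Twitter’s; the allow-list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the one host the email tells users to look for.
TRUSTED_HOSTS = {"twitter.com"}

def is_trusted_login_url(url):
    """Return True only if the link uses HTTPS and its parsed host is an
    allow-listed domain or a subdomain of one. Because only the host is
    inspected, a URL that merely contains 'twitter.com' in its path, in its
    userinfo, or as a prefix of a longer domain does not pass."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # drops userinfo and port; already lowercased
    if not host:
        return False
    host = host.rstrip(".")
    # Internationalised (punycode) labels can mimic Latin letters, so treat
    # them as untrusted here rather than trying to compare them visually.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def audit_links(urls):
    """Classify a batch of links, e.g. everything extracted from an email."""
    return {u: is_trusted_login_url(u) for u in urls}
```

The point of the function is the same as the post’s advice: the safe move is still to type the address yourself, because a checker like this only confirms where a link goes, not whether the page behind it is genuine.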

The Largest Global Cyber-Espionage Case in History

A single quote says just about everything about the sheer scale of this recently-discovered global hack:

“In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”

Global cyber-espionage operation uncovered | InSecurity Complex – CNET News.

The cyberattack, dubbed Operation Shady RAT (Remote Access Tool), affected no fewer than 70 organizations, public and private, across 14 countries. Victims included the United Nations, defense contractors, the US Department of Energy, businesses and “every company in every conceivable industry with significant size and valuable intellectual property and trade secrets.”

The list of countries affected includes the United States and several Southeast Asian nations. But the targets notably do not include China, suggesting to many that the perpetrator of this massive hack was the Chinese government. In addition to the scale of the attack and list of targeted countries, The Register also notes that one target in particular points the way:

“The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks,” writes Dmitri Alperovitch, McAfee’s VP of threat research.

Researchers at McAfee have managed to gain control of one of the Command and Control servers, but say more are out there. Therefore, it is probably too soon to say for sure what the complete list of affected companies and organizations is.

This malware-fueled global breach may go down as the largest transfer of intellectual property in the history of the Internet. It differs from the relatively automated attacks carried out by #Anonymous and #LulzSec because once computers were compromised with malware, they would then be controlled by a human operator who continued to widen the permissions of the affected machine to access even more sensitive data.

The attack is not over, either. And experts already measure the loss of data in petabytes.


D’Ya Feel Safe, Yet?

The Department of Homeland “Security” gets its out-of-date PBX mail exchange telephone systems hacked, and the hacker proceeds to make $12,000 worth of calls to the Middle East and Asia, presumably just to be a dick.

Now, two things about this worth remembering: first, this is a very, very old and very well-documented form of hacking that barely happens anymore in large companies because the PBX system is irrelevant with VoIP, which is the current state-of-the-art voice system. So, not only are you as a taxpayer paying for an outdated technology, but if DHS is going to use old crap, this is a vulnerability they should have known about and prevented.

Second, PBX is a very simple system, and there aren’t really any “rights administration” features or firewalls built in. Once a hacker has gained access to a PBX system, they’re free to listen in on calls, listen to legitimate users’ voicemails and delete them if they please, and even re-route calls away from their intended destinations. That the hacker chose to make calls to the Middle East and Asia on DHS’s dime is nothing short of amusing in the way of that classic hacker wit, but that it was even possible is actually quite a bit bigger a deal than the media will let on.