A big security news event last night and today is that the Twitter.com Web site was hacked and content on the site replaced. TechCrunch reported it and it has been picked up globally.
But - was the Twitter.com website really hacked? We now know it was not so.
There are four ways that users typing in Twitter.com would have seen the Iranian Cyber Army page.
Hack The Web Site
First, the hackers could have compromised the machines that run the Twitter.com Web pages, and replaced that content with their own content. A few years ago, this was one of the most popular ways of hacking sites, but high traffic Web site owners these days deploy very good security measures and are quite careful about who gets access to their production servers, what software is run on them, and how quickly security holes are patched.
Frankly, there are easier ways to "hack" a Web site without actually touching the Web site itself — just steal access to their e-mail accounts and get their password to their DNS administration account so you can redirect all traffic aimed at the Web site and have it go somewhere else. That is what seems to have happened , according to recent media reports.
Hack The Registrar Account
The Twitter.com domain is registered at Network Solutions, one of the oldest domain name registrars. Network Solutions hosts some of the world's top brands and has been in business since the start of the commercial domain name business. They have also been a frequent (and sometimes successful) target of hacking attempts (the most recent one I recall is the June 2009 compromise of 573,000 debit & credit cards).
If the bad guys did manage to hack into the registrar account for Twitter.com, then they would have been able to touch and control anything related to the domain name. This includes the ability to change the ownership of the domain name, technical instructions for where e-mail for Twitter.com is sent, and finally instructions for where users typing in Twitter.com should be redirected to.
This is serious stuff, of course. The ICANN Security & Stability Advisory Committee (SSAC) has been publishing advisories on this threat for years, most recently as SAC040 (available in 8 languages on the SSAC Web site), asking registrars and Web site owners to exercise care in their security practices.
Hack The Managed DNS Provider
If the registrar account was not compromised, then the hackers could have used their third and equally devastating line of attack — overwhelm security on the DNS servers for Twitter.com and gain access to the Control Panel at the DNS provider.
DNS servers are a kind of automated Internet directory service which instructs your web browser or your Tweetdeck (or other API) software where to find the site twitter.com. Web sites with a lot of traffic such as Twitter often contract with specialized companies who build large scale infrastructure to ensure that users looking for the website can get the Internet directory assistance quickly and reliably — using a service called Managed DNS.
A few companies (including Afilias, my employer) provide Managed DNS service. Managed DNS is an increasingly important tool that companies deploy to ensure that their web site is always accessible and highly available online. (In Twitter's case, this is provided by DynDNS).
If access to the DynDNS Control Panel did get hacked (and recent reports indicate that this might be the root cause), then it would be equally easy to redirect all traffic, with potentially little notice to Twitter. This is why I like features like user group permissions, IP address restrictions and the automatic security alert SMS feature in the Afilias Managed DNS product — you need a rapid alert mechanism if your site's traffic is being hijacked.
Hack The DNS Resolver
Of course, even if the Web site was locked down tight, the registrar had world class security and the Managed DNS provider was near impregnable, it is possible to just insert spurious directory (DNS) information so that Web browsers will always be given the wrong address of the Web site.
This may sound far-fetched, but it is actually really easy to do. The core infrastructure of the Internet was built in the days when security was an afterthought, and hackers can exploit that vulnerability easily. Called a "man-in-the-middle" attack, it is most devastating when insecure wireless (WiFi) networks are taken over (imagine the free Internet at Starbucks being taken over by a rogue machine, which then controls all access to any Web site you want to go to).
In the case of twitter.com, it is unlikely that this happened — the hacker would have to insert the spurious directory (DNS) information into resolvers all over the world. But such an attack is very effective within an ISP or a company that runs its own resolvers which get compromised.
Could DNSSEC Have Helped?
Some folks have already asked me if DNSSEC could have prevented Twitter.com traffic from being hijacked.
In this case, the answer is, "No". DNSSEC protects you when the correct information is in the DNS and your browser (or local resolver) validates the signed information.
But if the DNS Resolver had been hacked, only DNSSEC would have helped — no other solution is 100% effective, and your browser would never go to the wrong site.
You need to practice good security. This is sometimes more an art than a science.
• Read the SSAC SAC040 report - there are some immediately implementable ideas there.
• Use a reliable Managed DNS service provider
• Pick a domain name registrar who practices good security
• Ask for instant security alerts, such as with SMS updates
By Ram Mohan, Executive Vice President & CTO, Afilias
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines