The attack that took down Twitter on 17 Dec. used legitimate credentials to log in and redirect Twitter.com to a site purporting to be under the control of the Iranian Cyber Army
The incident underscores the importance for businesses of keeping an eye on DNS security.
New details about the attack that disrupted Twitter on 17 Dec. have begun to emerge.
According to Twitter, the DNS (Domain Name System) settings for Twitter.com were hijacked, resulting in roughly 80 percent of the traffic from the site being redirected elsewhere from 9:46 p.m. to 11 p.m. PST.
Apparently, the attackers got their hands on a valid set of Twitter credentials and used them to compromise the DNS records. A spokesperson for Dyn, the DNS company that services Twitter, said an authenticated user logged into the Dynect platform and redirected the site. None of Dyn’s other customers were affected, the spokesperson said.
“During the attack, we were in direct contact with our DNS provider, Dynect (Dyn),” blogged Twitter co-founder Biz Stone. “We worked closely to reset our DNS as quickly as possible. The motive for this attack appears to have been focused on defacing our site, not aimed at users—we don’t believe any accounts were compromised.”
Twitter users were redirected to a page that read: “Iranian Cyber Army … This Website Has Been Hacked by Iranian Cyber Army.”
The attack put a spotlight on DNS security. According to Rick Howard, director of security intelligence at VeriSign iDefense, DNS is often overlooked from a security perspective in favor of application and operating system vulnerabilities, though in his opinion enterprises are less likely to allow recursive DNS queries than a few years ago due to increased awareness of the problems that can arise.
“Few [enterprises] have in-house DNS experts or dedicated staff, yet nearly all their Internet communication heavily relies on the DNS system,” Howard said.
“Basic DNS monitoring is sorely lacking,” he continued. “While enterprises may monitor DNS availability, and are increasingly aware of DDoS [distributed denial of service] attacks targeting domain name servers, simple monitoring for DNS integrity is often overlooked. Enterprises should also pay attention to the rollout of DNSSEC, which mitigates some attacks, but is not yet widely available.”
Enterprise DNS services will come under more pressure as targeted attacks against businesses and governments increase, said Ray Dickenson, CTO of Authentium.
“Motivations for criminals and other malicious operators to attack companies include stealing intellectual property and cyber-extortion that involves threats to reveal sensitive information or otherwise embarrass a company or brand unless money is paid,” Dickenson said.
When it comes to popular Web 2.0 sites like Twitter, it can be expected that attackers will increasingly paint a bull’s-eye on them as a means of spreading political messages, noted Dave Marcus, director of Security Research and Communications at McAfee.
“The larger trend behind this attack is hacktivism—activist groups want millions of people across the world to see their message, and this time they did it by architecting a redirect on Twitter, causing the Website to suffer downtime,” Marcus said.