TECH

Q&A: HD Moore drills down on aftermath of NY Times hack

Byron Acohido
USA TODAY
HD Moore is chief research officer at Rapid7

SEATTLE -- HD Moore, chief research officer at vulnerability management firm Rapid7, has been keeping a close eye on the aftermath of the Syrian Electronic Army's disruption of websites of the New York Times, Huffington Post and Twitter. Here's a drill down of what Moore has pieced together with regard to the unfolding scramble to lock down domain names.

CT: So how were you able to figure out which Melbourne IT clients were exposed and which ones have applied registry locks?

Moore: I walked through the top 250 Alexa sites and ran a whois query. The response from this query indicated whether MelbourneIT was the registrar and whether the registry lock had been applied.

CT: So who is instigating the lock downs? Is this action being taken individually by each company for each domain?

Moore: Yes, it appears that all registry locks have been driven by the brand owner.

CT: What is the general practice with regards to who is responsible for applying such locks?

Moore: The general practice is to not apply registry locks at all, as they introduce a hurdle for future changes and transfers. It seems that for some brand owners of high value domains, such as Twitter and Microsoft, these locks were in place as a practical safeguard against attacks on the registrar. The lock must be enabled by the domain owner, and in order to unlock the domain, the owner must contact the manager of the top-level domain (TLD); this would be Verisign for all .com domains. And the registrar itself has no control until the domain has been unlocked. The TLD manager requires extensive verification to unlock a domain.
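The survey Moore describes earlier (query whois, read off the registrar and whether a registry lock is present) and the registry-lock versus registrar-lock distinction he explains here can be expressed as a small parser over whois records. This is an added example, not part of the interview or of Rapid7's tooling; it assumes the standard EPP status codes, where the server-prefixed codes are set by the TLD manager rather than the registrar, and the sample records are constructed.

```python
# Constructed sample whois records (not real output), with EPP "Domain Status" codes.
SAMPLE_REGISTRY_LOCKED = """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Domain Status: clientTransferProhibited
Domain Status: serverDeleteProhibited
Domain Status: serverTransferProhibited
Domain Status: serverUpdateProhibited
"""
SAMPLE_REGISTRAR_LOCK_ONLY = """\
Domain Name: EXAMPLE-EXPOSED.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Domain Status: clientTransferProhibited
"""
SAMPLE_OTHER_REGISTRAR = """\
Domain Name: EXAMPLE-OTHER.COM
Registrar: SOME OTHER REGISTRAR, INC.
Domain Status: ok
"""
# "server*" statuses are set by the TLD manager (Verisign for .com) and cannot
# be cleared by the registrar; a registry lock sets all three.
REGISTRY_LOCK_STATUSES = {"serverdeleteprohibited", "servertransferprohibited",
                          "serverupdateprohibited"}

def parse_whois(text):
    """Return (registrar, set of lowercase status codes) from a whois record."""
    registrar, statuses = None, set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            registrar = value
        elif key == "domain status" and value:
            statuses.add(value.split()[0].lower())  # drop any trailing ICANN URL
    return registrar, statuses

def classify(text, registrar_substring="melbourne it"):
    """Is the domain at the registrar of interest, and is a registry lock set?"""
    registrar, statuses = parse_whois(text)
    registry_locked = REGISTRY_LOCK_STATUSES <= statuses
    return {
        "registrar": registrar,
        "at_registrar": bool(registrar) and registrar_substring in registrar.lower(),
        "registry_locked": registry_locked,
        # clientTransferProhibited alone is a registrar lock, which the registrar
        # (or whoever controls a reseller account there) can lift itself.
        "registrar_lock_only": "clienttransferprohibited" in statuses and not registry_locked,
    }
```

As Moore notes below for .co.uk, not every registry publishes these status codes, so the check only answers the question where the whois record carries them.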

CT: Twitter got hacked, though? Can you explain what happened to Twitter versus what happened to the New York Times?

Moore: Twitter.com's registry was locked at the time of the attack. This prevented the attackers from changing the DNS records for the primary Twitter domain. However, locks were NOT in place for twitter.co.uk, twimg.com, tweetdeck.com, or t.co. These domains process quite a bit of Twitter's service traffic. The twitter.co.uk and twimg.com domains were hijacked for a period of time by the SEA.

CT: Are there other Melbourne IT customers still exposed?

Moore: The majority of "big brand" Melbourne IT customers do not have the registry lock in place. This may leave them vulnerable if a similar attack occurs in the future. My guess is that Melbourne IT will be applying extraordinary effort to avoid a repeat of this issue and may introduce additional safeguards.

The use of a registry lock is essentially the customer saying they do not trust the registrar. MelbourneIT should recommend that a registry lock is put in place until they can demonstrate significant improvements to the security of their reseller accounts. This adds work for the customer, the registrar, and the TLD manager for each domain, but is the only practical short-term solution. Not all domain owners may care enough about the risk to make this change. I would argue that a registry lock should be considered mandatory for any domain that has the potential to affect millions of users if compromised.

CT: Can you provide an updated number of the domains that have been locked as of today?

Moore: The list I am working from only includes 98 domains managed by Melbourne IT. They manage hundreds of thousands of domains, but these 98 are either in the Alexa Top 250 or related to this week's attacks. Domains ending in .co.uk do not share whether a registry lock is in place. Of this list of 98 domains, the following have had registry locks put in place organized by date:

Locks in place as of 6:00pm CT August 27th, 2013

· fidelity.com
· google.com
· microsoft.com
· nytimes.com
· twitter.com
· yahoo.com

Locks in place as of 10:00am CT August 28th, 2013

· engadget.com
· fidelity.com
· google.com
· huffingtonpost.com
· mapquest.com
· microsoft.com
· nytimes.com
· patch.com
· starbucks.com
· t.co
· techcrunch.com
· tweetdeck.com
· twimg.com
· twitter.com
· vine.co
· yahoo.com

Locks in place as of 10:00am CT August 29th, 2013

· cisco.com
· engadget.com
· fidelity.com
· google.com
· huffingtonpost.com
· mapquest.com
· microsoft.com
· nytimes.com
· patch.com
· t.co
· techcrunch.com
· tweetdeck.com
· twimg.com
· twitter.com
· vine.co
· yahoo.com

The domains I am monitoring that still do not have locks in place include:

