TECH

ID security CEO: 'NYT' hackers did their homework

Byron Acohido
USA TODAY
Bill Conner is CEO of Entrust

The extended online outage of the New York Times highlights a profound, long-standing security weakness in digital commerce: the pervasive use of a simple user name and password to access online accounts.

We use single-factor authentication — a user name and password — to gain access to everything from e-mail to financial accounts to network controls. Here's how the Syrian Electronic Army (SEA) took advantage:

The SEA did its homework. They established that the New York Times purchased its domain name, www.nytimes.com, from VeriSign, and that VeriSign subsequently delegated control of Internet traffic going to the Times' website to a registrar, Melbourne IT. Melbourne IT then delegated that same control to numerous Internet service providers, including an ISP in India. This chain of trust, on which the Domain Name System, or DNS, stands, is completely routine.

The SEA focused on the weakest link, executing a spear-phishing attack that successfully obtained the user name and password of at least one administrator at the Indian ISP, says Bill Conner, CEO of identity management firm Entrust.

With that foothold in the ISP, the hackers moved up the DNS trust chain. They were next able to manipulate www.nytimes.com, redirecting traffic at Melbourne IT, so that anyone trying to reach the legitimate website got directed to a bogus site.
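One defensive check that follows from the delegation chain described above, added here as an example that is not from the article or from any of the firms quoted in it: periodically snapshot a domain's NS and A records and diff them against a known-good baseline, so a redirect made at the registrar or reseller level is flagged before users are sent to a bogus site. The zone, name server and address values are constructed for the example.

```python
from typing import Dict, List, Tuple

# Constructed baseline snapshot of a hypothetical zone's delegation records.
BASELINE = """
example.test.      NS  ns1.legit-dns.test.
example.test.      NS  ns2.legit-dns.test.
www.example.test.  A   203.0.113.10
"""

# Constructed later snapshot: one delegation now points at a name server the
# zone owner does not control, and www resolves to a different address.
OBSERVED = """
example.test.      NS  ns1.rogue-host.test.
example.test.      NS  ns2.legit-dns.test.
www.example.test.  A   198.51.100.7
"""

def parse_records(text: str) -> Dict[Tuple[str, str], set]:
    """Parse 'name TYPE value' lines into {(name, type): {values}}."""
    records: Dict[Tuple[str, str], set] = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        name, rtype, value = parts
        records.setdefault((name.lower(), rtype.upper()), set()).add(value.lower())
    return records

def delegation_drift(baseline: str, observed: str) -> List[dict]:
    """Report every record set that differs from the baseline. An NS change is
    rated critical because it redirects the whole zone; other changes are high."""
    base, now = parse_records(baseline), parse_records(observed)
    findings = []
    for key in sorted(set(base) | set(now)):
        before, after = base.get(key, set()), now.get(key, set())
        if before == after:
            continue
        findings.append({
            "name": key[0], "type": key[1],
            "severity": "critical" if key[1] == "NS" else "high",
            "added": sorted(after - before), "removed": sorted(before - after),
        })
    return findings

if __name__ == "__main__":
    for f in delegation_drift(BASELINE, OBSERVED):
        print(f"[{f['severity']}] {f['name']} {f['type']} "
              f"added={f['added']} removed={f['removed']}")
```

In practice the OBSERVED text would come from a scheduled query of the zone's authoritative servers, and any critical finding should page the domain owner rather than only being logged.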

"Imagine an attack where I walk in to the office where the telephone records are kept, and I fraudulently rewrite all the numbers associated with the New York Times," says Mike Lloyd, chief technical officer at security firm RedSeal Networks. "In the physical world, this attack wouldn't be practical. In the online world, this same attack is much more practical, and quite hard to prevent."

Entrust CEO Conner says it's clear to the cybersecurity community that a spear-phishing attack was used to obtain the user name and password to the account of an administrator at the Indian ISP. What's not clear is whether that same user name and password allowed the SEA hackers deep access into Melbourne IT.

"It's very possible that user name and password goes all the way up through the registrar, and that's what people are sorting through right now," says Conner.

Wade Williamson, senior security analyst at firewall company Palo Alto Networks, says the SEA is going further down the trust chain.

"Instead of hitting NYT directly, they are hitting them at the DNS level. These types of attacks have been seen in the past, where instead of defacing a website, the attackers route the victim's traffic to the attacker's site," says Williamson.

What the SEA is doing is not high-level hacking. The attackers took as much advantage as they could from the fact that obtaining a user name and password can be done by simple trickery. Figuring out how far that can take you is merely a matter of diligence.

"In this scenario, it was apparently a partner for Melbourne IT that was compromised," says Williamson. "Low-tech in concept, but obviously effective."
