Twitter was not hacked - its DNS was hijacked (Update 2)
by Steve Ragan - Dec 18 2009, 11:45
Update 2:
We have confirmation that our guess was 100% accurate, backed by our source and by comments from Tom Daly, CTO of Dyn Inc., in The Washington Post. Twitter still has not issued a statement or admitted that email was compromised.
Update 1:
Dyn Inc., which was founded in 1998, launched its enterprise global DNS offering, the Dynect Platform, in 2007. They provide DNS services to over 12 million home and small business users through DynDNS.com, while running the DNS for some rather large and highly trafficked websites. One of its top customers is Twitter.
Earlier this morning, Jeremy Hitchcock, Dyn Inc. CEO, and Kyle York, VP of Sales and Marketing for Dyn Inc., confirmed that no one has logged into Twitter's Dynect account without authenticated credentials. They are not providing a full statement on the issue until both Twitter and Dyn Inc. are able to further investigate how this went down.
After talking with Dyn Inc., The Tech Herald has put the pieces together about what happened with the Twitter DNS hijacking incident.
If we're right, then the chain of events that led to the Twitter DNS hijacking offers two lessons. The first is that it pays to be vigilant, even when others are not. The second lesson is that if you are made aware of failings in password policy once, you should learn from that lesson and make every effort to avoid the same mistakes.
This observation stems from the following statement: "[Dyn Inc.'s] system was not improperly accessed and no one has logged into Twitter's Dynect account without authenticated credentials."
Here is what happened in our opinion. We're hoping Twitter or Dyn Inc. will correct us later and either confirm or deny this.
An unknown group, or perhaps a single person, compromised a Twitter staffer's email account. The compromised email account was then used to issue a password change request on Twitter's Dynect account. The password reset process was completed, and at this point the person(s) posing as a Twitter staffer received the reset password via email.
From there they make DNS modifications and point www.twitter.com to a new site hosting the "This Site Was Hacked" image.
So why was the overall time for the DNS hijacking so short?
Simple: Dyn Inc. probably knew something was up. They would tend to watch their larger accounts like a hawk, and notice little changes in communications or sudden password resets. This would make them feel uneasy, so perhaps they called someone working overnight at Twitter or maybe even woke some of the staff in the middle of the night. Maybe they called the person who supposedly requested the password change.
If this was the case, then Dyn Inc. would have known that the DNS changes were malicious, and promptly reversed them. This would explain the short window of compromise.
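As an added illustration, not code from the article, Twitter or Dyn Inc., this is the kind of check a DNS provider could run over its own account audit trail to catch the chain of events described above: a password reset followed shortly by a zone change that points a name somewhere outside its baseline. The event format, account names and addresses are all constructed for the example.

```python
"""Flag the takeover pattern described above: a password reset on a DNS-provider
account followed shortly by a record change to an unexpected address.
Event format, account names and addresses are constructed for this example."""
from datetime import datetime, timedelta

# Constructed baseline: addresses each monitored name is allowed to resolve to.
ALLOWED = {"www.example.test": {"192.0.2.10", "192.0.2.11"}}

# Constructed provider audit trail: (timestamp, account, event, detail).
EVENTS = [
    ("2009-12-18T05:40:00", "example-dns", "login", "ok"),
    ("2009-12-18T05:52:00", "example-dns", "password_reset", "via email"),
    ("2009-12-18T05:58:00", "example-dns", "record_change", "www.example.test A 198.51.100.7"),
    ("2009-12-18T06:05:00", "other-acct", "record_change", "api.other.test A 192.0.2.40"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_suspicious_changes(events, window=timedelta(hours=1)):
    """Return (timestamp, account, reason) for each record change that either
    leaves the name's allowlist or lands within `window` of a password reset
    on the same account. Names with no baseline entry are not checked."""
    last_reset = {}   # account -> time of its most recent password reset
    findings = []
    for ts_s, account, event, detail in sorted(events):  # ISO timestamps sort as text
        ts = parse_ts(ts_s)
        if event == "password_reset":
            last_reset[account] = ts
        elif event == "record_change":
            name, rtype, value = detail.split()
            reasons = []
            if rtype == "A" and name in ALLOWED and value not in ALLOWED[name]:
                reasons.append(f"{name} now points to {value}, not in baseline")
            reset_at = last_reset.get(account)
            if reset_at is not None and ts - reset_at <= window:
                minutes = int((ts - reset_at).total_seconds() // 60)
                reasons.append(f"change made {minutes} min after password reset")
            for reason in reasons:
                findings.append((ts_s, account, reason))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_changes(EVENTS):
        print(*finding)
```

Either signal alone is worth a phone call to the customer; both together on one account is the picture the article paints.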
However, the problem here, if our guess is correct, is that Twitter is once again caught with their pants down. If this is what happened, then this is just one more case of the company having their email compromised.
We'll keep watching the story and update as needed. Comment below and tell us what you think of our guess.
Original Article:
Overnight, Twitter, along with what looks like 50 other sites, fell victim to DNS hijacking by a group calling itself the Iranian Cyber Army. For Twitter at least, the redirection started at about 10 p.m. PST and lasted at best about an hour.
It is worth noting that there was no compromise of any server used by Twitter, despite what the headlines in today's news say. Also, only Twitter's domain was impacted; the API service continued to function as normal.
“As we tweeted a bit ago, Twitter's DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we've investigated more fully,” reads a notice on the Twitter blog.
The message left by the "ICA", as it were, when loosely translated, talks about the U.S. controlling the Internet by managing access. But the U.S. doesn't, according to the message: "We Control and Manage [the] Internet By Our Power…"
Really, aside from printing the fact Twitter was not hacked, there is little need to give this so-called Army the press for their message. So what happened and how?
“This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company; the attackers then make unauthorised changes to the DNS records… This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case,” noted Rik Ferguson from Trend Micro.
We have asked Network Solutions for information, as well as Dyn Inc. If we hear back we’ll update this story.
Google listed several domains impacted by the group, at one time, but it would appear that they are cleaning up the mess as very few sites are online with the defaced index page. At the time this article was being written, pastebin.com and mowjcamp.org were the only ones serving up the page.