DNS attack hijacks Twitter
A DNS hijacking attack left Twitter temporarily affected for about an hour early on Friday.
The initial attack has left many users scratching their heads while spreading the belief that Twitter's servers themselves were commandeered by hackers in the name of the "Iranian Cyber Army".
It now seems that Twitter's DNS records were altered. That means surfers trying to reach the website directly via name resolution services were thrown over towards a fake domain, while the site itself and micro-blogging applications that plugged into Twitter's API - such as TweetDeck or mobile phone apps - were unaffected by the attack.
A status message on Twitter's blog explains:
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.
Rik Ferguson, a security consultant at Trend Micro, explained that this type of DNS hijacking usually involves compromising the systems at the registrar responsible for the DNS records of the victim company before altering the relevant DNS records, in a blog posting here.
"These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the 'Iranian Cyber Army'," Ferguson writes. "This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.
"These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook," he added.
Twitter was far from the only web site affected by the compromise. Other less high-profile sites also displayed the content posted by the previously unknown Iranian Cyber Army.
The attack against Twitter and other web sites follows a spate of attacks against registrars over the last month or so, according to defacement archive Zone-h.
Surfers getting hijacked more commonly arises as the result of malware on client PCs, but the latest run of attacks shows that compromised DNS records can also be a problem. "Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place," Ferguson advised. ®
Re: Why Worry About MSN
>> Change your Twitter account password, and move on with your life.
better still, don't have a twitter account. get a life instead.
Why Worry About MSN?
In the article, Trend Micro's Rik Ferguson is quoted as saying "...imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook..."
How could Mr. Ferguson miss the most important point - that thousands (or more) of Twitter accounts were opened to compromise by this DNS-based attack?
What's the point of "imagining" whether MSN (or other) sites were affected? We already have proof that one of the most popular social applications' websites *was* open to compromise. Let's focus on that.
Now, let's get to what the article *should* have said - Everyone with a Twitter account, change your account's password. Even if you have a supposedly-"hard-to-guess", or "complex" password -- it doesn't matter. If you logged in to Twitter (or if your web browser held your session open) while the DNS attack was underway, its password was potentially compromised, or its session tokens were potentially stolen.
Change your Twitter account password, and move on with your life.
@Martin Edwards and DNSsec savior AC...
...would this not work? Client side, for "important" sites only (i.e. not Twatter or Facespace), you could check that the IP address that resolves from DNS, is registered with the correct company? (I'm thinking, grep for the "main" part of the domain name, in the response from querying something like ARIN (which is what WHOIS, does, right?))
Presumably, you'd need a Firefox extension to carry out the task (or, build it into a browser directly, if you are a browser vendor (or building an open source browser))?
Just a thought I had back when the orginal "Dan-attack" stuff happened last year...