About Those NY Times and Twitter Attacks: What Really Happened

General news media mostly do a terrible job covering tech issues. And in the case of the attacks, allegedly by the Syrian Electronic Army, that effective took nytimes.com off-line for a good part of Tuesday, the tech media haven’t done too well either. One of the big problems is the use of the word “hack” to describe any attack, as in “the Times web site was hacked.” In fact, neither the Times site, nor twitter.com, which was attacked less successfully, was ever touched.

To understand what happened, you have to know a bit about the Domain Name Service, which is both a great strength and a great weakness of the internet. Its strength is that its distributed design has let the net scale seemingly without limits to handle orders of magnitude more sites that were even envisioned by its designers. Its weakness is that it is, at least in its standard form, insecure.

If I want to load www.nytimes.com, the Times home page, my browser generates a DNS query that will poll a hierarchy of DNS servers until it finds one that can  report that the address corresponds to In the case of nytimes.com, access to the DNS database is controlled through an Australian company, Melbourne IT, through which the  Times has registered its domain name.

The successful attack was not against the Times  itself but Melbourne IT, a domain registrar and hosting company. According to Timothy B. Lee of The Washington Post‘s The Switch blog, the Syrian Electronic Army got access to Melbourne IT through credentials of a legitimate customer. Once inside, the attackers were able to change any records that hadn’t been locked down tightly, and that included nytimes.com. All they had to do was change the DNS record to point to a site of their choice–an attack known as DNS hijacking–and nytimes.com effectively disappeared.

This is probably the least effective way to attack a web site. Because of the distributed nature of DNS, changes take hours to percolate through the system. I never lost access to nytimes.com, probably because I go to the site a lot in its correct address was cached locally. It was also quick and easy for the Times to set up an alias that let people route around the damage to find the site.

The attackers did less well with Twitter, whose DNS account, also at Melbourne IT, was locked down. All they were able to do was change Twitter’s record in the whois database to indicate that twitter.com was owned by the Syrian Electronic Army. But since the whois database (accessible through www.whois.com) is not actually used in the DNS lookup process,  the Twitter change had no practical effect.

The lesson, of course, is that if you own a domain, make sure it is locked down so that only you can make changes.