Yesterday was quite a wild ride for me… I started the day out by joining a client's Christmas party and later rolled over to the Arvada DNote to see one of my favorite local bands, Wendy Woo, so I missed all the action with the latest and greatest from Twitter. Here are a few snippets of what happened… According to status.twitter.com they were calling the attack/downtime due to a DNS compromise.
We’ve received multiple tips right around 10 pm that Twitter was hacked and defaced with the message below. The site is currently offline. We’re looking into this and waiting on a response from Twitter.
The message reads:
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Update: – We have just found out that the same defacement is appearing at at least one other site, mawjcamp.org. We are not able to see what was at this domain before, but it is now displaying the same defacement that Twitter was only a few minutes ago.
Twitter does not have the best record with security issues.
Update 2: Twitter.com is down, status.twitter.com is down (not useful, perhaps they should host it at blogger).
Update 3: It is suggested that if you use the same password on your Twitter account with other accounts, now would be a good time to change your password on those other accounts.
Update 4: There is a history between Iran and Twitter.
Update 5: There is speculation at the moment that this may be a DNS redirect, which means that the Twitter.com domain has been redirected to the defacement page.
The latest – Twitter wasn’t hacked by the Iranian Cyber Army
Twitter (not) hacked by Iranian Cyber Army
The initial attack has left many users confused and created a widespread belief that the Twitter servers themselves were compromised. This does not appear to have been the case. The latest update on the Twitter blog says:
“As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.”
This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company; the attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the “Iranian Cyber Army”. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case.
These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN or Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and then redirect the user into the real site. This attack is called Pharming and currently mostly happens as a result of local malware modifying individual PCs, not through the compromise of global DNS records, but the potential is demonstrably there. Companies should be monitoring their DNS resolution on several servers to become aware as early as possible when this kind of attack takes place.
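The monitoring advice in that last paragraph, as an added example (this is not code from the original post, from Sophos or from Twitter): a standard-library-only Python script that sends the same A query to several resolvers, parses the replies itself, and raises an alert when any resolver returns an address outside the set of known-good records. The domain example.test, the resolver names and the 192.0.2.x / 198.51.100.x addresses are constructed (RFC 5737 documentation ranges); query_a performs a live UDP lookup if you pass it real resolver addresses, while demo() runs entirely on replies built in-process so it can be exercised offline.

```python
import secrets
import socket
import struct


def _encode_name(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid):
    """Build a standard recursion-desired query for the A record of `name`."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)       # flags: RD=1; one question
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:    # compression pointer: two bytes, terminates the name
            return off + 2
        off += length + 1


def parse_a_records(msg, expected_qid):
    """Extract the set of IPv4 addresses from the answer section of a DNS reply."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if qid != expected_qid:
        raise ValueError("transaction id mismatch: reply does not belong to our query")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                 # skip the echoed question section
        off = _skip_name(msg, off) + 4
    ips = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen                         # other record types (e.g. CNAME) are skipped
    return ips


def query_a(name, resolver_ip, timeout=2.0):
    """Ask one specific resolver over UDP/53; returns the IP set, or None on timeout/error."""
    qid = secrets.randbelow(65536)
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, qid), (resolver_ip, 53))
            data, _ = sock.recvfrom(4096)
        return parse_a_records(data, qid)
    except (OSError, ValueError):
        return None


def compare_answers(expected_ips, answers):
    """Flag every resolver whose answer contains an address outside the known-good set."""
    alerts = []
    for resolver, ips in answers.items():
        if ips is None:
            alerts.append("%s: no usable answer" % resolver)
        elif ips - expected_ips:
            alerts.append("%s: unexpected %s" % (resolver, sorted(ips - expected_ips)))
    return alerts


def build_response(qid, name, ips, ttl=300):
    """Construct a minimal DNS reply (test fixture only; not captured from a real server)."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(name) + struct.pack(">HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                   for ip in ips)             # 0xC00C points back at the question name
    return header + question + rrs


def demo():
    """Run the comparison on constructed replies: resolver-b already serves a hijacked record."""
    qid = 0x1234
    expected = {"192.0.2.10", "192.0.2.11"}   # the records you know you published
    replies = {
        "resolver-a": build_response(qid, "example.test", ["192.0.2.10", "192.0.2.11"]),
        "resolver-b": build_response(qid, "example.test", ["198.51.100.66"]),
    }
    answers = {r: parse_a_records(m, qid) for r, m in replies.items()}
    return compare_answers(expected, answers)


if __name__ == "__main__":
    for line in demo():
        print("ALERT", line)
```

In practice you would point query_a at resolvers in different networks (your own authoritative servers, an ISP resolver, a public resolver) and compare them all against the records you know you published at the registrar. Because a registrar-level change propagates as cached TTLs expire, the first symptom is usually disagreement between resolvers rather than a uniform wrong answer, which is exactly what the per-resolver comparison surfaces.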