A DNS hijacking attack left Twitter temporarily affected for about an hour early on Friday. The initial attack has left many users scratching their heads while spreading the belief that Twitter's servers themselves were commandeered by hackers in the name of the "Iranian Cyber Army". Not so. It now seems that Twitter's DNS …
Ferguson writes. "This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case."
Well, I guess that might technically be the case, but instead anyone using Twitter during that time had their account credentials compromised. There are millions of Twitter desktop clients using basic authentication and thousands of API users doing automated things during the night that were most likely compromised.
This was a huge breach, and whether or not Twitter itself was compromised, the net effect is actually the same to a user using a logged-in account.
El Reg can't publish information like that for legal reasons. 1) they could get sued by the registrar or domain host, and 2) it could compromise any court case Twitter starts against the registrar or domain host. But I'm sure that if you signed an agreement to meet all their legal costs in the event of such an occurrence El Reg might be happy to publish your comments!
"There are millions of Twitter desktop clients using basic authentication and thousands of API users doing automated things during the night that were most likely compromised."
Didn't read the bit about the API not being affected, then?
In the article, Trend Micro's Rik Ferguson is quoted as saying "...imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook..."
How could Mr. Ferguson miss the most important point - that thousands (or more) of Twitter accounts were opened to compromise by this DNS-based attack?
What's the point of "imagining" whether MSN (or other) sites were affected? We already have proof that one of the most popular social applications' websites *was* open to compromise. Let's focus on that.
Now, let's get to what the article *should* have said - Everyone with a Twitter account, change your account's password. Even if you have a supposedly "hard-to-guess" or "complex" password -- it doesn't matter. If you logged in to Twitter (or if your web browser held your session open) while the DNS attack was underway, its password was potentially compromised, or its session tokens were potentially stolen.
Change your Twitter account password, and move on with your life.
>> Change your Twitter account password, and move on with your life.
better still, don't have a twitter account. get a life instead.
I'm pretty sure he means imagine the potential if a fake login page was used (pharming). That didn't happen did it? There wasn't anywhere for users to enter their details? The potential for stealing cookies... yeah, I guess you can't rule that out.
It highlights what a weak link DNS can be. In future, pharming might become more of a reality -- and no amount of client-side security or user education will help.
In which case they supply some of the core internet infrastructure.
This would seem to be more about them than Twitter since a pollution of their data will presumably circulate round the net in fairly short order.
But I would admit if my account had been busted I would have changed passwords by now.
:snark : *tweet tweet* AYBABTU *tweet* WTH? and how did the DNS servers allow this compromise, one might wonder....
@M: Good point about the session tokens. I know it's minor, but a boffin like myself just might overlook it, on a bad day - and on a good day, I wouldn't be at work.
What do I think then? I think, we need to bring back the Max Headroom show. for reals.
Of course not, it won't protect against the kind of attack reported here. What would kaminsky do?
Would flattening Natanz be a disproportionate response to this incident? We need a "tinfoil hat" icon, I believe.
...would this not work? Client side, for "important" sites only (i.e. not Twatter or Facespace), you could check that the IP address that resolves from DNS is registered with the correct company? (I'm thinking, grep for the "main" part of the domain name in the response from querying something like ARIN (which is what WHOIS does, right?))
Presumably, you'd need a Firefox extension to carry out the task (or, build it into a browser directly, if you are a browser vendor (or building an open source browser))?
Just a thought I had back when the original "Dan-attack" stuff happened last year...
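A sketch of the check proposed above, as an added example (not code from the original comment or from any real browser extension): it takes a DNS answer for a hostname and compares it against a pinned netblock list and a WHOIS record, flagging answers whose registered organisation does not contain the domain's "main" label. The hostnames, netblocks and WHOIS text are all constructed for the example; a real implementation would query the registry live and would also have to cope with CDNs and hosted services whose WHOIS owner legitimately differs from the site.

```python
import ipaddress
import re

# Constructed WHOIS answers keyed by IP (not real registry data): one block
# belongs to the site's own organisation, the other to an unrelated host that
# a redirected DNS record might point at.
CONSTRUCTED_WHOIS = {
    "203.0.113.10": "NetRange:  203.0.113.0 - 203.0.113.255\nOrgName:   Example Social Inc\n",
    "198.51.100.77": "NetRange:  198.51.100.0 - 198.51.100.255\nOrgName:   Unrelated Hosting Ltd\n",
}

# Netblocks the client has previously seen (pinned) for each "important"
# site; constructed for the example.
PINNED_NETBLOCKS = {"example.com": ["203.0.113.0/24"]}


def main_label(hostname):
    """Return the 'main' part of a domain name, e.g. 'example' for www.example.com."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def whois_org(ip, whois_db=CONSTRUCTED_WHOIS):
    """Extract the OrgName field from a WHOIS record; None if the IP is unknown."""
    record = whois_db.get(ip, "")
    match = re.search(r"^OrgName:\s*(.+)$", record, re.MULTILINE)
    return match.group(1).strip() if match else None


def check_resolution(hostname, resolved_ip, pinned=PINNED_NETBLOCKS, whois_db=CONSTRUCTED_WHOIS):
    """Return ("ok", reasons) or ("suspicious", reasons) for a DNS answer.

    The answer passes if the IP lies inside a pinned netblock for the site, or
    if the WHOIS organisation name contains the domain's main label.
    """
    addr = ipaddress.ip_address(resolved_ip)
    site = ".".join(hostname.lower().rstrip(".").split(".")[-2:])
    label = main_label(hostname)
    reasons = []
    in_pinned = any(addr in ipaddress.ip_network(n) for n in pinned.get(site, []))
    if in_pinned:
        reasons.append("ip inside pinned netblock for " + site)
    org = whois_org(resolved_ip, whois_db)
    org_matches = org is not None and label in org.lower()
    reasons.append(f"whois org {org!r} {'matches' if org_matches else 'does not match'} label {label!r}")
    verdict = "ok" if (in_pinned or org_matches) else "suspicious"
    return verdict, reasons
```

On the constructed data, the normal answer (203.0.113.10) is accepted and the redirected one (198.51.100.77) is flagged, with the reasons list explaining which test failed.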