A DNS hijacking attack left Twitter temporarily affected for about an hour early on Friday. The initial attack has left many users scratching their heads while spreading the belief that Twitter's servers themselves were commandeered by hackers in the name of the "Iranian Cyber Army". Not so. It now seems that Twitter's DNS …

COMMENTS

House rules Send corrections

This topic is closed for new posts.

Friday 18th December 2009 13:30 GMT Anonymous Coward

I lol'd

Seriously!

0 0
Friday 18th December 2009 14:49 GMT rcox1

No compromise?

Ferguson writes. "This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case."

Well, I guess that might technically be the case, but instead anyone using Twitter during that time had their account credentials compromised. There are millions of Twitter desktop clients using basic authentication and thousands of API users doing automated things during the night that were most likely compromised.

This was a huge breach and whether Twitter itself was compromised the net effect is actually the same to a user using a logged in account.

1 1
This post has been deleted by its author
1. Monday 21st December 2009 06:02 GMT Steve Roper
  
  Re: More tedious censorship
  
  El Reg can't publish information like that for legal reasons. 1) they could get sued by the registrar or domain host, and 2) it could compromise any court case Twitter starts against the registrar or domain host. But I'm sure that if you signed an agreement to meet all their legal costs in the event of such an occurrence El Reg might be happy to publish your comments!
  
  0 0
Friday 18th December 2009 16:30 GMT Alastair 7

@rcox2

"There are millions of Twitter desktop clients using basic authentication and thousands of API users doing automated things during the night that were most likely compromised."

Didn't read the bit about the API not being affected, then?

0 0
Friday 18th December 2009 22:05 GMT M.

Why Worry About MSN?

In the article, Trend Micro's Rik Ferguson is quoted as saying "...imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook..."

How could Mr. Ferguson miss the most important point - that thousands (or more) of Twitter accounts were opened to compromise by this DNS-based attack?

What's the point of "imagining" whether MSN (or other) sites were affected? We already have proof that one of the most popular social applications' websites *was* open to compromise. Let's focus on that.

Now, let's get to what the article *should* have said - Everyone with a Twitter account, change your account's password. Even if you have a supposedly-"hard-to-guess", or "complex" password -- it doesn't matter. If you logged in to Twitter (or if your web browser held your session open) while the DNS attack was underway, its password was potentially compromised, or its session tokens were potentially stolen.

Change your Twitter account password, and move on with your life.

1 0
1. Saturday 19th December 2009 18:09 GMT Jim Morrow
  
  Re: Why Worry About MSN
  
  >> Change your Twitter account password, and move on with your life.
  
  better still, don't have a twitter account. get a life instead.
  
  1 0
2. Monday 21st December 2009 06:02 GMT Martin Edwards
  
  Pharming
  
  I'm pretty sure he means imagine the potential if a fake login page was used (pharming). That didn't happen did it? There wasn't anywhere for users to enter their details? The potential for stealing cookies... yeah, I guess you can't rule that out.
  
  It highlights what a weak link DNS can be. In future, pharming might become more of a reality -- and no amount of client-side security or user education will help.
  
  0 0
Monday 21st December 2009 03:10 GMT John Smith 19

Aren't DNS registrars for profit IT companies?

In which case they supply some of the core internet infrastructure.

This would seem to be more about them than Twitter since a pollution of their data will presumably circulate round the net in fairly short order.

But I would admit if my account had been busted I would have changed passwords by now.

0 0
Monday 21st December 2009 05:59 GMT Anonymous Coward

"All your SOA records are belong to us" ?

:snark : *tweet tweet* AYBABTU *tweet* WTH? and how did the DNS servers allow this compromise, one might wonder....

@M: Good point about the session tokens. I know it's minor, but a boffin like myself just might overlook it, on a bad day - and on a good day, I wouldn't be at work.

What do I think then? I think, we need to bring back the Max Headroom show. for reals.

0 0
Monday 21st December 2009 11:27 GMT Anonymous Coward

No mention of DNSsec as the saviour

Of course not, it won't protect against the kind of attack reported here. What would kaminsky do?

0 0
Monday 21st December 2009 13:05 GMT Gianni Straniero

cui bono?

Would flattening Natanz be a disproportionate response to this incident? We need a "tinfoil hat" icon, I believe.

0 0
Monday 21st December 2009 13:35 GMT Matthew Collier

@Martin Edwards and DNSsec savior AC...

...would this not work? Client side, for "important" sites only (i.e. not Twatter or Facespace), you could check that the IP address that resolves from DNS, is registered with the correct company? (I'm thinking, grep for the "main" part of the domain name, in the response from querying something like ARIN (which is what WHOIS, does, right?))

Presumably, you'd need a Firefox extension to carry out the task (or, build it into a browser directly, if you are a browser vendor (or building an open source browser))?

Just a thought I had back when the orginal "Dan-attack" stuff happened last year...

0 0