(USA TODAY) - The extended online outage of the New York Times highlghts a profound, long-standing security weakness in digital commerce: the pervasive use of a simple username and passwords to access online accounts.
We use single-factor authentication -- a simple username and password -- to gain access to everything from e-mail to financial accounts to network controls. Here's how the Syrian Electronic Army (SEA) took advantage:
The SEA did its homework. They established that the New York Times purchased its domain name, www.nytimes.com, from Verisign, and that Verisign subsequently delegated control of Internet traffic going to the Times' website to a registrar, Melbourne IT. Melbourne IT then delegated that same control to numerous Internet Service Providers, including an ISP in India. This chain of trust on which the Domain Name System, or DNS, stands is completely routine.
The SEA focused on the weakeast link, executing a spear phishing attack that successfully obtained the user name and password of at least one administrator at the Indian ISP, says Bill Conner CEO of identity management firm Entrust.
With that foothold in the ISP, the hackers moved up the DNS trust chain. They were next able to manipulate www.nytimes.com, redirecting traffic at Melbourne IT, so that anyone trying to reach the legit website got directed to a bogus site.
"Imagine an attack where I walk in to the office where the telephone records are kept, and I fraudulently rewrite all the numbers associated with the New York Times. In the physical world, this attack wouldn't be practical," says Mike Lloyd chief technical officer at security firm Red Seal Networks. "In the online world, this same attack is much more practical, and quite hard to prevent."
Entrust CEO Conner says it's clear to the cybersecurity community that a spear phishing attack was used to obtain the username and password to the account of an administrator at the Indian ISP. What's not clear at the moment is if that same username and password enabled the SEA hackers deep access into Melbourne IT.
"It's very possible that username and password goes all the way up through the registrar, and that's what people are sorting through right now," says Conner.
Wade Williamson, senior security analyst, firewall company Palo Alto Networks, says that what's happening is that the SEA is going further down the trust chain.
"Instead of hitting NYT directly, they are hitting them at the DNS level. These types of attacks have been seen in the past, where instead of defacing a website, the attackers route the victim's traffic to the attacker's site," says Williamson.
What the SEA is doing is not high-level hacking. The attackers simply took as much advantage as they could from the fact that obtaining a username and password can be done by simple trickery. And figuring out how far that can take you is merely a matter of diligence.
"In this scenario, it was apparently a partner for Melbourne IT that was compromised," says Williamson. "Low-tech in concept, but obviously effective."