The Anatomy of The Twitter Attack: Part II
Dec 18, 2009
During and after Twittergate, when a hacker broke into a few hosted email accounts and obtained a number of internal documents, I had an opportunity to spend hours speaking to the actual attacker and document how he carried out the attack. The article was called The Anatomy of The Twitter Attack, and today we unfortunately find ourselves with a sequel to that post as the Twitter DNS servers were compromised last night and the site was redirected to a defacement page.
Unlike last time, on this occasion I have not had the benefit of speaking directly to the attackers, but I have spoken to a number of people within the underground security scene who are familiar with the matter and have reconstructed other parts of the story from public sources. The incident last night was perpetrated by a group called the Iranian Cyber Army – and we have been told that this group is working with the Iranian government. The attack occurred at the same time as a number of other diplomatic incidents, including the escalation of diplomatic hostilities between Iran and the US/EU as well as an incursion by Iranian troops into a disputed border area containing an oil field.
The defacement was carried out by hijacking the servers hosting the DNS records for the twitter.com domain (these are the servers that answer queries for the domain, mapping its names to IP addresses). The attackers modified the DNS records so that the domain resolved to an IP address with a web server hosting the defacement page. The twitter.com domain registration itself (held with NetworkSolutions) was not hijacked, nor were its registrar records altered.
The DNS records for Twitter are hosted at Dyn, a company that provides DNS hosting for over 100,000 domain names as well as other services for companies. We have been told, but have yet to confirm, that the account password recovery feature was used to reset the password for the Twitter account at Dyn. When we checked th
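The distinction drawn above, that the registrar record was untouched while the hosted zone was rewritten, is exactly the case a registrar-level (WHOIS/delegation) monitor misses. The following is an added example, not code from the original post or from Twitter or Dyn: a small monitor that parses a constructed, dig-style answer snapshot of a hosted zone, diffs it against a known-good baseline, and reports which layer changed. The domain example.com, the nameserver names and the IP addresses are placeholder assumptions, not the real records involved in the incident.

```python
"""Added example (not from the original post): detect tampering of a DNS
hosting account's zone by diffing a trusted baseline against a fresh
snapshot of what the authoritative servers answer, and show why a check
of the registrar's NS delegation alone would not have noticed.

All names, addresses and nameservers below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the shape of `dig +noall +answer` output for a
# known-good zone (illustrative placeholder names and addresses).
BASELINE_ANSWERS = """\
example.com.        300 IN A  192.0.2.10
example.com.        300 IN A  192.0.2.11
www.example.com.    300 IN A  192.0.2.10
www.example.com.    300 IN A  192.0.2.11
example.com.        300 IN MX 10 mail.example.com.
"""

# Constructed snapshot modelling the incident: same hosted zone, but every
# A record now points at a single address outside the owner's range.
HIJACKED_ANSWERS = """\
example.com.        300 IN A  198.51.100.77
www.example.com.    300 IN A  198.51.100.77
example.com.        300 IN MX 10 mail.example.com.
"""

# NS delegation as reported by the registrar (what a WHOIS-level check sees).
# Constructed; unchanged in both snapshots, as it was in the incident.
BASELINE_DELEGATION = {"ns1.dnshost.example", "ns2.dnshost.example"}
HIJACKED_DELEGATION = {"ns1.dnshost.example", "ns2.dnshost.example"}


def parse_answers(text):
    """Parse `name TTL IN TYPE rdata` lines into {(name, type): {rdata, ...}}.

    Trailing dots are stripped so that 'example.com.' and 'example.com'
    compare equal; rdata with spaces (e.g. MX priority + host) is kept whole.
    """
    zone = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines and anything that is not an answer
        name = parts[0].rstrip(".")
        rtype = parts[3]
        rdata = " ".join(parts[4:]).rstrip(".")
        zone[(name, rtype)].add(rdata)
    return dict(zone)


@dataclass(frozen=True)
class Finding:
    scope: str          # "delegation" (registrar) or "zone" (DNS host)
    name: str
    rtype: str
    expected: frozenset
    observed: frozenset


def diff_dns(base_deleg, base_zone, obs_deleg, obs_zone):
    """Return one Finding per record set that differs from the baseline."""
    findings = []
    if base_deleg != obs_deleg:
        findings.append(Finding("delegation", "", "NS",
                                frozenset(base_deleg), frozenset(obs_deleg)))
    for key in sorted(set(base_zone) | set(obs_zone)):
        exp, obs = base_zone.get(key, set()), obs_zone.get(key, set())
        if exp != obs:
            findings.append(Finding("zone", key[0], key[1],
                                    frozenset(exp), frozenset(obs)))
    return findings


def delegation_only_check(base_deleg, obs_deleg):
    """What a monitor watching only registrar NS delegation concludes."""
    return base_deleg == obs_deleg


if __name__ == "__main__":
    base_zone = parse_answers(BASELINE_ANSWERS)
    obs_zone = parse_answers(HIJACKED_ANSWERS)
    print("delegation looks fine:",
          delegation_only_check(BASELINE_DELEGATION, HIJACKED_DELEGATION))
    for f in diff_dns(BASELINE_DELEGATION, base_zone,
                      HIJACKED_DELEGATION, obs_zone):
        print(f"[{f.scope}] {f.name} {f.rtype}: "
              f"expected {sorted(f.expected)}, observed {sorted(f.observed)}")
```

Run against the constructed snapshots, the delegation check passes while the zone diff reports both A record sets rewritten to the same foreign address, which is the signature a defender should alert on. In practice the observed snapshot would come from querying the zone's authoritative servers directly rather than a resolver cache, so that the comparison is not masked by stale TTLs.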