How The New York Times Got Hacked

If you’re tired of trying to keep an expression of intelligent comprehension on your face during conversations with the techies in your workplace, family, or social circle, relax.

It is reliably estimated (by me) that 90 percent of the population of the modern world is valiantly trying to maintain the same pretense, while the remaining 10 percent are using a private language intended to obfuscate rather than enlighten.

This fact of 21st century life is extremely inconvenient when trying to identify who to blame for a massive business failure, which may be the point. However, it also makes it difficult to prevent the next massive business failure.

Somewhere in the miles of coverage of The New York Times website service outage that stretched to 20 hours in the middle of this week, sending readers to Facebook (NASDAQ:FB) for all the news that's fit to print, there must be an explanation in plain English of what happened.

That is, how did a bunch of hackers called the Syrian Electronic Army manage to bring down the New York Times? The question is particularly important because this is by no means the group’s first success, and is unlikely to be its last.

One key part of the plain-English explanation may be in the statement posted Thursday on the corporate website of Melbourne IT, the Australian company that provides domain name registry services to the Times and about 10 other companies that were targeted less successfully this week by the Syrian group.

Toward the end of the statement, the company recommends that owners of website domain names “take advantage of additional registry lock features available from domain name registries….”

According to the company, the Syrian group’s attacks failed to bring down targeted sites that had these additional lock features active.

So, if Melbourne IT is correct, the Syrian hackers obtained the log-in credentials that the Times uses to access its own domain registry information at Melbourne IT, and altered the Internet address associated with www.nytimes.com.

The Times apparently could have, but didn’t, use additional levels of security—a second level of password, or the IT guy’s mother’s maiden name, or whatever. The Huffington Post UK apparently had that second level in place, and didn’t suffer a service outage.

The attack on the Times wasn’t a particularly sophisticated job, some Web security specialists say. It didn’t even achieve its primary goal, which was to post an anti-war message on one or more of the news sites that were attacked. At least, that’s what these unusually chatty hackers said in a post to their Twitter account.

Melbourne IT has been nailed as the “weak link” that was used by the Syrian Electronic Army, although it appears that an employee at an unnamed third-party company in the US actually made the fatal mistake.

The hackers sent out a “spear phishing” attack to email addresses belonging to the American company, which provides domain support services to the New York Times and other major companies that do business with Melbourne IT.

An email recipient fell for the lure, giving the hackers access to the third party’s emails. In the emails, they found log-in credentials that led straight into the domain registry pages (a.k.a. the DNS configuration pages) of 10 major news sites.

Yes, this sounds fishy. Was that log-in information flying around in emails, or in documents attached to emails? Just how accessible is the information, and to whom?

Melbourne IT, which is one of the world’s largest domain registries, says it is working with its clients to make sure that they have all available levels of security in place. Good thing Australia doesn’t celebrate Labor Day on Monday, because they’re going to be busy.

But a group of techies in New York City is going to be plenty busy, too. It looks like a level of security that should have been in place was never put in place, or was disabled at the moment that a bunch of Syrian hackers went phishing.

Moreover, Twitter got caught in the same phishing attack, but managed to restore service quickly. Twitter apparently monitors its DNS settings. But so does The New York Times.

In an email to subscribers Thursday afternoon, the New York Times acknowledged the attack, and said it had been fixed for most users by late Tuesday. But the Times said there had been “some lingering problems” for some users, apparently because not all Internet service providers had updated their systems to reflect the company’s fix. It said access should be fully restored by “the end of the day” Thursday.

So, it looks like a whole series of human errors is to blame: An email user fell for a phishing attack. Somebody at the Times left off a level of security for its registry pages. A monitoring system that was supposed to send an alert of a DNS change failed, or was ignored. At a higher level, somebody may have permitted lax protection of user names and passwords.
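Two of the controls the article names, a registry lock on the domain and monitoring of DNS settings for unexpected changes, can be checked mechanically. The following Python is an added example, not code from the article, Melbourne IT, or the Times: it parses the "Domain Status:" lines of a WHOIS record to tell a registrar-side lock (client* EPP status codes, clearable with the same credentials a phisher steals) from a registry lock (server* codes, which the registrar cannot clear without out-of-band verification), and it diffs a baseline DNS snapshot against a later one so a redirected name shows up as a finding. The WHOIS text, the example.com records and the TEST-NET addresses are all constructed sample data; nothing here touches the network.

```python
"""Registry-lock check and DNS drift detection on constructed sample data (added example)."""
from typing import Dict, List, Set, Tuple

# Real EPP status codes. A registry lock sets the server* codes; ordinary
# registrar locks set the client* codes and are only as strong as the login.
REGISTRY_LOCK_STATUSES = {
    "serverUpdateProhibited", "serverDeleteProhibited", "serverTransferProhibited",
}
REGISTRAR_LOCK_STATUSES = {
    "clientUpdateProhibited", "clientDeleteProhibited", "clientTransferProhibited",
}

# Record types whose silent change means traffic is being redirected.
CRITICAL_RTYPES = {"NS", "A", "AAAA", "CNAME"}

# Constructed WHOIS output: registrar lock only (the weak configuration).
SAMPLE_WHOIS_WEAK = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc. (constructed)
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.EXAMPLE.NET
"""

# Constructed WHOIS output: full registry lock in place.
SAMPLE_WHOIS_LOCKED = SAMPLE_WHOIS_WEAK + """\
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
"""

Snapshot = Dict[Tuple[str, str], Set[str]]

# Constructed DNS snapshots keyed by (owner name, record type). Addresses are
# from the TEST-NET ranges reserved for documentation.
BASELINE: Snapshot = {
    ("example.com.", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.com.", "A"): {"192.0.2.10"},
    ("www.example.com.", "A"): {"192.0.2.10"},
    ("example.com.", "MX"): {"10 mail.example.com."},
}
# Same zone after a hypothetical unauthorized edit at the registrar: www now
# points somewhere else and a TXT record has appeared.
OBSERVED: Snapshot = {
    ("example.com.", "NS"): {"ns1.example.net.", "ns2.example.net."},
    ("example.com.", "A"): {"192.0.2.10"},
    ("www.example.com.", "A"): {"198.51.100.7"},
    ("example.com.", "MX"): {"10 mail.example.com."},
    ("example.com.", "TXT"): {"v=spf1 -all"},
}


def parse_whois_status(whois_text: str) -> Set[str]:
    """Collect the EPP status codes from 'Domain Status:' lines, dropping the trailing URL."""
    statuses: Set[str] = set()
    for line in whois_text.splitlines():
        if line.strip().lower().startswith("domain status:"):
            value = line.split(":", 1)[1].strip()
            if value:
                statuses.add(value.split()[0])
    return statuses


def lock_assessment(statuses: Set[str]) -> Dict[str, object]:
    """Report whether registry and registrar locks are fully in place and which codes are absent."""
    missing_registry = REGISTRY_LOCK_STATUSES - statuses
    missing_registrar = REGISTRAR_LOCK_STATUSES - statuses
    return {
        "registry_lock": not missing_registry,
        "registrar_lock": not missing_registrar,
        "missing": sorted(missing_registry | missing_registrar),
    }


def dns_drift(baseline: Snapshot, observed: Snapshot) -> List[Dict[str, object]]:
    """Diff two snapshots; every changed record set becomes a finding with a severity."""
    findings: List[Dict[str, object]] = []
    for key in sorted(set(baseline) | set(observed)):
        before, after = baseline.get(key, set()), observed.get(key, set())
        if before == after:
            continue
        findings.append({
            "record": key,
            "added": sorted(after - before),
            "removed": sorted(before - after),
            "severity": "critical" if key[1] in CRITICAL_RTYPES else "high",
        })
    return findings


def report(whois_text: str, baseline: Snapshot, observed: Snapshot) -> List[str]:
    """Human-readable lines combining the lock check and the drift findings."""
    lines: List[str] = []
    locks = lock_assessment(parse_whois_status(whois_text))
    if not locks["registry_lock"]:
        lines.append("WARN registry lock absent; missing: " + ", ".join(locks["missing"]))
    for f in dns_drift(baseline, observed):
        name, rtype = f["record"]
        lines.append(f"{f['severity'].upper()} {rtype} {name} added={f['added']} removed={f['removed']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_WHOIS_WEAK, BASELINE, OBSERVED):
        print(line)
```

In practice the baseline would be the snapshot taken at the last authorized change and the observed snapshot would be collected from several resolvers on a schedule; any finding on an NS or address record is the signal the article says was missing or ignored, and should page someone rather than sit in a log.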

It’s just too bad that behind every great domain name stands a bunch of fallible human beings.

This article by Carol Kopp originally appeared at Minyanville.