Is Your Web Site as Critical to Your Business as Your Bank Account? Ask the New York Times or Google What They Think.
The news is out that Google's site in Malaysia was hacked by an activist group. The hack seems to be of the same variety as that which redirected the NY Times site just about a month ago. The hackers accessed the DNS registry and changed the IP addresses to point at pages they controlled. I wonder how often this happens and no one reports the incident?
This DNS address change reminds me of the first wave of financial account takeover and credit card fraud of about a decade ago. Fraudsters would surface mail or phone a financial institution with a request to change the address to which a statement was being mailed. Such a request used to be handled without much thought to validating the request with the account owner. Once the fraudster received a hardcopy of a statement, it was not too difficult to order checks, apply for credit cards, and otherwise abuse the account and credit of the legitimate owner.
Syrian Electronic Army hack and re-assignment of NY Times DNS Registry suggests a new "best practice" should be required of DNS service providers.
Ever want to scream, "What's the matter with you?" I know I do! The Syrian Electronic Army (SEA) DNS registry hack of the NY Times is a good reason. The attack redirected the traffic from the New York Times Web site to a site under the control of the SEA. It was easily preventable. Doesn't anyone verify anything anymore? Pests are skilled at squeezing through the smallest cracks. Time to evaluate best practices – even for the seemingly benign.
When a substantive change to a Web site's DNS address is made, a representative of the Web site's legitimate owner should be asked to verify the change. That should be a no-brainer, especially after learning that a spear phish was the root cause of the hack and that "just" usernames and passwords stood between an attacker and the ability to re-assign a property like the NY Times. Using two-factor authentication for the login, or a two-factor verification of the change, could have easily prevented the unauthorized changes.
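The two-factor verification of the change suggested above can be sketched as follows. This is an added example, not code from any registrar or from this post; `ChangeGate`, `confirmation_code`, the device key and the addresses are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets


def confirmation_code(device_key, domain, new_ip, nonce):
    """Code the owner's second-factor device derives for one specific change."""
    msg = f"{domain}|{new_ip}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()[:8]


class ChangeGate:
    """Hypothetical registrar-side gate: a login only queues a DNS change."""

    def __init__(self, records, device_keys):
        self.records = dict(records)    # domain -> address currently served
        self.device_keys = device_keys  # domain -> key enrolled on owner's device
        self.pending = {}               # change_id -> (domain, new_ip, nonce)

    def request_change(self, domain, new_ip, password_ok):
        # First factor: the account password (all a spear phish yields).
        if not password_ok:
            raise PermissionError("login failed")
        change_id, nonce = secrets.token_hex(8), secrets.token_hex(8)
        self.pending[change_id] = (domain, new_ip, nonce)
        # The registrar sends domain, new_ip and nonce to the owner's enrolled device.
        return change_id, nonce

    def confirm(self, change_id, code):
        # Single use: any attempt, right or wrong, consumes the pending change.
        entry = self.pending.pop(change_id, None)
        if entry is None:
            return False
        domain, new_ip, nonce = entry
        expected = confirmation_code(self.device_keys[domain], domain, new_ip, nonce)
        if not hmac.compare_digest(expected, code):
            return False
        self.records[domain] = new_ip
        return True


if __name__ == "__main__":
    key = b"constructed-device-key"  # constructed sample value
    gate = ChangeGate({"example.com": "192.0.2.10"}, {"example.com": key})
    cid, nonce = gate.request_change("example.com", "203.0.113.66", password_ok=True)
    print(gate.confirm(cid, "guess123"), gate.records)  # password alone: unchanged
    cid, nonce = gate.request_change("example.com", "198.51.100.7", password_ok=True)
    code = confirmation_code(key, "example.com", "198.51.100.7", nonce)
    print(gate.confirm(cid, code), gate.records)         # owner confirmed: applied
```

Because the code is derived from the domain, the new address and a fresh nonce, an approval given for one change cannot be reused to authorize a different one.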