Twitter's inability to control its Domain Name System (DNS) is a common problem among enterprises, according to...
experts, who said last week's incident highlights the need for better DNS security and tougher authentication processes with DNS registrars.
Attackers have focused on authoritative name servers – those that are configured to return answers to queries about specific domain names. Microsoft's domains have come under fire and several hackers were charged in May for hijacking Comcast.net in 2008 by contacting Network Solutions, the company's domain registrar and using credentials from a hacked Comcast email account.
DNS security risks were again highlighted last week when a hacking group, claiming to be the Iranian Cyber Army, used a stolen password to log into Twitter's DNS settings. The group changed the DNS records, redirecting the traffic to a web page for about an hour on Friday. Visitors to Twitter were redirected to a page displaying an image of a green flag and Arabic writing that announced that Twitter had "been hacked by the Iranian Cyber Army."
Twitter said its servers were never compromised. Company DNS records are typically maintained by a DNS service provider, but a simple password cracker could enable anyone to break into the email account of a Twitter employee and steal other sensitive account credentials to make the DNS changes. Twitter's DNS provider, Dynamic Network Services Inc., said the attackers used valid Twitter credentials to change the DNS settings.
How to protect DNS servers: The DNS database is the world's largest distributed database, but unfortunately, DNS was not designed with security in mind.
While the DNS security issue appears to be simply an example of poor password management, experts say the incident raises the need for additional verification methods to address DNS hijacking. A sever level verification step such as a credential exchange between the DNS provider and the company servers may have avoided the problem said Chenxi Wang, a principal analyst at Cambridge, Mass.-based Forrester Research Inc.
"If you can easily change a company's DNS record without much verification then there's a really big step missing in the process," Wang said. "This really underscores how vulnerable the DNS infrastructure is. It's not very robust and there are many weak points of attack."
Network security expert Dan Kaminsky, director of penetration testing at IOActive Inc., is well known for his discovery of the DNS cache-poisoning bug in 2008. The announcement, coupled with an industry-wide coordinated patch release, shed light on the need for better security and renewed interest in DNSSEC, a set of protocols that introduce encryption into DNS.
Kaminsky, once an opponent of DNSSEC as a result of the costs and effort to deploy it, said he came full circle to support it when he was convinced that the technology makes it easy for people and enterprises to more efficiently and affordably authenticate.
"For authentication, all we had was a dull blade and finally someone got sick of it and handed us a screw driver," Kaminsky said. "It's going to take time to get used to the fact that we have a screw driver, so let's start migrating to the right tool."
But Kaminsky also points out that the authentication and security technologies are available to customers who buy them from their registrar. Neustar Inc.'s UltraDNS provides DNS management services with enhanced security as well as MarkMonitor Inc. and CNCDomain.
"With DNS you have options," Kaminsky said. "You have the ability to change where your DNS records are hosted and change who controls those records."
Once DNSSEC is more broadly deployed, Kaminsky predicts a new group of small start-ups using DNSSEC authentication technology behind their products. He said products will be either newly produced or reconfigured to fix scalability problems.
Cricket Liu, a DNS expert and vice president of architecture at Santa Clara, Calif.-based network service appliance vendor Infoblox Inc., said the top-level domains are starting with deployments followed by enterprises and ISPs. As for Twitter, securing account credentials to the company DNS records should be an imperative.
"You need to use the same care with the authentication information as you would with any of your account credentials," Liu said. "You could use more airtight forms of authentication, but then accessing that data becomes more of a hassle."
Companies do not make DNS changes regularly, however sometimes capacity issues drives the need for additional Web servers to handle increased traffic. The person adding the new servers would need to login to the DNS provider to add the new server IP addresses to the listed DNS settings. Other firms may need to switch to backup servers, temporarily disabling primary IP addresses.
The incident cannot be classified as a website defacement, a common problem that happens to thousands of sites daily, Liu said. Defacements usually mean a Web server has been compromised giving hackers access to underlying website files and the ability to upload malicious photos and other content. DNS redirects pointing a popular site to an alternative location are also very common. In May Google search sites in Uganda, Morocco and Kenya went down as a result of a hacker redirecting Google's Internet Protocol to other sites.
"In retrospect maybe the company should have a workflow so that one person could request a DNS change but someone else would have to approve the change," Liu said. "But that takes overhead and could hamper Twitter's ability to manage its network settings."