Melbourne IT Security Was Weak Link In NY Times Attack

Just hours after Melbourne IT took responsibility for allowing hackers to attack The New York Times on Tuesday, a message appeared on the Australian firm's blog:

"Hacked By SEA," it read. "Your servers [sic] security is very weak."

The Syrian Electronic Army, a notorious hacker group, appeared to have struck again. And the message pointed to a troubling fact: A company with a vital role in the functioning of the Internet had left its computer system seemingly wide open to hackers.

As a registrar of domain names, Melbourne IT is a critical player in making the Internet work. The company helps translate the long string of digits that make up a website's IP address into a domain name that is easy for people to remember. Melbourne IT, which has more than 350,000 customers, is essentially one of the largest keepers of the Internet's phone book.

On Tuesday, hackers made changes to that phone book, impacting The New York Times and possibly other websites, according to reports. The New York Times reported that the attack against Melbourne IT left its website unavailable to many visitors for several hours, though the paper continued publishing stories through another site -

The attack against Melbourne IT -- and the collateral damage it caused some of the world's most popular news and social media outlets -- highlights a central problem companies face as they try to secure their networks in a complex Web ecosystem. Although businesses invest millions of dollars to fight off hackers, they must still rely on the security measures of various third parties like Melbourne IT to run their businesses online.

"In security, you try to rely on as few third parties as possible, but you have to place your trust with the company you register with," said David Ulevitch, CEO of OpenDNS, which provides security for the Domain Name System.

"The Internet is fragile. It’s only as strong as its weakest link. When somebody finds a way to break a small link it can create a massive ripple effect."

Ulevitch said the Domain Name System has been around for the last 20 years and there are ways to prevent attacks against it, though it is unclear whether Melbourne IT had implemented them.

In July, an anonymous post on the file-sharing site detailed what appeared to be usernames and passwords of Melbourne IT's servers. The data has not been verified and Melbourne IT could not immediately be reached for comment.

The company issued a statement about Tuesday's incident late in the day that said the credentials of one of its resellers were used to access its systems and change the records for several websites.

[UPDATE, Aug. 28 3:10pm: Melbourne IT's chief technology officer, Bruce Tonkin, told the L.A. Times the hackers obtained the credentials after a "targeted phishing attack" -- a malicious email that appears to come from a trusted source -- against the company's U.S.-based sales partner.]

Twitter said Tuesday that an attack against the company's DNS provider left people temporarily unable to view images and photos on the social networking site, but did not directly blame Melbourne IT. The Huffington Post's United Kingdom website also appeared to be compromised Tuesday, and a spokesperson said the site experienced "minimal disruption of service," the Wall Street Journal reported, but did not name Melbourne directly.

The attack was the latest attributed to the S.E.A., which has been called "a collective of pro-[Syrian President Bashar al-] Assad hackers and online activists" working with the support of the Syrian regime. The hacker group has taken credit for hacking the Twitter accounts of several other news agencies in recent months, including NPR, the Associated Press, Reuters, BBC and Al Jazeera.

But the hackers' method of attack on Tuesday represented a different strategy, one that may have prolonged victims' recovery time. By attacking the company that registered domain names -- and not the sites themselves -- the hackers appeared to make changes to a system that can take several hours to reverse because of how the Domain Name System works, Ulevitch said.

A 2011 article in Smashing Magazine, a website for developers and web designers, notes that it can take more than 24 hours to recover from changes to the Domain Name System. "This is quite an anomaly in a world of ultra-convenience and super-fast everything," the article noted.

Such an attack happens often and is not very sophisticated, experts say. "What they did was pretty simplistic," said Aleksandr Yampolskiy, a security expert and chief technology officer at Cinchcast, a webcasting provider. "But what’s scary is if they were smarter they could have done more damage."

For example, the hackers could have redirected visitors to The New York Times to another website that installed malicious software on users' computers, Yampolskiy said.

"The challenge with security is that when you're a good guy you have to know every single way to protect your infrastructure," Ulevitch said. "But the bad guys only have to find one way to break in."

This story has been updated to reflect Melbourne IT's statement about the hackers' method of attack.