Understanding the New York Times hack

The New York Times | Los Angeles Times | CloudFlare | The Washington Post

Hackers — most likely the Syrian Electronic Army — attacked The New York Times’ website Tuesday, complicating access for many users. In an email to Poynter, Times spokesperson Eileen Murphy writes the “situation is close to being fully resolved.” Anyone still having issues getting to the site may want to try clearing their DNS cache.

The hackers attacked the company that registered the URL “nytimes.com,” which under normal circumstances would point readers to the company’s actual Web server. During the attack, the Times published stories on that server — you had to type 170.149.168.130 in your browser’s address bar to get there — and on its corporate site.

“We decided to publish yesterday on nytco.com because it was available to us and not impacted by the attack and had the benefit of being an already established and clearly recognizable domain associated with The Times,” Murphy writes. “It offered a good alternate publishing platform.”

So what actually happened? The hackers got access via the login information of a sales partner of Melbourne IT, the Australian company through which the Times registered its domain name. “Using those reseller’s credentials, hackers changed the records that tell computers around the world from where to download web pages when someone types NYTimes.com into an Internet browser,” Paresh Dave reports in the Los Angeles Times.

Matthew Prince has written a very clear explanation of how Web addresses, and by extension the hack, worked. “This was a very spooky attack,” Prince writes. “MelbourneIT is known for having higher security than most registrars.”

It’s important to remember that the hackers didn’t get into the Times’ Web server itself — they interrupted many users’ path to it by changing details of its Domain Name Service, or DNS. They also apparently changed details for Twitter and at least some of The Huffington Post’s sites but didn’t manage to create as much of a nuisance of themselves on those sites.

The Washington Post’s Timothy B. Lee writes that “compromising a domain name can still cause serious problems.” David Ulevitch of the company OpenDNS tells Lee “When you hijack peoples’ DNS, it’s a total transfer of much of the authority that’s been allocated in the identity of that organization.”

For example, the New York Times is “no doubt emailing confidential sources all the time. Someone could intercept that email” by changing the DNS record telling where to deliver it.

Compromising Twitter’s domain could create even more serious security problems, Ulevitch says, because Twitter has “lots of Javascript embedded all over the Internet. Once you can execute javascript on other Web sites, you can deface Web sites all over the Internet.”
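The mechanism described above (records changed at the registrar so that resolvers send users, and potentially mail, to a host the site owner never chose, with cached answers lingering until their TTL expires) lends itself to a simple defender-side check: keep a baseline of a domain's NS, A and MX records and alert when what resolvers currently return drifts from it. The following is an added example, not code from the Poynter article, from The Times or from any of the sources quoted; all domain names and addresses in it are constructed placeholders in documentation ranges, and the `dig`-style answer text it parses is constructed sample input rather than a real capture.

```python
"""Baseline monitor for registrar-level DNS hijacks (added example).

Compares an expected record set for a domain against what a resolver
currently returns and reports the kinds of change a registrar or reseller
account compromise produces: nameserver delegation swapped out, the A
record pointing at another host, or MX records redirected so that mail
could be intercepted. Everything below uses constructed placeholder
names (RFC 2606 / RFC 5737 ranges), not real infrastructure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    record_type: str
    severity: str
    detail: str


# Record types worth watching and what a change to each means for defenders.
WATCHED = {
    "NS": ("critical", "delegation changed; consistent with a registrar or reseller account compromise"),
    "A": ("high", "web traffic now resolves to an unexpected host"),
    "MX": ("high", "mail for the domain would be delivered to an unexpected server"),
}


def _answer_lines(text):
    """Yield the fields of each '<owner> <ttl> IN <type> <rdata...>' line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN" and parts[1].isdigit():
            yield parts


def parse_dig_answer(text):
    """Parse 'dig +noall +answer' style output into {rtype: set(rdata)}."""
    records = {}
    for parts in _answer_lines(text):
        rtype = parts[3]
        rdata = " ".join(parts[4:]).lower()
        records.setdefault(rtype, set()).add(rdata)
    return records


def longest_ttl(text):
    """Largest TTL among the answers: an upper bound on how long resolvers
    may keep serving a hijacked answer after the registrar restores the
    records, which is why users were told to clear their DNS cache."""
    return max((int(parts[1]) for parts in _answer_lines(text)), default=0)


def _normalise(rtype, rdata_set):
    # For MX, drop the preference number so "10 mail.x." and "20 mail.x."
    # compare equal: a re-prioritised but identical MX set is not a hijack.
    if rtype == "MX":
        return {r.split(None, 1)[1] if " " in r else r for r in rdata_set}
    return set(rdata_set)


def detect_dns_drift(baseline, observed):
    """Return a Finding for every watched record type that differs from baseline."""
    findings = []
    for rtype, (severity, meaning) in WATCHED.items():
        expected = _normalise(rtype, baseline.get(rtype, set()))
        seen = _normalise(rtype, observed.get(rtype, set()))
        if expected == seen:
            continue
        added = sorted(seen - expected)
        removed = sorted(expected - seen)
        findings.append(Finding(rtype, severity, f"{meaning}; added={added} removed={removed}"))
    return findings


# Constructed sample data: the baseline a news site would record in advance...
BASELINE_DIG = """
example-news.com.  3600  IN  NS  ns1.registrar-dns.example.
example-news.com.  3600  IN  NS  ns2.registrar-dns.example.
example-news.com.  300   IN  A   192.0.2.10
example-news.com.  3600  IN  MX  10 mail.example-news.com.
"""

# ...and what a resolver returns after the delegation was changed at the registrar.
OBSERVED_DIG = """
example-news.com.  3600  IN  NS  ns1.unexpected.example.
example-news.com.  3600  IN  NS  ns2.unexpected.example.
example-news.com.  300   IN  A   198.51.100.7
example-news.com.  3600  IN  MX  10 mx.unexpected.example.
"""


def run_demo():
    """Run the check over the constructed sample and return the findings."""
    findings = detect_dns_drift(parse_dig_answer(BASELINE_DIG), parse_dig_answer(OBSERVED_DIG))
    for f in findings:
        print(f"[{f.severity}] {f.record_type}: {f.detail}")
    print(f"stale answers may persist up to {longest_ttl(OBSERVED_DIG)}s in resolver caches")
    return findings


if __name__ == "__main__":
    run_demo()
```

In practice the observed side would come from querying several independent resolvers (and the TLD's authoritative servers for the NS set) on a schedule, so that a change made at the registrar is noticed before users report it; the comparison logic stays the same.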

In their account of the hack, Christine Haughney and Nicole Perlroth say the attack “also forced employees of The Times to take care in sending e-mails.”

The New York Times’ site was down earlier this month. The Wall Street Journal dropped its paywall in response, and did so again this week.


  • http://www.robbmontgomery.com/ Robb Montgomery

    Is there a truly secure registrar that can be trusted by news orgs? Poynter should gather that list. And after you do that we need to develop tools specifically for journalists. A secure web browser, secure e-mail, secure cloud storage, and the list goes on. The vulnerabilities need to be addressed systematically.