Thursday, December 17, 2009

Twitter Hacked By The "Iranian Cyber Army"...

(This is the alledged photo message the hackers left)

UPDATED 12/18:

It wasn't Twitter's infrastructure that was hacked, it was its DNS.


Let me explain....

DNS stands for Domain Name Service, which essentially connects the IP addresses of Web sites (which are numerical) to the names seen in URLS (such as www.twitter.com). It wasn't Twitter's infrastructure that was hacked, it was its DNS -- which ceased pointing those who typed in Twitter addresses (including help.twitter.com, blog.twitter.com, postmaster.twitter.com and many others) to the site they intended to reach, and instead sent them to one of four servers hosting the propaganda page in question.



"There are a couple reasons (for hackers to use) multiple IP addresses in a case like this,"
said Rasmussen. "First, you can change IP addresses very quickly to avoid detection, which makes it harder to shut things down. Also, because they knew they'd hit so much traffic from Twitter, it kept them from getting overloaded."


The ISPs -- all four of which are located in the United States -- "look like they're all large, virtual hosting servers that have lots of Web sites on them," said Rasmussen. "There's some speculation that somebody's site got hacked into, but I'm guessing they used stolen credentials to set up an account that would service Twitter. Either way they were fairly large boxes that support many sites, and so have good bandwidth and strength to be able to handle a big hit."

Rasmussen points out that no matter how much security a Web site has, DNS vulnerabilities are far easier to exploit. He points to a situation last year in which CheckFree's customers were redirected to a faux site in the Ukraine that spread malware.

"It is," he said, "a soft underbelly for pretty much everybody on the Web."


How the Iranian group got Twitter's DNS password is another matter.


"I'm assuming they got hold of a username and password," he said.
"Twitter didn't get hacked, so there's no official data breach. . . . In a company like that, there are probably dozens of people who use dozens of passwords. Whether it was social engineered or whether it was malware taken from people's laptops is unclear. It could have been somebody's Gmail account that got compromised for all I know. But the information was still lost."


________________________________


12/ 17:

So if you tried to get on Twitter and could not and thought something was wrong with your computer it is not just you. Rumor has it this is the work of an
"Iranian Cyber Army."

The hackers supposedly left this messsage...

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don't, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To....


NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.


As of right now this is not confirmed. There has been no word Twitter yet, but I knew something was up when I seen that it was a broken link! Even.. status.twitter.com and blog.twitter.com too.
This is what I found out....
There have been reports that Twitter.com was resolving to a parking page from a hosting service, but we haven't seen any screenshots of that.


Update: – We have just found out that the same defacement is appearing at at least one other site, mawjcamp.org. We are not able to see what was at this domain before, but it is now displaying the same defacement that Twitter was only a few minutes ago.

Twitter does not have the best record with security issues. We have previously covered a number of incidents, and as recently as two months ago their web servers were misconfigured to reveal detailed internal network information. We also previously wrote about their admin interface having a password of ‘password’ on one account, and the well-known Twitter doc incident. It was hoped that with the hiring of a new COO, Dick Costolo, as well as a number of other high-level engineers, including security experts, that Twitter had grown out of the phase of being vulnerable to security incidents on such a large scale.

We do not know a lot about the group claiming responsibility for the attack as we haven’t heard their name before and they do not show up in any defacement mirrors or security sites. Similar Iranian groups were active during the election campaign in that country. We have emailed the group (they were kind enough to leave an address on the defacement) for a comment (also added them on Gchat – worth a shot).

Update 2.: Twitter.com is down, status.twitter.com is down (not useful, perhaps they should host it at blogger). Some tweets are getting through at the moment because parts of the API are up. Search also seems to be working. The Firehose is up – Tweets are coming in from FriendFeed (all those tweets about ‘is twitter down’ are from third-party sites)

Update 3.: It is suggested that if you use the same password on your Twitter account with other accounts, now would be a good time to change your password on those other accounts.

Update 4.: There is a history between Iran and Twitter. It was well noted and covered in the media that Twitter was used as a tool during the Iranian election protests. The US government actually intervened to assure that Twitter was available to the protestors in Tehran and around the country. This attack may be an act of reprisal from groups who were not happy with the role that Twitter played during the protests

Update 5.: There is speculation at the moment that this may be a DNS redirect, which means that the Twitter.com domain has been redirected to the defacement page. This doesn’t explain why some sub-domains are down, while others are currently still alive (such as search)

No comments:

Post a Comment