The "Twitter hack" by the "Iranian Cyber Army" turns out not to have been a hack of Twitter itself: instead the attackers took aim at the DNS records for the site, sending visitors to a page of their own while Twitter's servers were untouched (Twitter says in a blog post that its API services, which contact the servers directly, were unaffected).
The hackers also appear to have hacked mowjcamp.org, an advocacy site for Iranian protesters against the re-elected President Mahmoud Ahmadinejad.
I tried to contact the "Iranian Cyber Army" at the given (Gmail) address on the website: it bounced as undeliverable.
Rik Ferguson, a security analyst at Trend Micro, said: "This kind of DNS hijacking usually involves compromising the registrar responsible for the DNS records of the victim company. The attackers then make unauthorised changes to the DNS records. These changes mean that when you or I type a web site address into our browsers, we are directed not to the real web site but to a second site, set up by the hackers, in this case the 'Iranian Cyber Army'. This has the net effect of making it look like, in this example, servers belonging to Twitter were compromised when in reality that was not the case."
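The mechanism Ferguson describes leaves a clear fingerprint: the name servers published in the parent delegation change, the addresses visitors resolve drift away from ranges the site owns, and the site's own authoritative servers keep answering correctly because they were never touched. The following is an added example, not code from the article or from Trend Micro, of a monitoring check that looks for those three signals. The zone name, name servers, address ranges and the two observation snapshots are all constructed for illustration, not Twitter's real data; in a real job the snapshots would come from live queries to the TLD servers, to the zone's authoritative servers and to a few public recursive resolvers.

```python
import ipaddress

# Constructed baseline for a hypothetical zone, example.com: the name servers
# the registrar is supposed to publish in the parent (.com) delegation, and the
# address ranges the site's own web servers live in. Not Twitter's real data.
BASELINE = {
    "ns": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "allowed_nets": [ipaddress.ip_network("203.0.113.0/24")],
}

# Two constructed observations, shaped like what a monitoring job collects:
# the NS set seen in the parent delegation, the A records a public recursive
# resolver returns for the site, and the A records the zone's own
# authoritative servers return when asked directly.
CLEAN = {
    "parent_ns": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "resolved_a": ["203.0.113.10", "203.0.113.11"],
    "authoritative_a": ["203.0.113.10", "203.0.113.11"],
}
HIJACKED = {
    # Registrar-level change: the delegation now points at the attacker's
    # servers, so resolvers hand out an address the site does not own, while
    # the real authoritative servers still hold the correct records.
    "parent_ns": {"ns1.attacker.example.", "ns2.attacker.example."},
    "resolved_a": ["198.51.100.7"],
    "authoritative_a": ["203.0.113.10", "203.0.113.11"],
}


def _canon(name):
    """Normalise a DNS name for comparison: lowercase, one trailing dot."""
    return name.lower().rstrip(".") + "."


def audit(observation, baseline=BASELINE):
    """Compare one observation with the pinned baseline and return a list of
    findings; an empty list means nothing has drifted."""
    findings = []

    # 1. Delegation drift: did the NS set at the parent change?
    seen_ns = {_canon(n) for n in observation["parent_ns"]}
    want_ns = {_canon(n) for n in baseline["ns"]}
    if seen_ns != want_ns:
        findings.append(
            "delegation NS changed at parent: added %s, removed %s"
            % (sorted(seen_ns - want_ns), sorted(want_ns - seen_ns))
        )

    # 2. Resolved addresses outside the ranges the site actually owns.
    for addr in observation["resolved_a"]:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in baseline["allowed_nets"]):
            findings.append("resolver returned %s, outside expected ranges" % addr)

    # 3. Resolvers disagree with the zone's own servers: the change is
    #    upstream of the zone (registrar/delegation), not on the site's hosts.
    if set(observation["resolved_a"]) != set(observation["authoritative_a"]):
        findings.append(
            "recursive answer %s differs from authoritative answer %s"
            % (sorted(observation["resolved_a"]),
               sorted(observation["authoritative_a"]))
        )
    return findings


if __name__ == "__main__":
    for label, obs in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, audit(obs) or ["ok"])
```

The third check is the one that distinguishes a registrar or delegation compromise from a compromise of the site's own servers: when the authoritative servers still give the right answer but resolvers do not, the problem sits above the zone, exactly the situation the quote describes.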
Similar misdirection has happened in the past by accident, though at the routing layer rather than in DNS. In February 2008 YouTube became unreachable for much of the world after Pakistan Telecom, acting on a government order to block the site inside the country, announced a more specific route for YouTube's address block. Routers prefer the most specific route they know, so once that announcement leaked to Pakistan Telecom's upstream provider it drew YouTube-bound traffic from around the world into a black hole that was meant only for users in Pakistan. (Update: altered to try to clarify that the Pakistan/YouTube incident was about routing tables, not DNS.)
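Why a single more-specific announcement can capture traffic globally comes down to longest-prefix matching, and the modern defence against it is origin validation against Route Origin Authorizations. The block below is an added example, not part of the original article, that simulates both on a constructed routing table. Prefixes are private address space and the AS numbers (64500 to 64502) are from the reserved documentation range; none of this is the real YouTube or Pakistan Telecom data, and the ROA list is hypothetical.

```python
import ipaddress

# Constructed routing table as (prefix, origin AS). AS64500 legitimately
# announces the /22; AS64501 leaks a more-specific /24 carved out of it, the
# shape of the Pakistan/YouTube announcement. Hypothetical values throughout.
ROUTES = [
    (ipaddress.ip_network("10.10.0.0/22"), 64500),   # victim's legitimate block
    (ipaddress.ip_network("10.10.2.0/24"), 64501),   # leaked more-specific
    (ipaddress.ip_network("10.20.0.0/16"), 64502),   # unrelated network
]

# Hypothetical Route Origin Authorizations (RPKI-style): the holder of the /22
# states that only AS64500 may originate it and nothing more specific than /22.
ROAS = [
    (ipaddress.ip_network("10.10.0.0/22"), 64500, 22),
]


def best_route(table, ip):
    """Longest-prefix match as a router performs it: the most specific prefix
    covering the destination wins, regardless of who announced it."""
    ip = ipaddress.ip_address(ip)
    covering = [(pfx, asn) for pfx, asn in table if ip in pfx]
    if not covering:
        return None
    pfx, asn = max(covering, key=lambda r: r[0].prefixlen)
    return str(pfx), asn


def suspicious_more_specifics(table):
    """Flag prefixes whose origin AS differs from the origin of the nearest
    covering prefix in the same table: a crude detector for the
    'more-specific from a stranger' pattern."""
    findings = []
    for pfx, asn in table:
        parents = [(p, a) for p, a in table if p != pfx and pfx.subnet_of(p)]
        if not parents:
            continue
        parent, parent_asn = max(parents, key=lambda r: r[0].prefixlen)
        if parent_asn != asn:
            findings.append((str(pfx), asn, str(parent), parent_asn))
    return findings


def roa_validity(prefix, asn, roas=ROAS):
    """Classify an announcement the way RPKI origin validation does:
    'valid' if a covering ROA names this AS and permits this length,
    'invalid' if ROAs cover the prefix but none matches,
    'unknown' if no ROA covers it at all."""
    pfx = ipaddress.ip_network(prefix)
    covered = False
    for roa_pfx, roa_asn, maxlen in roas:
        if pfx.subnet_of(roa_pfx):
            covered = True
            if asn == roa_asn and pfx.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "unknown"


if __name__ == "__main__":
    # A host inside the leaked /24 is captured; one outside it is not.
    print(best_route(ROUTES, "10.10.2.5"))
    print(best_route(ROUTES, "10.10.1.5"))
    print(suspicious_more_specifics(ROUTES))
    for pfx, asn in ROUTES:
        print(pfx, asn, roa_validity(pfx, asn))
```

A router that drops announcements classified "invalid" would never install the leaked /24, which is the protection operators get from RPKI-based origin validation today; in 2008 nothing of the kind was deployed, so the more-specific route simply won.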
Nonetheless, security experts know that DNS is one of the internet's major weak points: because it maps the names people type to the addresses their traffic is sent to, whoever controls a domain's records can send its visitors wherever they like. In July 2008 researchers and vendors raced to patch a cache-poisoning flaw in DNS, found by Dan Kaminsky, before attackers could exploit it.
Ferguson added: "These sorts of attacks are usually limited to hacktivism activities like this one today, but imagine the potential to criminals if they could pull this off against any site requiring log in credentials, such as PayPal, eBay, MSN, Facebook. One has to wonder how quickly the attack would be noted if the dummy site was an exact replica of the victim and was simply there to harvest credentials and redirect the user then into the real site."
Sunday, December 20, 2009