'Cyber Army' Attacks Twitter, Iran Green Movement Site
Dec 18, 2009 12:12 PM PT
Twitter had a service outage Friday morning because its DNS servers were compromised. It was done by a hacker or group of hackers self-identified as the "Iranian Cyber Army."
The group also took over the Iranian opposition Web site mowjcamp.org, the official Web site of the Green Movement. The Green Movement's opposition to the outcome of Iran's presidential election earlier this year led to nationwide protests that were extensively chronicled on Twitter.
Twitter is investigating the issue, said company cofounder Biz Stone. At press time, Twitter was back up and running, but the mowjcamp.org site was not.
What Happened at Twitter?
Twitter's records were compromised last night, but they had been fixed by the time Stone posted comments at 11:43 p.m. Pacific time on his blog.
"Twitter.com was redirected for a while, but API (application programming interface) and platform applications were working," Stone wrote. "We will update with more information and details once we've investigated more fully."
Twitter's page was redirected to a Web page displaying a green flag with Arabic writing and the words "This Web site has been hacked by Iranian Cyber Army" at the top. "USA think they controlling and managing internet by their access, but they don't, we control and manage internet by our power, so do not try to stimulation Iranian peoples to," a footnote at the bottom of the hacked page read. "Now which country in embargo list? Iran? USA? We push them in embargo list." The page ends with the words "Take care."
The "Cyber Army's" email address was listed on the hacked page as Iranian.firstname.lastname@example.org.
What's This With DNS?
DNS, the Domain Name System, is a hierarchical naming system for computers, services or any other resources connected to the Internet. Each participant is given a domain name that ends in a suffix such as .com, .net, .org or .gov. Behind each domain name is a numeric address; the DNS translates the names people can understand -- the Web site names so familiar to us, such as Twitter.com -- into those numbers. Consider the DNS system the phone book for the Internet.
Each domain or subdomain in the Internet has one or more DNS servers that publish information about the domain and the name servers of any domains that are subordinate to it. The right to use a domain name is allocated by domain name registrars. These registrars are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN).
You can find information about the registrant of a domain name by going to the WHOIS database.
Twitter's latest outage may have come in through its domain registrar, said Beth Jones, security analyst at Sophos. "It appears that the registrar was compromised," she told TechNewsWorld. "The group gained unauthorized access to the account and changed the records to point to their server rather than Twitter's server."
Still, there's a good side to the attack -- it appears as though no information was stolen. "The good news is, the attack through the registrar means none of Twitter's servers were touched and all accounts and passwords are safe," Jones pointed out.
Stealing Mowjcamp's Mojo
The other site the hackers claimed credit for attacking is Mowjcamp, a site run by opponents of the current regime in Iran.
Now, Mowjcamp's site has apparently been rendered inaccessible. Both "mowjcamp.com" and "mowjcamp.org" display messages stating the site has been "parked courtesy of Bluehost.com" or that there is no Web site configured for the address. The site english.mowjcamp.com is currently inaccessible, though a cached version of the page is available through Google.
Et Tu, Tehran?
The attacks are likely the work of Iranian "hacktivists," Sophos' Jones said.
"It's virtually certain that this attack was politically motivated rather than a typical cybercrime, as there is no apparent financial incentive," added Randy Abrams, director of technical education at ESET.
Twitter and other online social networking technologies were prominently used by protesters during the widespread violence following the disputed reelection of Iranian President Mahmoud Ahmadinejad earlier this year, events which gave rise to the Green Movement. Could this be a case of the Iranian government taking revenge against the microblogging site? Not likely, Abrams told TechNewsWorld.
"There's no clear value to the Iranian government to dedicating resources to hacking the Twitter site at this point in time," he explained. "If they knew how to hack it, then it would make far more sense for them to attack when it may be more strategically advantageous to them. They may well appreciate the attack, though."
Learning About Security
The year began with a bang for Twitter security, when President Obama's account and the accounts of 32 other prominent users were hacked.
This was followed by a major hack in July, when a hacker going by the alias of "Hacker Croll" obtained documents from the accounts of Twitter executives, including Evan Williams, and threatened to post them on the Web.
This latest attack against Twitter points to lessons companies with their own Web sites should learn. "Monitor your DNS records and servers for unauthorized changes," Sophos' Jones said.
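One way to act on that advice is a baseline-and-diff check: record the approved NS, A and MX answers for a domain, resolve them periodically and alert on any deviation. The script below is an added example, not code from the article or from Sophos; it assumes a resolver callable so it can run offline, and the domain, names and addresses are constructed sample data.

```python
from typing import Callable, Dict, List, Set, Tuple

# A resolver is any callable (name, rrtype) -> answer strings; wrap a real
# lookup (e.g. dnspython) in production. An in-memory table is used here.
Resolver = Callable[[str, str], List[str]]

# Record types to watch after a registrar-level hijack: NS (who is
# authoritative), A (where the site resolves) and MX (mail routing).
WATCHED = ("NS", "A", "MX")

def _normalize(answers: List[str]) -> Set[str]:
    """DNS names are case-insensitive and may carry a trailing dot;
    normalize so cosmetic differences between resolvers do not alert."""
    return {a.strip().lower().rstrip(".") for a in answers}

def snapshot(name: str, resolve: Resolver) -> Dict[str, Set[str]]:
    """Resolve every watched record type for `name` into answer sets."""
    return {rr: _normalize(resolve(name, rr)) for rr in WATCHED}

def diff_records(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]]
                 ) -> List[Tuple[str, List[str], List[str]]]:
    """Return (rrtype, added, removed) for each type whose answer set
    differs from the approved baseline; an empty list means no change."""
    findings = []
    for rr in WATCHED:
        base, cur = set(baseline.get(rr, ())), set(current.get(rr, ()))
        if base != cur:
            findings.append((rr, sorted(cur - base), sorted(base - cur)))
    return findings

def check_domain(name: str, approved: Dict[str, List[str]],
                 resolve: Resolver) -> List[Tuple[str, List[str], List[str]]]:
    """Compare a live snapshot of `name` against the approved records."""
    baseline = {rr: _normalize(v) for rr, v in approved.items()}
    return diff_records(baseline, snapshot(name, resolve))

def make_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Build an offline resolver from a constructed answer table."""
    return lambda name, rr: list(table.get(rr, []))

# Constructed sample data (reserved RFC 2606 / RFC 5737 names and addresses):
# the approved baseline, and what resolvers return after a registrar hijack.
BASELINE = {"NS": ["ns1.example.com.", "ns2.example.com."],
            "A": ["192.0.2.10"], "MX": ["10 mail.example.com."]}
HIJACKED = {"NS": ["NS1.EXAMPLE.NET"], "A": ["198.51.100.7"],
            "MX": ["10 MAIL.EXAMPLE.COM."]}  # only case/dot differ: no alert

for rr, added, removed in check_domain("example.com", BASELINE,
                                       make_resolver(HIJACKED)):
    print(f"ALERT {rr}: now {added}, expected {removed}")
```

In the constructed hijack the NS and A answers change while MX differs only in case and trailing dot, so the check raises two alerts and stays quiet on the cosmetic difference.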
This latest attack once again points to the dilemma Twitter faces: If it clamps down on security, it becomes less open and less able to fulfill its goal of linking everyone everywhere in real time.
"If Twitter had a better understanding of security, its service would probably be significantly less flexible," ESET's Abrams said.
Still, the people behind the microblogging service do seem to be learning how to walk that tightrope between security and openness, Abrams pointed out. "The lessons are coming at quite a cost, though," he added.