Twitter Hacked - could it happen to you?
Fri, 12/18/2009 - 7:47am • Tom C.
On 12/17/2008 around 7:00 PM EST (according to some reports), Twitter.com was hacked by a group claiming to be the Iranian Cyber Army. The actual attack was a DNS hijacking (or DNS poisoning) that resulted in Twitter users being directed to a page of the attackers' choosing.
This old-school defacement was conducted by 'hijacking' the site's DNS. How they accomplished this is still unknown; the fact is they did. What exactly is DNS poisoning or hijacking?
Quite simply, when your desktop or any other Internet-enabled device wants to talk to another computer or device, you would typically put in the domain name, domain.com for instance. If you had 'recently' visited this site, then the cache (arp cache) on your machine or server would likely have its IP address. If not, it will ask its DNS or Domain Name Server for help. The DNS server will follow the trail to find the target, domain.com's DNS server. Theoretically it will return to you the IP address of domain.com.
In Twitter's case, the iRANiAN.CYBER.ARMY@... penetrated Twitter and replaced their DNS servers with ones of their own choosing. This is done many times in phishing scams to redirect you to a 'fake' but very real-looking page. The unsuspecting person browsing would carry on their work (say, banking), all the while giving the bad guys their real details. A super clever hacker would quietly record this, then log you into the bank, and you would never know. They have your passwords, you are happy. A bad situation all the way around.
What is interesting is that it appears the only redirect was to their stupid page, complete with their email address (attention Google, are you looking?). They could have directed the twittersphere to a malware site (this may have been one), or put up a fake Twitter login page to scam usernames and passwords or more.
I would immediately change my Twitter Password(s) if I were you...
That brings me to this: have you tested the integrity of the DNS on your servers? Cricket Liu, a recognized authority on DNS, has a set of tools and services available to help you check your site, so you can give your DNS infrastructure a good look. And if you think that you aren't vulnerable, remember that Twitter was. Maybe you should look again.
You can reach Cricket Liu's site here: http://www.infoblox.com.
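One way to run the kind of integrity check suggested above, as an added example that is not from the original post: pin the NS and A records you expect for your domain and compare them with a fresh answer, so a swapped name server or address shows up as drift. The zone name, addresses and both sample answers are constructed, and the input is assumed to be in the format printed by `dig +noall +answer`.

```python
# Pinned baseline for a hypothetical zone (constructed; record yours from a trusted source).
BASELINE = {
    ("example.com.", "NS"): {"ns1.example.com.", "ns2.example.com."},
    ("example.com.", "A"): {"192.0.2.10"},
}

# Constructed samples in the answer format printed by `dig +noall +answer`.
CLEAN = """\
example.com.  172800 IN NS ns1.example.com.
example.com.  172800 IN NS NS2.EXAMPLE.COM.
example.com.  300    IN A  192.0.2.10
"""
HIJACKED = """\
example.com.  60 IN NS ns1.unknown-host.test.
example.com.  60 IN NS ns2.unknown-host.test.
example.com.  60 IN A  203.0.113.66
"""


def parse_answers(text):
    """Group answer lines into {(owner, type): set(rdata)}."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop dig comment text
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[2].upper() != "IN":
            continue                            # blank or not a record line
        owner, _ttl, _cls, rtype, rdata = fields
        # DNS names are case-insensitive; normalise before comparing.
        key = (owner.lower(), rtype.upper())
        records.setdefault(key, set()).add(rdata.strip().lower())
    return records


def find_drift(baseline, observed):
    """Return sorted findings for every pinned record set that changed."""
    findings = []
    for key, expected in baseline.items():
        seen = observed.get(key, set())
        for value in sorted(seen - expected):
            findings.append((key[0], key[1], "unexpected", value))
        for value in sorted(expected - seen):
            findings.append((key[0], key[1], "missing", value))
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name, find_drift(BASELINE, parse_answers(sample)))
```

Run it against answers collected from more than one resolver and from the parent zone's name servers, since a hijack at the registrar changes the delegation itself.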
Tom is a security expert, and he has authored the book Joomla Web Security (Packt) as well as Dodging the Bullets - A Disaster Preparation Guide for Joomla! Based Websites (http://tinyurl.com/jsecbook). He offers his services to websites that have been attacked and compromised at http://www.JoomlaRescue.com. Tom has begun work on his next book due out in 2010. He maintains a pure security news blog at http://securitynewsblog.wordpress.com



