Computerworld – One way that owners of major websites can mitigate the risk of their domains being hijacked like The New York Times’ site
was on Tuesday is to apply what is known as a registry lock on the domain, security researchers say.
A registry lock is basically a mechanism under which any requests for changes to a domain name server have to be manually
verified and authenticated by a top-level domain owner like Verisign and NeuStar, which operate the dotcom and dotbiz domains
respectively.
A registry lock provides an additional layer of protection against DNS tampering and is particularly useful in situations
where a domain name registrar might be compromised, the security researchers said.
On Tuesday, The Times blamed a prolonged website outage on a hacking attack at the company’s Australia-based domain name registrar, Melbourne IT.
The Times said hackers belonging to the Syrian Electronic Army (SEA) gained access to the company’s DNS records by compromising
its domain name registrar. The attackers then used that access to change the paper’s DNS record so it was pointing to systems
in Syria and Moscow.
Melbourne IT, in turn, blamed the outage on one of its resellers, whose account was apparently compromised and used to change several domain names, including
that of The Times, Twitter and others.
H.D. Moore, chief research officer at security vendor Rapid7, said registry locks make it much more difficult to make such
DNS changes.
Typically, changes to name servers are handled directly by domain registrars such as Melbourne IT and not by the top-level
domain owners. A registry lock prevents the registrar from making any changes on its own and instead allows changes to be
made only with the approval of the top-level owner.
“Instead of updating a record through your registrar’s website, you have to contact the [Top Level Domain] owner instead and
go through a secondary form of authentication,” Moore said. “It makes sense for big brands, but does impose a maintenance
penalty on organizations who change DNS providers frequently.”p>
At the time of the attack, many of the major websites hosted by Melbourne IT did not have a registry lock in place, Moore
said. Among the companies using Melbourne IT are Yahoo, Google, Microsoft, Ikea, AOL and dozens of other major site owners.
While there is no evidence that the attackers made changes to any of these domains, they were potentially vulnerable, Moore
said. “In other words, things could have been much worse.”
Since the attacks on The Times, several of the websites using Melbourne IT as a registrar have applied registry locks, Moore
said. Among the websites that appear to have put a lock in place are the Huffington Post, Mapquest, Starbucks and Twitter’s
TweetDeck. However, many other major websites using Melbourne IT have not done so yet, and remain vulnerable.
Matthew Prince, co-founder of CloudFlare, saiddomain registrars generally do not make it easy for website owners to request
registry locks, however. “[Locks] make processes like automatic renewals more difficult,” Prince said in a blog post. “However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place.”
