The popular microblogging site Twitter was briefly shut down after a group apparently calling themselves the Iranian Cyber Army launched an attack on the site.
The message read:
A Google search on the site brought up this:
Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
[email protected]
U.S.A. Think They Controlling And Managing Internet By Their Access, But They Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST
Take Care.
The translation from Farsi/Persian reads:
“In the name of God, As an Iranian this is a reaction to Twitter’s interference sly which was U.S. authorities ordered in the internal affairs of my country…”
Technology blogs including TechCrunch said Twitter went down around 06:00 GMT for about an hour.
Biz Stone blogged:
As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.
Background Articles:
How It Happened? What Happened?
Rod Rasmussen, president and CTO of cyber-safety firm Internet Identity and a recognized authority on DNS abuse gave his views. His company happened to be monitoring Twitter (among many other sites) last night, and has a complete record of what transpired.
DNS stands for Domain Name Service, which essentially connects the IP addresses of Web sites (which are numerical) to the names seen in URLs (such as www.twitter.com). It wasn't Twitter's infrastructure that was hacked, it was its DNS -- which ceased pointing those who typed in Twitter addresses (including help.twitter.com, blog.twitter.com, postmaster.twitter.com and many others) to the site they intended to reach, and instead sent them to one of four servers hosting the propaganda page in question.
"There are a couple reasons (for hackers to use) multiple IP addresses in a case like this," said Rasmussen. "First, you can change IP addresses very quickly to avoid detection, which makes it harder to shut things down. Also, because they knew they'd hit so much traffic from Twitter, it kept them from getting overloaded."
The ISPs -- all four of which are located in the United States -- "look like they're all large, virtual hosting servers that have lots of Web sites on them," said Rasmussen. "There's some speculation that somebody's site got hacked into, but I'm guessing they used stolen credentials to set up an account that would service Twitter. Either way they were fairly large boxes that support many sites, and so have good bandwidth and strength to be able to handle a big hit."
Rasmussen points out that no matter how much security a Web site has, DNS vulnerabilities are far easier to exploit. He points to a situation last year in which CheckFree's customers were redirected to a faux site in the Ukraine that spread malware.
"It is," he said, "a soft underbelly for pretty much everybody on the Web."
Internet Identity's records of what happened via which ISP are as follows:
2009-12-17 22:01 PST (2009-12-18 06:01 UTC): www.twitter.com and twitter.com A records pointed to 74.217.128.160 (presumably all subdomains as well, given the other DNS hits)
2009-12-17 22:14 PST (2009-12-18 06:14:20 UTC): twitter.com A records pointed to 69.59.28.85
2009-12-17 22:24 PST (2009-12-18 06:24 UTC): twitter.com A records pointed to 66.147.242.88
2009-12-17 23:11 PST (2009-12-18 07:11 UTC): A records corrected and pointing back to the allowed range for resolution (they appear to round-robin across several IPs)
The nameserver entries for twitter.com remained correct throughout the event (thus no evidence of a take-over at the registrar).
How the Iranian group got Twitter's DNS password is another matter.
"I'm assuming they got hold of a username and password," he said. "Twitter didn't get hacked, so there's no official data breach. . . . In a company like that, there are probably dozens of people who use dozens of passwords. Whether it was social engineered or whether it was malware taken from people's laptops is unclear. It could have been somebody's Gmail account that got compromised for all I know. But the information was still lost."
Source: MediaBistro.com
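The record timeline above is exactly the kind of data a DNS monitor can turn into an alert: A records drifting outside the range you own, while the NS delegation stays put, is the signature of a hosting-account compromise rather than a registrar take-over. The following Python script is an added example written for this post; it is not code from Internet Identity, Twitter or any of the quoted articles. It replays the three rogue addresses and UTC timestamps from the timeline against an allow-list and reports the hijack window. The legitimate address block (198.51.100.0/24, a TEST-NET-2 range), the round-robin front-end addresses, the nameserver names and the 05:50 pre-incident baseline are constructed placeholders, since the post only says the records went "back to the allowed range" and that the nameservers stayed correct.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Iterable


@dataclass(frozen=True)
class Observation:
    """One resolver snapshot of a zone: when it was taken (UTC) and the record sets seen."""
    when: datetime
    a_records: frozenset[str]
    ns_records: frozenset[str]


@dataclass
class Incident:
    kind: str                 # "A": hosting-account style hijack; "NS": registrar-level take-over
    start: datetime           # first observation that served rogue records
    end: datetime | None      # observation at which records were clean again; None if still rogue
    rogue: set[str] = field(default_factory=set)


def normalise_ns(names: Iterable[str]) -> set[str]:
    # Trailing dots and letter case are insignificant in DNS names.
    return {n.lower().rstrip(".") for n in names}


def detect_hijacks(observations: Iterable[Observation],
                   allowed_networks: Iterable[str],
                   expected_ns: Iterable[str]) -> list[Incident]:
    """Replay observations in time order and return one Incident per contiguous
    run of rogue A or NS records. An A incident with no NS incident is the
    pattern seen in the Twitter case: the zone was edited at the DNS host,
    but the delegation at the registrar was untouched."""
    allowed = [ip_network(n) for n in allowed_networks]
    expected = normalise_ns(expected_ns)
    open_incidents: dict[str, Incident] = {}
    closed: list[Incident] = []

    for obs in sorted(observations, key=lambda o: o.when):
        rogue_a = {ip for ip in obs.a_records
                   if not any(ip_address(ip) in net for net in allowed)}
        rogue_ns = normalise_ns(obs.ns_records) - expected
        for kind, rogue in (("A", rogue_a), ("NS", rogue_ns)):
            current = open_incidents.get(kind)
            if rogue and current is None:
                open_incidents[kind] = Incident(kind, obs.when, None, set(rogue))
            elif rogue:
                current.rogue |= rogue          # attacker rotated to another box
            elif current is not None:
                current.end = obs.when          # records back to the allowed set
                closed.append(open_incidents.pop(kind))
    # Incidents still open at the last observation have end=None.
    return sorted(closed + list(open_incidents.values()), key=lambda i: i.start)


def at_utc(hour: int, minute: int, second: int = 0) -> datetime:
    """Timestamp on the night of the incident, 2009-12-18 UTC."""
    return datetime(2009, 12, 18, hour, minute, second, tzinfo=timezone.utc)


# Constructed placeholders (not from the post): a TEST-NET-2 block stands in for
# Twitter's real address range and example names for its real nameservers.
LEGIT_A = frozenset({"198.51.100.10", "198.51.100.11"})      # round-robin front ends
LEGIT_NS = frozenset({"ns1.dns-host.example.", "ns2.dns-host.example."})
ALLOWED_NETWORKS = ["198.51.100.0/24"]

# The three rogue addresses and the UTC times are the ones in the timeline
# quoted above; the 05:50 baseline before the hijack is constructed.
TWITTER_TIMELINE = [
    Observation(at_utc(5, 50), LEGIT_A, LEGIT_NS),
    Observation(at_utc(6, 1), frozenset({"74.217.128.160"}), LEGIT_NS),
    Observation(at_utc(6, 14, 20), frozenset({"69.59.28.85"}), LEGIT_NS),
    Observation(at_utc(6, 24), frozenset({"66.147.242.88"}), LEGIT_NS),
    Observation(at_utc(7, 11), LEGIT_A, LEGIT_NS),
]


def replay_twitter_timeline() -> list[Incident]:
    return detect_hijacks(TWITTER_TIMELINE, ALLOWED_NETWORKS, LEGIT_NS)


if __name__ == "__main__":
    for inc in replay_twitter_timeline():
        end = inc.end.isoformat() if inc.end else "ongoing"
        print(f"{inc.kind} records rogue from {inc.start.isoformat()} to {end}: "
              f"{sorted(inc.rogue)}")
```

Run as a script it prints a single A-record incident from 06:01 to 07:11 UTC covering all three rogue addresses and no NS incident, which matches the "no take-over at the registrar" conclusion. In production the observations would come from querying several independent resolvers on a short interval, because caching means different vantage points see the hijack at different times.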
Anatomy of Attack
The incident last night was perpetrated by a group called the Iranian Cyber Army – and we have been told that this group is working with the Iranian government. The attack occurred at the same time as a number of other diplomatic incidents, including the escalation of diplomatic hostilities between Iran and the US/EU as well as an incursion by Iranian troops into a disputed border area containing an oil field. The defacement was carried out by hijacking the servers hosting the DNS records for the twitter.com domain (this is the server that maps the domain name to an IP address). The attackers modified the DNS records to point to an IP address with a web server hosting the defacement page. The twitter.com domain (registered with NetworkSolutions) was not hijacked, nor were its records altered.
The DNS records for Twitter are hosted at Dyn, a company that provides DNS hosting for over 100,000 domain names and provides other services for companies. We have been told, but have yet to confirm, that the account password recovery feature was used to reset the password for the Twitter account at Dyn. When we checked the password recovery page, it contained a request to contact Dyn directly – there is no form of any type. We have not been able to confirm if there was an automated process at this page which has since been taken down.
To reset the password to gain access to the account hosting DNS records, the attacker had access to the email address associated with the account. Twitter hosts all email on Google Apps for Domain, which played a central role in the previous attack on Twitter not because of any vulnerability within the application itself, but because of a lapse in password policies which led to a minor account being compromised, which led to other accounts being compromised.
The attackers gained access to the Twitter account at Dyn, and changed the DNS records for Twitter.com to point to an IP address that was on the anonymous Tor network. The attackers seemed to have changed all the records at Twitter.com, including sub-domains used for the API, the status page, etc. but because of varying caching levels and the fact that some clients were using a direct IP address not all services were affected immediately.
For most users the main Twitter web application was displaying the defacement page for just under an hour.
This type of attack is not very sophisticated, but it is extremely effective. It was not a direct vulnerability with the DNS server but rather with the accounts system and email addresses. While the Twitter application was not compromised, desktop applications and websites that directly send a user's username and password back to Twitter over plain HTTP would have sent this information to the attacker's IP address, from where it could easily have been harvested.
The solution to similar problems revolves around the management of account passwords, especially with critical services such as DNS hosting. Further, since the status page for Twitter was hosted on the same domain as the main site, it was also inactive during the period of time that the defacement was up on the site and for a short time afterwards while Twitter responded to the attack.
Source: TechCrunch.com
Important Part from CNN Report:
"The group claiming responsibility for the Twitter hacking is previously unknown, but its symbols would be familiar to anyone looking at radical (Web) sites," said Octavia Nasr, CNN's senior editor for Middle East affairs.
"The hackers are definitely Shiites, as indicated by the 'Ya Hussein' chant printed on their banner," she said.
"The group also uses Arabic in their text, a clear indication of collaboration with Arabic groups. Hezbollah is a Lebanese Shiite militia with ideological, political and military ties to Iran. The same name is also used by a group inside Iran."
She added, "This week's (revelation of) successful hacking of U.S. Predator drone feeds by Iranian-backed Shiite militants adds another level of sophistication toward the hacking effort."
Twitter became unwittingly involved in Iranian politics last summer.
When Iran's disputed presidential election spiraled into bloody protests, the opposition used Twitter and other social networking sites to inform the world.
Protesters beamed images from the violent demonstrations at a time when mainstream media were given almost no access to the demonstrations.
Twitter became so fundamental in spreading news of the protests that the U.S. State Department asked the company to delay a planned shutdown for maintenance.
Source: Cnn.com (Tech News)
Another Site Hacked by Iranian Cyber Army
They seem to have hacked another site in just the same way.
http://www.mowjcamp.com/
According to reports, this is an opposition site that opposes the Iranian President.
They have set up a temporary site at http://www.mowjcamp.ws/ and have apparently announced that they cannot continue their work because of the attack.
------------------
If Twitter, which is one of the most visited websites in the world, can get its DNS rerouted this badly... what more is there to say?