Twitter Hacked, Defaced by "Iranian Cyber Army"

R_L



    The popular microblogging site Twitter was briefly shut down after a group apparently calling themselves the Iranian Cyber Army launched an attack on the site.

    The message read:

    Iranian Cyber Army THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
    [email protected]
    U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
    NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
    WE PUSH THEM IN EMBARGO LIST ;)
    Take Care.
    A Google search on the site brought up this:



    The translation from Farsi/Persian reads:
    “In the name of God, As an Iranian this is a reaction to Twitter’s interference sly which was U.S. authorities ordered in the internal affairs of my country…”


    Technology blogs including TechCrunch said Twitter went down around 06:00 GMT for about an hour.

    Biz Stone blogged:
    As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.
    Background Articles:



    How It Happened??? What Happened???

    Rod Rasmussen, president and CTO of cyber-safety firm Internet Identity and a recognized authority on DNS abuse gave his views. His company happened to be monitoring Twitter (among many other sites) last night, and has a complete record of what transpired.

    DNS stands for Domain Name Service, which essentially connects the IP addresses of Web sites (which are numerical) to the names seen in URLs (such as www.twitter.com). It wasn't Twitter's infrastructure that was hacked, it was its DNS -- which ceased pointing those who typed in Twitter addresses (including help.twitter.com, blog.twitter.com, postmaster.twitter.com and many others) to the site they intended to reach, and instead sent them to one of four servers hosting the propaganda page in question.

    "There are a couple reasons (for hackers to use) multiple IP addresses in a case like this," said Rasmussen. "First, you can change IP addresses very quickly to avoid detection, which makes it harder to shut things down. Also, because they knew they'd hit so much traffic from Twitter, it kept them from getting overloaded."

    The ISPs -- all four of which are located in the United States -- "look like they're all large, virtual hosting servers that have lots of Web sites on them," said Rasmussen. "There's some speculation that somebody's site got hacked into, but I'm guessing they used stolen credentials to set up an account that would service Twitter. Either way they were fairly large boxes that support many sites, and so have good bandwidth and strength to be able to handle a big hit."

    Rasmussen points out that no matter how much security a Web site has, DNS vulnerabilities are far easier to exploit. He points to a situation last year in which CheckFree's customers were redirected to a faux site in the Ukraine that spread malware.

    "It is," he said, "a soft underbelly for pretty much everybody on the Web."
    Internet Identity's records of what happened via which ISP are as follows:
    2009-12-17 22:01 (PST) / 2009-12-18 06:01 UTC: www.twitter.com, twitter.com A Records pointed to 74.217.128.160 (presumably all subdomains as well given the other DNS hits)
    2009-12-17 22:14 (PST) / 2009-12-18 06:14:20 UTC: twitter.com A Records pointed to 69.59.28.85
    2009-12-17 22:24 (PST) / 2009-12-17 06:24 UTC: twitter.com A Records pointed to 66.147.242.88
    2009-12-17 23:11 (PST) / 2009-12-18 07:11 UTC: A Records corrected and pointing back to allowed range for resolution (they round robin to several IPs it appears)
    The nameserver entries for twitter.com remained correct throughout the event (thus no evidence of take-over at the registrar).
    How the Iranian group got Twitter's DNS password is another matter.
    "I'm assuming they got hold of a username and password," he said. "Twitter didn't get hacked, so there's no official data breach. . . . In a company like that, there are probably dozens of people who use dozens of passwords. Whether it was social engineered or whether it was malware taken from people's laptops is unclear. It could have been somebody's Gmail account that got compromised for all I know. But the information was still lost."

    Source: MediaBistro.com



    Anatomy of Attack

    The incident last night was perpetrated by a group called the Iranian Cyber Army – and we have been told that this group is working with the Iranian government. The attack occurred at the same time as a number of other diplomatic incidents, including the escalation of diplomatic hostilities between Iran and the US/EU as well as an incursion by Iranian troops into a disputed border area containing an oil field. The defacement was carried out by hijacking the servers hosting the DNS records for the twitter.com domain (this is the server that maps the domain name to an IP address). The attackers modified the DNS records to point to an IP address with a web server hosting the defacement page. The twitter.com domain (registered with NetworkSolutions) was not hijacked, nor were its records altered.

    The DNS records for Twitter are hosted at Dyn, a company that provides DNS hosting for over 100,000 domain names and provides other services for companies. We have been told, but have yet to confirm, that the account password recovery feature was used to reset the password for the Twitter account at Dyn. When we checked the password recovery page, it contains a request to contact Dyn directly – there is no form of any type. We have not been able to confirm if there was an automated process at this page which has since been taken down.

    To reset the password to gain access to the account hosting DNS records, the attacker had access to the email address associated with the account. Twitter hosts all email on Google Apps for Domain, which played a central role in the previous attack on Twitter not because of any vulnerability within the application itself, but because of a lapse in password policies which led to a minor account being compromised, which led to other accounts being compromised.

    The attackers gained access to the Twitter account at Dyn, and changed the DNS records for Twitter.com to point to an IP address that was on the anonymous Tor network. The attackers seemed to have changed all the records at Twitter.com, including sub-domains used for the API, the status page, etc. but because of varying caching levels and the fact that some clients were using a direct IP address not all services were affected immediately.

    For most users the main Twitter web application was displaying the defacement page for just under an hour.

    This type of attack is not very sophisticated, but it is extremely effective. It was not a direct vulnerability with the DNS server but rather with the accounts system and email addresses. While the Twitter application was not compromised, desktop applications and websites that directly send a user's username and password back to Twitter over plain HTTP would have sent this information to the attacker's IP address, from where it could easily have been harvested.

    The solution to similar problems revolves around the management of account passwords, especially with critical services such as DNS hosting. Further, since the status page for Twitter was hosted on the same domain as the main site, it was also inactive during the period of time that the defacement was up on the site and for a short time afterwards while Twitter responded to the attack.

    Source: TechCrunch.com




    Important Part from CNN Report:

    "The group claiming responsibility for the Twitter hacking is previously unknown, but its symbols would be familiar to anyone looking at radical (Web) sites," said Octavia Nasr, CNN's senior editor for Middle East affairs.
    "The hackers are definitely Shiites, as indicated by the 'Ya Hussein' chant printed on their banner," she said.

    "The group also uses Arabic in their text, a clear indication of collaboration with Arabic groups. Hezbollah is a Lebanese Shiite militia with ideological, political and military ties to Iran. The same name is also used by a group inside Iran."

    She added, "This week's (revelation of) successful hacking of U.S. predator drone feeds by Iranian-backed Shiite militants adds another level of sophistication toward the hacking effort."

    Twitter became unwittingly involved in Iranian politics last summer.
    When Iran's disputed presidential election spiraled into bloody protests, the opposition used Twitter and other social networking sites to inform the world.

    Protesters beamed images from the violent demonstrations at a time when mainstream media were given almost no access to the demonstrations.
    Twitter became so fundamental in spreading news of the protests that the U.S. State Department asked the company to delay a planned shutdown for maintenance.

    Source: Cnn.com (Tech News)



    Another Site Hacked by Iranian Cyber Army

    They seemed to have hacked another site just the same way.
    http://www.mowjcamp.com/

    According to reports, this is an opposition site which opposes the Iranian President.

    They have set up a temporary site at http://www.mowjcamp.ws/ and have apparently announced that they cannot continue their work because of the hack attack.


    ------------------

    If Twitter which is one of the most visited websites in the world can get its DNS rerouted so badly... What more is there to say.. :shocked:
     
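Added example (not from the articles quoted above nor from Internet Identity): a small Python monitor that implements the kind of A-record check those records describe, flagging any answer outside an approved range while tolerating round-robin rotation inside it. The approved range 203.0.113.0/24 is a placeholder and the observation list is constructed, following the times and rogue addresses in the quoted timeline.

```python
import ipaddress
from datetime import datetime

# Hypothetical approved range for the monitored domain. 203.0.113.0/24 is a
# documentation prefix used here as a placeholder, not Twitter's real addresses.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed observations: (UTC time, record name, A records returned).
# Rogue addresses and times follow the timeline quoted in the thread; the
# in-range addresses are placeholders.
OBSERVATIONS = [
    ("2009-12-18 05:45", "twitter.com", ["203.0.113.10", "203.0.113.11"]),
    ("2009-12-18 06:01", "twitter.com", ["74.217.128.160"]),
    ("2009-12-18 06:01", "help.twitter.com", ["74.217.128.160"]),
    ("2009-12-18 06:14", "twitter.com", ["69.59.28.85"]),
    ("2009-12-18 06:24", "twitter.com", ["66.147.242.88"]),
    ("2009-12-18 07:11", "twitter.com", ["203.0.113.12", "203.0.113.10"]),
]


def is_allowed(address, networks=ALLOWED_NETWORKS):
    """True when the address lies inside one of the approved networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def find_hijack_windows(observations, networks=ALLOWED_NETWORKS):
    """Return (start, end, rogue) windows in which any A record pointed
    outside the approved range. Round-robin rotation among approved
    addresses is not flagged; only off-range answers open a window.
    end is None when the last observation is still off-range."""
    windows, start, rogue = [], None, set()
    for ts, name, answers in sorted(observations):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        bad = {f"{name} -> {a}" for a in answers if not is_allowed(a, networks)}
        if bad:
            start = start or when
            rogue |= bad
        elif start is not None:
            windows.append((start, when, sorted(rogue)))
            start, rogue = None, set()
    if start is not None:
        windows.append((start, None, sorted(rogue)))
    return windows


def minutes_hijacked(window):
    """Length of a closed window in minutes (None while still open)."""
    start, end, _ = window
    return None if end is None else int((end - start).total_seconds() // 60)


if __name__ == "__main__":
    for w in find_hijack_windows(OBSERVATIONS):
        print(f"ALERT {w[0]} to {w[1]} ({minutes_hijacked(w)} min): {w[2]}")
```

Against the constructed data this reports a single window from 06:01 to 07:11 UTC (70 minutes), matching the roughly one-hour outage the thread describes; a real deployment would feed the function from periodic resolver queries against several public resolvers.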

    blacknwhite

    yeah it was hacked yesterday... now working... but imagine this being done to Twitter.... :shocked:

    :no::no::no::no::no::no:
    Twitter is very popular for getting hacked, security breaches etc. among social networking sites. Google and look at the past events, you'll find many. ;)

    At one time some guy even posted the administrator's password on the net.
     

    R_L


    yeah that was in July... after that they had major issues where many of the leading companies drew back... it's no secret... almost all US and international companies are using Twitter as a source of their promotions and stuff... as far as I know in SL Dialog is using Twitter updates frequently as well.. so in such a background, even while Twitter was focusing so much on security for their DNS to be rerouted and site to be defaced this bad is just nonddiiiiii.. haha... :lol:
     

    blacknwhite


    :P:yes:
    yeah, some security features are like for n00bs. I dunno why they are not implementing a good security system after all these incidents. But in the sense of the contents, they have done a good job of removing bots. Especially the Britney Bot ;).
     

    R_L


    removing bots is no use, is it... they are having glaring security issues... cha scene... for a DNS to be rerouted like this... and for the attack to last for one whole hour with such a big site.. rofl...