Companies rush to lock Web domains after 'NYT' hack

Byron Acohido | USA TODAY

Scores of major companies dodged a huge bullet. They could have suffered the same fate as the New York Times, Twitter and Huffington Post, whose website domains were disrupted by the Syrian Electronic Army this week.

Many of those companies took steps within 16 hours of news breaking about the SEA's latest caper to lock down their website domains, which get routed through website registrar Melbourne IT, says HD Moore, chief research officer at vulnerability management firm Rapid7.

The list of companies scrambling to lock down their domains includes Adobe Systems, Barnes & Noble, Cosmopolitan, Cisco Systems, Engadget, Hyatt, IBM, Ikea, Lufthansa, McAfee, Neiman Marcus, Starbucks, Toshiba, TechCrunch, Victoria's Secret and VMware.

The SEA used simple e-mail phishing trickery to steal the user name and password to an account used by one of Melbourne IT's distributors, says Bruce Tonkin, chief technology officer of Melbourne IT.

Using that distributor's account, the hackers were able to access and alter the Domain Name System records for The New York Times, Huffington Post and Twitter, knocking the daily newspaper's website offline for about 20 hours.

Moore told CyberTruth that at the time of the attack numerous other domains hosted by Melbourne IT were not locked and were therefore left vulnerable.

"As details start to emerge about how the Twitter and New York Times domains were modified, the practice of applying a registry lock is being touted as a defense," says Moore. "At the time of the attack, many large-brand domains were hosted with Melbourne IT and were not locked. There is no evidence that the attackers made changes to these domains, but these were potentially vulnerable at the time the attack took place. In other words, things could have been much worse."

As of Wednesday morning, the owners of more than 40 domains had taken steps to install registry locks, Moore says. Here is a list Moore provided to CyberTruth of recently locked domains:

mapquest.com; patch.com; starbucks.com; techcrunch.com; tweetdeck.com; twimg.com; vine.co; a8.net; aa.com; acrobat.com; adobe.com; adultadworld.com; angelfire.com; antena3.com; anz.com; aol.co.uk; aol.com; autoblog.com; bancomer.com.mx; barnesandnoble.com; bbandt.com; bigresource.com; billdesk.com; brainyquote.com; canon.com; cdiscount.com; chron.com; cibc.com; cisco.com; cosmopolitan.com; crunchbase.com; dailyfinance.com; directv.com; discover.com; discovercard.com; discovery.com; earthlink.net; engadget.com; euronews.com; funshion.com; gettyimages.com; givemesport.com; hightail.com; hinet.net; hm.com; howstuffworks.com; hsn.com; huffingtonpost.ca; huffingtonpost.co.uk; huffingtonpost.com; hyatt.com; ibm.com; icq.com; ikea.com; inmotionhosting.com; istockphoto.com; jalan.net; jetstar.com; joystiq.com; lego.com; lufthansa.com; lycos.com; mail.com; mapquest.com; mcafee.com; mediatakeout.com; moneysavingexpert.com; monster.com; monsterindia.com; moviefone.com; neimanmarcus.com; norton.com; patch.com; prnewswire.com; redbubble.com; rikunabi.com; royalmail.com; sfgate.com; siteadvisor.com; sonymobile.com; standardchartered.com; starbucks.com; symantec.com; t.co; techcrunch.com; tom.com; toshiba.com; tradedoubler.com; tripod.com; tweetdeck.com; twimg.com; univision.com; victoriassecret.com; vine.co; vmware.com; watchtower.com; whois.net; xero.com.

"It is not clear how many domains are unlocked total — of the ones I checked, there were still 82 big name sites without a registry lock in place, 16 hours after the attack," Moore says. "Since then, I imagine quite a few more domains will have switched to locked status, but it still is not the industry norm."