
Twitter, NYT Whois and DNS altered, Syrian Electronic Army takes responsibility - jpadilla_
http://thenextweb.com/twitter/2013/08/27/twitters-whois-records-altered-syrian-electronic-army-takes-responsibility/
======
dobbsbob
US is about to bomb Syrian military assets so this is Iran's response. The SEA
is clearly Iranian. Email them something in Farsi or PM one of their
propaganda accounts on youtube they usually answer.

last time I checked ns1.syrianelectronicarmy.com was hosted out of Russia and
includes "qatar-leaks.com" which seems to have disappeared

~~~
15charusername
Why Iran? Surely Russia is a bigger suspect, but right now, my biggest suspect
would be the NSA/CIA, the timing of the Syrian escalation is just too perfect.

~~~
pseudometa
Dusting off my tin foil hat, I would go with Israel in collusion with the
NSA/CIA. They have the most to gain by turning the media against Syria and the
technical capabilities as proven with their involvement in stuxnet.
[http://en.wikipedia.org/wiki/Stuxnet](http://en.wikipedia.org/wiki/Stuxnet)

~~~
wavesounds
You think that Israel wants a war with Syria? Syria could easily turn those
chemical weapons across its border. I think Israel is probably one of the big
factors causing US restraint right now.

But my tin-foil hat hasn't been working very well lately so the government
radio signals may be blocking me from seeing something.

~~~
shard972
> I think Israel is probably one of the big factors causing US restraint right
> now.

Doesn't sound like restraint coming out of Israel..

[https://www.youtube.com/watch?v=lIxIzIF-Xig](https://www.youtube.com/watch?v=lIxIzIF-Xig)

------
cpursley
"We are protecting you from the hacker-terrorists"

Is this not obvious to everyone else as it is to me? People, think about what
is happening here and the timing of it all.

This is a false flag operation to turn the public opinion against "hackers" so
these crazy internet regulations bills can start passing and so that they can
get away with the spying scandal.

If these "hackers" taking down social media sites and NYT times were actually
the Syrian government, they'd be going after US government targets in an
effort to undermine the bombing that's about to begin.

Their regime is about to get bombed. Taking down twitter is low on their
priority list. But it's quite good timing for a propaganda campaign against
"hackers" and now allows the US government to label hackers as terrorists.
Scary stuff.

~~~
anigbrowl
_Is this not obvious to everyone else as it is to me?_

Another possibility is that your opinion is wrong.

 _If these "hackers" taking down social media sites and NYT times were
actually the Syrian government_

The thing is, nobody thinks the SEA is part of the Syrian government, any more
than the Irish Republican Army was part of the Irish government. It's just a
name the group have adopted to show their affiliation and make themselves feel
badass.

~~~
ryalfalpha
I don't get your comment?... prominent members from various versions of the
IRA _are_ and _have been_ members of Irish governments, see Gerry Adams/Martin
McGuinness (Or even Michael Collins if you're talking way back).

~~~
mackal
Just because an organization has members/affiliates in a government does not
make that organization part of the government.

It's like saying whatever the president's frat was is part of the government.

~~~
ryalfalpha
Whenever said members/affiliates are former leaders we're really just
splitting hairs. I get your point though, I mistook what he had said as there
is no link _at all_ between them. Instead he is saying 'The Irish government
never commanded the IRA' which I'd largely agree with.

------
bluetidepro
As someone in the comments of the article asked (no response yet), I'm
curious myself...

> " _twimg.com is a domain used by Twitter which is a widget company that is
> part of a network of sites, cookies, and other technologies used to track
> you, what you do and what you click on, as you go from site to site, surfing
> the Web. Does that not mean that SEA will be intercepting this data?_ "

~~~
emil10001
Couldn't they do this with any of the sites that they modify? That's what I am
sort of wondering about, sure you could redirect the homepage to something
dumb, and make it really obvious that the site has been attacked. But, it
seems like they could have similarly done a man-in-the-middle and sucked up
tons of data silently, without throwing up any big red flags.

------
jval
Ok, firstly whois Microsoft.com just returns all URLs with Microsoft.com in
them, even as a subdomain, so they haven't been hacked and that result has
been there for ages. Same goes for Verisign etc.

TechCrunch is reporting that registrar MelbourneIT has been hacked.. This
wouldn't surprise me but I'm puzzled as to why either site would register with
such a bad registrar.

~~~
joshfraser
What do you mean? MelbourneIT are huge and generally have a pretty decent
reputation.

~~~
jbarham
> MelbourneIT are huge and generally have a pretty decent reputation.

Clearly you have never used their ticketing system.

~~~
jussij
I can vouch for that. From my experience this is how their tech support
works.

You raise an issue and they give you a ticket to track the issue.

They then send you an e-mail asking for more details.

You reply with the details and then they send you another e-mail saying the
issue has been escalated.

A little while later you get another e-mail asking for the exact same details
as the first e-mail, so you send them the same details.

You then get another e-mail saying this issue has been escalated.

Guess what happens next.

You guessed it, they send yet another e-mail asking for the exact same details
you have now provided on two occasions.

They bounce you around in an infinite loop with a continual stream of spam
e-mails until you finally get fed up and close the ticket.

------
grumps
How hard is this to do...

I ask because I find it harder to believe that they are responsible for this.
Just like I don't trust the YouTube videos either. I would find it more likely
that three letter agencies are involved as PR.

~~~
pseudometa
I don't buy it either. Seems fishy.

~~~
mpyne
Fishy enough that the SEA's own Twitter account is gloating about it?

~~~
jacquesm
Fortunately it's really hard to make a Twitter account, what with all the
passport checks and ID verification that goes on there. Only real, verified
SEA members would be able to create such an account. And only when directly
logging in from a verified Syrian government IP.

~~~
mpyne
Go check the account [1] for yourself, if it's fake it's a long-planted fake
strung along with other tweets dating back to August 15th and earlier and
describing other known SEA hacks.

If it's not legit it would have to be because they let their own Twitter
account get hacked at the same time Twitter was being hacked... which seems
very noncompliant with Occam.

[1] [https://twitter.com/Official_SEA16](https://twitter.com/Official_SEA16)

~~~
bandushrew
A month old? Dude, I'm not standing on either side of this particular fence, it
seems perfectly sensible to me to think that either side might be doing it.

Having said that, what on earth is it about that account that makes you think
it has any kind of authority?

To be frank, I just couldn't care less who it was. This action is utterly
irrelevant to anything that is happening in the real world.

------
nfoz
Don't trust anything you read here, folks...... too many that don't know
anything about WHOIS or DNS.....

~~~
Helianthus
Now the truly paranoid are caught in the paradox of trusting you!

------
Shank
While they may have fixed twimg.com on the DNS level, changes are still taking
forever to propagate back out. Right now I'm still getting no data from it.

To add to the matter, SEA is certainly aware of this:

"So, do we host [http://twimg.com](http://twimg.com) with Javascript code so
all Twitter users will be redirect to our website? #SEA"

[https://twitter.com/Official_SEA16/status/372496956020379648](https://twitter.com/Official_SEA16/status/372496956020379648)

------
fotcorn
The twitter frontpage is completely broken for me. Static assets like css and
javascript are served by twimg.com, which are now missing. If SEA has access
to a server which can take the load of twimg.com, they can inject their
Javascript and possible exploits to ALL twitter users...

~~~
bpicolo
Seems fine now

------
signed0
Woah! Has Verisign been hacked?

    $ whois twitter.com

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered with many
    different competing registrars. Go to
    http://www.internic.net for detailed information.

    TWITTER.COM.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM

    TWITTER.COM

And then:

    $ whois verisign.com

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered with many
    different competing registrars. Go to
    http://www.internic.net for detailed information.

    VERISIGN.COM.MIGHT.SUCK.FYRAE.COM

    VERISIGN.COM

I get really crazy responses like this for almost every major site I try
(cnn.com, yahoo.com, google.com).

~~~
arn
no.

VERISIGN.COM.MIGHT.SUCK.FYRAE.COM is a subdomain of FYRAE.com

See this:
[https://news.ycombinator.com/item?id=6204867](https://news.ycombinator.com/item?id=6204867)

------
pain_perdu
DNS Records have been hijacked and point to Syrian Electronic Army

[http://i.imgur.com/RwH0mpI.png](http://i.imgur.com/RwH0mpI.png)

------
mpchlets
So not sure what to say, but this is the email I received from DynEct the
other day: subject: Webinar Wednesday: Are You Prepared For DNS Disaster?
sender: Dyn hello@dyn.com via dynect-mailer.net

and some info from my old whois:

    $ whois twitter.com

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered with many
    different competing registrars. Go to
    http://www.internic.net for detailed information.

    
    
       Server Name: TWITTER.COM.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
       IP Address: 209.126.190.71
       Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
       Whois Server: whois.PublicDomainRegistry.com
       Referral URL: http://www.PublicDomainRegistry.com
    
       Domain Name: TWITTER.COM
       Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
       Whois Server: whois.melbourneit.com
       Referral URL: http://www.melbourneit.com
       Name Server: NS1.P34.DYNECT.NET
       Name Server: NS2.P34.DYNECT.NET
       Name Server: NS3.P34.DYNECT.NET
       Name Server: NS4.P34.DYNECT.NET

------
InclinedPlane
Last update on status.twitter.com was August 6th.

Get your shit together guys, this is serious business.

Edit: looks like there's an update now:
[http://status.twitter.com/post/59528478030/twitter-service-i...](http://status.twitter.com/post/59528478030/twitter-service-issue)

------
dimitar
Why hasn't the SEA changed the nameservers?

~~~
fotcorn
Nameservers of nytimes.com and twimg.com are changed:

Name Server.......... ns27.boxsecured.com

Name Server.......... ns28.boxsecured.com
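
The WHOIS confusion and the name-server change discussed in the comments above can be checked mechanically. This is an added example (not code from the thread or any commenter): it parses legacy registry WHOIS text, separates look-alike `Server Name` host objects from the exact `Domain Name` record, and flags name servers outside an expected provider zone. The function names and the `dynect.net` allowlist for twimg.com are assumptions for illustration.

```python
import re

# Registry output as quoted in the thread (trimmed to the fields used here).
WHOIS_TWITTER = """
   Server Name: TWITTER.COM.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
   Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM

   Domain Name: TWITTER.COM
   Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
   Name Server: NS1.P34.DYNECT.NET
   Name Server: NS2.P34.DYNECT.NET
"""
# Constructed sample: a record carrying the altered name servers reported above.
WHOIS_TWIMG_ALTERED = """
   Domain Name: TWIMG.COM
   Name Server: NS27.BOXSECURED.COM
   Name Server: NS28.BOXSECURED.COM
"""

def parse_records(text):
    """Split blank-line-separated WHOIS records into {field: [values]} dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                rec.setdefault(key.strip().lower(), []).append(value.strip().lower())
        records.append(rec)
    return records

def domain_record(text, domain):
    """Record whose Domain Name equals `domain` exactly, or None."""
    for rec in parse_records(text):
        if rec.get("domain name") == [domain.lower()]:
            return rec
    return None

def lookalike_hosts(text, domain):
    """'Server Name' host objects that merely begin with `domain`."""
    prefix = domain.lower() + "."
    return [h for rec in parse_records(text)
            for h in rec.get("server name", []) if h.startswith(prefix)]

def unexpected_nameservers(text, domain, allowed_zones):
    """Name servers of `domain` that fall outside the expected provider zones."""
    rec = domain_record(text, domain)
    if rec is None:
        raise LookupError(f"no exact Domain Name record for {domain}")
    return [ns for ns in rec.get("name server", [])
            if not any(ns == z or ns.endswith("." + z) for z in allowed_zones)]

if __name__ == "__main__":
    print(lookalike_hosts(WHOIS_TWITTER, "twitter.com"))
    # Assumed baseline: twimg.com is expected on the dynect.net zone.
    print(unexpected_nameservers(WHOIS_TWIMG_ALTERED, "twimg.com", {"dynect.net"}))
```

Run against a stored baseline on a schedule, the last check turns a registrar-level name-server swap into an alert rather than something users notice first.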

------
unreal37
Whoa. Twitter, NYTimes, HuffPo... all had their DNS records hacked? This seems
huge.

~~~
icpmacdo
How difficult of a thing is this to pull off?

~~~
cheald
If you can compromise a shared registrar, pretty trivial.

~~~
eli
Well, the "attacking multiple sites at once" is trivial. The "compromising a
major registry" is at least supposed to be kinda hard.

------
mpchlets
Seems to me that melbourneit.com was the cause of these problems - that is the
related link between all these different problems - basically poisoning the
DNS of any popular company that uses them.

------
ninjazee124
NYTimes seems to be down and Twitter is loading all wrong because twimg.com
is down. Whoa! This is some serious stuff.

~~~
mhurron
[http://xkcd.com/932/](http://xkcd.com/932/)

Ya, not so much.

------
unhammer
Is this what DNSSEC is supposed to protect you from? (Or could they just
change your dnssec records as well?)

------
jeremycole
twimg.com seems to be hijacked

~~~
ikawe
A status update now that it's fixed.

[http://status.twitter.com/post/59528478030/twitter-service-i...](http://status.twitter.com/post/59528478030/twitter-service-issue).

Kind of dodgy that there was no status update until 1.5 hours after the issue
surfaced.

------
flaktrak
this is about all the Syrian govt can retaliate with. it's not like they can
physically reach and stop the USA from attacking them.

------
N0RMAN
The traceroute for twimg.com ends in Russia, am I right? (141.105.64.37)

~~~
mehmehshoe
Yup. The biggest fallout from this won't be that those big sites were down for
hours, it will be the millions of computers that redirected to that IP.

[http://blog.opendns.com/2013/08/27/high-profile-domains-unde...](http://blog.opendns.com/2013/08/27/high-profile-domains-under-siege/)

------
Questionoor
SEA has a history of doing much more than attempting to offset perceived
propaganda[1]. Within that site is dozens of gigabytes of logs from
Bluecoat[2] proxy hardware that sat in datacenters for Syrian ISPs.

A good amount of what is contained in the logs is things like porn searches,
more porn, porn. But amongst the typical naughty bits things like religious
queries for Christians, Catholics, Jews, Muslims were being recorded.

Telecomix[3] helped to leak the log-set, and as it stands it is _the_ example
of how state entities monitor peoples of 'interest.' Many of these people are
long since dead, killed early on as they were the most public[4].

So while the SEA's most public facing events are hijacks, phishing, and massive
redirects. Please do focus on the end result of pervasive surveillance[5].

[1] [http://bluesmote.com/](http://bluesmote.com/)

[2] [http://www.bluecoat.com/](http://www.bluecoat.com/)

[3]
[http://en.wikipedia.org/wiki/Telecomix](http://en.wikipedia.org/wiki/Telecomix)

[4]
[http://en.wikipedia.org/wiki/Ibrahim_Qashoush](http://en.wikipedia.org/wiki/Ibrahim_Qashoush)

[5] [http://imgur.com/gallery/qz7wm](http://imgur.com/gallery/qz7wm)

~~~
ballard
Makes you wonder who has access to Palantir.

------
fudyy
Sorry to be cynical and bring politics into this, but I hope that U.S.
liberals respond the way they did to Bush to Obama with this strike.

Comedians, the media, etc. accused Bush of an unjust war for someone that used
a chemical attack on his own people because there were no found WMD's even
though there was evidence of a chemical attack.

Now we are going in again to try to save things. Will Obama come out as a
hero? Probably. Should he? Well if he should, Bush needs to get some slack
finally.

Don't get me wrong- I think we should do something. But when I hear we are
going to do another 3 day bombing run, it's just like Iraq all over again,
except this time it's who the Democrats want to bomb. Isn't there an answer
that doesn't involve bombing? What are we, Germany in WWII?

~~~
Niten
That comparison is quite the stretch, though.

The currently debated reaction to Syria's chemical weapons attack is a limited
response intended to punish the Assad regime, to attempt to reduce its ability
to launch more such attacks in the future and to provide it with a
disincentive to do so.

It would not be an attempt to topple the regime or to take over Syria for
American interests.

Further, the use of chemical weapons in the Iran-Iraq war as a pretext for
invading Iraq in 2004 is, as we all know, extremely disingenuous, given that
these attacks happened more than a decade prior – and with the support of the
U.S. at the time:

[http://america.aljazeera.com/articles/2013/8/26/new-document...](http://america.aljazeera.com/articles/2013/8/26/new-documents-proveussupportofiraqichemicalweaponsattacks.html)

[EDIT: I'm not arguing in favor of the U.S. intervening in Syria, though,
least of all without proper congressional authorization.]

