

NYTimes.com down for some users; paper suspects “external attack” - Aaronn
http://gigaom.com/2013/08/27/nytimes-com-is-down-again-at-least-for-some-users/

======
semenko
Perhaps more critically, twimg.com (and now Twitter, it seems) has also been
compromised. Both share the MelbourneIT registrar.

$ whois -h whois.melbourneit.com twitter.com -> now owned by sea@sea.sy
(Syrian Electronic Army)

The name servers for the Times have been switching back-and-forth for a while.
I've chronicled most of it at
[https://twitter.com/semenko](https://twitter.com/semenko)

~~~
grey-area
Ouch.

If twitter is compromised, sites serving twitter js (which is a lot of sites)
are potentially compromised too. I've just checked and at least some widgets
from twitter are down at present (all?), twimg.com is not responding.

DNS and registrars are a bit of a weak point at present in site security, as
once they have that, they can serve users whatever they like. It would be even
more damaging and hard to detect if they just tweaked content slightly for a
few hours by adjusting some words in stories for some countries rather than
hijacking sites.

~~~
semenko
Well, luckily, Twitter's domains & cert are added to the Chrome HSTS pins
list, so Chrome should just serve a scary security error.

Looks like their WHOIS data has reverted to normal. Not sure the NS records
ever changed (though the contact data did).

------
jacquesm
In everything associated with the situation in Syria beware of the possibility
of false-flag operations.

~~~
AsymetricCom
This hack appears to be genuine.

[http://edition.cnn.com/2013/04/24/tech/syrian-electronic-army/index.html](http://edition.cnn.com/2013/04/24/tech/syrian-electronic-army/index.html)

~~~
jacquesm
I'm not claiming the hack isn't genuine.

------
tysone
We are now publishing at a backup site:
[http://news.nytco.com](http://news.nytco.com)

------
kalleboo
Why the heck are both Twitter and the New York Times using a (in this context)
small Australian registrar? (MelbourneIT)

edit: looks like MelbourneIT do DNS for a ton of big names. really really
weird.

~~~
ejdyksen
I'm wondering this, too. Does MelbourneIT have some sort of service or
reputation that makes it attractive to large companies like Twitter or
NYTimes?

------
donohoe
"Syrian Electronic Army claims to have taken control of Twitter.com domain
registration"

[http://www.cnbc.com/id/100988772](http://www.cnbc.com/id/100988772)

Tweet with some info regarding Twitter & NYT:

[https://twitter.com/jaesonschultz/status/372456943312330753](https://twitter.com/jaesonschultz/status/372456943312330753)

------
philip1209
OpenDNS blocked the Syrian domains and updated its DNS resolvers to omit them:

[https://twitter.com/davidu/status/372482424313110529](https://twitter.com/davidu/status/372482424313110529)

Verify at:

[http://www.opendns.com/support/cache/](http://www.opendns.com/support/cache/)

------
mmmooo
nameservers changed at registrar, gTLD reports accordingly.

    nytimes.com. 172800 IN NS ns27.boxsecured.com.
    nytimes.com. 172800 IN NS ns28.boxsecured.com.
    ;; Received 114 bytes from 192.41.162.30#53(192.41.162.30) in 17 ms
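
Added example, not part of the original thread or any commenter's code: a minimal Python check that parses NS answer lines like the ones quoted above and compares the delegation against a pinned baseline. The baseline name servers are constructed placeholders, since the thread does not list the legitimate ones.

```python
# Pinned baseline. These names are constructed placeholders; the page does not
# list the legitimate nytimes.com name servers.
BASELINE = {
    "nytimes.com.": {"ns1.expected-dns.example.", "ns2.expected-dns.example."},
}

# Delegation as quoted in the comment above (dig output from a gTLD server).
OBSERVED = """\
nytimes.com. 172800 IN NS ns27.boxsecured.com.
nytimes.com. 172800 IN NS ns28.boxsecured.com.
;; Received 114 bytes from 192.41.162.30#53(192.41.162.30) in 17 ms
"""


def parse_ns(dig_text):
    """Return {owner: {nameserver, ...}} from zone-file style answer lines."""
    delegation = {}
    for line in dig_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig's ";;" comment lines
        fields = line.split()
        # Expected layout: owner TTL class type rdata
        if len(fields) != 5 or fields[2].upper() != "IN" or fields[3].upper() != "NS":
            continue
        owner, target = fields[0].lower(), fields[4].lower()
        delegation.setdefault(owner, set()).add(target)
    return delegation


def check_delegation(baseline, observed):
    """Return a list of findings; an empty list means the delegation matches."""
    findings = []
    for owner, expected in baseline.items():
        seen = observed.get(owner, set())
        if not seen:
            findings.append((owner, "no-ns-observed", [], sorted(expected)))
        elif seen != expected:
            # No overlap at all means the whole delegation was repointed.
            kind = "delegation-replaced" if not (seen & expected) else "delegation-drift"
            findings.append((owner, kind, sorted(seen - expected), sorted(expected - seen)))
    return findings


if __name__ == "__main__":
    for owner, kind, added, missing in check_delegation(BASELINE, parse_ns(OBSERVED)):
        print(f"ALERT {owner} {kind} unexpected={added} missing={missing}")
```

Run on a schedule against the parent zone's servers rather than a caching resolver, this kind of check reports a registrar-level change as soon as the TLD serves it.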

~~~
paul_f
OK, then, the key question is: which registrar are they using and how did that
registrar's security get compromised?

------
hughesey
NS records pointing to Syrian Electronic Army -
[http://viewdns.info/dnsrecord/?domain=nytimes.com](http://viewdns.info/dnsrecord/?domain=nytimes.com)

------
nrmilstein
You can still get to the New York Times by going to their IP address:
[http://170.149.168.130/](http://170.149.168.130/)

------
j2d3
Hacked by the SEA

~~~
j2d3
I alternately get the message "Hacked by the SEA" (to my dismay I've been
informed this is the Syrian Electronic Army, not the Symbionese Electronic
Army...), or a redirect to
[http://www.boxsecured.com/high_cpu.html](http://www.boxsecured.com/high_cpu.html)
- a 404 error saying hi_cpu.html is not found.

------
AsymetricCom
NYTimes DNS has been hijacked to redirect to SEA Blog (Syrian Electronic
Army). Here I mirror the front page and some of the linked content from the
English version of the page. You can see the page yourself by using Firefox or
another browser besides Chrome that allows you to accept non-standard and
mismatched certs. The JavaScript doesn't appear to be malicious, but I'm not
an expert.

* Latest News *

Syrian Electronic Army Facebook Page | Number : 220 After the Facebook
management shut down the page number 219 The new page link :
[https://www.facebook.com/SEA.Official.220](https://www.facebook.com/SEA.Official.220)
.. Read More...

Syria Tube is a page on the social network Facebook

it was created in 4/4/2011 in order to publish all the videos of what
happening

in Syria and the right news about Syria

The new page link after the Facebook management closed the main page:

[https://www.facebook.com/Syria.Tube.Official](https://www.facebook.com/Syria.Tube.Official)

[https://www.facebook.com/SEA.Official.220](https://www.facebook.com/SEA.Official.220)

* Latest Hacks *

Time, CNN and WashingtonPost Websites Hacked

The Syrian Electronic Army hacked today into Outbrain service and take control
of admin panel. The security breach affects CNN, Washington Post, Time and
more high profile websites. Outbrain is a content recommendation service whose
widget offers to help internet publishers incre.. Read More...

Time, CNN and WashingtonPost Websites Hacked Publish date: 2013-08-15 17:10:34
| Views number: 1559

The Syrian Electronic Army hacked today into Outbrain service and take control
of admin panel. The security breach affects CNN, Washington Post, Time and
more high profile websites.

Outbrain is a content recommendation service whose widget offers to help
internet publishers increase web traffic at their websites. It does so by
presenting them with links to articles and other content.

The admin panel of Outbrain is hosted in the local server. However, the SEA
hackers managed to login into the panel with the help of VPN and access panel.

Zone-H Mirrors :
[http://www.zone-h.org/mirror/id/20533795](http://www.zone-h.org/mirror/id/20533795)

[http://www.zone-h.org/mirror/id/20533808](http://www.zone-h.org/mirror/id/20533808)

ScreenShots of the Outbrain Administration Pa

* Media *

Syrian state television claims that a pro-government group has hacked into two
social messaging networks and seized records of local users.

Such a hack could expose Syrian rebels and other activists who depend on the
networks to publicize army crackdowns on their hometowns and communicate with
each other. Landlines and cell phones are believed to be tapped in Syria.

State TV says the social networking site Tango was hacked on Sunday by the
Syrian Electronic Army.

The Syrian Electronic Army is a shadowy group that supports President Bashar
Assad's regime.

There was no immediate comment from Tango.

Syrian media says another network -- Truecaller -- also was hacked last week.

Truecaller said in a statement posted on their website that it had been the
target of a cyber-attack.

Source: Fox News

Some website's talked too about the attack:

[http://www.foxnews.com/world/2013/07/21/pro-assad-group-hacks-messaging-networks-syrian-state-television-says/?test=latestnews](http://www.foxnews.com/world/2013/07/21/pro-assad-group-hacks-messaging-networks-syrian-state-television-says/?test=latestnews)

[http://news.softpedia.com/news/Syrian-Electronic-Army-Hacks-Mobile-Messaging-Service-Tango-369644.shtml](http://news.softpedia.com/news/Syrian-Electronic-Army-Hacks-Mobile-Messaging-Service-Tango-369644.shtml)

[http://www.idigitaltimes.co.uk/articles/492642/20130720/syrian-electronic-army-hacks-tango-messaging-application.htm](http://www.idigitaltimes.co.uk/articles/492642/20130720/syrian-electronic-army-hacks-tango-messaging-application.htm)

[http://hackread.com/mobile-messaging-service-tango-hacked-by-syrian-electronic-army/](http://hackread.com/mobile-messaging-service-tango-hacked-by-syrian-electronic-army/)

[http://thehackernews.com/2013/07/Tango-messenger-hacked-Syrian-Electronic-Army.html](http://thehackernews.com/2013/07/Tango-messenger-hacked-Syrian-Electronic-Army.html)

[http://threatpost.com/sea-hacks-messaging-app-tango-steals-user-information](http://threatpost.com/sea-hacks-messaging-app-tango-steals-user-information)

* Leaks *

Office of Qatar Emir's mother forces ISP to block SEALeaks website from Google
searches/Qatari DNS

Office of Emir's mother forces ISP to block SEA | Leakks website from Google
searches/Qatari DNS And here is the reply of the ISP: The Syrian Electronic
Army obtained the emails after it hacked into Moza mail system .. Read More...
SEA Publishes Turkish Ministry of Interior Emails and Passwords

Latest Hacks | Media | Leaks | Mobile Version

From The Pictures Library ::

From The Videos Library :: SEA gave a visit to Social Flow Website/Accounts

Office of Qatar Emir's mother forces ISP to block SEALeaks website from Google
searches/Qatari DNS

[image of email]
[http://i.imgur.com/gFJQX4W.png](http://i.imgur.com/gFJQX4W.png)

Publish date: 2013-06-29 16:00:20 | Views number: 4862

Office of Emir's mother forces ISP to block SEA | Leakks website from Google
searches/Qatari DNS

And here is the reply of the ISP: [image content broken]

* Battalions *

Vict0r Battalion | The Shadow Battalion | Th3Pr0 Battalion

[http://blog.thepro.sy/](http://blog.thepro.sy/) |
[https://www.facebook.com/SEA.Vict0r.2?_fb_noscript=1](https://www.facebook.com/SEA.Vict0r.2?_fb_noscript=1)

* Martyrs *

Martyr Mohammed Qabbani

Martyr Mohammed Qabbani

Martyr Lorans Barakat

* About SEA *

The Spark of the Launch

The SEA created in 2011 when the Arab media and Western started bias in favor
of terrorist groups that have killed civilians, the Syrian Arab Army and the
destruction of private and public property, was the Arab media and western
form a cover for the continuation of these groups, their actions through the
blackout on terrorism in Syria and paste all charges Army Syrian and charged
with murder and sabotage... Read More

The Mechanism | The Funding | The Vision

