Hacker News new | comments | show | ask | jobs | submit login
Twitter, NYT Whois and DNS altered, Syrian Electronic Army takes responsibility (thenextweb.com)
163 points by jpadilla_ 1512 days ago | hide | past | web | 99 comments | favorite

US is about to bomb Syrian military assets so this is Iran's response. The SEA is clearly Iranian. Email them something in Farsi or PM one of their propaganda accounts on youtube they usually answer.

last time I checked ns1.syrianelectronicarmy.com was hosted out of Russia and includes " qatar-leaks.com" which seems to have disappeared

Why Iran? Surely Russia is a bigger suspect, but right now, my biggest suspect would be the NSA/CIA, the timing of the Syrian escalation is just too perfect.

In the middle east Iran* probably has the greatest geopolitical reach of any country within the region. Through Hezbollah they have an enormous impact on Syria, Lebanon, the Palestinian territories and even Israel. If the al-Assad regime falls Iran has the most to lose as suddenly it would become far more difficult, logistically and otherwise, to provide support to its groups in the Levant.

This explains why Iran is threatening action if the US bombs Syria, for example.

The Putin regime has certainly shown itself capable of significant international "hijinx" (such as assassination, vote rigging, etc.) but overall this doesn't fit their MO.

(*: note that when I say "Iran" here I am talking about the current Iranian regime, very much not the Iranian people.)

Dusting off my tin foil hat, I would go with Israel in collusion with the NSA/CIA. They have the most to gain by turning the media against Syria and the technical capabilities as proven with their involvement in stuxnet. http://en.wikipedia.org/wiki/Stuxnet

You think that Israel wants a war with Syria? Syria could easily turn those chemical weapons across its border. I think Isreal is probably one of the big factors causing US restraint right now.

But my tin-foil hat hasn't been working very well lately so the government radio signals may be blocking me from seeing something.

> I think Isreal is probably one of the big factors causing US restraint right now.

Doesn't sound like restraint coming out of isreal..


Do you not recall those recent strikes?

> I think Israel is probably one of the big factors causing US restraint right now.

The other way around. Israel wants more U.S. involvement. And did you notice that Israel recently bombed Lebanon in retaliation? http://www.bbc.co.uk/news/world-middle-east-23806767

Things are enough of a powder-key economically this sort of thing to get out-of-hand in a big way.

China and America are co-dependent but at cyber-cold-war. Russia just recently gave the middle-finger to the U.S. with Snowden and we refused to meet with each other. The two primary powers that emerged after the last world war are no longer at the top so there is an open gap for who's next: the U.S. who no one wanted to mess with is overstretched, underfunded, and there is no better president to have at the helm if you want a war with the U.S. than one who has not achieved much militarily other than social reform and withdrawal, is on the edge of economic shambles due to decades of overspending much more than the stock market and media would lead you to believe, and whose party's voting constituents aren't in favor of a war, and Russia, who turned into a mafia-run state with former KGB at the helm that are unable to elicit much nationalism- much less a military power it used to be, doing the equivalent of selling its military assets on ebay for years.

Mass executions from chemical attack or otherwise are not the reason we are getting involved. This is a power struggle. Some big players (Clinton comes to mind) in U.S. Democratic party are set on cleaning up the Iran/Syria/Lebanon area, and Republicans are always up for a war. But, I'm afraid they will get more than they bargained for.

Why is Russia a bigger suspect? A study of foreign policy and defence would appear to suggest that Iran perceives that it is under threat of invasion from America.

If I seriously believed I was under actual threat of invasion from the US, I am not sure I would piss away my resources getting monkeys to deface a brochure.

Why do you suspect this is sanctioned by Russia? What would they have to gain from pestering a couple media companies, especially at the risk of losing their business? What is your logic here?

"We are protecting you from the hacker-terrorists"

Is this not obvious to everyone else as it is to me? People, think about what is happening here and the timing of it all.

This is a false flag operation to turn the public opinion against "hackers" so these crazy internet regulations bills can start passing and so that they can get away with spying scandal.

If these "hackers" taking down social media sites and NYT times were actually the Syrian government, they'd be going after US government targets in an effort to undermine the bombing that's about to begin.

Their regime is about to get bombed. Taking down twitter is low on their priority list. But it's quite good timing for a propaganda campaign against "hackers" and now allows the US government to label hackers as terrorists. Scary stuff.

Is this not obvious to everyone else as it is to me?

Another possibility is that your opinion is wrong.

If these "hackers" taking down social media sites and NYT times were actually the Syrian government

The thing is, nobody thinks the SEA is part of the Syrian government, any more than the Irish Republican Army was part of the Irish government. It's just a name the group have adopted to show their affiliation and make themselves feel badass.

I don't get your comment?... prominent members from various versions of the IRA are and have been members of Irish governments, see Gerry Adams/Martin McGuinness (Or even Michael Collins if you're talking way back).

Just because an organization has members/affiliates in a government does not make that organization part of the government.

Its like saying what ever the presidents frat was, is part of the government.

Whenever said members/affiliates are former leaders we're really just splitting hairs. I get your point though, I mistook what he had said as there is no link at all between them. Instead he is saying 'The Irish government never commanded the IRA' which I'd largely agree with.

> Another possibility is that your opinion is wrong.

Another possibility is that your opinion is wrong.

> Another possibility is that your opinion is wrong.

And yet another possibility is that your opinion is wrong!

I like this "adding nothing to the discussion" game!

> Their regime is about to get bombed. Taking down twitter is low on their priority list. But it's quite good timing for a propaganda campaign against "hackers" and now allows the US government to label hackers as terrorists. Scary stuff.

Yes, because the bombing of the regime means that every single person supporting the Syrians is automatically going to focus all their efforts on one single task. It is not like there can be people with different perspectives on how to solve a "problem" with the same common goal. /s

This is especially true when you look at how fractured and ill-defined "person supporting the Syrians" is.

Have we heard any government officials calling for any drastic attack on your civil liberties yet?

If you think people can't make the difference between the SEA and people who browse reddit and privacy activists, then you're setting the bar pretty low for the intelligence of the population. Especially considering people are getting more and more informed

Your need for a conspiracy seems pretty great

I disagree with the conspiracy idea, but from what I've seen the bar should be pretty low for the intelligence of the population (at least in this area). Most of the people I know ignore pretty much everything that has been going on with snowden and as for the SEA, they would probably thing it was part of the Syrian government.

> This is a false flag operation to turn the public opinion against "hackers" so these crazy internet regulations bills can start passing and so that they can get away with spying scandal.

You can't know for sure it is a false flag operation, but you can't easily rule it out either.

It sounds like a religion to me, then.

Except unlike gods, we are quite sure that false flag incidents can happen. Nobody doubts that. The very concept isn't what is questioned, only particular incidents.

I wasn't questioning the concept though, especially as the Nazis used it to kick off WWII in Europe.

But on the other hand, we at least had proof of the false flag attack by Germany. In this case we have, to this point, faith and educated guesses, but it's faith nonetheless.

Putting it on the same level as religion is questioning/ridiculing the entire premise, though I understand that you did not intend it that way.

If you think they are so sophisticated to create this false flag operation why are the targets and magnitude of this so lame?

NYTimes and Twitter are lame targets? In the US, at least, you don't get a much higher profile non-government target than the NY Times. I mean, if this were a false flag operation -- and I'm not convinced it is -- then the three-letter guys wouldn't very likely chose to target themselves, or other government, would they? They would portray them as being inept at defending themselves.

The target was one registrar and the disruption wasn't anything that's going to be talked bout tomorrow morning. Fairly lame for a sophisticated false flag operation.

No, the attack target was almost certainly sites like the NY Times and Twitter. The attack vector was the domain registrar you refer to. It seems very unlikely that the target was Melbourne IT per se. You see how many of us hadn't even heard of them -- hardly a high-impact target.

Another way of looking at it: target one decently sized registrar and you'll get a handful of important sites. This isn't big news.

>NYTimes and Twitter are lame targets?

Yes. A declining media/entertainment company and an advertising firm?

>In the US, at least, you don't get a much higher profile non-government target than the NY Times.

Google, Academi/Blackwater, any number of our oil companies?

Attacking the NYT tells me you just want attention. There are many much higher-value non-government targets who hacking would seriously worry me.

See this is why it's a great conspiracy theory. Parts of the attack that are well executed are used as proof that the powerful US Gov't is behind it. Parts that are poorly executed are obviously put there on purpose and thus also proof that the powerful US Gov't is behind it.

Is the redirect loop affecting your personal website the government's fault too?

It just means we need our own hackers.

As someone asked in the comments of the article asked (no response yet), I'm curious myself...

> "twimg.com is a domain used by Twitter which is an widget company that is part of a network of sites, cookies, and other technologies used to track you, what you do and what you click on, as you go from site to site, surfing the Web. Does that not mean that SEA will be intercepting this data?"

Couldn't they do this with any of the sites that they modify? That's what I am sort of wondering about, sure you could redirect the homepage to something dumb, and make it really obvious that the site has been attacked. But, it seems like they could have similarly done a man-in-the-middle and sucked up tons of data silently, without throwing up any big red flags.

The tweet button/widget is served by http://platform.twitter.com so this shouldn't be a problem as long as the twitter.com nameservers are unchanged.

Ok, firstly whois Microsoft.com just returns all URLs with Microsoft.com in them, even as a subdomain, so they haven't been hacked and that result has been there for ages. Same goes for Verisign etc.

TechCrunch is reporting that registrar MelbourneIT has been hacked.. This wouldn't surprise me but I'm puzzled as to why either site would register with such a bad registrar.


They aren't URLs, they are domain names.

The ones that aren't the domain name you are looking for are glue records.

There's no way to globally search "show me every corp.*.com domain in existence."

I think the important question here is "Why on earth did they choose that registrar, for something so crucial?"

I bet they'll put in for a transfer ASAFP now!

>but I'm puzzled as to why either site would register with such a bad registrar.

Melbourne IT acquired part of Verisign a few years ago, their Enterprise "Digital Brand Management Services". I assume these big companies are either existing customers, or just new customers using that particular part of the service.

What do you mean? MelbourneIT are huge and generally have a pretty decent reputation.

Yeah, you're right that was probably a bit harsh given that I'm just running from what I've heard from others, and the fact that last year they were still charging $150 for registration. But who am I to know - I don't want to be one of those token HN trolls who pays out on people for the sake of it so I retract my initial comment.

> MelbourneIT are huge and generally have a pretty decent reputation.

Clearly you have never used their ticketing system.

I can vouch for that. From my experience this is how it their tech support works.

You raise and issue and they give you a ticket to track the issue.

They then send you an e-mail asking for more details.

You reply with the details and then they send you another e-mail saying the issue has been escalated.

A little while later you get another e-mail asking for the exact same details as the first e-mail, so you send them the same details.

You then get another e-mail saying this issue has been escalated.

Guess what happens next.

You guessed it, they send yet another e-mail asking for the exact same details you have now provided on two occasions.

They bounce you around in an infinite loop with a continual stream of spam e-mails until you finally get fed up and close the ticket.

MelbourneIT have incumbency and good marketing. I've never been all that impressed with their prices or service.

When we used to have MelbourneIT they sent us an email with our login password in it in a promotional email. When I inquired how they could possibly be properly securing my account when if they where storing my password in some recoverable fashion I got a form letter back stating they followed all the industry security practices. Needless to say I started the transfer of all our domains that same day.

Their exact response: "Our systems follow strict security measures and only enables us to send the password out to the main email contact in case of password recovery being requested. So rest assured your account password is safely stored with us. "

Had. Until now.

How hard is this to do...

I ask because I find it harder to believe that they are responsible for this. Just like I don't trust the YouTube videos either. I would find it more likely that three letter agencies are involved as PR.

I don't buy it either. Seems fishy.

Fishy enough that the SEA's own Twitter account is gloating about it?

Fortunately it's really hard to make a Twitter account, what with all the passport checks and ID verification that goes on there. Only real, verified SEA members would be able to create such an account. And only when directly logging in from a verified Syrian government IP.

Go check the account [1] for yourself, if it's fake it's a long-planted fake strung along with other tweets dating back to August 15th and earlier and describing other known SEA hacks.

If it's not legit it would have to be because they let their own Twitter account get hacked at the same time Twitter was being hacked... which seems very noncompliant with Occam.

[1] https://twitter.com/Official_SEA16

a month old? dude, Im not standing on either side of this particular fence, it seems perfectly sensible to me to think that either side might be doing it.

Having said that, what on earth is it about that account that makes you think it has any kind of authority?

To be frank, I just couldn't care less who it was. This action is utterly irrelevant to anything that is happening in the real world.

The account was opened less than a month ago. That's not a long-planted fake.

The word "credulous" comes to mind.

Who is that account registered to?

Don't trust anything you read here, folks...... too many that don't know anything about WHOIS or DNS.....

Now the truly paranoid are caught in the paradox of trusting you!

While they may have fixed twimg.com on the DNS level, changes are still taking forver to propogate back out. Right now I'm still getting no data from it.

To add to the matter, SEA is certainly aware of this:

"So, do we host http://twimg.com with Javascript code so all Twitter users will be redirect to our website? #SEA"


The twitter frontpage is completly broken for me. Static assets like css and javascript are served by twimg.com, which are now missing. If SEA has access to a server which can take the load of twimg.com, they can inject their Javascript and possible exploits to ALL twitter users...

Seems fine now

Woah! Has Verisign been hacked?

$ whois twitter.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.



And then:

$ whois verisign.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.



I get really crazy responses like this for almost every major site I try (cnn.com, yahoo.com, google.com).



See this: https://news.ycombinator.com/item?id=6204867

I never use CA's so didn't notice this, I only use the twitter app which Moxie Marlinspike and Charlie Miller hardened with pinned certs to avoid all authorities

Also this: http://stackoverflow.com/questions/4415269/suspicious-result...

  whois twitter.com => whois(".*twitter\.com.*")

Facebook's whois result is pretty funny.

   $ whois facebook.com

   Whois Server Version 2.0

   IP Address:
   Whois Server: whois.tucows.com
   Referral URL: http://domainhelp.opensrs.net

DNS Records have been hijacked and point to Syrian Electronic Army


So not sure what to say, but this is the email I received from DynEct the other day: subject: Webinar Wednesday: Are You Prepared For DNS Disaster? sender: Dyn hello@dyn.com via dynect-mailer.net

and some info from my old whois: $ whois twitter.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

   IP Address:
   Whois Server: whois.PublicDomainRegistry.com
   Referral URL: http://www.PublicDomainRegistry.com

   Domain Name: TWITTER.COM
   Whois Server: whois.melbourneit.com
   Referral URL: http://www.melbourneit.com
   Name Server: NS1.P34.DYNECT.NET
   Name Server: NS2.P34.DYNECT.NET
   Name Server: NS3.P34.DYNECT.NET
   Name Server: NS4.P34.DYNECT.NET

Last update on status.twitter.com was August 6th.

Get your shit together guys, this is serious business.

Edit: looks like there's an update now: http://status.twitter.com/post/59528478030/twitter-service-i...

Why hasn't the SEA changed the nameservers?

Nameservers of nytimes.com and twimg.com are changed:

Name Server.......... ns27.boxsecured.com

Name Server.......... ns28.boxsecured.com

DNSSEC most likely.

Whoa. Twitter, NYTimes, HuffPo... all had their DNS records hacked? This seems huge.

Twitter is up. I still can't get NYT - down for over a day? wow

How difficult of a thing is this to pull off?

If you can compromise a shared registrar, pretty trivial.

Well, the "attacking multiple sites at once" is trivial. The "compromising a major registry" is at least supposed to be kinda hard.

You'd have to have the ability to change DNS records for their domains. If you can point "whatever.com" to a NS that you control, it's game over until they take it back.

Seems to me that melbourneit.com was the cause of these problems - that is the related link between all these different problems - basically poisoning the DNS of any popular company that uses them.

NYTimes seems to be down and Twitter is be loading all wrong because twimg.com is down. Whoa! This is some serious stuff.


Ya, not so much.

Is this what DNSSEC is supposed to protect you from? (Or could they just change your dnssec records as well?)

twimg.com seems to be hijacked

A status update now that it's fixed.


Kind of dodgy that there was no status update until 1.5 hours after the issue surfaced.

this is about all the Syrian govt can retaliate with. it's not like they can physically reach and stop the USA from attacking them.

the traceroute for twimg.com end's in russia, I'm right? (

Yup. The biggest fallout from this won't be that those big sites were down for hours, it will be the millions of computers that redirected to that IP.


SEA has a history of doing much more than attempting to offset perceived propaganda[1]. With in that site is dozens of gigabytes of logs from Bluecoat[2] proxy hardware that sat in datacenters for Syrian ISPs.

A good amount of what is contained in the logs is things like porn searches, more porn, porn. But amongst the typical naughty bits things like religious queries for Christians, Catholics, Jews, Muslims were being recorded.

Telecomix[3] helped to leak the log-set, and as it stands it is _the_ example of how state entities monitor peoples of 'interest.' Much of these people are long since dead, killed early on as they were the most public[4].

So while the SEA's most public facing events are hijacks, phising, and massive redirects. Please do focus on the end result of pervasive surveillance[5].

[1] http://bluesmote.com/

[2] http://www.bluecoat.com/

[3] http://en.wikipedia.org/wiki/Telecomix

[4] http://en.wikipedia.org/wiki/Ibrahim_Qashoush

[5] http://imgur.com/gallery/qz7wm

Makes you wonder whom has access to Palantir.

Sorry to be cynical and bring politics into this, but I hope that U.S. liberals respond the way they did to Bush to Obama with this strike.

Comedians, the media, etc. accused Bush of an adjust war for someone that used a chemical attack on his own people because there were no found WMD's even though there was evidence of a chemical attack.

Now we are going in again to try to save things. Will Obama come out as a hero? Probably. Should he? Well if he should, Bush needs to get some slack finally.

Don't get me wrong- I think we should do something. But when I hear we are going to do another 3 day bombing run, it's just like Iraq all over again, except this time it's who the Democrats want to bomb. Isn't there an answer that doesn't involve bombing? What are we, Germany in WWII?

That comparison is quite the stretch, though.

The currently debated reaction to Syria's chemical weapons attack is a limited response intended to punish the Assad regime, to attempt to reduce its ability to launch more such attacks in the future and to provide it with a disincentive to do so.

It would not be an attempt to topple the regime or to take over Syria for American interests.

Further, the use of chemical weapons in the Iran-Iraq war as a pretext for invading Iraq in 2004 is, as we all know, extremely disingenuous, given that these attacks happened more than a decade prior – and with the support of the U.S. at the time:


[EDIT: I'm not arguing in favor of the U.S. intervening in Syria, though, least of all without proper congressional authorization.]

I think the core problem is that military adventurism in this region shouldn't be predicated solely on, say, chemical weapons. Realistically chemical weapons don't tip the balance scales very much in the realm of America's narrow/selfish geopolitical interests, in the interests of humaneness, or in the more broad interests of attempting to do whatever is best for the people of the region on a long-term basis (specifically in regards to peaceful co-existence and consensual governance).

We've attempted low touch "tomahawk diplomacy" before. We bombed Saddam's Iraq for their intransigence and aggression in the late '90s, we bombed Afghanistan and the Suddan in 1998 in retaliation for the bombings of our embassies, and so on. For the most part such things are utter wastes of effort.

Retaliatory strikes are almost always bullshit. "Proportionate response" is just a fancy word for retaliation or revenge. Low touch warfare is almost always a mistake (see also: drone campaigns). We need to have clear geopolitical objectives, we need to be even clearer how we plan to achieve those objectives, and we need to follow through with as much effort (in whatever form) is required to achieve those objectives. Anything else is like some sort of macabre lottery. Attempting to see if killing a few people will magically result in a desired outcome even though the chances are low.

Granted, one should be under no illusions, there are some very serious "bad guys" in the region, and in Syria specifically. Bad guys who few people on Earth should object to being killed. However, the situation is also much more complex than that and it's never the case that military action only kills or injures the exact people you want and no one else. There is a 3 (ish) side sectarian war in progress in Syria which has now spread to Lebanon. Taking out the al-Assad regime could perhaps be a good thing but it won't bring an end to the sectarian war. Whether or not chemical weapons are used as long as that war continues tens of thousands of people are going to be killed each year it goes on, if not more. I don't think the Obama administration has a very strong understanding of the complex dynamics on the ground in Syria nor do they have a firm plan on how to end the war there. Moreover, I think the lessons the administration has taken from what happened in Libya (even taking into account the later attack on the US embassy) are likely to lead them to believe that the situation is far less complex than it actually is.


> reustle wrote:

> Here's what I get for whois google.com


> ...


> And Microsoft


> ...


Don't be silly. You're simply getting everything that starts with microsoft.com.

So for the first microsoft example that's itrebal.com, they can issue subdomains as many as they want or publish records for subdomains which in turn will cause the whois commands to cough up that information. It assumes that you are searching for some info and helpfully includes everything that it thinks might be applicable.

This trick will give you results for almost any well known domain name and is not indicative of a hack, merely of a slight shortcoming in the way whois records are displayed / queries, the default is a non-exact match.

They're not hacks, they are pranks.

Try this:

whois -h whois.tucows.com microsoft.com

If you're not convinced by the above.

I believe the trick is to also register the subdomain as an NS server. But yeah, not a hack.

I'm pretty sure that's unrelated and not a problem. Look at those domain names carefully -- they're not actually at google or microsoft. It's just people exploiting how wildcard search feature works.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact