
Archive for the ‘news’ Category

Twitter’s DNS servers hacked

Friday, December 18th, 2009

According to a series of news accounts today, it looks like Twitter was either hacked or not hacked, depending on who you listen to. The bottom line seems to be that Twitter’s DNS servers were hijacked. How this was done has not been revealed. Twitter seems to be dodging the brunt of the blame because their provider runs their DNS servers (confirmed by a quick nslookup below). While this may be true, that only reflects how Twitter should react internally. The risk to Twitter’s users is still the same. If the hackers had wanted to do damage instead of showing off by putting up a “look at me, I’m so cool” type of page, they would have forwarded users to a phishing page that intercepted authentication credentials. (While this has fairly trivial implications for Twitter, imagine if they did this to a bank.)

C:\>nslookup

> set type=ns
> twitter.com
Server:  UnKnown
Address:  x.x.x.x

(root)
primary name server = trafficdns1.ddc.com
responsible mail addr = hostmaster.jettissystems.com
serial  = 2009072301
refresh = 43200 (12 hours)
retry   = 3600 (1 hour)
expire  = 1209600 (14 days)
default TTL = 3600 (1 hour)

Update: more details on the DNS records can be found at SANS’ incident handler diary.
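The quick nslookup above is exactly the kind of check that, repeated on a schedule, turns into a hijack detector: snapshot the SOA fields while the zone is known-good, then alert when the primary name server or hostmaster changes or the serial goes backwards. The following is an added example written for this post, not code from the blog or from Twitter’s provider. The baseline is the nslookup output quoted above; the “observed” output is a constructed, hypothetical later answer (the `unexpected.example` names are placeholders), and `capture_soa` is an optional helper for live use that the offline demo never calls.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List

# SOA fields exactly as the Windows nslookup session quoted in the post printed them.
# A snapshot like this, taken while the zone is known-good, is the baseline.
BASELINE_NSLOOKUP = """\
(root)
primary name server = trafficdns1.ddc.com
responsible mail addr = hostmaster.jettissystems.com
serial  = 2009072301
refresh = 43200 (12 hours)
retry   = 3600 (1 hour)
expire  = 1209600 (14 days)
default TTL = 3600 (1 hour)
"""

# Constructed later observation (hypothetical values, not real data): the primary
# name server and hostmaster changed and the serial went backwards, which is how a
# replaced or hijacked zone looks to a monitor.
OBSERVED_NSLOOKUP = """\
(root)
primary name server = ns1.unexpected.example
responsible mail addr = hostmaster.unexpected.example
serial  = 2009010100
refresh = 43200 (12 hours)
retry   = 3600 (1 hour)
expire  = 1209600 (14 days)
default TTL = 3600 (1 hour)
"""

_FIELD = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<value>\S+)")


def parse_soa(text: str) -> Dict[str, str]:
    """Turn the 'key = value' lines of an nslookup SOA answer into a dict.
    Parenthetical annotations such as '(12 hours)' are dropped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields


@dataclass
class Finding:
    field: str
    expected: str
    observed: str


def check_delegation(baseline: Dict[str, str], observed: Dict[str, str]) -> List[Finding]:
    """Flag any change in who is authoritative for the zone, plus a serial that went backwards."""
    findings: List[Finding] = []
    for key in ("primary name server", "responsible mail addr"):
        if baseline.get(key) != observed.get(key):
            findings.append(Finding(key, baseline.get(key, "?"), observed.get(key, "?")))
    # A legitimate zone's serial only grows; a smaller one means the data you are
    # being served is not a successor of the zone you baselined.
    try:
        if int(observed["serial"]) < int(baseline["serial"]):
            findings.append(Finding("serial", baseline["serial"], observed["serial"]))
    except (KeyError, ValueError):
        findings.append(Finding("serial", baseline.get("serial", "?"), observed.get("serial", "?")))
    return findings


def capture_soa(domain: str) -> str:
    """Live lookup for use outside this demo; '-type=soa' is accepted by both the
    Windows and BIND nslookup. Not called by the offline demo below."""
    return subprocess.run(["nslookup", "-type=soa", domain],
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for f in check_delegation(parse_soa(BASELINE_NSLOOKUP), parse_soa(OBSERVED_NSLOOKUP)):
        print(f"ALERT {f.field}: expected {f.expected!r}, saw {f.observed!r}")
```

Run as-is it prints three alerts for the constructed observation. In practice you would feed `capture_soa("yourdomain")` in place of the constructed text, query more than one resolver (the hijack may only be visible from some vantage points), and keep the A records for your login hosts in the baseline as well, since a redirected login page is the outcome that actually hurts users.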

You forgot the encryption

Thursday, December 17th, 2009

Apparently the drones that the US has been using in Iraq and Afghanistan have not encrypted their video feeds, and Pentagon officials have revealed that insurgents have been eavesdropping on the video transmissions. According to the WSJ:

Senior defense and intelligence officials said Iranian-backed insurgents intercepted the video feeds by taking advantage of an unprotected communications link in some of the remotely flown planes’ systems. Shiite fighters in Iraq used software programs such as SkyGrabber — available for as little as $25.95 on the Internet — to regularly capture drone video feeds, according to a person familiar with reports on the matter.

U.S. military personnel in Iraq discovered the problem late last year when they apprehended a Shiite militant whose laptop contained files of intercepted drone video feeds. In July, the U.S. military found pirated drone video feeds on other militant laptops, leading some officials to conclude that militant groups trained and funded by Iran were regularly intercepting feeds.

Think that’s astounding? Wait till you see this:

The potential drone vulnerability lies in an unencrypted downlink between the unmanned craft and ground control. The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.

They’ve known about this for nearly two decades and haven’t done anything? C’mon guys – encryption isn’t exactly a new technology. As for assuming that insurgents wouldn’t know how to take advantage of the flaw, don’t even get me started. You should never underestimate your adversary, especially in war. In the modern information age knowledge is easy to come by, so assuming any large group of people will not have certain knowledge is a perilous assumption.

Blackberry surveillance

Thursday, July 16th, 2009

It should never surprise anyone that a government wants to occasionally watch its citizens for law enforcement purposes. The methods of surveillance change with time and technology of course, and it appears that the United Arab Emirates has just crossed a new threshold – using spyware to spy on people’s BlackBerrys. Etisalat, one of the region’s major telecom providers, pushed a new patch claiming it was to improve performance. It turns out the patch included spyware which, once activated, would report all activities performed on the BB back to a central server. Due to a programming glitch, the “patch” also ran down the BlackBerry’s battery at an alarming rate, which bothered many users. After a few days of silence, Etisalat issued a statement which must set records for government non-denial denials, claiming only that “a conflict in the settings in some BlackBerry devices has led to a slight technical fault while upgrading the software of these devices.” The users and the local media of course know better.

l0phtcrack is back

Thursday, May 28th, 2009

This is the best news I’ve heard this week. L0phtCrack, the original Windows password cracker, is back. L0phtCrack was originally developed by an independent group of hackers known as the L0pht. Through a series of mergers and buyouts it ended up owned by Symantec, which decided to unceremoniously drop the product as it didn’t fit into Symantec’s line of offerings. Although old versions and cracks could be found on the internet, it’s good to see that the tool is back with new features. You can get it from http://www.l0phtcrack.com.

MS09-002 reverse engineered

Tuesday, February 17th, 2009

ISC is reporting that they’re seeing exploits of MS09-002 in the wild. MS09-002 is a vulnerability which allows remote code execution in IE7. The vulnerability was first reported to MS in October of 2007 by the Zero Day Initiative. Microsoft issued the patch a week ago. Given this, ISC is also claiming that it is likely that the patch was reverse engineered to find the vulnerability, and I would have to agree. I’m sure the anti-disclosure crowd will be using this one as proof positive for their position in the future.

Bounties for virus writers

Friday, February 13th, 2009

The Conficker worm author is the latest to have a bounty placed on his/her head. I’m not inherently opposed to rewarding people who turn in criminals (it certainly has been standard practice in the non-cyber world for centuries). However, I think that in this case the organization offering the bounty is simply trying to look “tough on crime” after suffering for decades due to their lax security posture.

Update: On a related topic, when doing some background research on Conficker, I stumbled across the following headline:

French navy surrenders to Conficker

The jokes just sort of write themselves….

I was right

Thursday, September 18th, 2008

Regarding my previous post on how Palin’s email was broken into, it turns out I was dead on. Security questions are just a bad idea.

Palin’s email hacked

Thursday, September 18th, 2008

Alaska Governor and VP nominee Sarah Palin’s Yahoo account has been compromised, evidently by the group “Anonymous”. (Is her fantasy football team okay?) I’m going to go out on a limb now and make an educated guess on how this happened. Chances are they won’t reveal how it actually occurred, but given the situation and given what I know about Yahoo email accounts, I’m fairly certain I know how it happened. Yahoo employs “security questions” if you forget your password. In the past you had to know a person’s zip code, birth date, and the answer to one “security” question to reset an account password. As of when I checked just now, the procedure has changed to require just a security question. The problem for someone like Palin is that in the last month or so every fact about her life has become public. It would be trivial to find out her zip code, birth date, and just about everything else about her that could serve as a security question answer. This makes it easy for a hacker to use this “security feature” to gain access to the account.

The truth is, all of those “forgot my password” links are usually great ways for hackers to break into accounts.
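The design flaw in the flow described above is that knowledge of public facts is treated as proof of identity. The fix is not a harder question but a different role for the question: it may gate whether a reset token is sent, but only possession of that token, delivered over a channel the account owner controls, may actually change the password. The following is an added example written for this post, not Yahoo’s code or the blog author’s. It shows the weak flow as described beside a hardened one with an out-of-band single-use token, an expiry, and a lockout after repeated wrong answers. All account values are constructed sample data, and `Outbox` is a stand-in for a mail/SMS gateway.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MAX_ATTEMPTS = 5      # knowledge-check failures before the recovery flow locks
TOKEN_TTL = 600.0     # seconds an out-of-band reset token stays valid


@dataclass
class Account:
    username: str
    zip_code: str
    birthdate: str
    answer_hash: bytes           # hash of the "security question" answer
    recovery_email: str          # out-of-band channel the attacker does not control
    password_hash: bytes = b""
    failed_attempts: int = 0
    pending_token: Optional[bytes] = None
    token_expires: float = 0.0


def _hash_answer(answer: str) -> bytes:
    # Normalise case/whitespace so "springfield elementary" matches; still a weak secret.
    return hashlib.sha256(answer.strip().lower().encode()).digest()


def _hash_password(password: str) -> bytes:
    # Salted, iterated hash; the salt is prepended so the stored value is self-describing.
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_demo_account() -> Account:
    # Constructed sample values, not anyone's real data.
    return Account("demo", "12345", "1970-01-01",
                   _hash_answer("Springfield Elementary"), "recovery@example.invalid")


def _knows_the_facts(acct: Account, zip_code: str, birthdate: str, answer: str) -> bool:
    return (acct.zip_code == zip_code and acct.birthdate == birthdate
            and hmac.compare_digest(acct.answer_hash, _hash_answer(answer)))


def weak_reset(acct: Account, zip_code: str, birthdate: str, answer: str,
               new_password: str) -> bool:
    """The flow the post describes: public facts plus one guessable answer are enough."""
    if not _knows_the_facts(acct, zip_code, birthdate, answer):
        return False
    acct.password_hash = _hash_password(new_password)
    return True


class Outbox:
    """Stand-in for an e-mail/SMS gateway: records the (recipient, token) pairs it would send."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, bytes]] = []

    def send(self, to: str, token: bytes) -> None:
        self.sent.append((to, token))


def start_reset(acct: Account, zip_code: str, birthdate: str, answer: str,
                outbox: Outbox, now: Callable[[], float] = time.time) -> bool:
    """Hardened step 1: the knowledge check only gates *sending* a token, never the reset."""
    if acct.failed_attempts >= MAX_ATTEMPTS:
        return False                      # locked out; needs manual recovery
    if not _knows_the_facts(acct, zip_code, birthdate, answer):
        acct.failed_attempts += 1         # throttles guessing of the answer
        return False
    token = secrets.token_bytes(16)
    acct.pending_token = token
    acct.token_expires = now() + TOKEN_TTL
    outbox.send(acct.recovery_email, token)   # out of band; public facts never reveal it
    return True


def finish_reset(acct: Account, presented: bytes, new_password: str,
                 now: Callable[[], float] = time.time) -> bool:
    """Hardened step 2: only possession of a live, unexpired token completes the reset."""
    if acct.pending_token is None or now() > acct.token_expires:
        return False
    if not hmac.compare_digest(acct.pending_token, presented):
        acct.failed_attempts += 1
        return False
    acct.pending_token = None             # single use
    acct.failed_attempts = 0
    acct.password_hash = _hash_password(new_password)
    return True
```

In a deployed version the user-visible response from `start_reset` should be identical whether or not the facts matched, so the form cannot be used to confirm a guess; the boolean here is returned only so the behaviour can be checked. The `now` parameter exists so expiry can be tested without sleeping.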

Now we’ve done it….

Wednesday, August 27th, 2008

It looks like the first computer virus to cross into outer space is the W32.Gammima.AG worm.

Georgia attacked in cyberspace first

Wednesday, August 20th, 2008

As a followup to my previous post about cyber-war, it looks like the cyber-attacks against Georgia started before the Russian invasion. Although interesting, it doesn’t change the basic concept of cyber-war very much. The initial attacks garnered little attention until they were combined with conventional kinetic warfare. The reason is simple – cyber-war, on its own, doesn’t do a whole lot.
