> <i>Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered what appeared to be malware on the site to which the NYTimes.com site was redirected.</i><p>On the HN post <i>"Google.ps domain was hacked (google.ps)"</i> [1], HN user <i>biot</i> predicted this exact scenario, although not a zero day most likely. He talked about submitting hacked sites to HN <i>"... and thousands of HN readers get infected by a zero-day exploit. Maybe. If you're thinking of submitting a known compromised site to HN, consider instead submitting a third-party site which explains/documents the compromise. Ideally from a respected security research company".</i> [2]<p>[1] <a href="https://news.ycombinator.com/item?id=6278737" rel="nofollow">https://news.ycombinator.com/item?id=6278737</a><p>[2] <a href="https://news.ycombinator.com/item?id=6279253" rel="nofollow">https://news.ycombinator.com/item?id=6279253</a>
Basically zero information. They keep telling us how MelbourneIT is usually more secure but don't go on to tell us how it is any more secure than other registrars. More importantly, even with admin access to their control panel, how can it be so easy to change registry information of such high-profile sites with a click of a button?
> At 1:19pm (PDT) today, a researcher noticed that the New York Times' website wasn't loading.<p>So if the content on the redirected page had been more subtle - for example, mirroring NYTimes but editing stories, etc. - then things would have taken a lot longer to be noticed?
So, if my DNS is hacked, I can call Google and OpenDNS and have them correct my records upstream? And then contact Verisign for a registry lock? And expect a personal response from MelbourneIT (even though it's likely their reseller's fault)? This is great news!
I'm amazed that Melbourne IT seem to be held in high regard these days. Going back to the 1990s, they had a monopoly on Australian domain registration, they charged the earth, and had really crap customer service.
> The correct name servers should have been DNS.EWR1.NYTIMES.COM and DNS.SEA1.NYTIMES.COM.<p>How does this work? How would you get to DNS.EWR1.NYTIMES.COM without first knowing where nytimes.com is?
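The question above is the classic chicken-and-egg problem that glue records solve: when a zone's nameservers are named inside the zone itself (DNS.EWR1.NYTIMES.COM lives under nytimes.com), the parent (.com) zone has to hand out their IP addresses alongside the NS delegation, otherwise a resolver could never bootstrap. The following Python is an added example, not code from the thread or from any of the companies it mentions; the delegation data, the 192.0.2.x addresses (documentation range) and the "ns1.example.net" attacker-side names are all constructed placeholders. It models the parent delegation as a resolver sees it, shows where the glue is needed, and includes the kind of expected-vs-observed NS check that would have flagged the redirect long before anyone noticed the site "wasn't loading".

```python
"""Toy model of a parent-zone delegation (NS + glue) and a drift check on it."""

# What the operator expects the .com zone to publish for nytimes.com (from the thread).
EXPECTED_NS = {"dns.ewr1.nytimes.com.", "dns.sea1.nytimes.com."}

# Constructed example: the healthy delegation. The NS names are *inside* the
# delegated zone, so the parent must also carry glue A records for them.
GOOD_DELEGATION = {
    "ns": {"dns.ewr1.nytimes.com.", "dns.sea1.nytimes.com."},
    "glue": {
        "dns.ewr1.nytimes.com.": "192.0.2.10",  # constructed, documentation range
        "dns.sea1.nytimes.com.": "192.0.2.20",  # constructed, documentation range
    },
}

# Constructed example: a delegation rewritten at the registrar to out-of-zone
# names. No glue is required for these, so a resolver just looks them up normally.
HIJACKED_DELEGATION = {
    "ns": {"ns1.example.net.", "ns2.example.net."},  # placeholder names
    "glue": {},
}


def in_bailiwick(name, zone):
    """True if `name` sits at or below `zone` (both fully qualified, trailing dot)."""
    return name == zone or name.endswith("." + zone)


def resolve_ns_address(delegation, ns_name, lookup):
    """Return (ip, source) for a nameserver named in a delegation.

    If the parent supplied glue, that is the address a resolver uses directly;
    for an in-zone name it is the *only* way to get one, since asking the zone's
    own servers would require already knowing their address. Otherwise fall back
    to a normal lookup (`lookup` is a caller-supplied resolver function).
    """
    if ns_name in delegation["glue"]:
        return delegation["glue"][ns_name], "glue"
    return lookup(ns_name), "lookup"


def missing_glue(delegation, zone):
    """In-zone NS names the parent publishes without glue: unreachable by design."""
    return {
        n for n in delegation["ns"]
        if in_bailiwick(n, zone) and n not in delegation["glue"]
    }


def check_delegation(delegation, expected_ns=EXPECTED_NS):
    """Compare the NS set the parent actually publishes against the expected one.

    Returns (ok, unexpected, missing). A monitor polling the parent's NS RRset
    and alerting on any non-empty `unexpected`/`missing` catches a registrar-side
    rewrite even when the hijacked site looks perfectly normal to visitors.
    """
    observed = set(delegation["ns"])
    return observed == expected_ns, observed - expected_ns, expected_ns - observed


if __name__ == "__main__":
    for label, d in (("good", GOOD_DELEGATION), ("hijacked", HIJACKED_DELEGATION)):
        ok, unexpected, missing = check_delegation(d)
        print(f"{label}: ok={ok} unexpected={sorted(unexpected)} missing={sorted(missing)}")
    print(resolve_ns_address(GOOD_DELEGATION, "dns.ewr1.nytimes.com.", lambda n: None))
```

The point of `resolve_ns_address` is that a resolver never has to "know where nytimes.com is" first: the parent zone's referral carries both the NS names and, for in-zone names, their glue addresses, and that referral is exactly what a registrar-side change rewrites.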
How would setting the registrar lock have helped in this case? The registrar lock can be unlocked by the current registrar... which was the target in this case.<p>It's good advice, but seems kind of irrelevant.<p>> It's worth noting that while some of Twitter's utility domains were redirected, Twitter.com was not -- and Twitter.com has a registry lock in place.
I'll bet five dollars the credentials were stolen by a botnet the SEA runs or has access to. You wouldn't believe the shit that pops up sometimes. (It's also incredibly trivial to take over botnets run by jackasses who took a tutorial in setting up Zeus) Less likely but still highly possible would be spear phishing of registrar resellers.<p>Edit: I don't know why, but the nameservers I use don't resolve any address for nytimes.com now. If I query 8.8.8.8 directly I get a response. So, could be they're still suffering from this attack, which sucks.
> MelbourneIT has traditionally been known as one of the more secure registrars<p>They were one of the registrars compromised back in May as part of Hack the Planet[1]. If I recall correctly, they were the only registrar where the attackers actually got shell access on a server. That's when they lost any reputation for security in my eyes.<p>[1] <a href="http://www.theregister.co.uk/2013/05/09/melbourne_it_hacking/" rel="nofollow">http://www.theregister.co.uk/2013/05/09/melbourne_it_hacking...</a>