Websites are only as secure as their weakest components
The Syrian Electronic Army is claiming to have hacked a number of sites, but the evidence points to an advertising network at the heart of the attacks. This attack chains together two weak points in the Internet's infrastructure, ad networks and DNS, and highlights that neither was built with security in mind.
A website is only as secure as the weakest component on that website. If you display adverts from a third-party advertising network, your visitors are exposed to any security holes on that advertising network. We saw how problematic this can be recently when visitors to AOL, Match.com and Yahoo! clicked on a malicious advert and were then infected with the Cryptowall ransomware. The DNS system, one of the fundamental building blocks of the Internet, dates back to the days when everyone on the network trusted everyone else. Security in the DNS system came as an afterthought, and so taking control of someone else's DNS account does not require any great technical expertise. It can be as simple as tricking the registrar into assigning the account to someone else.
The Syrian Electronic Army are experts at social engineering and spear phishing. Most registrars would think twice before transferring the domain name of a major newspaper to another owner - though it did happen to Craigslist recently - but they probably won't pay the same attention to the domain name of a startup ad network.
Securing the Internet's infrastructure has been a continuous discussion within the technology industry, and threats like this bring the conversation back into the spotlight. Large parts of the Internet's infrastructure need to be rebuilt from the ground up to be more secure. DNS is one of those parts. The controls on transfer of domain ownership need to be tighter, requiring at minimum two-factor authentication, with the option of certificate- or key-based authentication for mission-critical domain names. However, the DNS protocol itself is also subject to abuse. It can easily be used for DDoS amplification attacks such as the one on Spamhaus, and it also lends itself to other abuses such as data exfiltration and botnet C&C. It can represent a single point of failure for critical systems and, as such, must be treated as a key security concern for any enterprise.
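As an added example (not from the article or any product it mentions), here is a small Python detector for the DNS data exfiltration and tunnelling abuse the paragraph above refers to: it scans a constructed resolver query log and flags zones that receive many unique, long, high-entropy subdomain labels. The log line format, the thresholds and the two-label "registered domain" heuristic are assumptions for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic): "<time> <client> <query name> <type>".
# The example.org queries imitate a tunnel: each carries an encoded payload as a long label.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 cdn.example.net A
10:00:03 10.0.0.9 4a6f0e9c1b2d3857.tun.example.org TXT
10:00:03 10.0.0.9 c1b2d3857e9f04a6.tun.example.org TXT
10:00:04 10.0.0.9 7e9f04a6c1b2d385.tun.example.org TXT
10:00:04 10.0.0.9 2d3857e9f04a6c1b.tun.example.org TXT
10:00:05 10.0.0.9 9f04a6c1b2d3857e.tun.example.org TXT
10:00:06 10.0.0.5 mail.example.com MX
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score close to their alphabet's maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_query(qname):
    """Assumption: the registered domain is the last two labels (no public-suffix list lookup)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]

def find_suspicious_zones(log_text, min_unique=5, min_entropy=3.0, min_label_len=12):
    """Return zones with at least min_unique distinct subdomains whose leftmost label is long and high-entropy."""
    unique_subs = defaultdict(set)      # zone -> distinct subdomain strings seen
    high_entropy_hits = defaultdict(int) # zone -> queries whose leftmost label looks encoded
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        zone, sub_labels = split_query(m.group(3))
        if not sub_labels:
            continue  # bare zone queries carry no payload-bearing label
        unique_subs[zone].add(".".join(sub_labels))
        leftmost = sub_labels[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            high_entropy_hits[zone] += 1
    return sorted(z for z in unique_subs
                  if len(unique_subs[z]) >= min_unique and high_entropy_hits[z] >= min_unique)
```

Feeding real resolver logs through it needs the thresholds tuned per environment; legitimate CDNs and anti-spam lookups also generate long hashed labels, so the unique-subdomain count matters as much as the entropy.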