How To Avoid Getting Your DNS Hacked Like The New York Times

When the New York Times’ website fell prey to a high profile hack Tuesday, you may have wondered how a huge, multimillion dollar corporation could get hacked in the first place. From there, it's not that far to another terrifying idea: “If the NYT didn’t stand a chance, what hope is there for my own website?”

The NYT attack actually targeted the site's records in the Internet's DNS, or Domain Name System. Since computers speak in numbers and we speak in letters, DNS is what converts any IP address to a easy-to-remember address like nytimes.com. DNS hacking is a vulnerability that every website faces. (In the NYT's case, the attackers apparently changed its DNS records so that visitors to the newspaper instead ended up on a Syrian website.)

Fortunately, if you run a small-to-medium-sized website, chances are hackers don’t consider you much of a target. According to Matthew Prince, CEO of CloudFlare and one of the key players in yesterday’s hack cleanup, you’re probably okay for now. 

“I wouldn’t run out and drop everything to secure my DNS,” he said. “But it would not surprise me if DNS becomes an additional vulnerability that criminals start to go after more often. I would definitely put it on my to-do list before the end of 2013.”

Here’s what Prince suggests you do to keep your online presence secure. 

Choose A Registrar With A Secure Reputation

If you have a domain name, you probably purchased it through a domain name registrar, like GoDaddy, Bluehost, Dreamhost, or in the NYT's case, Melbourne IT. You log into the registrar to make changes to your domain name and manage your site files. 

It goes without saying that you need to have a strong password on your registrar account to keep it safe. What happened yesterday was no ordinary password crack, but, as Prince said, something that was “as bad as DNS attacks can get.”

“What was really spooky about yesterday’s attack was that the attacker appears to have compromised Melbourne IT, the actual registrar that registered all the domains,” said Prince. “If you think of the DNS as the white pages, it’s as if the attacker had actually hacked into the publisher of the white pages themselves and was able to change to any phone number anywhere in the entire directory.”

Unfortunately, Melbourne IT did have a reputation as one of the most secure registrars in the world, which is why the Times, Twitter, the Huffington Post, and others trust it. So when this first step doesn’t work, there are other precautions you can take. 

Set Up A Registry Lock

The New York Times bore the brunt of Tuesday’s attack. Why wasn’t Twitter as much of a target? 

“We speculate Twitter wasn’t affected the way the New York Times was yesterday because it had a registry lock in place,” said Prince.

A registry lock is a restrictive measure on your registrar account that makes it far more difficult for anyone to make changes to it. There are numerous additional steps required before you can take even mundane actions on your account, like simply transferring your domain name to another registrar. 

For most people, a registry lock is too much of a hassle. But if you’ve been a hacking target in the past or feel you have an elevated risk, it may be worth it. 

Ask About Additional Security Measures

You may not realize how many security features your registrar offers. Prince suggests that if you ask directly, you may be surprised. 

“If the ability to turn on additional security isn’t obvious, sometimes you have to actually request it from your registrar,” he said. “Almost every registrar today can give you additional security measures to put in place if you ask for it.”

You might want to consider setting up two factor authentication, a process in which your login requires not only a password, but another verifying factor. For example, if your registrar is GoDaddy, it can set up a system where the site texts a code to your cell phone that you must input before you can log in. Only the person who knows your password and is in possession of your cell phone can log in, (presumably just you).

Other measures include IP address dependent login, in which a user can only access your account from a particular IP address—for example, the one at your office.

“What you sacrifice with these alternate measures is flexibility and the ability to make quick changes to your account,” said Prince. “But if you’re a fast rising start-up, a media publication, or another a target more likely to be attacked, that’s the price to pay to protect online identity.”

Photo by Danny Oosterveer on Flickr