The takedown of the New York Times website for nearly two days this week exposed how easily computer hackers can exploit the internet’s Achilles’ heel.
As the website was being restored Wednesday, the tech industry scurried to assess the high-profile cyberattack and weigh what measures could be taken to prevent a similar breach.
In the past two years, a growing number of companies with a significant presence on the web have had to bolster their defenses to make up for security gaps that were not considered a problem when the internet was created.
But as online attacks escalate in severity and visibility, high-profile targets, whose digital presences often span the globe, have struggled to spot and repair every vulnerability.
The latest cyberattack on the nation’s second-largest newspaper highlighted two well-known problems: a reliance on usernames and passwords that can be easily stolen; and reliance on an unsecure directory that’s crucial to delivering the right content after a user enters a web address in an internet browser.
Hackers, in the New York Times case, got their hands on a username and password that allowed them to edit the directory information for the newspaper’s web address. As a result of the edits, readers that typed in “nytimes.com” were directed to the hacker group’s website before it was shut down. Readers saw an error message.
Though the newspaper re-edited the directory late Tuesday, several hours after the hack, readers continued to see error messages.
That’s because it took just as long for the fix to start restoring the site as the amount of time it was down.
The master copy of the directory with the newspaper’s information is held by a company based in Australia. Internet service providers such as Time Warner, Comcast and AT&T use temporary copies of the directories to make websites load faster, because accessing the master copies, typically in far-flung data centers, takes time. Their copies took hours to be updated with the fix.
Computer-security experts warned that as these attacks grow more common, internet users should keep away from websites experiencing technical difficulties until an all-clear is issued. The New York Times, for example, said on Facebook and Twitter that users seeing error messages should visit http://news.nytco.com instead.
“If you see something busy or unavailable, close your browser and wait a bit,” said H.D. Moore, chief research officer for cybersecurity firm Rapid7. “Really, it should be a wake-up call that things are still fragile on the internet.”
Still, Moore said the response by the technology community to resolve Tuesday’s issues offered a bit of relief.
Computer-security analysts traced the takedown to domain name registrar Melbourne IT, the Australian company that keeps the master copy of the New York Times’ entry in the internet catalog. Historically, Melbourne IT and U.S.-based registrar MarkMonitor have been valued by large technology firms for top-notch security and reliability.
“These registrars have an impressive amount of power,” said Jaeson Schultz, a threat research engineer for Cisco Systems. “They are a central management point, and if you’re an attacker, that’s a juicy target.”
Someone affiliated with Melbourne IT was tricked by an email from a fraudster, the company said. Following instructions in the email, at least one person divulged a username or password. Hackers used that information to access a Melbourne IT website that allowed them to redirect visitors trying to see newspaper articles.
Those visitors could have ended up on a website that exposed their computers to viruses, which is why experts suggest staying away from “hacked” websites.
“Everyone’s gut reaction is, ‘Let me see if it’s broken,’ or, ‘Let me see if it’s not working on my machine,’ ” said Todd Redfoot, chief information security officer for GoDaddy, a Melbourne IT competitor.
The Syrian Electronic Army hacking group claimed responsibility for the attack. The group said on Twitter that it had wanted to deliver an “anti-war message” to visitors of NYTimes.com, and call attention to “lies” the newspaper had reported about the Syrian government.
With 30 million visitors a month, the newspaper’s website stood out as a potential global megaphone for the hackers.
They also tried to disrupt other websites. But they didn’t succeed at that, because unlike the New York Times, those websites had enabled a feature that required additional authorizations to make changes.
GoDaddy’s Redfoot said that the increasing exposure of cyberattacks is driving the development of more secure browsers, websites and internet infrastructure. Yet challenges remain.
Redfoot advised internet users to be just as aware of their surroundings online as when they are walking around outside. He said it’s never safe to trust instructions in an email or quickly click on links without double-checking their validity elsewhere online or offline.
“We’re a little too comfortable when we’re clicking shiny buttons on our computers,” he said.