
MIT hacked again, URLs redirected

[Image] A screenshot of MIT’s EDUCAUSE Whois database record from Tuesday, January 22. The name of the administrative contact for the domain was changed from MIT Network Operations to “I got owned,” and the name servers were changed to CloudFlare servers.

[Image] A screenshot of mit.edu from Tuesday, January 22, after hackers redirected MIT’s home page in the name of Aaron Swartz.

MIT was hacked on Tuesday around noon, with MIT URLs redirecting to a webpage claiming credit for the attack in remembrance of Aaron Swartz.

As a result of the hack, people who tried to reach MIT over the Internet were redirected to the hacked Web page pictured here: http://goo.gl/kxdm1. The hack affected all names under mit.edu, including web.mit.edu, tech.mit.edu, etc.

The hack and subsequent outages were due to a compromise at EDUCAUSE, the registrar that provides information on all .EDU names. A registrar, which allows users to purchase domain names, also records which domain name system (DNS) servers are authoritative for a domain; those servers convert domain names to IP addresses — needed to actually load the page.

Anyone trying to use DNS in other ways — for example, to send email to people at MIT — would also have been affected. The rogue servers did not accept email for MIT.EDU, but merely refused connections, so it is expected that mail sent during the outage will eventually be delivered, rather than being lost forever.

For approximately one hour, MIT’s DNS was redirected from internal servers to the company CloudFlare, where the hacker had configured the site to point to a page claiming credit for the attack.

People within the MIT network were not affected because they automatically use MIT’s own DNS servers, but outside MIT, viewers saw “R.I.P. Aaron Swartz, Hacked by grand wizard of Lulzsec, Sabu, God bless America, Down with Anonymous.” A chiptunes version of the National Anthem also played in the background.

This is not the first time MIT has been hacked since Swartz’ death. On Sunday, Jan. 13, MIT experienced a network outage due to a DoS attack. And on Saturday, Jan. 19, MIT’s email went down for 10 hours due to a “mail loop caused by a series of malformed email messages,” according to the MIT News Office.

During the attack, the EDUCAUSE registry servers provided the following: http://goo.gl/2LPW4. The name of the administrative contact for the domain was changed from MIT Network Operations to “I got owned,” and the name servers were changed to CloudFlare servers.

Although the root cause — the .edu information at the EDUCAUSE registrar — has now been corrected, there will still be residual problems for up to two days because information for .edu namespaces is cached for 48 hours.

Unlike previous attacks, which temporarily disabled some services, this attack had the potential to be much more severe. A more calculated hacker could have intercepted email messages intended for anyone at the MIT.edu domain, including all alumni who use alum.mit.edu email addresses.
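The two preceding paragraphs describe the mechanism: a registrar-level change to a domain's NS records redirects web traffic, the same change can reroute mail (MX), and cached copies of the bad records linger for as long as their TTL allows. The following is an added example, not code from The Tech or from MIT IS&T, showing the check a domain owner can run against such a change: compare an observed NS/MX record set against an expected baseline and compute how long stale answers could still be served after the fix. All domain names, hosts and TTLs below are constructed for illustration and are not MIT's real records.

```python
"""Baseline comparison for a domain's delegation (NS) and mail routing (MX).

Added example, not the newspaper's or MIT's code. The observed record sets
are constructed; in practice they would come from querying the parent zone's
authoritative servers (e.g. with dig) on a schedule.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RRSet:
    rtype: str        # "NS" or "MX"
    hosts: frozenset  # normalized hostnames
    ttl: int          # seconds a resolver may cache this answer


def rrset(rtype, hosts, ttl):
    # DNS names are case-insensitive and the trailing dot is optional,
    # so normalize before comparing.
    return RRSet(rtype, frozenset(h.lower().rstrip(".") for h in hosts), ttl)


# Constructed baseline: what the domain owner expects the registry to publish.
BASELINE = {
    "NS": rrset("NS", ["ns1.example.edu.", "ns2.example.edu."], 3600),
    "MX": rrset("MX", ["mailhost.example.edu."], 3600),
}

# Constructed observation resembling the incident described above: both the
# delegation and the mail exchanger replaced, published with a one-day TTL.
OBSERVED_DURING_INCIDENT = {
    "NS": rrset("NS", ["NS-A.hosting.example", "ns-b.hosting.example"], 86400),
    "MX": rrset("MX", ["mail.example.edu"], 86400),
}


def compare(baseline, observed):
    """Return a list of findings; an empty list means every record set matches."""
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype)
        if seen is None:
            findings.append({"rtype": rtype, "problem": "missing",
                             "added": set(), "removed": set(expected.hosts)})
            continue
        added = seen.hosts - expected.hosts
        removed = expected.hosts - seen.hosts
        if added or removed:
            findings.append({"rtype": rtype, "problem": "changed",
                             "added": added, "removed": removed, "ttl": seen.ttl})
    return findings


def residual_exposure(fixed_at, findings):
    """Latest moment a resolver that cached a bad answer just before the
    registry fix could still serve it: fix time plus the largest bad TTL."""
    ttl = max((f.get("ttl", 0) for f in findings), default=0)
    return fixed_at + timedelta(seconds=ttl)


if __name__ == "__main__":
    found = compare(BASELINE, OBSERVED_DURING_INCIDENT)
    for f in found:
        print(f["rtype"], f["problem"], "added:", sorted(f["added"]),
              "removed:", sorted(f["removed"]))
    fixed = datetime(2013, 1, 22, 16, 20)  # constructed fix time
    print("stale answers possible until", residual_exposure(fixed, found))
```

Run on a schedule and alert on any non-empty result; the comparison is against the owner's own baseline rather than against whatever the registry currently says, which is exactly the signal the registrar's automated "your name servers changed" email gave IS&T in this incident.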

MIT spokeswoman Kimberly C. Allen said that Information Services & Technology became aware of an issue affecting mit.edu domain registration at 11:58 a.m. Tuesday. “IS&T was made aware of the problem via automated email from the domain registrar to MIT indicating that MIT’s Domain Name Servers (DNS) had been changed. MIT’s domain rights and the mit.edu domain were returned to MIT’s control at 1:05 p.m.”

Around 4:20 p.m., CloudFlare updated their DNS records to mirror MIT.

John A. Hawkinson provided reporting.

5 Comments
1
Anonymous about 11 years ago

Now the question is: was EDUCAUSE compromised/pwned, or was one of the MIT domain admins' accounts compromised? Either way, looks pretty shoddy. I hope it was an EDUCAUSE issue rather than a weak password or, more seriously, a hack of an MIT domain admin.

2
Benjamin O'Connor about 11 years ago

I think it's very disingenuous to call any of this "hacking." MIT's DNS registrar (educause) was somehow fooled into changing MIT's DNS records to point elsewhere.

In my experience investigating and preventing these occurrences this is always because of a weak administrator's or engineer's password, lack of two-factor authentication, and a lack of protection of the domain with the registrar itself.

This isn't being "hacked" so much as it's just a case of doing a poor job of running a network and systems infrastructure.

3
Anonymous about 11 years ago

Of course, the change back at 4:20pm won't matter much since all those bad values propagated with a 1 day TTL. People (and mail) could be being directed (bounced) until 4 tomorrow potentially. There wasn't much mention beyond the http URL redirection, but it should also be brought up that MX records were also changed to point to 'mail.mit.edu'. At this time, mail.mit.edu does not exist, so mail to mit.edu addresses on any server that has a name server caching the bad value is going to bounce.

(Maybe someone in the MIT noc should consider setting up a cname for mail.mit.edu to point to the DMZ-MAILSEC-SCANNER-#.mit.edu systems...)

4
TibitXimer about 11 years ago

Maybe if you guys didn't hate on everyone that tries to tell you about a vulnerability, you'd get more help. Anyway, glad I could be of assistance.

http://www.zdnet.com/mit-website-hacked-over-aaron-swartz-a-second-time-7000010148/

5
David about 11 years ago

Anyone know where I can find a mirror?

I want to hear the chiptunes star spangled banner :(