MIT hacked again, URLs redirected
MIT was hacked on Tuesday around noon, with MIT URLs redirecting to a webpage claiming credit for the attack in remembrance of Aaron Swartz.
As a result of the hack, people who tried to reach MIT over the Internet were redirected to the hacked Web page pictured here: http://goo.gl/kxdm1. The hack affected all names under mit.edu, including web.mit.edu, tech.mit.edu, etc.
The hack and subsequent outages were due to a compromise at EDUCAUSE, the registrar that provides information on all .EDU names. A registrar, which allows users to purchase domain names, also specifies the domain name system (DNS) servers for a domain, which convert domain names to IP addresses — needed to actually load the page.
Anyone trying to use DNS in other ways — for example, to send email to people at MIT — would also have been affected. The rogue servers did not accept email for MIT.EDU, but merely refused connections, so it is expected that mail sent during the outage will eventually be delivered, rather than being lost forever.
For approximately one hour, MIT’s DNS was redirected from internal servers to the company CloudFlare, where the hacker had configured the site to point to a page claiming credit for the attack.
People within the MIT network were not affected because they automatically use MIT’s own DNS servers, but outside MIT, viewers saw “R.I.P. Aaron Swartz, Hacked by grand wizard of Lulzsec, Sabu, God bless America, Down with Anonymous.” A chiptunes version of the National Anthem also played in the background.
This is not the first time MIT has been hacked since Swartz’ death. On Sunday, Jan. 13, MIT experienced a network outage due to a DoS attack. And on Saturday, Jan. 19, MIT’s email went down for 10 hours due to a “mail loop caused by a series of malformed email messages,” according to the MIT News Office.
During the attack, the EDUCAUSE registry servers provided the following: http://goo.gl/2LPW4. The name of the administrative contact for the domain was changed from MIT Network Operations to “I got owned,” and the name servers were changed to CloudFlare servers.
Although the root cause — the .edu information at the EDUCAUSE registrar — has now been corrected, there will still be residual problems for up to two days because information for .edu namespaces is cached for 48 hours.
Unlike previous attacks, which temporarily disabled some services, this attack had the potential to be much more severe. A more calculated hacker could have intercepted email messages intended for anyone at the MIT.edu domain, including all alumni who use alum.mit.edu email addresses.
MIT spokeswoman Kimberly C. Allen said that Information Services & Technology became aware of an issue affecting mit.edu domain registration at 11:58 a.m. this morning. “IS&T was made aware of the problem via automated email from the domain registrar to MIT indicating that MIT’s Domain Name Servers (DNS) had been changed. MIT’s domain rights and the mit.edu domain were returned to MIT’s control at 1:05 p.m.”
Around 4:20 p.m., CloudFlare updated their DNS records to mirror MIT.
John A. Hawkinson provided reporting.
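The registrar-level change and the automated notice described above suggest a check a domain owner can also run independently. The following is an added example, not code from MIT, EDUCAUSE or this article: it compares a registry record against a known-good baseline, flags name-server or administrative-contact changes, and computes when cached copies of a bad delegation expire. The record layout, the `campus.example` names and the function names are assumptions constructed for illustration; the 48-hour default is the cache lifetime the article reports.

```python
from datetime import datetime, timedelta

# Constructed, simplified registry records (assumed layout, not real registry output).
BASELINE = """\
Domain Name: CAMPUS.EXAMPLE
Administrative Contact:
    Campus Network Operations
Name Servers:
    NS1.CAMPUS.EXAMPLE
    NS2.CAMPUS.EXAMPLE
"""
TAMPERED = """\
Domain Name: CAMPUS.EXAMPLE
Administrative Contact:
    I got owned
Name Servers:
    NS1.THIRD-PARTY.EXAMPLE
    NS2.THIRD-PARTY.EXAMPLE
"""

def parse_record(text):
    """Map each 'Header:' line to its inline value plus the indented lines under it."""
    record, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and section:
            record[section].append(line.strip())
        elif not line[0].isspace():
            section, _, value = line.partition(":")
            record[section] = [value.strip()] if value.strip() else []
    return record

def delegation_drift(baseline_text, current_text):
    """Return (field, current, expected) tuples for fields that differ from the baseline."""
    base, cur = parse_record(baseline_text), parse_record(current_text)
    findings = []
    for field in ("Name Servers", "Administrative Contact"):
        # Host names are case-insensitive; compare as sorted lower-case lists.
        want = sorted(v.lower() for v in base.get(field, []))
        have = sorted(v.lower() for v in cur.get(field, []))
        if have != want:
            findings.append((field, have, want))
    return findings

def cache_clear_time(corrected_at, ttl_hours=48):
    """Latest time a resolver that cached the bad delegation can keep serving it."""
    return corrected_at + timedelta(hours=ttl_hours)
```

Run on a schedule against a freshly fetched record, a check like this gives the domain owner a second signal alongside the registrar's notification email.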