Yesterday, the DNS records of The New York Times and Twitter were hijacked by Syrian hackers loyal to President Assad's regime. The attack was a phishing campaign against Melbourne IT, the companies' DNS registrar: an unwitting employee opened an email carrying a Trojan, which stole his credentials.
What is interesting is that Melbourne IT appears to have been fairly careless about its own security: the XSSed database lists several cross-site scripting vulnerabilities reported against it that have gone unfixed for two years.
This is yet more proof that the security product industry is fundamentally flawed: it focuses on the wrong things. Security awareness should be at the top of the agenda for every company, instead of investing millions of dollars in useless vulnerability scanners. Secondly, companies focus on protecting themselves but do not enforce any security standards on the third parties they deal with.
More information is in an article in the Huffington Post where I was quoted:
Such an attack happens often and is not very sophisticated, experts say. "What they did was pretty simplistic," said Aleksandr Yampolskiy, a security expert and chief technology officer at Cinchcast, a webcasting provider. "But what’s scary is if they were smarter they could have done more damage."
For example, the hackers could have redirected visitors to The New York Times to another website that installed malicious software on users' computers, Yampolskiy said.
Dr. Aleksandr Yampolskiy is CEO of SecurityScorecard, a stealth information security startup. Before this, he was CTO of BlogTalkRadio/Cinchcast, the largest online radio network in the world, and prior to that he was Head of Security and Compliance at Gilt Groupe companies, responsible for all aspects of IT infrastructure security, secure application development, and PCI compliance. He has also worked at Goldman Sachs, Oracle, and Microsoft, where he was a lead technologist building large-scale, performant enterprise software focused on IDM, SSO, authentication and authorization. He has been cited in The New York Times, ComputerWorld, the Observer, and other media. He is a published author and speaks regularly on security and software development processes.