Yahoo!, Moniker: why is Mowjcamp.com still offline 6 weeks after hack attack?

UPDATE. Mowjcamp.com is back up! Friends at EFF were able to broker a conversation between Yahoo, Moniker, Melbourne IT and Access Now. The situation is complicated, and I’m still trying to understand the details of the resolution, but it’s fantastic news that the site is back up. Special thanks to friends at Yahoo! who ended up taking the brunt of the criticism for the downtime. That wasn’t fair, and was in part my fault for not understanding everyone’s role in the situation. Yahoo! worked extremely hard to resolve the situation after being called out and deserve special thanks for their hard work, as does everyone who took action to get this important site back online.

Twitter users may remember recent downtime for the microblogging site that didn’t involve the familiar fail whale. For a couple of hours on December 17th, 2009, Twitter’s home page was replaced with a picture of a green flag and the message “This site has been hacked by the Iranian Cyber Army”. Twitter’s administrators explained that their domain name records had been “temporarily compromised”, pointing the twitter.com domain to a rogue site rather than to Twitter’s servers. Chinese search engine Baidu was hit with a similar attack on January 12th, also by the Iranian Cyber Army, and regained control of their site within four hours.

Screenshot of hacked mowjcamp.com site by Josh Self, cc.

It’s one thing to recover from this sort of political cyberattack when you’re a well-financed company and something entirely different when you’re a volunteer-run alternative news site. Mowjcamp.com, a popular citizen media site associated with Iran’s green movement, was hijacked the same day as Twitter, by the same attackers, using similar techniques. (A blog post from activist Austin Heap explains that the techniques were probably not identical, which may explain why it’s been harder to restore Mowjcamp.) It’s still down six weeks later. The story behind their struggle to get back online shows how vulnerable the internet is to this new form of attack and how disruptive it can be for a small, grassroots organization.

Mowjcamp has been a major channel for disseminating news and video from the Iranian green movement. Their YouTube channel, filled with videos from university protests, gives a sense for their content, and their English-language site has become a critical resource for journalists covering Iran’s protests. While Mowjcamp is now accessible online in Farsi at mowjcamp.ws, mowjcamp.com, .org and .net remain in limbo, resolving to a NameDrive.com domain parking page.

I’ve been in regular contact with the administrators of Mowjcamp as they’ve tried to regain control of their site. For six weeks, they’ve been getting the runaround from Yahoo! (where they’d originally registered the domain names) and Moniker (where the hackers moved control of the domain name). Yahoo has been informed that the site was illegally moved by hackers who managed to access a Yahoo Mail account and authorize a transfer to Moniker – they’ve told the site administrators that there’s nothing they can do, and the problem’s in Moniker’s hands. Moniker, in turn, tells the administrators that they’ve responded to Yahoo, which will resolve their problem. In the meantime, the site continues to be inaccessible from the URLs by which it is most widely known. (Yes, I’ve contacted friends within Yahoo! So have many other well-connected friends, who’ve put pressure on Moniker as well. That I’m complaining in this blogpost shows just how successful we’ve been so far going directly to the companies involved.)

AccessNow, an online free speech organization born in the aftermath of the 2009 Iranian election, has been working on behalf of Mowjcamp admins to regain control of their domain. (Some of the Mowjcamp administrators are in Iran – some are not. Those in Iran are at constant risk of arrest, which explains their need to remain anonymous and seek help from groups like AccessNow.) I traded email this weekend with Brett Solomon, Executive Director of AccessNow, who explains his frustration with the situation: “The system is clearly broken when multi-million dollar enterprises like Twitter and Baidu can retrieve their sites in a matter of hours, and yet we have been trying to get mowjcamp.org back for more 6 weeks now. We keep getting stonewalled despite the vital role the site plays for the Green Movement in Iran.”

When the “Iranian Cyber Army” attacked Twitter, they embarrassed a prominent technology company and made a striking political statement about the company’s apparent support for the Iranian opposition. (You may remember that the US State Department asked Twitter to delay maintenance to keep the service accessible in Iran during post-election protests.) But ICA’s attack on Mowjcamp is different – it’s a denial of service attack by bureaucracy.

I spoke last week with a Mowjcamp admin who explained that their site has been under near-constant attack for months. They’ve moved the site to Amazon Web Services machines so they can better fend off distributed denial of service attacks. The irony is that the attack that crippled Mowjcamp is far less technical than a DDOS – attackers compromised a webmail account which allowed them to intercept DNS control panel login information and issue an authorization code to move the site. The admin I spoke with tells me that attackers evidently attempted a move half a dozen times before they were successful in hijacking the Mowjcamp domains.

When Twitter was hijacked using similar means, it was easy for Twitter to prove to registrars that they were the legitimate owners of the domain names. That the Mowjcamp administrators are still struggling to regain their domain is evidence that the system doesn’t work for ordinary users, though it clearly accommodates prominent corporations. The hijackers may not have expected their hack to work for more than a few hours. That it remains unresolved six weeks later shows that the system isn’t prepared to handle the phenomenon of political domain name hijacking. Perhaps the dispute resolution process that Mowjcamp, Yahoo! and Moniker is going through will eventually give Mowjcamp control of their site. But the time the process has taken is crippling for a site releasing timely political information. Given the success of this attack, it’s a template for this same sort of harassment against political campaign sites, protest movements and citizen newsrooms – any site that needs to release information in a timely fashion.

At Berkman, we’ve been studying internet censorship for several years, focusing primarily on state-level internet filtering. We’re now seeing a rise in other forms of censorship, attacks that attempt to make websites inaccessible everywhere, not just from within a repressive state. These attacks use DDOS to make sites inaccessible, social engineering attacks to spearfish for critical information, and legal threats to encourage hosting providers to exile targeted websites. It’s been difficult to determine if these new attacks are sponsored by government entities or carried out by nationalist hackers acting independently of the government. In either case, these attacks appear to be on the rise, and Mowjcamp’s experience suggests that they can be devastatingly successful.

What could we do to fend off these sorts of attacks? Everyone running a human rights site needs to double check their security precautions. Ensure your domain is locked at your registrar. Make absolutely sure that no one else is accessing your webmail (check login records to see that no unfamiliar IPs have accessed your account.) Avoid cascading failures by removing login information for other sites from your webmail mailbox. Use strong passwords, and different passwords for different online services.

But there are steps the web community could take as well. If domain name hijacking becomes a common form of attack, groups like Mowjcamp will need help navigating bureaucracy and undoing the damage. The State Department has had a great deal to say about Internet Freedom in the past weeks – perhaps someone at State should be available to groups like Mowjcamp to help them work through bureaucratic red tape when they experience situations like this one. Companies like Yahoo! have made commitments to freedom of expression through their participation in efforts like the Global Network Initiative – perhaps they could back up their commitment to free speech principles by providing a prominent human rights group with some actual customer service? Maybe Yahoo! and other providers need a team that can respond to complex situations like this one and treat them as something other than routine customer service matters?

Mowjcamp’s situation is aggravated by US Treasury regulations that make it extremely difficult for Iranians (and citizens of a handful of other nations) to do business with US companies online. While Mowjcamp wanted to use US servers to host their politically sensitive content, the administrators living in Iran couldn’t directly register their site due to these Treasury restrictions. As a result, the Mowjcamp team is working through intermediaries rather that interacting directly to solve this problem. If Secretary Clinton wants to “to put these tools in the hands of people who will use them to advance democracy and human rights”, perhaps she could start by making it legal for Iranian dissidents to register and host sites in the United States. And if she were looking for a tangible way to make good on her rhetoric, perhaps her team at State could lend a hand to the people at Mowjcamp.