Hello Loren,

Tuesday, April 24, 2001, 8:51:05 PM, Loren Stocker wrote:

> Does anyone know how domains get hijacked? How do bad guys defeat the
> safeguards? How best to prevent this?

> This could happen to any one of us.

Without commenting on this specific case, because I do not know the
actual truths (which are hard to get from the victims who try and
paint themselves in the best possible light, understandably), I can
tell you how most of them happen these days.

The domain was previously registered with Network Solutions, most
likely.  And Network Solutions has a history going back MANY years of
being one of the most insecure companies on the Internet.  A company
who has been responsible for the virtual identities of millions of
companies and others around the world should be expected to hold
itself to the highest standards of security.

But NSI has never been one to do that.

Previously for 98% of domain registrants, it was possible to send an
email template to NSI and just change the "From" address in that email
to any one of the contacts' email addresses, and that easily, the
domain could be hijacked.  If the contact used a "non-regular" email
address, chances are they would never have received the notification
that a change had been processed until AFTER their website had been
redirected somewhere else, and then they would have to prove they
owned the domain and had been victimized.

NSI was made aware of this hole in their security many many years ago.
I previously wrote an article on it a couple years ago myself.  Yet
NSI did nothing to fix it, and when questioned by the media, they
blamed the customers for not reading the obscure help screens on the
website describing how to protect your contact handles so that
Mail-From security was not used.

Last year, NSI DID finally close this hole, by adding a step
requiring the contact to verify the change a second time in an email
containing a special code that was emailed to them in response to the
change request.  This effectively closed that security hole.

But it didn't stop the hijackings.

Now inventive criminals will use NSI's Fax Authorization system and
forge a fax on "company letterhead" which is not verified in any way
by NSI.  This process takes a little longer to work, but these
criminals are patient critters.  And instead of changing the
Nameservers, they simply change the Admin contact.

Then they transfer the domain to another registrar, and after the
transfer, they change all the contact and registrant info and the
nameservers.  By the time the company's website stops working, the
domain has already been hijacked and transferred.

The best defense?

Transfer EVERY single domain you or your customers have registered at
NSI to your OpenSRS account (or the MSP of your choice if you do not
have your own account) as quickly as possible.

Anyone who leaves their domains at NSI, for any reason, is leaving
their internet identity at risk.


-- 
Best regards,
 William                            mailto:[EMAIL PROTECTED]
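The two registrar policies William contrasts above, as an added simulation that is not part of this thread and not any registrar's real code: a "Mail-From" registrar applies a change whenever the template's From address matches the contact on file (so a forged From is enough), while the hardened registrar mails a random one-time code to the address of record, whoever sent the request, and applies nothing until that code comes back. All domain names, addresses and nameservers below are constructed placeholders.

```python
"""Constructed simulation of Mail-From vs. challenge-code change authorization.
Every name, address and nameserver here is made up for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Domain:
    name: str
    admin_email: str                       # contact of record at the registrar
    nameservers: list = field(default_factory=list)


@dataclass
class ChangeTemplate:
    """A change request as it arrives.  The From address is whatever the
    sender typed into the mail header, so by itself it proves nothing."""
    from_addr: str
    domain: str
    new_nameservers: list


class MailFromRegistrar:
    """Vulnerable policy: trust the From address of the template."""

    def __init__(self, domains):
        self.domains = {d.name: d for d in domains}

    def process(self, tpl: ChangeTemplate) -> bool:
        dom = self.domains[tpl.domain]
        if tpl.from_addr != dom.admin_email:
            return False
        dom.nameservers = list(tpl.new_nameservers)   # applied immediately
        return True


class ChallengeRegistrar:
    """Hardened policy: a template only opens a pending change.  A random
    one-time code is mailed to the contact of record (never to the From
    address), and the change is applied only when that code is returned."""

    def __init__(self, domains):
        self.domains = {d.name: d for d in domains}
        self.pending = {}      # code -> (domain name, requested nameservers)
        self.outbox = []       # simulated outgoing mail: (recipient, body)

    def request(self, tpl: ChangeTemplate) -> None:
        dom = self.domains[tpl.domain]
        code = secrets.token_urlsafe(24)               # unguessable, single-use
        self.pending[code] = (dom.name, list(tpl.new_nameservers))
        self.outbox.append((dom.admin_email,
                            f"To apply the change to {dom.name} reply with code {code}"))

    def confirm(self, code: str) -> bool:
        # Constant-time comparison against each pending code; pop on success
        # so a code cannot be replayed.
        for stored in list(self.pending):
            if hmac.compare_digest(stored.encode(), code.encode()):
                name, ns = self.pending.pop(stored)
                self.domains[name].nameservers = ns
                return True
        return False


def demo() -> dict:
    """Run one forged template through both policies and report what happened."""
    victim = "example-victim.test"                    # constructed
    contact = "admin@example-victim.test"             # constructed
    forged = ChangeTemplate(contact, victim, ["ns1.rogue.test"])  # forged From

    vuln = MailFromRegistrar([Domain(victim, contact, ["ns1.legit.test"])])
    hard = ChallengeRegistrar([Domain(victim, contact, ["ns1.legit.test"])])

    forgery_applied = vuln.process(forged)

    hard.request(forged)
    ns_after_request = list(hard.domains[victim].nameservers)
    recipient, body = hard.outbox[-1]
    # The sender never sees the mailed code; a random guess is all they have.
    guess_accepted = hard.confirm(secrets.token_urlsafe(24))
    # Only the contact of record, reading their own mailbox, can complete it.
    contact_confirm = hard.confirm(body.split()[-1])
    replay_accepted = hard.confirm(body.split()[-1])

    return {
        "mailfrom_applied_forgery": forgery_applied,
        "challenge_mailed_to": recipient,
        "nameservers_before_confirm": ns_after_request,
        "guess_accepted": guess_accepted,
        "contact_confirm_accepted": contact_confirm,
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the second round-trip is not that the code is secret from the registrar but that it is delivered to the address on file, so a spoofed From header buys the attacker nothing; it also gives the real contact an explicit chance to refuse a change they never asked for.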

