Telecom and Logistics Associates 

Security News Service: TLAnews

Publication: Christian ALT, TLAalert Security Service

5.6.2000 Security: Domain Hijacking
In spite of a recent May 5th U.S. district court decision which declared that domain names are not property and hence cannot be "stolen," domain thieves last weekend successfully hijacked two domains (and the web sites behind them) from their rightful owners.

In French (translated): Domain name hijacking
Following a ruling by a US court that declared domain names are not property and therefore cannot be "stolen", domain thieves still managed last weekend to take two domains away from their owners.

English version

Domain owners, be careful

The theft highlights the security issues surrounding domain names, particularly the authorization schemes that are in place to protect domain owners.

What happened is this: on May 29 an individual contacted Network Solutions Inc. (NetSol) and asked it to change the contact name and the DNS settings (the name server entries that determine which hosts the domains resolve to, and so where their web and mail traffic goes) for web.net and bali.com. Web Networks contends that Network Solutions made the changes without receiving its authorization, either electronically or by phone. Network Solutions counters that Web Networks' domain, web.net, was protected only by the lowest security level, known as "MAIL-FROM."

MAIL-FROM authentication accepts a change request if it arrives in an email whose From address is one of the contacts listed in the domain's whois record. The From header of an email is set by whoever sends the message and is not verified by the receiving mail system, so anyone who can read the (public) whois record can forge a request that passes this check.

Summary (translated from French)

Domain owners, be careful

A domain name hijacking consists of taking over the rights to a domain. In this case an individual forged a request to modify a domain's registration record. The registrar let itself be fooled and did not react. The consequence is that all access to the original site stops: no more mail, no more web, no resource can be reached from the Internet any longer.

The usurper can then recreate a site as he sees fit.

In the registrar's defence, the site had not protected its registration with all the means available. In fact, an email coming from an authorized person (one defined in the whois record) of the original site was enough for the modifications to be accepted.
Be warned: many sites are in this situation.

Guardian is a more recent form of domain registration and modification, which requires confirmation from authorized persons before any modification.

The Network Solutions FAQ describes Guardian, the scheme that adds this confirmation step, as follows:

Guardian was created to help protect your domain name registration, contact record and host record from unauthorized changes. If we receive a Service Agreement, Contact Form or Host Form from a source other than the administrative or the technical contact/agent, we will seek confirmation of the change from both of these contacts.

We will notify the administrative and technical contacts that a request to make a change has been received. It is then the responsibility of one of these contacts to acknowledge that the request is valid by replying "ACK" or "YES" to the notification.

If we do not receive any acknowledgement, or if we are notified that the request is not valid, we will not make the change. The administrative or technical contact should reply "NAK" or "NO" to the notification if he does not want the change to be processed.
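The two authorization schemes described above, MAIL-FROM and the Guardian ACK/NAK flow from the FAQ, played out in a short Python simulation. This is an added example, not code from Network Solutions or from this article; example.net, every address and name server, and the email texts are constructed for the demo (example.net stands in for web.net). The third scenario reproduces the situation the article reports further down, where the thief has written himself in as every contact, so that the registrar's confirmation mail goes to him.

```python
# Added example, not Network Solutions code: a simulation of the MAIL-FROM check
# and of the Guardian ACK/NAK flow as the NSI FAQ describes it. Domain, addresses
# and email texts are constructed for the demo (example.net stands in for web.net).
import email.utils
from email import message_from_string
from itertools import count

ORIGINAL_RECORD = {                      # constructed whois-style record, pre-attack
    "admin": "admin@example.net",
    "tech": "hostmaster@example.net",
    "nameservers": ["ns1.example.net", "ns2.example.net"],
}
ATTACKER_CHANGE = {                      # new nameservers, thief as every contact
    "admin": "thief@attacker.example",
    "tech": "thief@attacker.example",
    "nameservers": ["ns1.attacker.example", "ns2.attacker.example"],
}
# Constructed request whose From: header is forged to match the admin contact;
# nothing in the message proves the sender controls that mailbox.
SPOOFED_REQUEST = "From: admin@example.net\nReply-To: thief@attacker.example\n\nMODIFY example.net\n"

def sender_of(raw_email):
    """The address MAIL-FROM trusts: the From: header, which the sender sets freely."""
    msg = message_from_string(raw_email)
    return email.utils.parseaddr(msg.get("From", ""))[1].lower()

def contacts(record):
    return {record["admin"].lower(), record["tech"].lower()}

def mailfrom_authorize(record, raw_email):
    """MAIL-FROM: honour the request if From: names a listed contact."""
    return sender_of(raw_email) in contacts(record)

class GuardianRegistrar:
    """Guardian as the FAQ describes it: a request from a source other than the
    admin/tech contact is held, both contacts are notified, and the change is
    applied only if one of them replies ACK/YES. NAK/NO or silence: no change."""

    def __init__(self):
        self.pending = {}                # ticket -> (record, change)
        self.outbox = []                 # (recipient, ticket) notifications "sent"
        self._tickets = count(1)

    def submit(self, record, raw_email, change):
        if sender_of(raw_email) in contacts(record):
            record.update(change)        # FAQ describes no challenge here: MAIL-FROM strength
            return "applied"
        ticket = f"T{next(self._tickets)}"
        self.pending[ticket] = (record, change)
        self.outbox += [(record["admin"], ticket), (record["tech"], ticket)]
        return ticket

    def reply(self, ticket, from_addr, body):
        """Reply to a notification; only the contacts on record count."""
        record, change = self.pending[ticket]
        if from_addr.lower() not in contacts(record):
            return "ignored"
        word = body.split()[0].upper() if body.split() else ""
        if word in ("ACK", "YES"):
            record.update(change)
            del self.pending[ticket]
            return "applied"
        if word in ("NAK", "NO"):
            del self.pending[ticket]
            return "rejected"
        return "ignored"

    def expire(self, ticket):            # no acknowledgement arrived: no change
        self.pending.pop(ticket, None)
        return "rejected"

def scenario_mailfrom():
    """Forged From: passes MAIL-FROM and the domain is redirected."""
    record = dict(ORIGINAL_RECORD)
    if mailfrom_authorize(record, SPOOFED_REQUEST):
        record.update(ATTACKER_CHANGE)
    return record

def scenario_guardian_unacknowledged():
    """A request from a non-contact is held; the thief's own ACK is ignored and
    without an ACK from a real contact the record stays as it was."""
    reg, record = GuardianRegistrar(), dict(ORIGINAL_RECORD)
    ticket = reg.submit(record, "From: thief@attacker.example\n\nMODIFY\n", ATTACKER_CHANGE)
    notified = sorted({to for to, t in reg.outbox if t == ticket})
    thief_ack = reg.reply(ticket, "thief@attacker.example", "ACK")
    return thief_ack, reg.expire(ticket), notified, record["nameservers"]

def scenario_guardian_lockin():
    """After the hijack has replaced the contacts, the owner's request to restore
    the record comes 'from a source other than the contacts': the confirmation
    goes to the thief, who NAKs it (the position the article describes)."""
    reg, record = GuardianRegistrar(), dict(ORIGINAL_RECORD)
    record.update(ATTACKER_CHANGE)       # state after a successful MAIL-FROM hijack
    ticket = reg.submit(record, "From: admin@example.net\n\nRESTORE\n", dict(ORIGINAL_RECORD))
    notified = sorted({to for to, t in reg.outbox if t == ticket})
    outcome = reg.reply(ticket, "thief@attacker.example", "NAK")
    return outcome, notified, record["nameservers"]
```

Two things the simulation makes visible. First, the FAQ text triggers the confirmation only for a request "from a source other than the administrative or the technical contact"; if that source is judged from the From header, a forged From is exactly the case the extra step does not cover, which is why the Guardian path here accepts a matching From just as MAIL-FROM does. Second, the confirmation is addressed to whoever is on record at the time of the request, so once a hijacker has replaced the contacts the scheme protects him against the real owner, which is the "impossible to correct" position the article goes on to describe.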

Web Networks contends that the e-mail requesting the changes to their domain did not originate from them, and that they did not provide the required authorization to make the changes.

Network Solutions told InternetNews.com that the e-mail requesting the changes was "spoofed" by the thief, making it appear to have originated from Web Networks, and that the company was acting in good faith.

On Tuesday evening, a representative from Network Solutions confirmed to Web Networks that all of the changes to the DNS entries would be reverted to the original web.net settings, but as of Wednesday the 31st the domain had not been restored.

On Friday, NSI Vice President of Corporate Communications Chris Clough confirmed that the company had made the domain transfer and later learned it was fraudulent. Clough indicated that NSI had contacted TUCOWS, the original registrar for the domain, about the request on Tuesday, and that after realizing the fraudulent nature of the change request it has continued to work with TUCOWS to find the "best method of handling the return to Web Networks."

Web Networks also spoke with Network Solutions staff, who suggested that the thief had changed the domain record to name himself as technical contact, making it "impossible" for Web Networks to correct these changes, even with the required legal documentation: the contacts on record are the ones the registrar consults to authorize further changes, and those contacts were now the thief's. Network Solutions suggested that the procedure could take some time, and that they would speak to their Investigations Unit immediately to resolve the issue.

Network Solutions told InternetNews.com that they consider this a serious offense, agreeing that "the unauthorized transfer of a domain name and the apparent fraud committed is a criminal act. Network Solutions is in the process of notifying all the appropriate authorities so that they can conduct a thorough investigation."

The whois record showed the site with the alleged thief, going by the name of Billy Tandoko, registered as administrative contact, technical contact, zone contact and billing contact for the domain. Network Solutions is still waiting to hear back from TUCOWS about what they intend to do to correct the fraudulent domain name transfer. TUCOWS did not respond to calls from InternetNews for additional details.

Network Solutions' spokesman Brian O'Shaughnessy stated, "It happens to names of some merit rather than names of no merit," indicating that Network Solutions handles up to 30,000 database changes every day. "That's an incredible amount of volume, and in some cases the request is sent out to the rightful owner and his response may get caught up in that". Domain owners should keep all this in mind when they set up the authentication level for their domains in the future.

Copyright © [Telecom and Logistics Associates Sàrl]. All rights reserved.
Revised: June 5, 2000.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.