Slashdot Mirror


How Secure is Your Domain Registration?

Matthew Enger writes "An article on dnspolicy.net has underlined some important concerns with domain registrations through Network Solutions. It discusses concerns with the standard security method used (MAIL-FROM) as well as how easy it is for people to hijack your domain." It's 11 o'clock - do you know where your domain name is?

27 of 137 comments

  1. A funny thing about the PGP option... by Pathwalker · · Score: 2

    I've been using PGP authentication for all of the domains I am the technical contact for.
    One day I sent in a request which I forgot to sign (I mailed the plaintext, rather than the signed copy).
    The changes went through anyway.

  2. Netsol == ~security by Frodo · · Score: 2

    Forget about MAIL-FROM. I have a letter with confirmation from Netsol, that has another letter, from another person (with CRYPT-PW scheme), chained to my letter by Netsol. They just sent me a confirmation "this is the letter you've sent us" and got another person's letter in along with mine. With password, name, ID, everything. If I wanted, I just could go and take over this innocent person's handle and wreak havoc. I wonder how many letters of others *my* information got chained to...

    And you have nothing to do - Netsol still controls the process, and the cost of moving is too high. And nobody there seems to care.

    --
    -- Si hoc legere scis nimium eruditionis habes.
  3. The Bugtraq discussion on the issue by simpleguy · · Score: 2

    For those of you who might be interested.
    There was a discussion about this issue on Bugtraq in January 2000. Read it from www2.merton.ox.ac.uk/~security/bugtraq-200001/0148.html

  4. Re:Grits?! by Windigo+The+Feral+(N · · Score: 2

    Trifthen dun said:

    You don't have grits in the UK? I find that hard to believe.

    I don't find it hard to believe at all. Hell, there are parts of the United States that don't have grits (like, oh, rural Ohio until fairly recently). I figured that grits were a Southern thing, kinda like being served cornmeal with breakfast, or biscuits (note to UK readers-- not biscuits like you have with tea--American biscuits are closer to a cross between scones and dinner rolls, basically like a flaky wheat-cake; UK biscuits are what we call cookies :)

    Odd bit of trivia, though--there is a sort of "grits/biscuits" line. Above this line, you're going to probably get toast with breakfast and, if you get anything cereal-like at all, it'll be oatmeal or "cream-of-wheat"; below this line, you are liable to get biscuits and grits with breakfast whether you wanted them or not. :) (Kentucky is around the start of the "grits zone", and the "okra zone" too [you CANNOT find okra up north to save your life--I know, I've tried :P]. Needless to say, I've some experience with this.)

    I have to say that I've NEVER heard of ham in grits, though. I'm more used to the ham being a fried country-ham steak. :) The stuff isn't too bad with sugar or butter, though, not to mention egg yolks (for that matter, (American) biscuits are good for sopping up egg yolks too :). Poached eggs aren't real common here, either (I've heard they are up north)--here, you will get them scrambled or fried. (Yes, it is true what you've heard about American breakfasts, especially the traditional Southern breakfast, causing instant heart attacks in people who aren't used to them. :)

    --
    -Windigo The Feral (NYAR!)
  5. Re:Different NSI problem by Windigo+The+Feral+(N · · Score: 3

    Gil Bates dun said:

    A notary public is not a lawyer, but a person who is certified to verify your signature on a legal document. Just go to the nearest branch office of your local bank. They will have one or more notaries public on staff. You will need to bring the document you are signing and one or more pieces of photo ID. They will verify you are who you say you are, watch you sign, then place their stamp on the document verifying your signature. No big deal, and it won't cost you anything other than your time.

    Actually, this varies from state to state. In some states, notary republics have to undergo special certification (usually because, in those states, notaries can have powers up and beyond just certification of signatures--in some states, for instance, notaries can legally perform weddings).

    Also, notarisation being free ALSO varies between states; in Kentucky, for instance, getting a notary to certify something is most certainly not free (it usually costs around $50, in fact; I happen to know a notary, which is how I know this). Also, banks may or may not have notaries for this reason (again, in Kentucky a lot of people actually make a business out of being a notary and advertise their services as a notary).

    Depending on the laws in your state, you might also have to get witnesses (I know you do in Kentucky for some certification stuff).

    --
    -Windigo The Feral (NYAR!)
  6. speak of the devil... by Marc+Slemko · · Score: 2

    Anyone take a look at the slashdot.org whois lately? Sure looks hijacked to me...

    Registrant:
    Andover.net (SLASHDOT5-DOM)
    50 Nagog Park
    Acton, MA 01720

    Domain Name: SLASHDOT.ORG

    Administrative Contact:
    Malda, Rob (RM7054) slashdot121@HOTMAIL.COM
    616-994-0441
    Technical Contact, Zone Contact:
    DNS Administrator - HyperMart (DA3706-ORG) dns-admin@HYPERMART.NET
    206.447.1595
    Fax- - 206.447.1625
    Billing Contact:
    Malda, Rob (RM7054) slashdot121@HOTMAIL.COM
    616-994-0441

    Record last updated on 07-Feb-2000.
    Record created on 01-Feb-2000.
    Database last updated on 8-Feb-2000 14:38:52 EST.

    Domain servers in listed order:

    NS1.HYPERMART.NET 206.253.222.65
    NS2.HYPERMART.NET 206.253.222.66

  7. Proposal: hit NSI where it hurts by dallen · · Score: 2

    NSI/internic's stock is through the roof- $258 per share and the company is worth nearly 9 billion dollars.

    This is going to change eventually when investors realize any company with a brain is transferring their domains away from Internic. Want to assist in this process?

    A proposal:

    register NSIsucks.com; write HOWTO instructions for switching to any of the other registrars; put up a signup page for people who have transferred their domains; put up a press area for when the business press comes to visit.

    Publicize nsisucks.com in tech and ISP media (letters to the editor, press releases). When we get enough buzz there (because they already know the truth about NSI) notify the business press that we have 100,000 former NSI customers who have switched to other registrars.

    Watch NSI's stock tank.
    --

    1. Re:Proposal: hit NSI where it hurts by retard2112 · · Score: 2

      Looks like NSI registered nsisucks.com themselves.

      Registrant:
      Network Solutions, Inc. (NSISUCKS6-DOM)
      505 Huntmar Park Drive
      Herndon, VA 20170-5139
      US

      Domain Name: NSISUCKS.COM

      Administrative Contact, Technical Contact, Zone Contact:
      Network Operations Center (NSOL-NOC) NOC@NETSOL.COM
      703-742-4777
      Billing Contact:
      Accounts Payable (AP5173-ORG) ap@NETSOL.COM
      703-742-0400

      Record last updated on 24-Jan-2000.
      Record created on 07-Oct-1999.
      Database last updated on 9-Feb-2000 14:58:57 EST.

      Domain servers in listed order:

      NS2.INTERNIC.NET 198.41.0.11
      NS.NETSOL.COM 198.41.0.196

      --
      Right Now, our government is doing things you think only other governments do.
  8. Hijack My Domain? HA! by Roofus · · Score: 2


    If anyone wants to steal my domain.... FOR THE LOVE OF GOD, PLEASE TAKE IT! I NEED SLEEP! I NEED TO DO HOMEWORK! COLLEGE SUCKS!

    PLEASE, RELIEVE ME FROM MY DUTIES AND STEAL MY DOMAIN!

  9. For More Information by scheme · · Score: 2

    This problem has been discussed a fair bit in bugtraq. The consensus was that DNS wasn't really secure; using the crypt and signed message methods may help to prevent this, but in general they were not that great, since netsol sometimes ignores crypt-pw and their pgp signed mail thing is often broken. Essentially, if someone can forge their header so that it looks like it's coming from the technical contact, it will probably go through.

    --
    "When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
  10. Re:Avoiding Ripping Off Other Posts by scheme · · Score: 2

    I'm sorry in advance if you're the guy who posted this to bugtraq. But the exact same message appeared with the domain names changed about 3 weeks ago in bugtraq. Next time be a little more creative.

    --
    "When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
  11. Re:My domain name by turg · · Score: 2
    This is going to take a few hours, but this is what you do. While the admin and tech contacts are the ones who can make changes online, the registrant trumps them both (I assume that's you too -- the name and address at the very top of the whois record)

    To make a change as the registrant, you'll need to fax them a letter on company letterhead, signed by someone with authority for the company (e.g. "President"). If the registrant name is the domain name itself, make up a letterhead on your word processor for it and sign yourself with the title "Owner." If the domain is registered to your personal name, you need to fax them your driver's license along with the letter as proof of your ID and signature (make an enlarged photocopy)

    Two very important points:

    • First phone NSI and have the customer service (?) rep tell you exactly what the letter needs to contain and follow this to a T.
    • On that same phone call, you need to insist that this is an emergency until the rep gives you a fax number that you can use to send it personally to that rep.
    Using NSI's regular fax number will take up to a week for work to be started. By faxing it to the rep's attention, it should be done on the next business day. BUT when I had to do this, I set my fax to retry indefinitely and it took five hours to get through to this fax number. You should also allow an hour or two for the phone call to NSI.

    ========

    --
    <sig>Guvf vf abg n frperg zrffntr
  12. NSI: Neanderthalic Servicing Idiots by NecronomiconII · · Score: 2

    I recently had my domain yanked: because of the old server it was on, the hacker was able to fake a registration request and I didn't catch it until after the weekend..

    So I call up NSI (after hunting down their phone number, which they absolutely HATE to give you) and explained the situation.

    After sitting on hold long enough to save up enough money to put the children I don't even have yet through college, they answer with their "1st Level" support, which is no support what-so-ever. They can't make changes, they can't look up half the info you need, it's sad.. So I got transferred to their "2nd Level" support, where they said that I would have to send on company letterhead (like that couldn't be forged easily enough) stating the change was wrong. They didn't mention that I should tell them what it should be changed TO. I put that in the letter just to make sure, but of course I didn't stick the name servers in, so that didn't get changed until day 4 of this nonsense.. (Yah, 4 days to fix this)

    After that Monday, I waited until the 5pm update, where it of course... Didn't go through. I called the next day and asked why; they of course couldn't tell me, but I figured it out on my own.

    It seems that all the second level support can do is put in a request for a change, just like you the domain owner... However the hackers over the past few days changed the request to different nameservers every night.. The second level support put in the request first, then the hackers did.. And the hacker request overwrote the original request. I had to explain this to NSI about 3 times before they understood the concept, and said they would put through the request shortly before 5 to try and beat the hackers to the punch.

    So the change goes through; however, because I didn't stick our nameservers through on the company letterhead, they simply changed the NIC handles. So the domain was once again owned by us, however, the nameservice was still wrong. This is day three now. I call them up and scream, and they say we should just put through another request. Which I did, which of course didn't take place until that evening, giving a number of caching nameservers the time to take the new domain info with the wrong nameservers.. Thus losing our domain on their nameservers completely..

    My quick guide to dealing with NSI:

    1 - Don't.. Find the alternative registrars.. For example, OPENSRS through Tucows is an excellent service, however a wee-bit new.. But just find one of their domain resellers, you can get domains for $10 a year.

    2 - Accountability - GET NAMES.. The more names you have after dealing with them, the more people you can point out as being retards to the management, however, seeing as this is a company wide problem that doesn't do much good, head to step 1 to fix it.

    3 - Use Encryption on your domains. Either with the encrypt password on your contact info (which is retroactive through all other domains you control with that NIC then) or the PGP method. Crypt password beats the MAIL-FROM which is just pathetic hands down.

    4 - Don't bother with anything other than 2nd level help

    2ND LEVEL HELP AT NSI: 1-703-925-6950 (Notice the awesome NON-use of an 800 number)

    I hope this helps ease the plight of NSI victims. If there is a higher power they will be forced out of the market by the other registrars.
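
The MAIL-FROM versus CRYPT-PW contrast drawn in comments 9 and 12, as an added illustration that is not code from this thread or from Network Solutions: a small checker that authorizes a change request by the scheme on record, so a forged From header alone is never enough and a request cannot talk its way back down to MAIL-FROM. The template field names, the sample handle and password, and the salted SHA-256 standing in for crypt(3) are all assumptions made for this example.

```python
import email
import email.utils
import hashlib
import hmac
import re

# Real CRYPT-PW used Unix crypt(3); a salted SHA-256 stands in for it here
# so the example runs on current Python without the removed crypt module.
def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed contact record as a registrar might keep it (not real data).
CONTACT = {
    "handle": "XX0000",                  # constructed NIC handle
    "email": "tech@example.org",
    "auth_scheme": "CRYPT-PW",           # scheme the contact registered
    "auth_salt": "q7",
    "auth_hash": _digest("q7", "correct horse"),  # constructed password
}

# Template field names are assumed; the real form layout is not on the page.
FIELD = re.compile(r"^\s*(NIC Handle|Auth Scheme|Auth Info)\.*:[ \t]*(.*)$", re.M)

def parse_request(raw: str) -> dict:
    """Split a change-request mail into its From header and template fields."""
    msg = email.message_from_string(raw)
    fields = {k: v.strip() for k, v in FIELD.findall(msg.get_payload())}
    return {
        "from": email.utils.parseaddr(msg.get("From", ""))[1].lower(),
        "handle": fields.get("NIC Handle", ""),
        "scheme": fields.get("Auth Scheme", "").upper(),
        "auth_info": fields.get("Auth Info", ""),
    }

def check_mail_from(req: dict, contact: dict) -> bool:
    """MAIL-FROM: only the From header is compared, and the sender picks it."""
    return req["from"] == contact["email"].lower()

def check_crypt_pw(req: dict, contact: dict) -> bool:
    """CRYPT-PW: the password in the template must hash to the stored digest."""
    if not req["auth_info"]:
        return False
    got = _digest(contact["auth_salt"], req["auth_info"])
    return hmac.compare_digest(got, contact["auth_hash"])

def authorize(req: dict, contact: dict) -> tuple:
    """Decide by the scheme on record, never the one the request claims,
    so a forged template cannot downgrade CRYPT-PW back to MAIL-FROM."""
    if req["handle"] != contact["handle"]:
        return False, "handle mismatch"
    scheme = contact["auth_scheme"]
    if req["scheme"] != scheme:
        return False, f"request claims {req['scheme'] or 'no scheme'}, record says {scheme}"
    check = {"MAIL-FROM": check_mail_from, "CRYPT-PW": check_crypt_pw}[scheme]
    ok = check(req, contact)
    return ok, scheme + (" ok" if ok else " failed")

# Constructed messages. SPOOFED carries a forged From header and no password,
# which is all the MAIL-FROM scheme ever looks at.
GENUINE = """\
From: tech@example.org

NIC Handle....: XX0000
Auth Scheme...: CRYPT-PW
Auth Info.....: correct horse
"""

SPOOFED = """\
From: tech@example.org

NIC Handle....: XX0000
Auth Scheme...: MAIL-FROM
Auth Info.....:
"""
```

Run `authorize(parse_request(SPOOFED), CONTACT)` against a contact that has CRYPT-PW on record and it is refused; against a copy of the same contact with `auth_scheme` set to MAIL-FROM the identical message is accepted, which is the gap the thread is about.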

  13. Re:Avoiding e-mail hacks by Sendy · · Score: 2

    You describe something that's called "A stupid trol1mastah".

    It can actually be done much simpler.

    Create a phony "contact form"
    telnet rs.internic.net 25
    HELO something
    MAIL FROM: trollmastah@trollmastah.com (the contact's email address)
    RCPT TO: hostmaster@internic.net
    DATA
    Copy-paste the phony contact form (or pipe or something)
    .
    QUIT


    You now have mailed the phony contact form, from the right email.

    No need to wait for hotmail account expiration. One advantage in using your method is that the real owner of the domain never sees an ack of the contact form change.

    Sendy
    -- You probably find my HTML-formatting and language usage ridiculous.

    --
    GNU guru and mainframe hacker
  15. site's been /.ed? by imac.usr · · Score: 2
    connection failure...maybe it's under DoS attack.

    I registered my domain with TotalNIC and it was fast and easy, $35. Of course, I haven't had to change any info with them yet.

    Unfortunately, since my DSL provider charges $30 extra for hosting the name, I'm going to have to take the route followed by an earlier poster and figure out my own DNS. Fortunately, I have an old IIci I can use as a firewall/DNS box while the SE/30 serves the site. (Yes, I am insane.)

    --
    I use Macs for work, Linux for education, and Windows for cardplaying.
    1. Re:site's been /.ed? by emdee · · Score: 2
      You might want to take a look at http://www.granitecanyon.com/.

      The interface is archaic but they'll host your DNS for free. I'm using it for my own DSL line and it's worked out well.

  16. NSI's operating principles. by Inoshiro · · Score: 2

    They're, well, interesting. We talked about the INS being pathetic, but these people take the cake. If they replaced the INS, you can be sure you'd get a "confirmation of request to enter the country and become a citizen" mail 4 weeks after you received your green card and moved to California.

    ---

    NSI domain management pseudo code:

    if(new_email)
    {
        grab(new_email);
        grab(mail_from_queue[random()]);
        send(letter(confirmation));
        if(email_changing_options)
        {
            send(letter(confirmation));
            if(mail_security)
            {
                if(crypt)
                    crypt(password, password);
                else if(mail_from)
                    for(i = 0; i < (255 * random()); i++)
                        send(letter(confirmation));
                else if(pgp)
                {
                    send(pgp_pubkey(random_recipients));
                    send(pgp_privkey(random_recipients));
                }
            }
        }
        if(cranky_servers)
        {
            transfer_domain(randomly);
            send(letter(info_about_transfer));
        }
        play("/usr/share/sounds/maniacal_laughter.wav", /dev/dsp);
    }

    ---

    NSI -- the dot incompetent people.
    ---

    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  17. More info and opinions.. by discore · · Score: 2

    The bugtraq list talked about this about a month back. The original comment is here and most of the discussion on it is here

  18. Re:That will go over well. by slashdot-terminal · · Score: 2

    BofA just bought loans.com for $3,000,000. Wouldn't it suck if that got stolen :)

    Maybe I don't see something here, but if the actual registration is held at Network Solutions then all that would have to be done is to have the owner contact the company and have it returned. Just hope they kept the receipt. :)

    --
    Slashdot social engineering at its finest
  19. Re:I wonder... by slashdot-terminal · · Score: 2

    how secure is the slashdot domain name. If it isn't, I'd do something. There are a lot of trolls and worse things out there.

    I think that it's fine. You see even if someone tried to steal it it would be found out quickly and all you would have to do is just call them up and say:

    Hello, this is Rob Malda from that little ol' slashdot.org site. I would really appreciate it if you would fix the problem with our domain name. Seems like a group of Lebanese terrorists have taken it and are using it for their new web site.

    --
    Slashdot social engineering at its finest
  20. Re:lost domain names... by slashdot-terminal · · Score: 2

    Domain registration should not take 14 days, it should take about 14 minutes at most....

    I thought that for domain registration under the typical regime of the NSI it took 24-48 hours to process your request. Yeah, sure, possibly if you streamline the process and have more people doing it, it would take 14 minutes. However, you have to consider that usually there is a line to get domains registered and that probably a human is entering in each and every one.

    Take your income taxes as an example. In the US you have a tax form that could be processed by a machine in less than 10 minutes however because of the fact that a great many other people have taxes as well you have to wait and end up waiting for a long time.

    --
    Slashdot social engineering at its finest
  21. Opportunistic domain thieves by Speare · · Score: 2

    A request-for-proposal I noticed on eLance.com is indicative of the unsavory taste I get in my mouth whenever discussing domain registrations.

    • Inviting bids to create an application to run reports of WHOIS/internic directory by the expiration date. In other words, list the domains expiring in the next X number of days. User should be able to input the number of days in a field. A second report should run to check the above expiring domains to see if they are available to register. These available names should be listed by .com, .net or .org. Need user-friendly front end and documentation for a non-technical person to perform this function.

    I'm not sure whether there's sufficient information on WHOIS to perform this task meaningfully. This requestor may be making a new service to "remind" people that their domain is up for renewal, perhaps to offer a lower price on the renewal than their last registrar, but I have a feeling it's more to find names to scalp.

    (Opportunistic domain thieves =anagram> and this viperous competition =anagram> a victim proposition, enthused.)
    --
    [ .sig file not found ]
  22. I know where mine is... by pnevares · · Score: 2

    It's 11 o'clock - do you know where your domain name is?

    Right now it's over in Washington on a VAX......ooops!... now it's in Texas on a UUNet server...uh oh, someone just tried to ping it, it's over at UC Berkeley now. Damn, it's all over the place. =)


    --
    Pablo Nevares, "the freshmaker".
  23. Why should you need an outside agency to hijack it by bons · · Score: 2
    Transcribed:
    Is your internet identity subject to theft by malicious individuals at Network Solutions? Your domain could be taken away from you, without any warning, hijacked. This could be because your competitor, a derogatory site with atrocious content, wants to try and make people believe you are affiliated with...anything they choose. How badly can one malicious company hurt you through one simple act?

    The answer would be eToys requesting Network Solutions to take etoy.com away. Network Solution then claims they had a court order to do so, despite the fact that both etoy AND etoys claim otherwise and no such court order has been shown. The lawsuit is dropped by eToys, and Network Solutions still refuses to return the domain name. ICANN refuses to look into the matter, and a group of artists are still denied their site.

    It doesn't take hackers to destroy your site where Network Solutions is involved. They'll do it themselves, just to make their larger clients happy.

    This is agent JohnnyAngel at Toywar reminding you that you can no longer buy a vowel.

    -----

  24. My domain name by Codo · · Score: 2

    I didn't get one of my domains hijacked, but Network Solutions did something that would qualify as a security breach (using MAIL-FROM). When I got my DSL line, I had asked the provider to get my domain name transferred to their DNS servers. Four weeks after my DSL was installed, I called them about getting all of my domains transferred. They happened to mention that they had no record of the first one (the stupid DSL provider is another story....). They told me that they wouldn't accept several of my domain names into their DNS servers (I have a couple of domain names that end in the .cc and .cx TLDs) because they weren't registered through Network Solutions (their EXACT quote...). Anyway, I said 'Screw Them' and bought a couple of great DNS books (DNS and BIND, & DNS on NT, both from O'Reilly) and set up my own DNS servers. I'm now happily serving my own DNS.

    But now, my DSL provider apparently finds the original request for my .com domain, because I get a form asking if I want to accept or deny the transfer. I didn't answer it, but I called the person listed as the technical contact on my domain. I told him that if he got the form to deny it. He did (he even CC'd me a copy of the form with a big old NO at the top). Guess what... Network Solutions transferred the technical contact to my DSL provider anyways... and screwed up my (and my wife's) e-mail in a serious way. The worst part of the whole damn thing is that my DSL provider has ignored all of the e-mails I've sent them and Network Solutions keeps sending me a message that says I need to send them a Domain Change form... I have e-mailed Network Solutions about 6 times now complaining about this, and they keep telling me that I need to submit a form, in spite of the fact that I keep telling them that I can not submit a form because the e-mail accounts for admin and billing are both screwed up BECAUSE of this stupid problem and that my DSL provider is ignoring me.

    I think I'm going to get my best 'I'm PISSED' voice ready and actually call Network Solutions today, and I am DEFINITELY calling my DSL provider since they don't seem to answer e-mails... Codo

  25. Re:What about the other methods? by tigerblob · · Score: 2
    About 8 months ago, I changed to the PGP method because I was worried about the security of the mail method. The Network Solutions system accepted my request to change to the PGP method, but refused to accept a single signed message of any sort. After a couple of weeks of completely losing control over all of my domains, I had to phone them from Australia for an hour to get everything done correctly, and reversed to the MAIL system.

    In making a system secure against bad guys, you also have to make sure you don't stop the good guys getting in.

    If anyone has found that they _can_ make the PGP system work, please let me know. I don't know if I have the courage to try it again though. Maybe next time they won't accept my phone call as authority to change things. I wonder how they know if a phone call is from a good guy or a bad guy.....