Slashdot Mirror
Network Solutions E-Mail Security Alert
Ralph writes: Network Solutions has starting spamming some of its customers with notices that include, among other things, the news that they've set up a free e-mail account for you, without bothering to ask first, at their new dot com now mail Hotmail clone. They've even taken the liberty of assigning you a password:
3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it's Web-based, you can use it in the office, at home or on the road. You'll need the following information to set up your account:
>>>>>>>>>>>>Login name: domainid >>>>>>>>>>>>Password: domainidnsi
Note that nifty password? It's the same pattern for every domain they've registered an e-mail address for.
Big security [bleep]up. If someone beats you to your account and "guesses" your password, now they can masquerade as you, and if they change the password, you can't even get into the account.
I've already gone into my "accounts", verified that they exist, and changed the passwords. I know that they exist because when I entered other domain IDs I control that I wasn't spammed at, I was returned to the login screen rather than being brought to a presumably newly-created mail page.
I called Network Solutions tech support to demand that they remove the accounts, but the moron on the line didn't understand that they were doing something incredibly boneheaded and wouldn't listen to my explanation. The person on the line insisted that they wouldn't create an account without me signing up for it, but I didn't have to sign up; it was already in place.
The mail I received started out "As a customer of Network Solutions or one of our Premier Program members", so I'm not sure if they're doing this for everyone or just for people who bought their domains through some of the big providers like Pair who are part of the "Premier Program". If you get the e-mail from them, I suggest logging on immediately and changing your password, whether you wanted the account or not. Maybe with a little prodding, Network Solutions will realize they screwed up and delete the accounts and change their procedure.
Update posted 2:10 p.m. EDT by RM - doulos writes "If your tired of getting a busy signal at the 703-... phone number, I found that they have a nice staff of people waiting to answer your questions and complaints at the following TOLL FREE phone number: 1-888-642-9675
They did refer me to the toll-line, but I (politely) insisted that because this was a matter of security that they had initiated, that I should be able to at least speak with a supervisor. They nice person on the phone _politely_ complied, and I was able to put in my request to have those e-mail accounts removed with my appropriate domains.
I just thought I would submit this as an article update because I felt maybe if the phone # was posted as an update it might help alieve some of the offense of having to call, by at least removing the toll from being on your nickel..."
OK,
However much you may hate XXXX corp DO NOT try and masquerade as them!
It's not big, clever or AFAIK legal.
What may seem as a good idea right now may land you/us/everyone in the world in a whole heap of trouble.
----- Documentation is worth it just to be able to answer all your mail with 'RTFM' - Alan Cox.
What kind of programmer can create an entire web based email system, write the code, and bring the whole system to working order, and then ignore one of the basic principles of password choice that has been a major no-no in the un*x (and other) operating system for decades.
Mind you I guess it's not surprising when we consider the other screw ups we've seen lately - even in other web based email systems like the recent hotmail scare.
All we can do is hope that they will be a learning experience for us all, and that screw ups in the "early" days of the internet for the masses will prevent (or at least lessen the effect of) major security holes in future systems..
First they produce copyright restrictions in whois queries that people cannot opt out of. Then they fight tooth and nail with government regulators over divvying up their monopoly. Now this?
What's next, my bank creating an email account for me and assigning it the password 123456, like everyone else's?
Just imagine the possibilities of such a monumental foul-up:
-) Email Masquerading:
"Hi InterNic Tech Support, this is so-and-so, I'd like my contact information changed to... No, I'm really so-and-so. You can tell because I'm emailing you from so-and-so's account..."
-) Spam, Spam, Spam, Spamitty-Spam:
"You've got mail! Oh joy, so-and-so@internic is spamming me. Lets get them blacklisted and ban their server."
-) Misrepresentation via Email:
With this, and some of the information available from a standard whois query, you easily order products and have them shipped to someone COD. And of course, it's authentic because it was shipped from your internic account....
Someone stop the madness before it continues to spread!
I just got the spam from NS, and it was a bit different than described. The account name was the administrator's last name with a random number added; not the domain name as described. The password was as described; the account name with "nsi" added to the end.
A bit better; anyone trying to screw up somebody's account would have to know how to use WHOIS and guess a short number.
Clueless. Utterly clueless. And these are the guys who claim to be running the Net??
My password is now a random string that I've already forgotten. Why would I need another e-mail account anyway? Don't you have to have an e-mail address (contact point) to set up a domain name?
Am I the only one that thinks emailing out unsolicited passwords in plain text is a bad idea in the first place? Unencrypted email's not exactly the most secure way of transferring information. There may be times when I *request* a password via email, but I do so knowing and accepting the risks, and I wouldn't do it with something I couldn't afford to be compromised. Of course, the choice of password was dumb beyond belief as well, but that's a separate issue...
"The invisible and the non-existent look very much alike." -- Delos B. McKown
Network Solutions...we're the "duh" in dot com!
If someone beats you to your account and "guesses" your password, now they can masquerade as you, and if they change the password, you can't even get into the account
I'm probably just extremely dense, but isn't dotcommail just yet another free mail service?
do you really think people are stupid enough to think that a mail from 'slashdot@dotcomnow.com' (or 'slashdot@hotmail.com' which I just grabbed) must necessarily come from someone working for slashdot?
if that's the case, we're in deep trouble. there are hundreds of free mail services out there...
I took a look at this story and hurried over to the NSI website and the account I use to register some domains to check this out. Nothing.
I am glad there was nothing, no dotcomnow account that I can think of and no email with my nice little present from Netsol. If there was, I guess I might have joined in the frenzy here.
This got me thinking about what the "security hole" is.
a) That account cannot be used to change my domain parameters, since it does not match the e-mail address I registered from.
b) Anyone can really set up an account on one of thousands of webmail providers and pretend to be me. Heck, this has happened to me before on some discussion groups, and there is simply nothing I can do to prevent someone from misrepresenting me to lusers. People who know me know where my e-mail comes from, and know I use digital signatures.
c) How is this different from your friendly bank sending you a credit card without your approval? Infact that is something which I consider more dangerous than this act of stupidity by Netsol.
Having said this, I seriously think we're over reacting.
Shri -- returning to the scheduled Typhoon York.
We probably are reacting a bit over the top, but the scary part is that at least three of the 'lastname' and 'lastnamensi' get me into someone elses e-mail account.
You're right about there not being a real security at the moment. Only people who used their Dot Com Mail address as their contact's e-mail address will be at risk of losing control of their domain, since most of them use 'MAIL-FROM' as their authentication method for authorizing changes to their domain registration.
It does make me think about advertising ourselves as a 'Network Solutions Partner' though. But then again, I doubt that you'd be really better off with any of the other TLD registrars.
Cya
barbaBob
--
*sig*
OK, gotta get the music to that strangely addictive game out of my head now.
Check out this piece of wholesome goodness, delivered in the same message as my (cleartext) domain hijacking password:
If you do not wish to receive e-mail from Network Solutions, click on this
+e-mail address and type "remove" in the
+subject line.
PLEASE NOTE: by opting to be removed from this list we will not be able to
+communicate to you, in real-time, on issues regarding your account.
The mind boggles. One of the primary aspects of the net's formative power is its ability to quickly report the consensus of a company's customer base. Emails such as the one recently sent to all domain owners--containing both an unprecedented security breach and a jaw-dropping amount of arrogance(read our spam or we lose your bill)--only serve to increase internal communication within NSI's customer base, and to erode and eliminate the trust that the company has built up over the years.
I am positive there are alot of others out there like myself who hold a great deal of technical respect for their extremely high-uptime management of the closest thing we have to a single point of failure. They've done much right, and honestly, they've scaled better than one might have expected considering their ever increasing workload and the sheer number of years they've been doing their job.
I almost see a parallel to Microsoft here. People complain that the Windows 9x kernel is buggy, but considering that it runs everything from ancient DOS games to 32 bit applications, it's a miracle it runs at all. There's some truly respectable hackery involved in that! However, nobody, not even Microsoft's staunchest allies will say that their businesspeople are the most ethical in the industry, and most of the industry will claim that the Microsoft businessdroids have even less faith in their coders than the Linux bigots.
Why else fudge the numbers and force the shipments? Nobody's going to run Internet Explorer unless they're forced to...so lets force 'em. That seems to be the mindset.
Similarly, the Network Solutions folks have pulled off some significant technical miracles, but their business side is obsessed with the concept that nobody cares about anything technical. Since nobody would use NSI if they had an alternative registrar, the quality and quantity of alternatives must be fought tooth and nail. Since NSI is nothing but its collection of names and addresses retrieved under contract from the federal government, they'll claim de facto ownership of the WHOIS database until the Commerce Department's gun is pointed at their head with the hammer cocked.
Nobody cares about name resolution, you see. The real fad is WEB BASED EMAIL; create accounts for people without even following basic security procedures!
Nobody would actually want any of the services offered by NSI through email, so issue a vague threat to cut off all email--even that which is critical to the operation of one's domain--unless the domain owner agrees to sift through the latest thing being hawked by NSI.
The more NSI does in this style, the more they disenchant, disenfranchise, and disconnect themselves from their customer base.
There's no logical reason for this to occur.
I call all of this the PARC Lemming Syndrome. Every hi-tech businessperson secretly(or not-so-secretly) laments that he or she wasn't there at Xerox PARC to bring all of those amazingly profitable inventions to market. The agony of imagining so many lost dollars causes them to try to milk whatever or wherever they're at without due concern for what this will actually do to the businesses Core Competency.
To the businessperson...maybe he's breaking loose, pulling ahead of the pack, about to lift off, ascend to new hights...or maybe she's in the middle of a herd, trailblazing, secure in the knowledge that together new possibilities are being forged.
The the customers, and the rest of us...just looks like a bunch of lemmings racing headlong towards a cliff.
I implore you, Network Solutions. Buy a clue. Get a twelve pack if needed. Your customers trust you because your uptime is unbeatable, your security is generally reasonably tight, and because you've been doing it right longer than anyone else in the business. I'm one of your customers. Before you tell me anything, offer me anything, or do anything, think of why I do business with you, and about what could make me stop.
Don't be a lemming!
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Once you pull the pin, Mr. Grenade is no longer your friend.
What has happened to the IT industry? Quite simply too many clueless people are being employed, usually hired by equally if not more clueless management.
I've seen networks brought to their knees entiely due to management making decisions on the network topology. I have seen distributed networks fail due to a management descision to consolidate all logins to one single server! (Doh!) I have spent hours trying to bring dead systems back to life because no one bothered to maintain or monitor the system for 7 years, hoping the system would look after itself, and once I got it working the machine suffered a catastrophic hardware failure, and no more spares were avaialble world wide. And it goes on...
The most ironic thing is that earlier this year I spent 4 months out of work. For every single interview, the decision rested on someone with no technical experience. I've found a position now, but it is 200 miles from home, and half the team I have to work don't deserve their position.
There are too many fools in this industry making decisions. No wonder NT is so bloody popular.
The moron who thought of this, and the bozo who hired him should never be allowed to touch a keyboard again.
NSI has subscribed to the bes possible security flaw of all - The Slashdot effect. Now that they are hosed, noone can get to their accounts! (At least I cannot seem to get in - timeouts on the site galore)
This is absolutely crazy, and I want it to be the last straw. I have been screwed over by NSI both personally and professionally now:
All in all, NSI has screwed me over again and again, and their callous disregard for professionals that need to get their jobs done by not even allowing me access to engineers (after repeated requests) to repair the aforementioned host handle problem is a load of bullshit.
Now, to the thrust of this posting -- where can I find these so-called alternative registrars? Are they yet capable of freeing me from the shackles of NSI -- to the point of never having to email anyone at networksolutions.com again -- and still keep my .com, .org, and .net's?
I sincerely hope that if they are not here now, that they arrive very soon. I have a lot of new business for them.
Note, for last names that are consecutively numbering them. So the first the accounts are set up like this:
user: smithpass: smithnsi
user: smith1
pass: smith1nsi
user: smith2
pass: smith2nsi
user: smith3
pass: smith3nsi
user: smith4
pass: smith4nsi
Needless to say I don't consider that a good security measure either. And no, I'm not telling you what mine is numbered...
--
NSI is screwed up big time with this deal, and the Internet community, especially those who deal with net-abuse of this type and magnitude, does not like such a bad neighbor. Forward with full headers and apropriate password removed to MAPS RBL (http://www.mail-abuse.org) and post it to news:news.admin.net-abuse.email with the subject of NSI SPAM. Also document every phone call you've made to remove the free e-mail account and pass that along too. It's time we nip NSI in the bud about this.
---
Spammed? Click here for free slack on how to fight it!
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
Err...not true. The main reason no new gTLDs have been rolled out is that the Intellectual Property (IP) and Trademark (TM) interests are scared of cybersquatting, and refuse to pay what it would cost to police these new gTLDs for possible infringement. This is troublesome, because IP and TM law require the famous mark holder to bear the cost of protecting their marks. They want to shift that cost to the registry and/or registrar, who will of course pass it on to the domain name owner.
They keep asking for things like unilateral, full, standardized, searchable access to all registrant data, enforced verifiable contact info, heavily restrictive and punitive Dispute Resolution Policies, etc.
NetSol may suck, but in this instance, it's not NetSol that's creating the vacuum. It's the people who own famous names and marks, who keep pushing for more than anyone is willing to give. Net result: No new gTLDs.
If you're concerned, stop whining and get involved. The ICANN Domain Name Service Organization is acting on these very issues right now.
The Individual Domain Name Owners' Association is fighting to ensure things like equity in dispute resolution and protection of your personal information are present in the future worldwide DNS system.
.@.
am i the only person here who does not necessarily believe this really is from internic? I mean, none of the email addresses are even internic hostnames, none of the recieved headers look like they're from internic. Since this is such publically available information, anyone could really pose as internic and mail you. Maybe I'm being naive but I don't think internic is this stupid. It's hard to believe that someone would be that stupid to try to pose as internic to get users for their free email, but I think it makes more sense that way. Here's the headers from my mail: Received: from maild.inte-net.com ([63.71.102.109]) by bilbo.w-link.net (8.9.0/8.8.5) with ESMTP id CAA05359 for ; Thu, 16 Sep 1999 02:04:59 -0700 (PDT)