Re: Anyone can take over virtually any domain on the net...

[sneak () DATAVIBE NET (Jeffrey Paul)]

This isn't particularly new, as anyone who doesn't use Guardian to
protect their handle/contact information can have their data changed.
For instance, a while back my email address changed and I was able to
change the email address of my handle without being required to
receive email at the previous address.  The handle is administrative
contact for a number of domains, and once the email address is
changed there's nothing stopping anyone from starting requests to
change DNS servers for any/all of the domains then acknowledging them
from the new changed email address.  For all of their faults though,
netsol has always strongly recommended the use of one of the guardian
methods to protect against this (they offer use of a crypted
password, or PGP signed mail).

My point is, it *does* have a piece of unique data in the
confirmation request.  But changing the email at which the
confirmation request is sent is a trivial matter if the contact
doesn't protect modification some way.

Follows is a mail from netsol from a month or two ago where I
transferred a domain to my box from a hosting service.

--begin example
***************** Please DO NOT REMOVE Version Number *****************

Notify Version Number: 2.0

************** Please see attached detailed instructions **************

0a. (Y)ES (N)O......:
0b. Comments........:

Object
1a. Identifier......: <snip>
1b. Type............: D
1c. Tracking Number.: 991111.237e9
1d. Message ID......: v04220801b450f0a58565@[<snip>
1e. Notify..........: AFTER-UPDATE
1f. Comments........:
--end example

> Wired recently ran an article on the fact that someone
> recently hijacked a number of domains in the Network
> Solutions database using email spoofing.
>
> At first I thought this had to be a joke. After thinking
> about it, I realized that its no joke at all, and in
> fact quite easy to do.
>
> Step 1: Send a spoofed email to Network solutions requesting
>         a DNS change to your own DNS server.
>
> Step 2: Wait for a short while (the amount of time it normally
>         takes Network Solutions to send out a confirmation
>         email request)
>
> Step 3: Send a second spoofed email confirming the request.
>
> Step 4: Have your DNS server serve the new web server address
>         from a new webserver with your own content.
>
> Network Solutions rep quoted in the wired article:
>
>      "O'Shaughnessy pointed out that Network
>       Solutions offers more secure services.
>       Most accounts will not need the extra
>       security he said, but in the age of
>       e-commerce and more vital Web services,
>       the onus is on the registrant to see that
>       his domain is secure."
>
> Doesn't take too much rocket science to point out that other
> than the obvious flaws in insecure email, the fact that
> confirmations to make domain changes do not carry any
> sort of tracking number make it possible for spoofed email
> to confirm illegitimate requests.  I think it might be
> appropriate for Network Solutions to add at least THAT
> much reliability into their confirmation scheme so that
> that kind of change couldn't occur in the future...
>
> BTW, Network Solution's instructions on changing the
> scheme to a userid and password based system doesn't
> work very well. We've attempted on several occasions
> to do this with no luck...thereby forcing on us the guardian
> scheme:(
>
> Cheers, Thomas
> --
> ------------------------------------------------------------
> Thomas Reinke                            Tel: (905) 331-2260
> Director of Technology                   Fax: (905) 331-2504
> E-Soft Inc.                         http://www.e-softinc.com