SAN FRANCISCO (07/21/2000) - It's getting to the point where you don't need any computer skills to effectively take down an Internet site. Why bother, when domain name registrars make it so easy?
As the original domain name registrar, you would think Network Solutions Inc.
(NSI) would have a clue. The company's own bio states:
Founded in 1979 and headquartered in the technology corridor of Northern Virginia, Network Solutions has fueled the growth of the Internet by pioneering the registration of Web addresses ending in .com, .net, .org and .edu.
OK, I'll admit I have something of a bias with regard to NSI. Several years ago, I had a hell of a time getting my domain back after an employee of my company left. We offered to fax a letter with the company seal highlighted (not merely on letterhead, you'll note), but that wasn't good enough.
No, the folks at NSI wanted an email from the departed employee address authorizing the change.
They weren't kidding.
Like many other administrators, I set up a temporary ID and sent the mail. The domain was duly transferred.
I've had to do this countless times since then and each time I could not believe how naive the NSI registration procedure was. At one point, I discovered that a client was about to be disconnected because all correspondence from NSI was being sent to the email address of a departed administrator. It seems rather stupid to get disconnected from the Net for want of a $35 fee, but it has happened to other prominent companies as well, such as Microsoft and, recently, JP Morgan.
When I paid the fee (out of pocket), I asked the NSI representative what a company was supposed to do if the person who had registered the domain were hit by a bus. (Hey, it happens in New York City.) I was told to just have the CEO of the company send NSI a letter on company letterhead. At the time, the company I was working for managed about US$400 billion in assets -- not exactly the type of company where I could stroll into the CEO's office and ask him to write me a note.
Surprise, surprise -- some people took advantage of the NSI registration process to create a little havoc.
Ann Harrison of Computerworld reports that the hijacking of Nike's domain was possible because "NSI used a spoofed piece of email from the S-11 group as authorization to change Nike's registry information without requiring a password."
An article from SecurityFocus had this to say about the hijacking of the GTE.net ISP: "Sources said that GTE.net was hijacked with a forged email message addressed to NSI's Internic registry."
So, after 20 years, NSI still hasn't figured out that email can be spoofed?
In a classic case of blaming the victim, NSI spokesperson Brian O'Shaughnessy says that this problem is a company's own fault if it chooses the most insecure method of authentication offered by NSI. Well, if it's such an insecure method, why is it offered in the first place?
Finally, NSI has added a simple step to improve the process. Now the company requires a confirmation before implementing a change -- still exploitable, but it's a start.
Perhaps the recent buyout of Network Solutions by VeriSign prompted some of the change in attitude. I could just see the VeriSign execs saying, "You authenticate how?"
About the author
Carole Fennelly is a partner in Wizard's Keys Corp., a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area.