Re: Anyone can take over virtually any domain on the net...

[shafik () ACM POLY EDU (Shafik Yaghmour)]

        You make a pretty huge assumption that the administrator of
that domain will miss the response from network solutions or will do
nothing about it, both of which are not very good assumptions. Although I
do agree it should be more secure, I don't think it is necessarily easy,
it is possible someone could be lucky and do it but they would be dumb to
place any bets on it. After one attempt you would hope if the admin was
not using CRYPT-PW they would start using it.

On Wed, 12 Jan 2000, Thomas Reinke wrote:

> Wired recently ran an article on the fact that someone
> recently hijacked a number of domains in the Network
> Solutions database using email spoofing.
>
> At first I thought this had to be a joke. After thinking
> about it, I realized that its no joke at all, and in
> fact quite easy to do.
>
> Step 1: Send a spoofed email to Network solutions requesting
>         a DNS change to your own DNS server.
>
> Step 2: Wait for a short while (the amount of time it normally
>         takes Network Solutions to send out a confirmation
>         email request)
>
> Step 3: Send a second spoofed email confirming the request.
>
> Step 4: Have your DNS server serve the new web server address
>         from a new webserver with your own content.
>
> Network Solutions rep quoted in the wired article:
>
>      "O'Shaughnessy pointed out that Network
>       Solutions offers more secure services.
>       Most accounts will not need the extra
>       security he said, but in the age of
>       e-commerce and more vital Web services,
>       the onus is on the registrant to see that
>       his domain is secure."
>
> Doesn't take too much rocket science to point out that other
> than the obvious flaws in insecure email, the fact that
> confirmations to make domain changes do not carry any
> sort of tracking number make it possible for spoofed email
> to confirm illegitimate requests.  I think it might be
> appropriate for Network Solutions to add at least THAT
> much reliability into their confirmation scheme so that
> that kind of change couldn't occur in the future...
>
> BTW, Network Solution's instructions on changing the
> scheme to a userid and password based system doesn't
> work very well. We've attempted on several occasions
> to do this with no luck...thereby forcing on us the guardian
> scheme :(
>
> Cheers, Thomas
> --
> ------------------------------------------------------------
> Thomas Reinke                            Tel: (905) 331-2260
> Director of Technology                   Fax: (905) 331-2504
> E-Soft Inc.                         http://www.e-softinc.com

==========================================================================
--"the more you know and understand the more you must know and understand
   .. knowledge is an unsatiable hunger .. which makes life easier and at
   the same time harder .... knowledge is a paradox w/ no resolution just
   a boundless function of human nature .... knowledge is a trap which we
   embrace and which we run away from .... and in the end the only escape
   is death .... or maybe not "<grin>--
==========================================================================
                     -Unite for Java! - http://www.javalobby.org-
                     -This message transmitted on 100% recycled electrons-
                     -Save the whales, Feed the hungry, Free the mallocs-

Two cats on a roof,
Which one falls off first?
The one with the smaller mew.