BreachExchange mailing list archives

300 UK domains pilfered, MASSIVE security lapse blamed


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Thu, 21 Mar 2013 13:03:44 -0400

http://www.theregister.co.uk/2013/03/21/123_reg_nominet_security_hole_domains/

What appears to be a glaringly obvious security hole has been blamed
for the snatching of 300 domains hosted by one web-hosting firm last
year, The Reg has discovered.

A source told El Reg that anyone with a hosting package from 123-Reg,
and hence an account control panel, simply had to change the final
section of the URL manually (to, for example,
/someoneelseswebsite.co.uk) to be able to gain access to another
site's emails, name servers and billing.

With access to the admin panel, would-be domain thieves just had to
change the contact details for UK registry Nominet to a new email
address and then do a failed password request to have a new password
sent to the new email address, locking the original owner out, our
source claimed.

The .uk registry told The Reg it had "worked with registrars to help
them tighten security and prevent a repeat of this incident". Both
123-Reg and Nominet informed us that there was "a query from a
registrant" last year that led to Nominet "discovering some
irregularities in registration and renewal patterns".

"As part of Nominet's standard operating procedures they locked the
affected domains from any transfer or adjustment whilst they
investigated further, and with our full support," 123-Reg said in an
emailed statement.

Nominet said that its investigations into the issue revealed that "a
total of 300 domains had been transferred over to a new registrant in
the post-expiry period without the permission of the original
registrant".

"We [have] terminated our registrar agreement with one registrar," the
dot-UK registry said.

Neither firm would comment on how the breach had come about or
whether the matter had been referred to Britain's Information
Commissioner.

Nominet said it couldn't elaborate any further because "we understand
there is an ongoing police investigation into this issue". ®
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/