This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --=_3505103c8ea3bbbb962395c0cef9993f Content-Type: text/plain; charset="iso-8859-1" I've known for several years that it's possible to hijack a domain name that only uses an email address for authentication. In fact, it's possible to change the email address used by sending a message from another email address. I've done this (twice) with my own domain name, and helped a friend with that friends domain name when the "email address of record" was no longer available to me. My domain names are now protected with passwords, although, I don't think that's much more secure. I just haven't been able to prove it yet. Russ -----Original Message----- From: Thomas Reinke [mailto:reinke@E-SOFTINC.COM] Sent: Tuesday, January 11, 2000 9:27 PM To: BUGTRAQat_private Subject: Anyone can take over virtually any domain on the net... Wired recently ran an article on the fact that someone recently hijacked a number of domains in the Network Solutions database using email spoofing. At first I thought this had to be a joke. After thinking about it, I realized that its no joke at all, and in fact quite easy to do. Step 1: Send a spoofed email to Network solutions requesting a DNS change to your own DNS server. Step 2: Wait for a short while (the amount of time it normally takes Network Solutions to send out a confirmation email request) Step 3: Send a second spoofed email confirming the request. Step 4: Have your DNS server serve the new web server address from a new webserver with your own content. Network Solutions rep quoted in the wired article: "O'Shaughnessy pointed out that Network Solutions offers more secure services. Most accounts will not need the extra security he said, but in the age of e-commerce and more vital Web services, the onus is on the registrant to see that his domain is secure." Doesn't take too much rocket science to point out that other than the obvious flaws in insecure email, the fact that confirmations to make domain changes do not carry any sort of tracking number make it possible for spoofed email to confirm illegitimate requests. I think it might be appropriate for Network Solutions to add at least THAT much reliability into their confirmation scheme so that that kind of change couldn't occur in the future... BTW, Network Solution's instructions on changing the scheme to a userid and password based system doesn't work very well. We've attempted on several occasions to do this with no luck...thereby forcing on us the guardian scheme :( Cheers, Thomas -- ------------------------------------------------------------ Thomas Reinke Tel: (905) 331-2260 Director of Technology Fax: (905) 331-2504 E-Soft Inc. http://www.e-softinc.com --=_3505103c8ea3bbbb962395c0cef9993f Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> <HTML> <HEAD> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Diso-8859-1"> <META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version = 5.5.2650.12"> <TITLE>RE: Anyone can take over virtually any domain on the = net...</TITLE> </HEAD> <BODY> <P><FONT SIZE=3D2>I've known for several years that it's possible to = hijack a domain name that only uses an email address for = authentication.</FONT></P> <P><FONT SIZE=3D2>In fact, it's possible to change the email address = used by sending a message from another email address. </FONT> </P> <P><FONT SIZE=3D2>I've done this (twice) with my own domain name, and = helped a friend with that friends domain name when the "email = address of record" was no longer available to me.</FONT></P> <P><FONT SIZE=3D2>My domain names are now protected with passwords, = although, I don't think that's much more secure. I just haven't been = able to prove it yet.</FONT></P> <P><FONT SIZE=3D2>Russ</FONT> </P> <P><FONT SIZE=3D2>-----Original Message-----</FONT> <BR><FONT SIZE=3D2>From: Thomas Reinke [<A = HREF=3D"mailto:reinke@E-SOFTINC.COM">mailto:reinke@E-SOFTINC.COM</A>]</F= ONT> <BR><FONT SIZE=3D2>Sent: Tuesday, January 11, 2000 9:27 PM</FONT> <BR><FONT SIZE=3D2>To: BUGTRAQat_private</FONT> <BR><FONT SIZE=3D2>Subject: Anyone can take over virtually any domain = on the net...</FONT> </P> <BR> <P><FONT SIZE=3D2>Wired recently ran an article on the fact that = someone</FONT> <BR><FONT SIZE=3D2>recently hijacked a number of domains in the = Network</FONT> <BR><FONT SIZE=3D2>Solutions database using email spoofing.</FONT> </P> <P><FONT SIZE=3D2>At first I thought this had to be a joke. After = thinking</FONT> <BR><FONT SIZE=3D2>about it, I realized that its no joke at all, and = in</FONT> <BR><FONT SIZE=3D2>fact quite easy to do.</FONT> </P> <P><FONT SIZE=3D2>Step 1: Send a spoofed email to Network solutions = requesting</FONT> <BR><FONT SIZE=3D2> a DNS = change to your own DNS server.</FONT> </P> <P><FONT SIZE=3D2>Step 2: Wait for a short while (the amount of time it = normally</FONT> <BR><FONT SIZE=3D2> takes = Network Solutions to send out a confirmation</FONT> <BR><FONT SIZE=3D2> email = request)</FONT> </P> <P><FONT SIZE=3D2>Step 3: Send a second spoofed email confirming the = request.</FONT> </P> <P><FONT SIZE=3D2>Step 4: Have your DNS server serve the new web server = address</FONT> <BR><FONT SIZE=3D2> from a = new webserver with your own content.</FONT> </P> <P><FONT SIZE=3D2>Network Solutions rep quoted in the wired = article:</FONT> </P> <P><FONT SIZE=3D2> "O'Shaughnessy pointed = out that Network</FONT> <BR><FONT SIZE=3D2> Solutions offers more = secure services.</FONT> <BR><FONT SIZE=3D2> Most accounts will = not need the extra</FONT> <BR><FONT SIZE=3D2> security he said, but = in the age of</FONT> <BR><FONT SIZE=3D2> e-commerce and more = vital Web services,</FONT> <BR><FONT SIZE=3D2> the onus is on the = registrant to see that</FONT> <BR><FONT SIZE=3D2> his domain is = secure."</FONT> </P> <P><FONT SIZE=3D2>Doesn't take too much rocket science to point out = that other</FONT> <BR><FONT SIZE=3D2>than the obvious flaws in insecure email, the fact = that</FONT> <BR><FONT SIZE=3D2>confirmations to make domain changes do not carry = any</FONT> <BR><FONT SIZE=3D2>sort of tracking number make it possible for spoofed = email</FONT> <BR><FONT SIZE=3D2>to confirm illegitimate requests. I think it = might be</FONT> <BR><FONT SIZE=3D2>appropriate for Network Solutions to add at least = THAT</FONT> <BR><FONT SIZE=3D2>much reliability into their confirmation scheme so = that</FONT> <BR><FONT SIZE=3D2>that kind of change couldn't occur in the = future...</FONT> </P> <P><FONT SIZE=3D2>BTW, Network Solution's instructions on changing = the</FONT> <BR><FONT SIZE=3D2>scheme to a userid and password based system = doesn't</FONT> <BR><FONT SIZE=3D2>work very well. We've attempted on several = occasions</FONT> <BR><FONT SIZE=3D2>to do this with no luck...thereby forcing on us the = guardian</FONT> <BR><FONT SIZE=3D2>scheme :(</FONT> </P> <P><FONT SIZE=3D2>Cheers, Thomas</FONT> <BR><FONT SIZE=3D2>--</FONT> <BR><FONT = SIZE=3D2>------------------------------------------------------------</F= ONT> <BR><FONT SIZE=3D2>Thomas = Reinke = = Tel: (905) 331-2260</FONT> <BR><FONT SIZE=3D2>Director of = Technology &n= bsp; Fax: (905) = 331-2504</FONT> <BR><FONT SIZE=3D2>E-Soft = Inc. &n= bsp; &n= bsp; <A HREF=3D"http://www.e-softinc.com" = TARGET=3D"_blank">http://www.e-softinc.com></FONT> </P> </BODY> </HTML> --=_3505103c8ea3bbbb962395c0cef9993f--
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:21 PDT