Re: Anyone can take over virtually any domain on the net...

From: Ryan Russell (Ryan.Russellat_private)
Date: Thu Jan 13 2000 - 11:22:20 PST

    >Step 1: Send a spoofed email to Network solutions requesting
    >        a DNS change to your own DNS server.
    >
    >Step 2: Wait for a short while (the amount of time it normally
    >        takes Network Solutions to send out a confirmation
    >        email request)
    >
    >Step 3: Send a second spoofed email confirming the request.
    >
    ><snip>
    >
    >Doesn't take too much rocket science to point out that other
    >than the obvious flaws in insecure email, the fact that
    >confirmations to make domain changes do not carry any
    >sort of tracking number makes it possible for spoofed email
    >to confirm illegitimate requests.  I think it might be
    >appropriate for Network Solutions to add at least THAT
    >much reliability into their confirmation scheme so that
    >that kind of change couldn't occur in the future...
    
    Every time I've requested a change, the confirmation comes
    back with a bracketed request number in the header, which
    consists of a date and a number.  For example, last time I changed
    sybase.com, this was the title:
    
    [NIC-990901.4013] Modify Registration SYBASE.COM
    
    I've always assumed that this number was required, and
    constitutes the "tracking number" you mention.  Admittedly,
    I haven't tried otherwise.
    
    I will say that I have noticed that these numbers used to be
    fairly sequential... I've done several changes in a row before.
    This is the same problem as TCP sequence prediction, only
    easier.
    
    So, if you've found some new wrinkle, I'm not seeing it in
    your e-mail... has something changed at NSI?
    
    Also, of course, if your mail can be stolen or sniffed, this
    is trivial.
    
    On the same topic... many other NICs are not quite as careful...
    I've taken over various sybase.xx domains that my employees
    had registered, using dumb e-mail addresses that don't exist
    anymore.  Often, this only took one e-mail, and I think many
    registrars took my request on faith because it came from
    a sybase.com address, and because I'm the contact on the
    main sybase.com domain.
    
                             Ryan
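The thread turns on two points: a confirmation scheme needs a tracking number the requester must echo back, and that number is worthless if it is sequential, because an observer of one request can predict the next one. The following is an added illustration written for this archive page; it is not code from the poster, from Network Solutions or from any NIC. It models a toy registrar confirmation store: `SequentialIds` mimics the counter-style `[NIC-YYMMDD.NNNN]` ids the post describes (constructed values, the 4013 is only borrowed from the example subject line), and `ConfirmationStore` issues a separate unguessable token that only the contact of record receives and that is consumed on first use. Because the `From:` header is forgeable, the store deliberately does not trust the sender address at all; the token is the only thing it checks.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import date


@dataclass
class PendingChange:
    """A requested DNS change waiting for confirmation (constructed model)."""
    domain: str
    contact: str
    new_ns: list
    token: str


class SequentialIds:
    """Mimics the predictable counter-style request ids the post describes.
    This is the weak scheme: one observed id reveals the next one."""

    def __init__(self, start=4013, today=date(1999, 9, 1)):
        self.counter = start
        self.today = today

    def next_id(self):
        self.counter += 1
        return f"NIC-{self.today:%y%m%d}.{self.counter}"


def predict_next(last_id):
    """Given one observed id of the form PREFIX.NUMBER, guess the next one.
    Succeeds against SequentialIds; fails against the random ids below."""
    prefix, num = last_id.rsplit(".", 1)
    return f"{prefix}.{int(num) + 1}"


class ConfirmationStore:
    """Hypothetical registrar-side store with unguessable confirmation tokens."""

    def __init__(self):
        self.pending = {}   # request_id -> PendingChange
        self.applied = []   # changes that were confirmed and applied

    def request(self, domain, contact, new_ns):
        # Keep the familiar date.number shape, but draw the number from a CSPRNG
        # so that seeing one id tells an observer nothing about the next.
        request_id = f"NIC-{date.today():%y%m%d}.{secrets.randbelow(10**12):012d}"
        # The token is sent only to the contact of record, never printed in
        # the public subject line, and is what the reply must carry back.
        token = secrets.token_urlsafe(32)
        self.pending[request_id] = PendingChange(domain, contact, list(new_ns), token)
        return request_id, token

    def confirm(self, request_id, token):
        """Apply the change only if the echoed token matches. The sender
        address is not consulted because mail headers can be spoofed."""
        change = self.pending.get(request_id)
        if change is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(change.token, token):
            return False
        # One-shot: a replayed or duplicate confirmation must not apply twice.
        del self.pending[request_id]
        self.applied.append(change)
        return True


if __name__ == "__main__":
    weak = SequentialIds()
    seen = weak.next_id()
    print("observed", seen, "-> predicted", predict_next(seen), "actual", weak.next_id())

    store = ConfirmationStore()
    rid, tok = store.request("example.com", "hostmaster@example.com", ["ns1.example.net"])
    print("guessed token accepted:", store.confirm(rid, "guess"))
    print("real token accepted:", store.confirm(rid, tok))
    print("replay accepted:", store.confirm(rid, tok))
```

Run it directly to see the sequential id being predicted exactly while the random-id store rejects guesses and replays. The point of the design is the one the post makes: the number the requester has to echo back must be bound to the request and drawn from a source the observer cannot extrapolate, otherwise the confirmation step adds no security over the unauthenticated first email.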
    