Re: Anyone can take over virtually any domain on the net...

From: Max Vision (visionat_private)
Date: Fri Jan 14 2000 - 23:56:46 PST


    Hi,
    
    Someone tried this on one of my domains a few weeks ago, and I wrote up a
    brief account of the incident, showing some of the technical details of the
    actual attack and describing how admins should upgrade their Guardian
    authentication settings with Internic if they haven't already done so.
    
     Internic Domain Hijacking - "It Happens"
     http://dev.whitehats.com/papers/internic/index.html
    
    Max
    
    On Thu, 13 Jan 2000, Haight, Kristofer wrote:
    > This reminds me of something that happened to me, and a domain.
    >
    > There is a reason why you don't want to use a hotmail account as your primary
    > email address for a domain. Not that hotmail can be hacked, but for the sheer
    > fact that it is very easy to take a domain this way.
    >
    > Here's what happened to me. I will leave my domain out of this because it's a
    > political domain, and some people on this list may find it offensive.. so in
    > its place I will use domain.com (mine) and doma1n.com (theirs).
    >
    > Basically.. the owner of doma1n.com used hotmail as their primary email
    > contact with this domain. Well, a visitor of my site, who dislikes
    > www.doma1n.com, decided to keep track of the hotmail account of the owner of
    > doma1n.com. Well, Microsoft has a 60 day (I believe) non-usage expire date on
    > all hotmail accounts.. so when the expiration date happens, the account is
    > deleted. Well, this person tried to register the same email address every day
    > for (as I found out) almost a year until the same email address came free.
    > Then they just signed up for the same exact email address.
    >
    > It worked. And then all this person did was change the contact information
    > to myself, and then *POOF* I owned both www.domain.com and www.doma1n.com ..
    > and of course I set up DNS to point to my page ... and well, the rest is a part
    > of media history forever.
    >
    > This is why SECURITY (and a brain) is needed when registering domains, so
    > that something (as stupid) like this can't happen.
    >
    > Anyways, that is my 2 cents ($10.89 with inflation) about this, as I can
    > speak first hand about this type of "Hack".
    >
    > -- Kris
    >
    > > -----Original Message-----
    > > From: Thomas Reinke [mailto:reinke@E-SOFTINC.COM]
    > > Sent: Wednesday, January 12, 2000 12:27 AM
    > > To: BUGTRAQat_private
    > > Subject: Anyone can take over virtually any domain on the net...
    > >
    > >
    > > Wired recently ran an article on the fact that someone
    > > recently hijacked a number of domains in the Network
    > > Solutions database using email spoofing.
    > >
    > > At first I thought this had to be a joke. After thinking
    > > about it, I realized that it's no joke at all, and in
    > > fact quite easy to do.
    > >
    > > Step 1: Send a spoofed email to Network Solutions requesting
    > >         a DNS change to your own DNS server.
    > >
    > > Step 2: Wait for a short while (the amount of time it normally
    > >         takes Network Solutions to send out a confirmation
    > >         email request)
    > >
    > > Step 3: Send a second spoofed email confirming the request.
    > >
    > > Step 4: Have your DNS server serve the new web server address
    > >         from a new webserver with your own content.
    > >
    > > Network Solutions rep quoted in the wired article:
    > >
    > >      "O'Shaughnessy pointed out that Network
    > >       Solutions offers more secure services.
    > >       Most accounts will not need the extra
    > >       security he said, but in the age of
    > >       e-commerce and more vital Web services,
    > >       the onus is on the registrant to see that
    > >       his domain is secure."
    > >
    > > Doesn't take too much rocket science to point out that other
    > > than the obvious flaws in insecure email, the fact that
    > > confirmations to make domain changes do not carry any
    > > sort of tracking number makes it possible for spoofed email
    > > to confirm illegitimate requests.  I think it might be
    > > appropriate for Network Solutions to add at least THAT
    > > much reliability into their confirmation scheme so that
    > > that kind of change couldn't occur in the future...
    > >
    > > BTW, Network Solutions' instructions on changing the
    > > scheme to a userid and password based system don't
    > > work very well. We've attempted on several occasions
    > > to do this with no luck...thereby forcing on us the guardian
    > > scheme :(
    > >
    > > Cheers, Thomas
    > > --
    > > ------------------------------------------------------------
    > > Thomas Reinke                            Tel: (905) 331-2260
    > > Director of Technology                   Fax: (905) 331-2504
    > > E-Soft Inc.                         http://www.e-softinc.com
    > >
    >
    
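The thread's central point is that a confirmation which carries no tracking number can be "confirmed" by anyone who can predict it. The following is an added illustration, not code from any registrar or from the posters: it models the scheme Thomas describes beside one that binds every confirmation to a random per-request token sent only to the contact on file. Domain and nameserver names are made up.

```python
import secrets

# Constructed example: two registrar confirmation schemes for a nameserver
# change. Names such as example.com and ns1.legit.example are invented.

class WeakRegistrar:
    """No tracking number: any second mail naming the domain counts as approval."""
    def __init__(self):
        self.nameservers, self.pending = {}, {}   # domain -> ns / domain -> new ns

    def request_change(self, domain, new_ns):
        self.pending[domain] = new_ns  # the confirmation mail holds nothing unpredictable

    def confirm(self, domain):
        new_ns = self.pending.pop(domain, None)
        if new_ns is None:
            return False
        self.nameservers[domain] = new_ns
        return True


class TokenRegistrar:
    """Each request gets a random token mailed only to the contact on file;
    a confirmation is accepted only if it echoes that token for that domain."""
    def __init__(self):
        self.nameservers, self.pending = {}, {}   # domain -> ns / token -> (domain, ns)

    def request_change(self, domain, new_ns):
        token = secrets.token_urlsafe(32)          # unguessable, single-use
        self.pending[token] = (domain, new_ns)
        return token   # delivered to the registered contact, not to the requester

    def confirm(self, domain, token):
        entry = self.pending.get(token)
        if entry is None or entry[0] != domain:
            return False   # unsolicited or guessed confirmation is rejected
        del self.pending[token]                    # token cannot be replayed
        self.nameservers[domain] = entry[1]
        return True


def forged_request_outcome():
    """The thread's scenario: a forged request, then a forged confirmation from
    someone who never sees the registrar's reply. Returns (weak, tokenized)."""
    legit, rogue = ("ns1.legit.example",), ("ns1.rogue.example",)
    weak = WeakRegistrar(); weak.nameservers["example.com"] = legit
    weak.request_change("example.com", rogue)
    weak_changed = weak.confirm("example.com")
    strong = TokenRegistrar(); strong.nameservers["example.com"] = legit
    strong.request_change("example.com", rogue)   # real token goes to the contact on file
    token_changed = strong.confirm("example.com", "any-guess")
    return weak_changed, token_changed


def legitimate_outcome():
    """The real contact echoes the token they received; the change goes through."""
    r = TokenRegistrar(); r.nameservers["example.com"] = ("ns1.legit.example",)
    token = r.request_change("example.com", ("ns2.legit.example",))
    return r.confirm("example.com", token) and r.nameservers["example.com"]
```

The token only closes the gap Thomas names; it does nothing against a contact mailbox that has itself been taken over, which is Kris's case above.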



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:37 PDT