by Amy H. Blankstein
It’s Fall 2000, do you know where your Web site is? A series of Web site thefts this summer has made some site owners take another look. Unlike the perpetrators of denial of service or graffiti attacks, Web site thieves achieved their goals using plain vanilla e-mail and faxes. Web sites ranging from the high profile like Internet.com and GTE.net, to the not-so-well-known like Bali.com and Web.net were hit, with varying degrees of damage.
Even ISPs aren’t safe. Web Networks, the legal owner of Web.net, was crippled for a week in early June. The Toronto-based company hosts Web sites and e-mail for 3,500 Canadian non-profit organizations. In this case, the thief, in a process known as “spoofing,” sent a series of e-mail requests, disguised to look as though they came from within Web Networks, to the company’s domain name registrar, Herndon, Va.-based Network Solutions (NSI). The first e-mail requested a change in the account’s administrative contact information to Billy Tandoko of Jakarta. The second e-mail request switched the account’s registration from NSI to Canadian registrar Open SRS. The third, sent to Open SRS, was a request to change the ownership of Web.net from Web Networks to Tandoko. Each request was granted in turn, effectively stealing ownership away from its rightful owner.
After working with both registrars’ investigation teams for a month, Web Networks was able to regain control over its domain name — but not before damage had been done to the business. “It happened over a course of a week, but the disruption to our business was at least a month long in terms of people calling, saying what the heck happened and are you still in business.” says Heather Urquhart, Web Networks’ business and finance manager. “All our staff, myself included, had to be diverted to answer phones.”
“If there is a domain name that’s rerouted and causes disruption in service, of course that can be devastating to a business online,” comments NSI’s Cheryl Regan, a spokesperson for NSI. “But in the scheme of things, it is a relatively small amount of instances in which domain names and Web sites are rerouted and hijacked.” But regardless of the numbers, Regan urges owners to protect themselves by adopting higher levels of security when registering an account. “It’s not clearly understood that when you register for a domain name, you can opt for three levels of security for your domain name,” she says. “But its free, and available to you at the time of registration.”
The simplest means of security is the Mail-From level. If NSI receives a simple e-mail from a contact listed as the registered contact for a given domain name, they will make the requested change. The second level of security is Crypt-Password, meaning that to make a change in an account, any requests must be accompanied by an encrypted password. The third level is PGP, or Pretty Good Privacy, which requires setting up a public/private key infrastructure.
But according to Web Networks’ Urquhart, Tandoko effected the changes by simple e-mail. “We had on the file very explicitly requested that for any changes, an encrypted password be provided and a faxback authorization be provided, and they didn’t implement them.” Urquhart says. “I think NSI has been trying to automate its system, but it very clearly left its security measures ineffective and wide open.”
If you think your site is too small to attract the attention of a Web predator, you’re wrong. None of the hijackings have elicited demands for ransom, but a well-chosen domain name can be a very valuable commodity. A hijacker may want to divert your audience to see their wares, or they may just be out for a cyber joy ride.
So what’s a Web site owner to do? Lebanon MobileFone, a Lebanon, Penn.-based ISP and Web hosting service, has experienced more than 10 attempted Web hijackings. The company’s system administrator, Steve Vingst, recommends steady vigilance. “Check your domains every day using a name server that is not affiliated with the domain [such as whois.com],” he says. “If it reports a different IP address then you are expecting, then there’s a good chance that either your DNS server is messed up or someone stole your domain. It should be investigated immediately.”