NSI To Close Hijack Hole
by Kevin Poulsen
After allowing an embarrassing string of web jackings, Network Solutions prepares for the July 8th launch of a new authentication scheme.
In an apparent effort to squelch a growing epidemic of high-profile Internet hijackings, Network Solutions Inc. (NSI) is adding another step to the process of changing contact and routing information for the 10 million domain name records in its database.
"If you send a modification in to make any sort of changes to a domain name, the system currently operates in that it processes the changes and then the contact is given notification that the changes have occurred," said NSI spokesman Brian O'Shaughnessy. "Now, the admin will have to affirmatively notify us that they do or do not want the changes made."
O'Shaughnessy cited NSI's recent acquisition by computer security powerhouse VeriSign as an impetus for the change. "We felt that with the new acquisition, and the level of sophistication in people's concern for protecting their Internet identities, that it was an appropriate time to begin rolling out higher levels of security for our customers."
Currently, owners of Internet domain names choose from three different "Guardian" authentication systems. One scheme lets owners manage a domain with a password known only to them; another relies on encryption using the free PGP package.
But by far the most common scheme in use is the lowest, default level of security, in which the billing, administrative or technical contact associated with a domain name can redirect it by simply sending a properly formatted email message to NSI. The company checks the return address on the email against the list of authorized contacts, and if it matches, the modification goes through automatically.
That system has proven easy to fool, and in recent weeks domain name hijackers have forged email messages to redirect or take down such sites as GTE.net, IndianaJones.com, and Web.net.
Under the new system, scheduled to go into effect on July 8th, all three contacts for a given domain name will be notified by email of a pending change before it occurs, and at least one of them will have to send a second email to NSI confirming it, said O'Shaughnessy.
"That would have been helpful," said Corby Casler, a spokesperson for Nike, which found its web site redirected to an anti-globalization site last week. "Somebody had sent an email that was at a level that they were not authorized to do, so if we were able to confirm that they were unauthorized to do it, that would not have happened," said Casler.
But an executive at Web.net, which hosts web pages for 3500 nonprofit and charity groups, was not as confident that the extra hijacking hurdle would have spared them the weeklong outage they suffered when their site was redirected in late May. "Whoever did it sent an email that looked like it came from Web.net," said Heather Urquhart, business and finance manager. "But our account was supposed to be password protected" and should not have been changeable through email at all.
O'Shaughnessy, citing ongoing investigations, declined to comment on the Web.net case, or on other cases in which domain owners reportedly had their names hijacked via email despite having selected the more secure password or PGP encryption authentication schemes. But he said that the scheduled change is part of a plan to overhaul the entire system, which will culminate with the company protecting domain records with VeriSign's digital certificates. "The current structure for all the levels of security is being upgraded," said O'Shaughnessy.
For now, it's hoped that the new email authentication step will stop the hijacking spree. But O'Shaughnessy admitted he wasn't certain how the new scheme would guard against hijackers forging the confirmation email. "I think that the system that's going to be in place will work rather well for most users, but I would urge users who want a greater level of security to use a password or PGP."
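The default return-address check and the two-step confirmation described above can be modeled in a few lines. This is an added example, not NSI's code: the `Registry` class, the `example.test` record and the sample message are constructed, and the random token carried in the notification is an assumption (the article does not say how a confirmation is tied to the notification).

```python
import hmac, secrets
from email import message_from_string
from email.utils import parseaddr

# Constructed sample record; the domain and addresses are placeholders.
CONTACTS = {"example.test": {"admin@example.test", "billing@example.test", "tech@example.test"}}

def sender(raw):
    """Address taken from the From: header, which the sender fully controls."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()

def mail_from_check(domain, raw):
    """Default scheme from the article: accept if From: matches a listed contact."""
    return sender(raw) in CONTACTS.get(domain, set())

class Registry:
    """Two-step scheme: hold the change, notify all contacts, apply on confirmation."""
    def __init__(self):
        self.pending = {}   # domain -> (requested change, token)
        self.applied = {}   # domain -> change in effect
        self.outbox = []    # (recipient, token) notifications sent to the real contacts

    def request(self, domain, raw, change):
        if not mail_from_check(domain, raw):
            return False
        token = secrets.token_urlsafe(16)  # assumption: not described in the article
        self.pending[domain] = (change, token)
        for addr in sorted(CONTACTS[domain]):
            self.outbox.append((addr, token))
        return True

    def confirm(self, domain, raw, token):
        if domain not in self.pending or sender(raw) not in CONTACTS[domain]:
            return False
        change, expected = self.pending[domain]
        if not hmac.compare_digest(token.encode(), expected.encode()):
            return False    # From: alone is not enough to confirm
        self.applied[domain] = change
        del self.pending[domain]
        return True

FORGED = "From: admin@example.test\nSubject: MODIFY\n\nnameserver: ns.other.test\n"  # constructed

def demo():
    reg = Registry()
    old = mail_from_check("example.test", FORGED)         # header match alone passes
    held = reg.request("example.test", FORGED, "ns.other.test")
    blind = reg.confirm("example.test", FORGED, "guess")  # confirmation without the token
    return old, held, blind, "example.test" in reg.applied, len(reg.outbox)
```

If `confirm` compared only the return address, the second email would be exactly as forgeable as the first; the hold is only as strong as whatever the confirmation must carry that reaches the listed contacts alone.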