Companies point fingers over Nike Web site hijacking

The hijacking of Nike Inc.'s Web site earlier this month has sparked an international argument over whether the footwear company or Internet domain-name registrar Network Solutions Inc. (NSI) should bear responsibility for the temporary theft of

The incident occurred on June 21, when a group calling itself S-11 redirected traffic from to servers at a Scotland-based Web hosting company in a slap at both Nike and the World Economic Forum (see story). Now, the hosting firm is threatening legal action against Nike.

Greg Lloyd Smith, director of FirstNet Online (Management) Ltd. in Edinburgh, said the wayward Nike traffic swamped his company's Web servers and impaired service to its real customers. After unsuccessfully trying to bill Nike for use of his servers, Smith said he's preparing to sue the Beaverton, Ore.-based company for allegedly neglecting to secure its Internet domain.

Nike, in turn, said the responsibility lies with NSI in Herndon, Va. Changes to the status of Nike's domain status are supposed to be made only via NSI's encrypted and password-protected security system, said Nike spokesman Corby Casler. But NSI allowed a spoofed piece of e-mail from the S-11 group to drive changes in Nike's registry information without requiring a password, she claimed.

"We're still looking into exactly what happened," Casler said. "We were told that we had encryption and that we were secure, and for some reason it fell through."

Casler added that Nike has locked down any further changes to its registration information at NSI and is investigating the most secure way to manage its domain. Nike is also working with the FBI and local police in Oregon "to see exactly what happened and who is liable," she said.

Smith disputed Nike's claim that it had access to the Crypt-PW encryption system through NSI, and it charged that the footwear maker subscribed to a level of security that lets changes to its domain-name information be made from an approved e-mail address. "A responsible company would not deny the fact that their domain was stolen because they did not have satisfactory security in place," Smith said via e-mail.

However, Casler insisted that Smith's claims are inaccurate and said Nike doesn't consider itself liable for the unintended usage of FirstNet's Web servers. Smith "did try to bill us for it, and our response is we are both victims and the real problem is (with) whoever it was who hacked into the system," Casler said.

Smith got into a legal battle with Inc. last year after the company won a preliminary injunction against him for using the domain name in Greece in an alleged attempt to coerce a partnership. But Smith rejected any suggestion of involvement in the action against Nike. "No one from this company has anything to do with the original redirection," he said. "Our involvement was as an injured party."

NSI, which declined to comment on the circumstances surrounding the Nike domain theft, has come under harsh criticism for similar thefts in the past, including the heist of 1,300 domains from in May.

Alan Meckler, chairman and CEO of New York-based, said NSI told his company that its registry information had been changed by forged documents sent via fax. The FBI is also investigating the theft of his company's domains, Meckler said.

NSI officials "deny that it's their fault," Meckler said. "But the fact is that if you pay (NSI), you are presuming that in the morning the last thing you have to worry about is whether you own your domains. If it's not their fault and it's not Nike's fault, then whose fault is it?"

But Connie Ellerbach, a partner at the Fenwick and West law firm in Palo Alto, Calif., said past case law indicates that NSI wouldn't be liable for the domain theft because it's merely a conduit for domains and takes no responsibility for their validity or for changes in domain-name registrations. A domain theft suit brought against NSI by was recently settled in favor of the domain-name registrar, she said.

Ellerbach added, though, that it would also be difficult for FirstNet to prove that Nike was negligent. "They would have to seek their damages from a third party that changed the registrations," said Ellerbach. "How is Nike going to police registration of a domain and keep them from spoofing or fooling NSI?"

Meckler said some of the domains stolen from took a week to sort out but were at least discovered before any Web site traffic could be redirected. "Think of the damage to us PR-wise and revenue-wise if our sites were redirected," Meckler said. "Fortunately, we caught it, but Nike wasn't as lucky."

However, Casler said the impact on Nike product sales made through was minimal during the hijacking, which lasted from six to 24 hours depending on when the Web site was reloaded by different Internet service providers. During the incident, Web users who tried to access Nike's site were instead sent to one that criticized the company and the World Economic Forum, a pro-capitalism group that includes Nike as a member.

Related links:

  • For more security coverage, visit our Security Watch page.
  • Have opinions on security issues? Head to the forums. (Note: Registration required to post message; anyone may read messages. To register on Computerworld's forums, click here).

Copyright © 2000 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon