It happened over the weekend, when no one was watching: Six domain names quietly disappeared from the registry of Herndon, Va.-based Network Solutions Inc. (NSI). This is a very bad thing when you're an Internet
business like Web Networks Inc., a Toronto-based Web hosting service for Canadian nonprofit organizations that had registered its domain name, Web.net, with NSI. The May 27 loss of its domain name cut it, along with the nonprofits that use its service, off from the Web for five days. It took seven days to restore ownership.
"It's been nutty. Nobody could get to our site, and we had no way of directing incoming traffic to our clients' sites," said a very tired Tonya Hancherow, Web Networks' executive director, from her Toronto office last week.
That same weekend, Naked.com, Valley.com, Web.org, Adultpass.com and Internetbanking.com also fell victim to domain name theft. Then, last week, Internet industry news provider Internet.com and GTE Internet both reported that their domain names had been stolen. All were registered with NSI.
It doesn't take a technical genius to steal a domain name when the change process is fully automated. Someone posing as the administrators of the actual sites simply filled out templates on the NSI Web site asking for an ownership change.
These administrative contacts and their e-mail addresses are conveniently provided free of charge through a "who is" lookup at any of the 40-odd accredited registrars around the world. In some cases, the perpetrator spoofed the return e-mail header to match that of the registered administrator.
In Web.net's case, the perpetrator didn't even have to spoof an e-mail header. He simply keyed the registered administrator's address into the template and, voilý, NSI's application template accepted the change of ownership, no questions asked.
At this point, the perpetrator simply transferred the hijacked domain names to another registrar, OpenSRS, managed by Toronto-based Tucows Inc.
Preventing such thefts seems simple enough. "Work it out so the only way (a domain name registrar can) accept changes is through telephone verification," says Peter Van de Gohm, director of information asset protection at Enron Energy Services in Houston.
But NSI, the official registrar of 10 million of the world's 15 million .com, .net and .org domain names, has no telephone or fax-in verification option. NSI instead offers the following three levels of authentication:
• "Mail from," which accepts all forms from the e-mail address as listed in its database or from the administrative/technical contact.
• Encrypted password, which allows updates from any e-mail address, as long as the requests are accompanied by an NSI-provided encrypted password.
• Pretty Good Privacy, which requires encryption and NSI-issued digital signatures to make updates.
Brian O'Shaughnessy, an NSI spokesman, blamed the security snafu on those using the least-secure option, "mail from." But Web.net registered under the encrypted-password security level. And, according to Hancherow, the system failed to support that level of security.
"We had an encrypted password. It wasn't used. And Network Solutions processed the change request anyway," she says.
O'Shaughnessy says the matter is "still under investigation." Perhaps it's a matter of scale. The NSI system processes 30,000 to 40,000 requests per day, which "could have" overwhelmed it, he says.
Things will likely get worse, especially if, as NSI predicts, domain name registration grows to 160 million in the next three years.
Hal Lubsen, president of Domain Bank Inc., another domain registry in Bethesda, Pa., offers this advice: "When you register, find a real registrar, not some third- or fourth-level retailer. Investigate what the rules are to make changes. Personally, I wouldn't register with someone who didn't require letterhead paper transactions."