Perl.com theft blamed on social engineering attack: Registrar 'convinced' to alter DNS records by miscreants The short-lived theft of Perl.com in late January is believed to have been the result of a social engineering attack that convinced registrar Network Solutions to alter the domain's records without valid authorization. In a blog post published on Sunday, Perl.com website editor Brian D. Foy said as much, noting that while …
From the article: a social engineering attack that convinced registrar Network Solutions to alter the domain's records without valid authorization.
Network Solutions - they're pretty much the OLDEST one out there, as i recall. Used to be 'internic'. I set up a domain with them in 1995. Still registered there, too. I was under the impression they had safety procedures in place to PREVENT this kind of thing.
Apparently they need to review their internal procedures...
"All sides understood that Perl.com belonged to Tom and it was a simple matter of work to resolve it "
If all sides understood, then how come somebody got conned into changing the records ?
I know nothing about how DNS records are managed, but if someone can get a hold of something that doesn't belong to them with a simple phone call or email, then security needs to be tightened up somewhere. My website is insignificant, but if someone managed to take it away from me, I'd be pretty pissed.
So imagine you're a customer service agent at Network Solutions.
100 times a day clueless domain owners phone you and tell you they forgot their password or for whatever other reason can't get into their accounts or change their information.
99.999% of the time it turns out they're real and just need help.
How do you as a customer service agent reliably identify the one time they aren't?
The tradeoff between convenience and security depends in part upon how much damage is done by a security breach. That in turn depends on the blast radius (i.e., what asset is being compromised and what else can be done with it) and the difficulty/cost of recovery (i.e., how much work/money/time will it take to put things right again, if possible, and what else will be lost/damaged in the meantime)? Given the potential for enormous damage from domain name theft including malware distribution, compromise of customer and other downstream confidential information, and in some cases the simple loss of assets worth thousands or millions of currency units, the tradeoff needs to be made pretty heavily in favour of security. When one factors in the difficulty of recovery -- days to weeks in "simple" cases like this one up to months to years plus court costs, etc. in more difficult ones -- it becomes apparent that convenience simply must take a back seat, at least until a faster, more robust recovery mechanism is available.
What does that mean? The answer to your question is simple: you don't. You send a recovery code by postal mail to the administrative contact's address on file. Whatever changes the person on the other end of the call wants to make will simply have to wait. That's far better than the consequences of domain theft. This happens to be a specific case of a much more general problem: there is currently no reliable way for any human to authenticate his or her identity. The best means by far is the shared secret, which is specific to a particular relationship and usually the thing that's been lost due to carelessness or stupidity. The right tradeoff here is to stop punishing people who maintain secure custody of their shared secrets in order to provide a better experience for people who don't.
"Whatever changes the person on the other end of the call wants to make will simply have to wait. That's far better than the consequences of domain theft."
That's up to each customer. For some, the security of a domain name is paramount. For others, immediate restoration is critical (business lost far exceeds the damage done by a temporarily wayward domain). The problem seems to be that the criticality is only determined at the time the customer's site has failed. Then, the car has broken down, the dog died, there are six children crying and unfed in soiled diapers. And the landlord is pounding on the door with a past-due rent bill. And now my web site is broken. At least that's how the scammers make it sound.
Perhaps there could be some pre-negotiated process, selected by the user at the time of domain purchase to set a level of identity verification. At least it will make the customer think carefully about how well to secure that password. And if it was a legitimate emergency, well .... shame about the dog.
maybe 2014, or 2015, or thereabouts, TCS (my employer, Tata Consultancy Services) was "hacked" (1) the same way.
I'm really too lazy to look it up but I think that was also NetSol when that happened.
Looks like they haven't learnt any lessons or modified any of their processes to cover this!
----
(1) "hacked", in quotes because everyone said we got hacked and we had to go around explaining that it was actually the DNS provider that was "hacked"
I see what you are saying, but with some whois fields redacted for privacy reasons more recently, it's become more difficult.
My money would be on an element of impersonation - and yes I have had to do that on behalf of clients before (one died & one was incommunicado for hours).
I once found myself inadvertently helping someone steal a domain.
I visited a shop to help the owner/manager recover his domain from an ex-employee that set it up.
The website was definitely for the shop I was actually sat in, everything checked out... shop name, address, phone number was the same as above the door. The manager had access to the sales/admin emails so we were able to reset passwords and transfer domain ownership. The manager was a key holder, the shop was open and staff / customers were milling about.
Couldn't really get much more proof of ownership than that. Did the job, got paid, emailed a receipt.
Turns out that the 'manager' and some of the team were actually staff that were about to leave and set up on their own. He was sabotaging the website and social network accounts on the way out.
My email receipt reached the 'real' boss, who aggressively threatened all sorts of things. I tactfully reminded him that I'd done what the manager in the shop had asked me to do, and that I didn't know this person on the phone. If he could provide proof of business ownership (not a ltd company) I'd gladly switch it back and he could claim the cost from the rogue employees. I didn't hear anything else.
Who do you trust?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
