A lot of people lost e-mail, access to Web administration and even their porno accounts over the weekend. Yes, it was a momentous and stressful couple of days.
Several domains were stolen, including panix.com, the home domain of Internet service provider Panix, the oldest ISP in the New York area (or so they say about themselves). This particular thievery is what raised most of the attention, because Panix customers who use a panix.com e-mail address stopped getting their mail.
According to this message on ICANNs message boards by George Kirikos, aem.com and f3.com (both of which, I think, are car-related sites), as well as xybererotica.com, appear to have been stolen as well. In fact, all three of these domains seem now to have the same whois data and point to the same Web site. Some serious traffic was diverted, and the new sites are spyware-infected. (Perhaps the old ones were too, I cant say.)
It may be the first great test of the response of ICANN and the domain registrar industry to a violation of their new policies implemented late in 2004. I expressed concern about these new policies at the time, but was reassured that one of the strengths of the new system was the well-defined mechanism for dealing with disputes.
But theres a good chance here that the central issue is not so much disputes between registrars but sloppy procedures at some registrars that allowed an unverified transfer through. Panix says on its home page (as of Monday morning, EST) that Melbourne IT, the Aussie registrar to whom the domain was illegitimately transferred, has reverted the domain back to them. This does indicate that there was no real dispute once Melbourne IT woke up Monday morning and realized what had happened. Incredibly, Melbourne IT, not a teeny company, has no support available over the weekend. The hijackers may have counted on this fact.
The motivation behind the ICANN rule changes was actually to streamline domain transfers between registrars. Some registrars (cough! Verisign! cough!) had a reputation for sitting on valid requests for transfers to other, almost certainly less-expensive registrars. The new rules create a presumption that the transfer will proceed after some period of time unless it is denied for some valid reason. The registrars still have to contact the owner of the domain, presumably through the whois records.
I was concerned on two fronts: 1) that a “rogue registrar” could more easily steal domains this way, and 2) that so much data in whois is inaccurate, intentionally on the part of the owners, that notifications could go unnoticed by legitimate owners.
I still think phony whois data is a problem in this regard, but I was assured that the rogue registrar scenario wasnt credible, and this incident doesnt seem to be an example of it. On the other hand, it does appear to me that at least one registrar was delinquent in some way, in that I cant believe that all these domain owners didnt see a notification of a transfer request, not to mention changes in the whois records themselves.
The stolen domains have ended up with more than one registrar, but according the Kirikos post they were all previously at Dotster, a deep discounter that has domain names like killbush.com and hairyarmpits.net for sale on its home page.
Kirikos believes, and with good reason, that the answer is to use the registry LOCK feature. Actually, he says that registrars should, by default, lock all domains, and I cant see a good reason not to. Its just good security for a registrar, and thats what this story is probably all about: good practices, especially security practices, by domain registrars. The system may be all set up now to make transfers go smoothly, so its up to the registrars to make sure that domain hijackings dont.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms for the latest security news, reviews and analysis.
More from Larry Seltzer