Photo by Vook tv
Domain name hijacking broadly refers to acts where a registered domain name is misused or stolen from the rightful name holder. A domain hijacking is a security risk many organizations overlook when they develop security policy and business continuity plans. Name holders can take measures to protect their domain names against theft and loss, but many measures are not generally known.
Is domain hijacking that a serious problem?
The answer is best illustrated by examples. In one hijacking scenario, you begin the day as an e-merchant doing business online at www.onlineseller.example.com. At 2:15 p.m. that afternoon, your visitor traffic and merchant transactions disappear. You investigate and discover someone's impersonated your company's administrative contact, transferred your domain name to a different registrar, and modified the DNS. Visitors to your domain name land at a hoax web site that impersonates your virtual store. Improbable? It happened to Hushmail on 25 April 2005.
In another scenario, email service you provide to thousands of users suddenly comes to a halt. You discover someone's transferred your domain name to another registrar without your notice or consent. Your DNS configuration has been modified, and your user's email is being delivered to someone else's mail server. Hours later, your registration is restored, but only after an exhausting and frustrating incident response effort. Preposterous? It happened to PANIX on 17 January 2005.
The PANIX and Hushmail incidents attracted international attention and prompted a lengthy investigation by the Security and Stability Advisory Committee (SSAC) of the Internet Corporation for Assigned Names and Numbers (ICANN). After investigating other reported incidents, the SSAC produced a report, concluding that "domain name hijacking incidents are commonly the result of flaws in registration and related processes, failure to comply with the transfer policy, and poor administration of domain names by registrars, resellers, and registrants."
Simply stated, if everyone involved in the name registration process were to try a bit harder, domain name hijacking would be much less a threat. As SSAC chairman Steve Crocker explained in a 12 July 2005 press release announcing the committee's official report, "no single party to the registration process is wholly at fault for all hijacking incidents, and there is room for improvement in policies and processes across the board. Name holders have a responsibility to protect their domain names as they would any valuable asset.
ICANN CEO Paul Twomey comments that "a domain hijacking is not as obvious a threat as spam and spyware, but it can be just as disruptive to the business and operations of name holders; in extreme cases, a domain hijacking can have a lasting impact on an organization".
Resellers, registrars and registries have an obligation to provide a secure and reliable registration service, and ICANN has to make certain that domain name registration policies are upheld."
If this is an easily solved problem, is domain name hijacking really a threat?
Domain Name Registration Lingo
Registrant - a party who registers a domain name
Registrar - an organization that is authorized to register domains within a top level domain (TLD, e.g., .com, .net, .org)
Registry - a term used to identify both a database of names assigned within a TLD and an organization that is authorized to maintain that database (e.g., Verisign, PIR, Afilias)
TLD - the highest level of the domain name hierarchy after the root. The TLD is the part of the domain name furthest to the right (.com, .org, net)
SLD - second level domains are names assigned within a TLD, e.g., example.com,
Transfer Policy - the ICANN Inter-Registrar Transfer Policy
Threat or F.U.D.?
It may seem implausible that the consequences could be so severe, but domain name holders attribute value to their domain names, both tangible and intangible. Tangible value increases when consumers associate brand with a domain name (in a positive way). Intangible value increases in proportion to the reputation of a domain name: the domain name of a respected security consulting company is worth more than any financial compensation the company is likely to recover through legal means. Speculative value - the ability to acquire a desirable domain name and resell it - creates additional incentives for would-be hijackers, who are motivated by financial gain as well as notoriety.
The threats are real, and include denial and theft of electronic mail services, identity theft, traffic inspection, web site defacement, loss of revenue and even irrecoverable loss of online business operations.
Protect your assets
The SSAC report, Domain Name Hijacking: Incidents, Threats, Risks and Remedial Actions , describes measures all parties to the registration process can take to protect domain names. Name holders (registrants) have a number of measures at their disposal that can measurably reduce the likelihood of a domain hijacking.
Make domain name protection a part of your security policy. Identify domain names as an asset and perform a risk assessment. Incorporate domain name hijacking into your incident response and business continuity planning, and develop an "urgent restoration of domain name and DNS configuration" strategy as part of business continuity planning. Investigate whether business interruption and losses related to a domain name or DNS configuration incident are covered by insurance policies.
Keep your registration records and contact information accurate. You give hijackers an edge if you fail to keep your contact information accurate. You can't expect a registrar to know when you change staff, offices, or the email address used in domain name transfer communications. Keep business and emergency contact information for your registrar accurate and available for your incident response staff.
Keep your registrant account information private, secure, and recoverable. Protect this account information as you should every user account and password. This information should only be made available to staff in your company whose role(s) involve domain name administration. When staff changes, change account information, especially passwords. Use a name other than your Transfer Contact email address as your login to registrar domain name self-administration pages. Hijackers use the Whois service to identify transfer contact email addresses of targeted domain names, and will routinely check whether your Transfer Contact email address doubles as your account user name.
Lock it up. Request that domain names be placed on Registrar-Lock. In this state, your registration information and DNS configuration cannot be changed until you unlock your name. This important step can block many domain name transfer attacks. Registries that support the Extensible Provisioning Protocol (EPP) provide a second "lock", the Authorization Information Code or authInfo. If EPP is implemented, your registrar must provide you with your authInfo code within five days of your request to transfer a domain "out". You must then provide this code to the gaining registrar to initiate the transfer in. Some registrars let you set the authInfo value. Use a unique EPP authInfo code for each domain name you register; if one authInfo code is broken, only one of your domain names can be put at risk.
Once you've locked your domain name, routinely check the Whois service to make certain it remains locked, and that your domain name information has not been modified without your knowledge and consent.
Choose a registrar wisely! If you value your domain name, then services are a more important differentiator than price. Look for registrars who are willing to provide you with more than the minimum registration and transfer services. If you run your operation 24 x 7, do you need a registrar that offers 24 x 7 technical support? Does the registrar issue a transfer pending notification as its standard practice? (Registrars are not obligated to do so.) Is the registrar willing to notify you of registration record changes and transfer requests using contact methods in addition to (and in parallel with) standard email notices? Will the registrar allow you to specify the contact methods that must be used (e.g., any or all contacts in the registration record, including, email, telephone, messaging and paging services, fax, etc.)? Will the registrar implement additional authentication and authorization measures to safeguard against removing your transfer lock or changing your domain name configuration? Such measures are sometimes maligned as inhibiting name transfers, but some name holders are perfectly happy with the service and relationship they have with their registrars and want that relationship protected.
Some of these services are likely to be offered by registrars as part of a basic service. New security services may also appear as registrars, registries and ICANN review and implement the recommendations of the SSAC Domain Name Hijacking report. Encourage registrars to offer domain name protection services. If name holders demonstrate a willingness to pay for registration and DNS configuration protection, registrars will be more likely to offer them.
Originally published August 2005 in Security Pipeline, reprinted courtesy of CMP Technology and Dark Reading
You can follow this conversation by subscribing to the comment feed for this post.