Hijacked Web addresses show weak link in Net

Web.net, an email and information site for 3,500 charities and volunteer groups, and holiday website Bali.com had their domain names re-registered to people in Hong Kong and Madrid respectively.

The registrar handling those names, Network Solutions, eventually restored the sites to their rightful owners, but during the outage the owners estimated 400,000 emails went astray from web.net and $100,000 in bookings were lost from bali.com.

"It happened through a simple spoofing," said Brian O'Shaughnessy, program director, policy and registry at Network Solutions. "In these cases, individuals spoofed emails to us, automated systems recognised the fake email header information and made someone else the owner. These things are incredibly unfortunate but very infrequent."

When a site is registered with Network Solutions, the owner can elect to set up a password or a PGP-based system to authenticate messages requesting changes. However, the default is just to accept requests if they appear to be emailed from the original registration address. "We suggest stronger security measures", said O'Shaughnessy, "but we have over ten million people using us, and 30,000 registrations a day. 99.9 percent of the time it works incredibly well. I don't want to minimise the problem, but it doesn't mean the system failed. Obviously, all the major commercial clients use stronger protection than the 'mail from' field in an email header."

Chris Lewis, ZDNet's technical director, recommends that anyone registering a domain name should ensure that at least a password is required to reassign the name, but PGP is preferable. "You'd have to be an idiot not to use the strongest security available to you."

What do you think? Tell the Mailroom. And read what others have said.

Take me to Hackers