Hundreds of high profile sites unprotected from domain hijacking
Should a company entrust the integrity of its high value Web property to a domain registrar, or a DNS service provider in the wake of the most recent Twitter and Baidu domain hijackings? How much damage can be done to brand's reputation in an event of domain hijacking? Where's the weakest link?
Go through the Q&A with Elisa Cooper, Director, Product Marketing, at MarkMonitor.
Were you surprised to find out that less than 10% of the 300 top high trafficked web sites were using the newly introduced "Registry Lock Service"?
Elisa: I was disappointed to see that the adoption of this service was so low, but not entirely surprised because most registrars are not actively promoting or even offering it, in many cases.
What exactly is the VeriSign's Registry Lock Service, and how does it differentiate itself from the already established services offered by a domain registrar?
Elisa: Unlike security options offered by registrars, VeriSign's Registry Lock Service secures domains at the registry-level. The only way domains with this setting can be updated is if the registrar contacts VeriSign and completes a specific set of security protocols.
So even if a registrant's credentials are compromised, or hackers infiltrate a registrar's back-end system, domains with this security setting can not be updated in any way. At MarkMonitor, only a limited number of individuals know how to complete this set of security protocols to add a further check-and-balance to the process.
Why do you think the companies remain reluctant to implement the service? Lack of awareness building on its existence, or a false feeling of security offered by the protection currently in place on their domain registrars?
Elisa: I think that a number of factors are in play. While this service is not actively promoted or offered, even by corporate-only registrars, due to the added responsibility of working directly with the registry to complete legitimate updates, the bigger issue is that many high-profile domains are still registered with retail registrars.
The business models of retail registrars are focused on providing high-volume, highly-automated registration services and this type of security solution falls outside that model. Retail registrars would find it extremely difficult, if not impossible, to offer such a service.
How much damage do you think can be caused to a brand's reputation in case of a DNS hijacking incident? Is the negative publicity a short-lived PR disaster, or do you think there are other long-term negative issues that the company is facing?
Elisa:If a website is only providing information, and is not collecting credential information, I think that the harm caused is likely to be short-lived. However, for sites collecting credential information - even basic information like a username/password combination - or conducting transactions, I think that effects could be longer lasting as visitors of the affected site may be reluctant to provide sensitive information fearing that they may have fallen prey to a phishing scam.
Despite the fact that so far, we haven't seen embedded malware attacks in any of the high profile DNS hijacking incidents, how realistic do you think is a scenario where the attackers move beyond their hacktivist ambitions, and go truly malicious? Would such an event drive growth in the adoption of Registry Lock Services?
Elisa: I definitely think that is possible, and I am frankly surprised that we haven't seen these types of attacks yet. I would hate to have to come to the point where this type of event is the driving factor for the adoption of this service.
We've seen instances of attacks targeted at both the registrant and the registrar. Although the registrants of highly-trafficked domains are sophisticated and would not likely fall prey to simple phishing scams, I am concerned about the possible use of keyword loggers to collect credential information to access domain management portals.
I think also that domains that are registered by large retail registrars are also highly vulnerable to social engineering attacks. At this point, I'd say that both are equally vulnerable but that there are a number of security measures that can be implemented including Two-Factor authentication of users, restrictions to online management tools by IP Address, and of course, VeriSign's Registry Lock Service.
Consider going through related posts on high profile DNS/Domain hijackings from the past two years, including details on how the incidents took place:
- ICANN and IANA's domains hijacked by Turkish hacking group (June, 2008)
- Photobucket's DNS records hijacked by Turkish hacking group (June 2008)
- Comcast's DNS records hijacked, redirect to hacked page (May, 2008)
- Hackers hijack DNS records of high profile New Zealand sites (April, 2009)
- Twitter's DNS records hijacked (December, 2009)
- Baidu DNS records hijacked by Iranian Cyber Army (January, 2010)
The message from MarkMonitor's findings is clear - leaving the faith of your Web property into the hands of a domain registrar or a DNS service provider, is the worst thing you could do given the availability of additional layers of security.