Protect Yourself Against Domain Name Theft: Lessons From Panix.com

Internet service provider Panix was kneecapped when an attacker stole its domain name. Here's what happened, and how to minimize risk for your business.

InformationWeek Staff, Contributor

January 22, 2005

The domain name hijacking of panix.com last week highlights a weakness in the Internet's registrar system and should serve as a warning to all companies. It could happen to anyone.

Last Saturday, the panix.com domain name, which belongs to the New York Internet service provider Panix, was hijacked. An unauthorized person created an account with an Australian Internet registrar, MelbourneIT, and requested that the domain name be transferred. This resulted in a disruption of e-mail service for about 5,000 of Panix's customers. Essentially, these users were denied access to their e-mail -- some for several days. Once Panix realized what had happened, it advised customers to use panix.net in place of panix.com to get around the problem until it could take back control of the domain name, which it did late Sunday, New York time, when the company in Australia opened for business first thing Monday morning, Australia time.

Details are unclear at this point, but the story so far suggests that Panix took all the appropriate precautions in advance to protect itself. Yet the hijacking happened anyway. Existing safeguards designed to stop domain hijacking simply did not work.

MelbourneIT would not comment on the matter, but interviews with security experts and published reports suggest that the hacker took the domain with a very unsophisticated attack. The attacker simply used normal registration procedures and a stolen credit card to claim panix.com with a MelbourneIT registrar reseller.

Panix's official statement on the hijacking notes that MelbourneIT "failed to do proper confirmation of a fraudulent domain transfer request they received."

This statement suggests that the Australian registrar simply assumed that the request to transfer the domain was legitimate, even though "lockdown" -- which instructs other registrars not to initiate a domain name transfer -- was in place on panix.com.

Some security experts note that this incident points out a weakness in the global registrar system.

"The domain name system in general is a very precarious balancing act between different country registrars," says Edward Ferris, a security technology analyst at TeleChoice. Enforcement of Internet policies is not uniform from country to country, he said.

What exacerbates the problem is that the Internet Corporation for Assigned Names and Numbers (ICANN) in November weakened the safeguards for companies to transfer domains between registrars. The changes were designed to make the transfer process easier. The changes were put in place because of demand by Internet users, who wanted the transfer process speeded up.

"Before, it was really quite hard [to make a transfer]," said Roger Thompson, director of malicious content research at Computer Associates. "You had to ask both parties if it was okay." Many registrars required a fax confirmation before they would act on a domain transfer request.

Reducing Hijacking Risks
Given how easy it is to make a domain name transfer, companies should take steps to reduce the chance of a similar hijacking happening to them.

Companies should be sure to lock down domain records, to prevent them from being transferred or modified. With lockdown in place, someone requesting a transfer needs an account with the registrar that currently holds the domain, plus administrative privileges on that account. The person making the change logs into that account at the current registrar, switches off the lockdown, and only then requests the transfer.

Normally, when a domain is being transferred, the new registrar checks with the current administrator of the domain name to verify that the request is legitimate. The new registrar would also check to see if the domain is locked down. These steps were not taken in the panix.com transfer, according to published reports.

Lockdown is standard procedure for midsized and big Internet businesses, although very small businesses will often avoid using it, to give themselves the flexibility to quickly make changes or transfer domain names from registrar to registrar.

The Panix.com domain name is currently locked according to its WHOIS listing.

Perhaps a more practical option to reduce the chances of a hijacking is to make it harder for a hacker to spoof a domain's administrative information and e-mail address.

Businesses should also make the administrative contact for a domain private. While ICANN requires that contact information for a domain owner be listed in the WHOIS database, some registrars offer an optional service that allows a company to make that contact information private. ICANN requires that a public contact be listed in the database, but the registrar would know that the public contact is not the administrator. For example, for $9 per year per domain name, Network Solutions Inc. (NSI) will let a company make its contact information private.

If a domain owner makes the administrator contact private, then a registrar getting a domain name transfer request from the listed contact would know that the request is not legitimate.

Ideally, the administrative contact information should not be published anywhere. That way, a hacker couldn't simply get, say, the CIO's e-mail address off the company's web site and try to use that to make a change.
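As an added example (not from the article, Panix, or any registrar), the following Python script checks a WHOIS record for the two safeguards discussed above: a transfer/update lock on the domain, and whether a plain administrative e-mail address is published. The sample WHOIS responses are constructed; the status names are the EPP codes registrars show in WHOIS, with REGISTRAR-LOCK as the older .com/.net spelling.

```python
import re

# EPP status codes (RFC 5731) that mark a domain as locked against transfer
# or modification; REGISTRAR-LOCK is the older .com/.net WHOIS spelling.
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited", "REGISTRAR-LOCK"}
UPDATE_LOCKS = {"clientUpdateProhibited", "serverUpdateProhibited", "REGISTRAR-LOCK"}
STATUS_RE = re.compile(r"^\s*(?:Domain )?Status:\s*([A-Za-z-]+)")
# Matches an admin/registrant e-mail line only when it carries a real address,
# not a privacy service's "use this web form" text.
CONTACT_RE = re.compile(
    r"^\s*(?:Admin(?:istrative)?|Registrant) (?:Contact )?Email:\s*(\S+@\S+)", re.I)

# Constructed sample WHOIS responses (not real registrar output).
LOCKED_WHOIS = """\
Domain Name: EXAMPLE-LOCKED.COM
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Admin Email: Select Contact Domain Holder link at https://example-registrar.invalid/whois
"""

UNLOCKED_WHOIS = """\
Domain Name: EXAMPLE-OPEN.COM
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Admin Email: cio@example-open.com
"""


def parse_statuses(whois_text):
    """Return the set of status codes listed in a WHOIS response."""
    return {m.group(1) for m in map(STATUS_RE.match, whois_text.splitlines()) if m}


def published_admin_email(whois_text):
    """Return the admin/registrant e-mail address if WHOIS exposes one, else None."""
    for line in whois_text.splitlines():
        m = CONTACT_RE.match(line)
        if m:
            return m.group(1)
    return None


def lock_report(whois_text):
    """List which of the safeguards described in the article are missing."""
    statuses = parse_statuses(whois_text)
    findings = []
    if not statuses & TRANSFER_LOCKS:
        findings.append("no transfer lock: a registrar may accept a transfer request")
    if not statuses & UPDATE_LOCKS:
        findings.append("no update lock: contact and nameserver records can be changed")
    email = published_admin_email(whois_text)
    if email:
        findings.append(f"admin contact {email} is public: consider a private contact service")
    return {"statuses": sorted(statuses), "findings": findings}
```

Run `lock_report` against your own registrar's WHOIS output on a schedule; an empty findings list means the lock is still in place and no plain admin address is exposed.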

Legal Issues Abound
Taking standard precautions will help safeguard a domain name. Moreover, taking those precautions will also minimize legal liabilities for a business if a domain name is stolen. "If the owner of a domain made a mistake, [they] could be liable," said attorney Benjamin Wright. So taking precautions such as locking down the domain name and perhaps making administrative contact information private might help a company avoid legal problems if a hijacking does take place.

Moreover, if a company is in the habit of exchanging business-critical information over e-mail with business partners, the company should make sure that channels are in place to exchange that information if the e-mail channel breaks down.

"You have to think about the [end user]," said Wright, who is author of the book "Business Law & Computer Security," published by the SANS Institute.

Lawyers, accountants, bankers, and others who use e-mail to deliver time-critical information to clients have a responsibility to make sure the information gets through. If a law firm's, bank's, or accounting house's domain is hijacked and e-mail is not being delivered, there could be a problem.

Whenever time-critical material is sent via e-mail, a procedure to follow up should be in place to ensure that the intended recipient got the information. "You could ask them to call, reply back, or fax to confirm they received the message. Getting confirmation of a [time-critical] communication should be part of the normal professional diligence of a company's daily business," Wright said.

If a major mail outage occurs because of a hijacking, a company that does business through e-mail may also want to take steps after service is restored. "[A company] should send out a notice explaining what happened and ask people to resend any communications sent when the mail service was out," Wright said.

Companies that rely on the timely exchange of critical business information should also put in place agreed-to alternative procedures, such as fax, certified mail, or FedEx, in case a domain hijacking disrupts e-mail.
