From: Rishab Aiyer Ghosh <rishab@best.com>
Date: Fri, 2 Feb 1996 15:14:50 +0800
To: dm@amsterdam.lcs.mit.edu (David Mazieres)
Subject: Re: Domain hijacking, InterNIC loopholes
In-Reply-To: <199602010926.EAA19923@amsterdam.lcs.mit.edu>
Message-ID: <199602011457.GAA29387@shellx.best.com>
MIME-Version: 1.0
Content-Type: text/plain



David Mazieres wrote:
> I don't think Domain hijacking is a terribly big threat.  First of
> all, the modification process insn't fully automated.  Second of all,
> it takes several weeks for the changes to go through.  Before the

My new ISP got the domain modified in a day, or so. The proces
_is_ automated, as long as you follow the template perfectly.

> changes go through, the internic sends out mail to a bunch of people,
> including all previous administrators and administrators of all
> domains which contain old or new nameservers.

More to the point, the InterNIC informs all the major nameservers
(such as ns.nasa.gov and all those that mirror ns.internic.net). 
Obviously. Without that, how would anyone know where to find your
domain (even if 'hijacked')? But I never did say domain hijacking
was a security threat - unlike spoofing, this can't in itself
compromise your systems. But, as the InterNIC admits, it can 
have "serious consequences" on commercial organisations, for whom
the loss of net presence for even a day could be considerable.

> Thus, I'd say the domain modification process is slightly more secure
> than First Virtual :-) :-) :-).  It relies on the security of the
> network routers and existing nameservers, and requires one or more
> active attacks or viruses to defeat.  Probably your best is to wait

You obviously didn't get the point. There are no routers involved
at all, or even nameservers. The Internet domain registry structure
(unlike much else) is strictly hierarchic - the InterNIC is the source
of all. Modify the InterNIC record, and the new record is official,
and will be promptly accepted by all the nameservers that bother to track 
these things.

> for as many as possible of the relevant sysadmins to go on vacation,
> and then mail-bomb them rest so hard they end up not reading all of
> their real E-mail.  Then again, there's always the possibility that
> the domain administrator knows how to use procmail...

Again, whether the sysadmin eventually catches on is not the point.
Unless the hijacker is exceptionally sophisticated (by, for
example, not interrupting but only intercepting web and mail 
traffic) and the victim exceptionally stupid, the truth will be
known soon. But perhaps not soon enough for, say, Hotwired or
Yahoo who can't afford to go down.

To drive my point home: suppose the owners of www.howtired.com
(yes, it does exist) were to hijack hotwired. Further suppose 
that they mirrored (or otherwise replicated) hotwired's content, 
displaying it to users with some nasty changes, and filtering
out all complaint mail. One assumes HotWired's admins are savvy
enough to think of this, but you never know, and if they took
a few days or more over fixing it, it would not be nice for them.
Of course, their lawyers wouldn't make it nice for howtired
either, if they had their address, and it wasn't in ... China!

Rishab