Why You Need To Add ?Protect Domain Name? To The Security Checklist

A domain hijacking is a security risk many organizations overlook when they develop security policy and business continuity plans. While name holders can take measures to protect their domain names

August 24, 2005

6 Min Read
Network Computing logo

Domain name hijacking broadly refers to acts where a registered domain name is misused or stolen from the rightful name holder. A domain hijacking is a security risk many organizations overlook when they develop security policy and business continuity plans. While name holders can take measures to protect their domain names against theft and loss, many measures are not generally known.

How Serious Is Domain Hijacking?
The answer is best illustrated with examples. In one hijacking scenario, you begin the day as an e-merchant doing business online at 'www.onlineseller.example.com.' At 2:15 p.m. that afternoon, your visitor traffic and merchant transactions disappear. You investigate and discover someone’s impersonated your company’s administrative contact, transferred your domain name to a different registrar, and modified the DNS. Visitors to your domain name land at a hoax Web site that impersonates your virtual store. Improbable? It happened to Hushmail in April of this year.

In another scenario, the email service you provide to thousands of users suddenly stops. You discover someone’s transferred your domain name to another registrar without your notice or consent. Your DNS configuration has been modified, and your user’s email is being delivered to someone else’s mail server. Hours later, your registration is restored, but only after an exhausting and frustrating incident response effort. Preposterous? It happened to PANIX back in January, 2005.Internet Corporation for Assigned Names and Numbers (ICANN) CEO Paul Twomey says that while “a domain hijacking is not as obvious a threat as spam and spyware, it can be just as disruptive to the business and operations of name holders; in extreme cases, a domain hijacking can have a lasting impact on an organization."

It may seem implausible that the consequences could be so severe, but domain name holders attribute value to their domain names, both tangible and intangible.

Tangible value increases when consumers associate brand with a domain name (in a positive way). Intangible value increases in proportion to the reputation of a domain name: the domain name of a respected security consulting company is worth more than any financial compensation the company is likely to recover through legal means. Speculative value--the ability to “acquire” a desirable domain name and resell it--creates additional incentives for would-be hijackers, who are motivated by financial gain as well as notoriety.The threats are real, and include denial and theft of electronic mail services, identity theft, traffic inspection, web site defacement, loss of revenue and even irrecoverable loss of online business operations.

How To Protect Yourself
The Security and Stability Advisory Committee (SSAC) report from ICANN, Domain Name Hijacking: Incidents, Threats, Risks and Remedial Actions , describes measures all parties to the registration process can take to protect domain names. Name holders (“registrants”) have a number of measures at their disposal that can measurably reduce the likelihood of a domain hijacking:

  • Make domain name protection a part of your security policy. Identify domain names as an asset and perform a risk assessment. Incorporate domain name hijacking into your incident response and business continuity planning, and develop an “urgent restoration of domain name and DNS configuration” strategy as part of business continuity planning. Investigate whether business interruption and losses related to a domain name or DNS configuration incident are covered by insurance policies.

  • Keep your registration records and contact information accurate. You give hijackers an edge if you fail to keep your contact information accurate. You can’t expect a registrar to know when you change staff, offices, or the email address used in domain name transfer communications. Keep business and emergency contact information for your registrar accurate and available for your incident response staff.

  • Keep your registrant account information private, secure, and recoverable. Protect this account information as you should every user account and password. This information should only be made available to staff in your company whose role(s) involve domain name administration. When staff changes, change account information, especially passwords. Use a name other than your Transfer Contact email address as your login to registrar domain name self-administration pages. Hijackers use the Whois service to identify transfer contact email addresses of targeted domain names, and will routinely check whether your Transfer Contact email address doubles as your account user name.

  • Lock it up. Request that domain names be placed on Registrar-Lock. In this state, your registration information and DNS configuration cannot be changed until you unlock your name. This important step can block many domain name transfer attacks. Registries that support the Extensible Provisioning Protocol (EPP) provide a second “lock”, the Authorization Information Code or “authInfo”. If EPP is implemented, your registrar must provide you with your “authInfo” code within five days of your request to transfer a domain “out”. You must then provide this code to the gaining registrar to initiate the transfer “in”. Some registrars let you set the authInfo value. Use a unique EPP authInfo code for each domain name you register; if one authInfo code is broken, only one of your domain names can be put at risk.

Once you’ve locked your domain name, routinely check the Whois service to make certain it remains locked, and that your domain name information has not been modified without your knowledge and consent.Then you need to choose a registrar wisely. If you value your domain name, then services are a more important differentiator than price.

Look for registrars who are willing to provide you with more than the minimum registration and transfer services. If you run your operation 24 x 7, do you need a registrar that offers 24 x 7 technical support? Does the registrar issue a transfer pending notification as its standard practice? (Registrars are not obligated to do so.) Is the registrar willing to notify you of registration record changes and transfer requests using contact methods in addition to (and in parallel with) standard email notices? Will the registrar allow you to specify the contact methods that must be used (e.g., any or all contacts in the registration record, including, email, telephone, messaging and paging services, fax, etc.)? Will the registrar implement additional authentication and authorization measures to safeguard against removing your transfer lock or changing your domain name configuration?

Such measures are sometimes maligned as inhibiting name transfers, but some name holders are perfectly happy with the service and relationship they have with their registrars and want that relationship protected.Some of these services are likely to be offered by registrars as part of a basic service. New security services may also appear as registrars, registries and ICANN review and implement the recommendations of the SSAC Domain Name Hijacking report. Encourage registrars to offer domain name protection services. If name holders demonstrate a willingness to pay for registration and DNS configuration protection, registrars will be more likely to offer them.

A Collaborative Effort Needed
The PANIX and Hushmail incidents attracted international attention and prompted a lengthy investigation by ICANN's SSAC. After investigating other reported incidents, the SSAC produced a report , concluding that “domain name hijacking incidents are commonly the result of flaws in registration and related processes, failure to comply with the transfer policy, and poor administration of domain names by registrars, resellers, and registrants.”

Simply stated, if everyone involved in the name registration process were to try a bit harder, domain name hijacking would be much less a threat. As SSAC chairman Steve Crocker explained in a July, 2005 press release announcing the committee’s official report, “no single party to the registration process is wholly at fault for all hijacking incidents, and there is room for improvement in policies and processes across the board. Name holders have a responsibility to protect their domain names as they would any valuable asset.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights