
MelbourneIT Lapse Permitted Panix Hijack

McSpew writes "Netcraft reports MelbourneIT's CTO, Bruce Tonkin, has admitted the Panix domain hijacking occurred because of a loophole in MIT's domain transfer process. He doesn't go into detail about what that loophole was, or how it was closed. As a Panix user, I'd like more detail, and I'd like to know what can be done to stop this sort of nonsense happening to other domains."

  • by Anonymous Coward on Tuesday January 18, 2005 @10:16PM (#11404156)
    For quite some time, on the NS redelegation page of the MelbIT web site, you could enter in either a hostname, or an IP address, or both, to choose your new nameservers. Great for those of us having to move IP ranges or whatnot.

    The problem is, the web form did nothing at all with the IP addresses you put in. It completely ignored them. You had to call up Melbourne IT and speak to somebody to get the mess sorted out. That one caused me a day of pain.

    Other times, the staff members have stated facts that clearly went against all of their procedures on the web page for redelegation and/or key retrieval. "Sorry, no, even though that's what the web page says, it REALLY means the opposite."

  • Lock your domain (Score:4, Informative)

    by Anonymous Coward on Tuesday January 18, 2005 @10:23PM (#11404200)
    If your registrar doesn't support locking, find another one that does. GoDaddy, EV1servers, etc do.
  • by schmaltz ( 70977 ) on Tuesday January 18, 2005 @10:25PM (#11404210)
    "Loophole" really means somebody at MelbourneIT didn't perform end-to-end tests of their registration server; that, or was only looking for primary adherence to the spec, and didn't check if their implementation could be fucked with.
  • What Happened (Score:5, Informative)

    by Marlor ( 643698 ) on Tuesday January 18, 2005 @10:34PM (#11404272)
    Here is a basic explanation of what happened from what I have read.

    ICANN recently changed the rules for domain name transfers so that rather than requiring confirmation for domain name transfers, they are transferred automatically if the owner does not object within a set period of time (a few weeks IIRC). This is meant to "streamline the domain transfer process". In this regard, I believe that ICANN is partially to blame for this hijacking. These policy changes need to be reviewed. You can, of course, lock your domain against this occurring, but it is a simple error to neglect to do this.

    Melbourne IT is also more or less to blame for this hijacking (depending on who you believe). It has been confirmed that one of their resellers allowed someone to create an account with a stolen credit card number, and initiate the domain transfer process. Panix claims that Melbourne IT failed to send the notification of transfer to them or their registrar. They also state that they had asked that their domain be locked against transfers, but this did not occur. If this is the case, then this is a serious issue with Melbourne IT.

    Melbourne IT has also been accused of being unavailable for contact over the weekend, despite promising 24/7 service. The only way that Panix managed to contact them was via the CEO's mobile number.

    If these accusations are true, then this shows serious problems within Melbourne IT.
  • by Somegeek ( 624100 ) on Tuesday January 18, 2005 @10:55PM (#11404394)
    Evidently ICANN made a policy change in November 2004 that was intended to make it easier to transfer domains between registrars, but it turns out to also make it easier to hijack domains. Apparently multiple domains have been hijacked from Dotster.com, (the registrar for panix.com), so I would guess that they have some holes in their procedure for confirming transfers with their customers.

    How do you prevent this? Well, when reading the various articles about this, (I know, I'm new here), I ran across the phrase 'locking your domain'. I had never heard of this before, but I checked with my registrar, and sure enough they now have settings for 'normal' and 'high' transfer security. Basically they will not allow any domains that have 'high transfer security' set on to be transferred. Period. Whether they can get in contact with me or not. If I want the domain transferred, I have to log in and reset transfer security to normal, and then a transfer can go ahead. Otherwise it stays with me until it expires. Unfortunately the default setting was normal, but once I knew about it, it only took 30 seconds to set my domains to 'high'.

    In theory anyway; panix.com says that their domain was set to 'locked' with dotster, so your mileage may vary. Maybe tucows or someone can randomly test transfer attempts of 'locked' domains and certify registrars that appropriately deny the transfers?

    So, check your domains now, set them to locked, or high security, or whatever your registrar calls it. If they don't have such a setting, hey, it ought to be easy to transfer your domain to one that does!
  • by wytcld ( 179112 ) on Tuesday January 18, 2005 @10:57PM (#11404410) Homepage
    Registrations are year-to-year, so:

    Registrar: DOTSTER
    Domain Name: PANIX.COM
    Created on: 22-APR-91
    Expires on: 23-APR-06
    Last Updated on: 16-JAN-05

    It could only lapse in April - and it sure as hell didn't lapse in April of 2004 and stay working for this long!
  • Misinformed (Score:4, Informative)

    by dbIII ( 701233 ) on Tuesday January 18, 2005 @11:06PM (#11404466)
    A government organisation was put in place AUNIC, and the .com.au domain space went to tender
    No - AUNIC was formed to take full control of "com.au" away from MelbourneIT, which has been around for a few years, and was started to take the pressure off the registrar for ".au" and eventually became a money making venture and then a publicly listed company. I do not know the proportion of the shares that Melbourne Uni retained.
  • Re:The weekend rule (Score:3, Informative)

    by dbIII ( 701233 ) on Tuesday January 18, 2005 @11:21PM (#11404554)
    Those Aussie terrorist suspects are a lot more polite than the Muslim and American ones
    The guy appeared to have got mixed up with some very scary people in terrorist groups and tried several times to get help in return for telling everything he knew after he was asked to identify sites in Australia to place bombs. Eventually he got through to someone and gave them information, but it wasn't taken seriously. A couple of years later some results had to be shown, so someone went back through the files and pulled him in and charged him with conspiracy - despite him trying to stop the conspiracy in the first place and not supplying the list of targets the terrorist wanted despite not getting protection and being in fear of his life. A big waste of time and money because someone didn't do their job and then others wanted a head on a pike to display before the masses.

    An example of keeping things in perspective is the recent arrest of a couple of guys in Kalgoorlie, Western Australia for using explosives to blow up a satellite dish. In other places people might start screaming "terrorist!" but in this case the judge decided it was safe enough to let them out on bail before the trial. Terrorists kill people, they don't hijack domains or blow up inanimate objects.

  • ICANN is soliciting comments on the revised transfer policy: RFC [icann.org]. Let them know what you think.

  • by Morden ( 15788 ) on Wednesday January 19, 2005 @12:17AM (#11404881)
    I've used Enetica quite happily.
  • Re:Overworked (Score:2, Informative)

    by adeydas ( 837049 ) <adeydas@iCOMMAnbox.com minus punct> on Wednesday January 19, 2005 @12:42AM (#11405011) Homepage Journal
    The problem and how it was plugged is given here [merit.edu]. As there is no general rule for stopping crackers from gaining access through all loopholes, there is no way to completely protect a domain.
  • oldest ISP in NY ? (Score:1, Informative)

    by ccdotnet ( 786114 ) on Wednesday January 19, 2005 @01:09AM (#11405147)
    From the panix.com website

    Panix, the oldest commercial Internet provider in New York, [...] We started in 1989, before the advent of the Internet, and we're still going strong.

    Aside from the obvious chicken-and-egg problem of claiming to have been an ISP before the "I" was even invented - 1989 may pre-date the web but it's a long way short of pre-dating the Internet.

  • by McSpew ( 316871 ) on Wednesday January 19, 2005 @11:14AM (#11408110)

    From the article: "I finally located their CEO's cellphone in an investor-relations web page."
    That would be why the CEO was involved, so his involvement illustrates nothing about the company's laziness or otherwise

    As a Panix subscriber (and submitter of this topic), I have seen informal update posts made to internal (Panix-only) newsgroups by Panix staff during and since the crisis.

    Not only did Panix get MelbourneIT's CEO's cellphone number from a web page, but when they contacted him, he was most unhelpful and even directed MelbourneIT's corporate counsel to contact Panix and set them straight.

    If this is the kind of leadership MelbourneIT shows in times of crisis, I pity anyone who has to depend on them--whether by their own choice or through someone else's--to do the right thing in a pinch.

  • by rufey ( 683902 ) on Wednesday January 19, 2005 @11:39AM (#11408433)
    That isn't to say that Registrars cannot simply deny the transfer though. The *current* Registrar cannot deny the transfer of a domain to a different Registrar if:

    www.icann.org/transfers/policy-12jul04.htm [icann.org]

    Instances when the requested change of Registrar may not be denied include, but are not limited to:

    * Nonpayment for a pending or future registration period

    * No response from the Registered Name Holder or Administrative Contact.

    * Domain name in Registrar Lock Status, unless the Registered Name Holder is provided with the reasonable opportunity and ability to unlock the domain name prior to the Transfer Request.

    * Domain name registration period time constraints, other than during the first 60 days of initial registration or during the first 60 days after a registrar transfer.

    * General payment defaults between Registrar and business partners / affiliates in cases where the Registered Name Holder for the domain in question has paid for the registration.

    The bottom line to all of this is to provide accurate information with your domain registrations, and lock the domain so that if your Registrar gets a notice that another Registrar wants to transfer your domain, it can't be transferred, even if you are not contactable (say, on a cruise or something).
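
Added example, not part of any comment above and not any registrar's own tooling: a small audit of WHOIS-style records for the two things the thread keeps returning to, whether a transfer lock is present and whether the registrar is still the one you expect (Panix reported being locked and was moved anyway). The field names, the sample records and the example.* domains are constructed assumptions; real WHOIS output varies by registrar.

```python
import re

# Status values that block a registrar-to-registrar transfer: the EPP codes
# from RFC 5731 plus the legacy "REGISTRAR-LOCK" label.
LOCK_STATUSES = {"clienttransferprohibited", "servertransferprohibited",
                 "registrar-lock"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$")

def parse_whois(text):
    """Collect domain, registrar and every status value from WHOIS-style text."""
    rec = {"domain": None, "registrar": None, "statuses": []}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain name":
            rec["domain"] = value.lower()
        elif key in ("registrar", "sponsoring registrar"):
            rec["registrar"] = value.upper()
        elif key in ("status", "domain status"):
            # EPP-style output may append a URL after the code; keep the code.
            rec["statuses"].append(value.split()[0].lower())
    return rec

def audit(text, expected_registrar):
    """Return findings for one record; an empty list means nothing to flag."""
    rec = parse_whois(text)
    findings = []
    if rec["registrar"] != expected_registrar.upper():
        findings.append("registrar-changed")   # a transfer already happened
    if not LOCK_STATUSES.intersection(rec["statuses"]):
        findings.append("transfer-unlocked")   # nothing blocks a transfer
    return findings

# Constructed sample records (not real WHOIS output).
LOCKED = "Registrar: EXAMPLE REGISTRAR A\nDomain Name: EXAMPLE.COM\nStatus: REGISTRAR-LOCK"
UNLOCKED = "Domain Name: EXAMPLE.NET\nRegistrar: EXAMPLE REGISTRAR A\nStatus: ACTIVE"
MOVED = ("Domain Name: EXAMPLE.ORG\nRegistrar: EXAMPLE REGISTRAR B\n"
         "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited")

if __name__ == "__main__":
    for sample in (LOCKED, UNLOCKED, MOVED):
        print(parse_whois(sample)["domain"], audit(sample, "Example Registrar A"))
```

Run on a schedule against saved WHOIS output for each domain you own, the registrar comparison catches a transfer that went through despite a lock, which a lock-only check would miss.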
