Latest news of the domain name industry

Recent Posts

Web.com got pwned

Kevin Murphy, November 4, 2019, Domain Registrars

Web.com, which owns top 20 registrars Network Solutions and Register.com, got itself and millions of its customers hacked a few months ago.

The company disclosed last week that malicious hackers broke into its network in late August, making off with customer account information.

The attack was not discovered until October 16.

The compromised data included “name, address, phone numbers, email address and information about the services that we offer to a given account holder”, Web.com said.

“We encrypt credit card numbers and no credit card data was compromised as a result of this incident,” it added.

Customers are being told to change their password next time they log in to their services.

It’s not clear how many registrants were affected. The NetSol accreditation has over seven million domains in the gTLDs alone, while Register.com has almost 1.8 million.

Web.com said it brought on a private security firm to investigate the attack, and informed US law enforcement.

Microsoft seizes “Russian election hacking” domains

Kevin Murphy, August 21, 2018, Domain Policy

Microsoft has taken control of six domains associated with a hacker group believed to be a part of Russian military intelligence, according to the company.

Company president Brad Smith blogged yesterday that Microsoft obtained a court order allowing it to seize the names, which it believes were to be used to attack institutions including the US Senate.

The domains in question look like they could be used in spear-phishing attacks. The are: my-iri.org, hudsonorg-my-sharepoint.com, senate.group, adfs-senate.services, adfs-senate.email and office365-onedrive.com.

Historical Whois records archived by DomainTools show they were registered last year behind WhoisGuard, the Panama-based privacy service. Now, of course, the Whois records are all redacted due to GDPR.

Smith said that Microsoft believes intended targets besides the Senate also include the International Republican Institute and the Hudson Institute, two conservative think-tanks.

The company believes, though it did not show evidence, that the domains were created by the group it calls “Strontium”.

Strontium is also known as “Fancy Bear”, among other names. It’s believed to be backed by the GRU, Russia’s intelligence agency.

It’s the same group alleged members of which Special Counsel Robert Mueller recently indicted as part of his investigation into Russian meddling in the 2016 US presidential election.

“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith said in his blog post.

He added that Microsoft does not know whether the domains have been used in an attack yet.

Hacker hostage crisis at ICANN secret key ceremony! (on TV)

Kevin Murphy, March 24, 2017, Gossip

One of ICANN’s Seven Secret Key-Holders To The Internet got taken out as part of an elaborate heist or something on American TV this week.

In tense scenes, a couple of secret agents or something with guns were forced to break into one of ICANN’s quarterly root zone key signing ceremonies to prevent a hacker or terrorist or something from something something, something something.

The stand-off came after the secret agents or whatever discovered that a hacker called Mayhew had poisoned a guy named Adler, causing a heart attack, in order to secure his position as a replacement ICANN key-holder and hijack the ceremony.

This all happened on a TV show called Blacklist: Redemption that aired in the US March 16.

I’d be lying if I said I fully understood what was supposed to be going on in the episode, not being a regular viewer of the series, but here’s the exposition from the beginning of the second act.

Black List

Botox Boss Lady: Seven keys control the internet? That can’t be possible.

Neck Beard Exposition Guy: They don’t control what’s on it, just how to secure it. All domain names have an assigned number. But who assigns the numbers?

Soap Opera Secret Agent: Key holders?

Neck Beard Exposition Guy: Seven security experts randomly selected by ICANN, the Internet Corporation for Assigned Names and Numbers.

Bored Secret Agent: Max Adler’s wife mentioned a key ceremony.

Neck Beard Exposition Guy: Yeah, four times a year the key holders meet to generate a master key and to assign new numbers, to make life difficult for hackers who want to direct folks to malicious sites or steal their credit card information.

Botox Boss Lady: But by being at the ceremony, Mayhew gets around those precautions?

Neck Beard Exposition Guy: Oh, he does more than that. He can route any domain name to him.

That’s the genuine dialogue. ICANN, jarringly, isn’t fictionalized in the way one might usually expect from US TV drama.

The scene carries on to explain the elaborate security precautions ICANN has put in place around its key-signing ceremonies, including biometrics, smart cards and the like.

The fast-moving show then cuts to the aforementioned heist situation, in which our villain of the week takes an ICANN staffer hostage before using the root’s DNSSEC keys to somehow compromise a government data drop and download a McGuffin.

Earlier this week I begged Matt Larson, ICANN’s VP of research and a regular participant in the ceremonies (which are real) to watch the show and explain to me what bits reflect reality and what was plainly bogus.

“There are some points about it that are quite close to how the how the root KSK administration works,” he said, describing the depiction as “kind of surreal”.

“But then they take it not one but two steps further. The way the ceremony happens is not accurate, the consequences of what happens at the ceremony are not accurate,” he added.

“They talk about how at the ceremony we generate a key, well that’s not true. It’s used for signing a new key. And then they talk about how as a result of the ceremony anyone can intercept any domain name anywhere and of course that’s not true.”

The ceremonies are used to sign the keys that make end-to-end DNSSEC possible. By signing the root, DNSSEC resolvers have a “chain of trust” that goes all the way to the top of the DNS hierarchy.

Black ListThe root keys just secure the bit between the root at the TLDs. Compromising them would not enable a hacker to immediately start downloading data from the site of his choosing, as depicted in the show. He’d then have to go on to compromise the rest of the chain.

“You’d have to create an entire path of spoofed zones to who you wanted to impersonate,” Larson said. “Your fake root zone would have to delegate to a fake TLD zone to a fake SLD zone and so on so you could finally convince someone they were going to the address that you wanted.”

“If you could somehow compromise the processes at the root, that alone doesn’t give you anything,” he said.

But the show did present a somewhat realistic description of how the ceremony rooms (located in Virginia and California, not Manhattan as seen on TV) are secured.

Among other precautions, the facilities are secured with smart cards and PINs, retina scans for ICANN staff, and have reinforced walls to prevent somebody coming in with a sledgehammer, Larson said.

Blacklist: Redemption airs on Thursday nights on NBC in the US, but I wouldn’t bother if I were you.

.hotel losers gang up to threaten ICANN with legal bills

Kevin Murphy, August 30, 2016, Domain Registries

The six losing applicants for the .hotel new gTLD are collectively threatening ICANN with a second Independent Review Process action.

Together, they this week filed a Request for Reconsideration with ICANN, challenging its decision earlier this month to allow the Afilias-owned Hotel Top Level Domain Sarl application to go ahead to contracting.

HTLD won a controversial Community Priority Evaluation in 2014, effectively eliminating all rival applicants, but that decision was challenged in an IRP that ICANN ultimately won.

The other applicants think HTLD basically cobbled together a bogus “community” in order to “game” the CPE process and avoid an expensive auction.

Since the IRP decision, the six other applicants — Travel Reservations, Famous Four Media, Radix, Minds + Machines, Donuts and Fegistry — have been arguing that the HTLD application should be thrown out due to the actions of Dirk Krischenowski, a former key executive.

Krischenowski was found by ICANN to have exploited a misconfiguration in its own applicants’ portal to download documents belonging to its competitors that should have been confidential.

But at its August 9 meeting, the ICANN board noted that the timing of the downloads showed that HTLD could not have benefited from the data exposure, and that in any event Krischenowski is no longer involved in the company, and allowed the bid to proceed.

That meant the six other applicants lost the chance to win .hotel at auction and/or make a bunch of cash by losing the auction. They’re not happy about that.

It doesn’t matter that the data breach could not have aided HTLD’s application or its CPE case, they argue, the information revealed could prove a competitive advantage once .hotel goes on sale:

What matters is that the information was accessed with the obvious intent to obtain an unfair advantage over direct competitors. The future registry operator of the .hotel gTLD will compete with other registry operators. In the unlikely event that HTLD were allowed to operate the .hotel gTLD, HTLD would have an unfair advantage over competing registry operators, because of its access to sensitive business information

They also think that HTLD being given .hotel despite having been found “cheating” goes against the spirit of application rules and ICANN’s bylaws.

The RfR (pdf) also draws heavily on the findings of the IRP panel in the unrelated Dot Registry (.llc, .inc, etc) case, which were accepted by the ICANN board also on August 9.

In that case, the panel suggested that the board should conduct more thorough, meaningful reviews of CPE decisions.

It also found that ICANN staff had been “intimately involved” in the preparation of the Dot Registry CPE decision (though not, it should be noted, in the actual scoring) as drafted by the Economist Intelligence Unit.

The .hotel applicants argue that this decision is incompatible with their own IRP, which they lost in February, where the judges found a greater degree of separation between ICANN and the EIU.

Their own IRP panel was given “incomplete and misleading information” about how closely ICANN and the EIU work together, they argue, bringing the decision into doubt.

The RfR strongly hints that another IRP could be in the offing if ICANN fails to cancel HTLD application.

The applicants also want a hearing so they can argue their case in person, and a “substantive review” of the .hotel CPE.

The HTLD application for .hotel is currently “On Hold” while ICANN sorts through the mess.

Afilias set to get .hotel despite hacking claims

Kevin Murphy, August 19, 2016, Domain Registries

Afilias is back on the path to becoming the registry for .hotel, after ICANN decided claims of hacking by a former employee of the applicant did not warrant a rejection.

The ICANN board of directors decided last week that HOTEL Top-Level Domain Sarl, which was recently taken over by Afilias, did not gain any benefit when employee Dirk Krischenowski accessed competing applicants’ confidential documents via an ICANN web site.

Because HTLD had won a Community Priority Evaluation, it should now proceed to contracting, barring any further action from the other six applicants.

ICANN’s board said in its August 9 decision:

ICANN has not uncovered any evidence that: (i) the information Mr. Krischenowski may have obtained as a result of the portal issue was used to support HTLD’s application for .HOTEL; or (ii) any information obtained by Mr. Krischenowski enabled HTLD’s application to prevail in CPE.

It authorized ICANN staff to carry on processing the HTLD application.

The other applicants — Travel Reservations, Famous Four Media, Radix, Minds + Machines, Donuts and Fegistry — had called on ICANN in April to throw out the application, saying that to decline to do so would amount to “acquiescence in criminal acts”.

That’s because an ICANN investigation had discovered that Dirk Krischenowski, who ran a company with an almost 50% stake in HTLD, had downloaded hundreds of confidential documents belonging to competitors.

He did so via ICANN’s new gTLD applicants’ portal, which had been misconfigured to enable anyone to view any attachment from any application.

Krischenowski has consistently denied any wrongdoing, telling DI a few months ago that he simply used the tool that ICANN made available with the understanding that it was working as intended.

ICANN has now decided that because the unauthorized access incidents took place after HTLD had already submitted its CPE application, it could not have gained any benefit from whatever data Krischenowski managed to pull.

The board reasoned:

his searches relating to the .HOTEL Claimants did not occur until 27 March, 29 March and 11 April 2014. Therefore, even assuming that Mr. Krischenowski did obtain confidential information belonging to the .HOTEL Claimants, this would not have had any impact on the CPE process for HTLD’s .HOTEL application. Specifically, whether HTLD’s application met the CPE criteria was based upon the application as submitted in May 2012, or when the last documents amending the application were uploaded by HTLD on 30 August 2013 – all of which occurred before Mr. Krischenowski or his associates accessed any confidential information, which occurred from March 2014 through October 2014. In addition, there is no evidence, or claim by the .HOTEL Claimants, that the CPE Panel had any interaction at all with Mr. Krischenowski or HTLD during the CPE process, which began on 19 February 2014.

The HTLD/Afilias .hotel application is currently still listed on ICANN’s web site as “On Hold” while its rivals are still classified as “Will Not Proceed”.

It might be worth noting here — to people who say ICANN always tries to force contention sets to auction so it possibly makes a bit of cash — that this is an instance of it not doing so.

Afilias takes over .hotel, sidelines Krischenowski over hacking claims

Afilias has sought to distance itself from DotBerlin CEO Dirk Krischenowski, due to ongoing claims that he improperly accessed secret data on rival .hotel applicants.

The company revealed in a recent letter to ICANN that it has bought out Krischenowski’s 48.8% stake in successful .hotel applicant Hotel Top Level Domain Sarl and that Afilias will become the sole shareholder of HTLD.

The move is linked to claims that Krischenowski exploited a glitch in ICANN’s new gTLD applicants’ portal to access confidential financial and technical information belonging to rival .hotel applicants.

These competing applicants have ganged up to demand that HTLD should lose its rights to .hotel, which it obtained by winning a controversial Community Priority Evaluation.

Afilias chairman Philipp Grabensee, now “sole managing director” of HTLD, wrote ICANN last month (pdf) to explain the nature of the HTLD’s relationship with Krischenowski and deny that HTLD had benefited from the alleged data compromise.

He said that, at the time of the incidents, Krischenowski was the 50% owner and managing director of a German company that in turn was a 48.8% owner of HTLD. He was also an HTLD consultant, though Grabensee played down that role.

He was responding to a March ICANN letter (pdf) which claimed that Krischenowski’s portal credentials were used at least eight times to access confidential data on .hotel bids. It said:

It appears that Mr Krischenowski accessed and downloaded, at minimum, the financial projections for Despegar’s applications for .HOTEL, .HOTEIS and .HOTELES, and the technical overview for Despegar’s applications for .HOTEIS and .HOTEL. Mr Krischenowski appears to have specifically searched for terms and question types related to financial or technical portions of the application.

Krischenowski has denied any wrongdoing and told DI last month that he simply used the portal assuming it was functioning as intended.

Grabensee said in his letter that any data Krischenowski may have obtained was not given to HTLD, and that his alleged actions were not done with HTLD’s knowledge or consent.

He added that obtaining the data would not have helped HTLD’s application anyway, given that the incident took place after HTLD had already submitted its application. HTLD did not substantially alter its application after the incident, he said.

HTLD’s rival .hotel applicants do not seem to have alleged that HTLD won the contention set due to the confidential data.

Rather, they’ve said via their lawyer that HTLD should be disqualified on the grounds that new gTLD program rules disqualify people who have been convicted of computer crime.

Even that’s a bit tenuous, however, given that Krischenowski has not been convicted of, or even charged with, a computer crime.

The other .hotel applicants are Travel Reservations, Famous Four Media, Radix, Minds + Machines, Donuts and Fegistry.

ICANN is now pressing HTLD for more specific information about Krischenowski’s relationship with HTLD at specific times over the last few years, in a letter (pdf) published last night, so it appears that its overdue investigation is not yet complete.

.hotel fight gets nasty with “criminal” hacking claims

Kevin Murphy, April 19, 2016, Domain Registries

A group of would-be .hotel gTLD registries have called on ICANN to reject the winning applicant’s bid or be complicit in “criminal acts”.

The group, which includes Travel Reservations, Famous Four Media, Radix, Minds + Machines, Donuts and Fegistry is threatening to file a second Independent Review Process complaint unless ICANN complies with its demands.

Six applicants, represented by Flip Petillion of Crowell & Moring, claim that Hotel Top Level Domain Sarl should forfeit its application because one of its representatives gained unauthorized access to their trade secrets.

That’s a reference to a story we covered extensively last year, where an ICANN audit found that DotBerlin CEO Dirk Krischenowski, or at least somebody using his credentials, had accessed hundreds of supposedly confidential gTLD application documents on ICANN’s web site.

Krischenowski, who has denied any wrongdoing, is also involved with HTLD, though in what capacity appears to be a matter of dispute between ICANN and the rival .hotel applicants.

In a month-old letter (pdf) to ICANN, only published at the weekend, Petillion doesn’t pull many punches.

The letter alleges:

Allowing HTLD’s application to proceed would go agaist everthing that ICANN stands for. It would amount to an acquiescence in criminal acts that were committed with the obvious intent to obtain an unfair advantage over direct competitors.

ICANN caught a representative of HTLD stealing trade secrets of competing applicants via the use of computers and the internet. The situation is even more critical as the crime was committed with the obvious intent of obtaining sensitive business information concerning a competing applicant.

It points out that ICANN’s Applicant Guidebook disqualifies people from applying for a new gTLD if they’ve been convicted of a computer crime.

To the best of my knowledge Krischenowski has not been convicted of, or even charged with, any computer crime.

What ICANN says he did was use its new gTLD applicants’ customer service portal to search for documents which, due to a dumb misconfiguration by ICANN, were visible to users other than their owners.

Krischenowski told DI in an emailed statement today:

According to ICANN, the failure in ICANN’s CSC and GDD portals was the result of a misconfiguration by ICANN of the software used (as mentioned at https://www.icann.org/news/announcement-2-2015-11-19-en). As a user, I relied on the proper functioning of ICANN’s technical infrastructure while working with ICANN’s CSC portal.

HTLD’s application for .hotel is currently “On Hold”, though it is technically the winner of the seven-application contention set.

It prevailed after winning a controversial Community Priority Evaluation in 2014, which was then challenged in an Independent Review Process case by the applicants Petillion represents.

They lost the IRP, but the IRP panelists said that ICANN’s failure to be transparent about its investigation into Krischenowski could amount to a breach of its bylaws.

In its February ruling, the IRP panel wrote:

It is not clear if ICANN has properly investigated the allegation of association between HTLD and D. Krischenowski and, if it has, what conclusions it has reached. Openness and transparency, in the light of such serious allegations, require that it should, and that it should make public the fact of the investigation and the result thereof.

The ruling seems to envisage the possibility of a follow-up IRP.

ICANN had told the panel that its investigation was not complete, so its failure to act to date could not be considered inaction.

The ICANN board resolved in March, two days after Petillion’s letter was sent, to “complete the investigation” and “provide a report to the Board for consideration”.

While the complaining applicants want information about this investigation, their clear preference appears to be that the HTLD application be thrown out.

Web.com hacked, 93,000 cards stolen

Kevin Murphy, August 19, 2015, Domain Registrars

The credit card details of 93,000 Web.com customers have been stolen by hackers.

The name, address and credit card number of the affected customers were accessed. The verification numbers (from the back of the cards) were not stolen.

Web.com said the attack was discovered August 13 and has been reported to the proper authorities.

Network Solutions and Register.com, its leading registrar businesses, were not affected, the company said.

It has 3.3 million customers. Those whose details were stolen have been emailed and will receive a letter in the mail.

The company said it will provide affected customers with a year of free credit monitoring.

Human glitch lets hackers into ICANN

Kevin Murphy, December 17, 2014, Domain Policy

It’s 2014. Does anyone in the domain name business still fall for phishing attacks?

Apparently, yes, ICANN staff do.

ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.

According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.

CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.

But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.

While the stolen passwords were encrypted, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:

The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.

As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.

It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.

Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.

User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.

In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some passwords that may allow them to cause further mischief if they can be decrypted.

It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.

While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar order to hand over their passwords.

That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.

Russian hackers breaking in to NameCheap accounts

Kevin Murphy, September 2, 2014, Domain Registrars

If you have an account at NameCheap, now might be a good time to think about changing your password.

According to the registrar, hackers based in Russia are using a haul of a reported 4.5 billion username/password combinations to attempt to break into its customers’ accounts.

Some attempts have been successful, NameCheap warned.

The attackers are using credentials stolen from third-party sources in a large-scale, automated attempt to log in to user accounts, disguised as regular users, the company said in a blog post.

NameCheap said:

The vast majority of these login attempts have been unsuccessful as the data is incorrect or old and passwords have been changed. As a precaution, we are aggressively blocking the IP addresses that appear to be logging in with the stolen password data. We are also logging these IP addresses and will be exporting blocking rules across our network to completely eliminate access to any Namecheap system or service, as well as making this data available to law enforcement.

While the vast majority of these logins are unsuccessful, some have been successful. To combat this, we’ve temporarily secured the Namecheap accounts that have been affected and are currently contacting customers involved requesting they improve the security for these accounts.

Affected users have been emailed, the company said.

NameCheap suspects the attack is linked to a reported cache of 1.2 billion unique username/password combinations amassed by a hacker group from databases vulnerable to SQL injection.

The registrar pointed out that its own systems haven’t been hacked. Customers should only be vulnerable if they use the same username and password at NameCheap as they use on other sites.

  • Page 1 of 2
  • 1
  • 2
  • >