RealTime IT News

Panix.com Hijacking Causes Panic

UPDATED: Public Access Networks (PAN) found itself on the receiving end of a domain-stealing incident that left its customers without Web or e-mail access over the holiday weekend.

According to the Panix Web site, an unknown individual was able to register as the owner of its domain -- panix.com -- Saturday morning. As a result, e-mail and other Internet activity normally directed to PAN servers bounced, because panix.com now pointed to a server in Canada, according to the Domain Name System (DNS) information that keeps track of all registrations.

Officials weren't able to regain control of the domain until Sunday evening, and full service wasn't restored until Monday evening. Officials are working with U.S. and foreign law enforcement agencies to determine who the perpetrator was and apprehend the offender.

The incident shines a hard light on a recent domain name registration policy enacted by the Internet Corporation for Assigned Names and Numbers (ICANN) late last year to prevent just such a thing from occurring.

ICANN officials were not available for comment at press time.

According to the site, while the server was located in Canada, the DNS records were transferred to a company in the United Kingdom with corporate registration in Delaware at the behest of an Australian registrar. Officials are still trying to determine what went wrong.

"It's not supposed to be possible to transfer a domain name from one registrar to another without notifying both the current registrar and the current domain owner, but that's what seems to have happened," officials said in their Web site explanation to customers.

Alexis Rosen, PAN president, said that while he is going to talk to Dotster in the near future about his company supposedly not signing up for the domain locking service, the point is academic since Dotster was never contacted in the first place. MelbourneIT failed, he said, when it allowed the fraudulent request to go through without verifying the transfer. The incident throws the whole process into question.

"We want to find the individual who was responsible for the fraudulent transfer, [but] we also want to find out how the process failed, because that's really the much bigger issue here," Rosen said. "As infuriated as we are by the whole situation, our real worry is that the system is broken. First of all, the system clearly depends on the reliability of the registrars and clearly the registrars are not reliable, at least in some cases, and that's worrisome."

George DeCarlo, vice president of marketing at Dotster, PAN's registrar, said his company has had nothing but trouble since ICANN adopted its new policy in early November.

Ostensibly, the policy change was intended to help companies looking to move their domains from one registrar to another. However, to "lock" down their Web site address, domain owners need to formally request that a switch to a new registrar be verified first.

"Anyone that doesn't have their domain locked down at the registrar is at risk to a registrar that has a loophole in their system or doesn't follow the appropriate guidelines," he said. "They're basically at risk to more than 200 accredited ICANN registrars that have the ability to submit a command to request transfer of the domain and we have no way to know whether that command was authorized or wasn't authorized."

DeCarlo said PAN did not sign on to the domain-locking service provided by the company, even though Dotster sent notices to all its customers on different occasions.

That left www.panix.com open to abuse when Australian registrar MelbourneIT failed to check with PAN officials to authorize the transfer.

Bruce Tonkin, MelbourneIT chief technology officer, wrote in an e-mail to the North American Network Operators Group list Tuesday that the transfer request came from one of its third-party resellers, which approved the transfer based on an account set up from a person using a stolen credit card.

In some cases, his e-mail states, registrars like his company can delegate authority for approving domain transfers to their resellers, a loophole that puts the onus on the third-party reseller.

"There was an error in the checking process prior to initiating the transfer, and thus the transfer should never have been initiated," Tonkin's e-mail states. "The loophole that led to this error has been closed."

DeCarlo warns domain owners to ensure their domain is locked down. As a result of the hijacking, DeCarlo said Dotster is locking down all customer domains by default, though registrants can request to opt out of the domain locking policy.
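
One way to run the check DeCarlo recommends across a set of domains, as an added example that is not part of the original article: it scans WHOIS text for the EPP status `clientTransferProhibited` (or the registry-set `serverTransferProhibited`), which is how present-day WHOIS output reports a transfer lock. The domain names and WHOIS records below are constructed samples, and the function names are this example's own.

```python
import re

# EPP status codes that block a registrar-to-registrar transfer (the "lock").
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
PENDING = "pendingtransfer"  # a transfer request is already in flight

# Matches "Domain Status: clientTransferProhibited https://icann.org/epp#..."
STATUS_RE = re.compile(r"^\s*(?:Domain\s+)?Status:\s*([A-Za-z]+)", re.I | re.M)


def parse_statuses(whois_text):
    """Return the lowercase EPP status codes found in one WHOIS record."""
    return {m.group(1).lower() for m in STATUS_RE.finditer(whois_text)}


def audit(whois_text):
    """Classify a record as locked, UNLOCKED, TRANSFER PENDING or UNKNOWN."""
    statuses = parse_statuses(whois_text)
    if not statuses:
        return "UNKNOWN"           # rate-limited or redacted reply: re-query
    if PENDING in statuses:
        return "TRANSFER PENDING"  # contact the registrar immediately
    if statuses & TRANSFER_LOCKS:
        return "locked"
    return "UNLOCKED"              # a transfer request would not be blocked


def audit_all(records):
    """Map each domain name to its verdict."""
    return {domain: audit(text) for domain, text in records.items()}


# Constructed sample WHOIS records (not real lookups).
SAMPLES = {
    "locked.example": "Domain Name: LOCKED.EXAMPLE\n"
        "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n",
    "open.example": "Domain Name: OPEN.EXAMPLE\n"
        "Domain Status: ok https://icann.org/epp#ok\n",
    "moving.example": "Domain Name: MOVING.EXAMPLE\n"
        "   Domain Status: pendingTransfer\n",
    "throttled.example": "WHOIS LIMIT EXCEEDED - try again later\n",
}

if __name__ == "__main__":
    for domain, verdict in sorted(audit_all(SAMPLES).items()):
        print(f"{domain:20} {verdict}")
```

A record with no status lines is reported as UNKNOWN rather than UNLOCKED, so a throttled WHOIS reply is not mistaken for a finding in either direction.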