Panix.com Hijacking Causes Panic

UPDATED: Public Access Networks (PAN) found itself on the receiving end
of a domain-stealing incident that left its customers without Web or e-mail
access over the holiday weekend.

According to the Panix Web site, an unknown individual was able to
register as the owner of its domain — panix.com — Saturday morning. As
a result, e-mail or Internet-related activity normally pointed to PAN
servers was bounced because the panix.com servers now pointed to a server in Canada,
according to the domain name server (DNS) information that
keeps track of all registrations.

Officials weren’t able to regain control of the domain until Sunday evening,
and full service wasn’t restored until Monday evening. Officials are
working with U.S. and foreign law enforcement agencies to determine who the
perpetrator was and apprehend the offender.

The incident shines a hard light on a recent domain name registration policy
enacted by the Internet Corporation for Assigned Names and Numbers (ICANN)
late last year to prevent just such a thing from occurring.

ICANN officials were not available for comment at press time.

According to the site, while the server was located in Canada, the DNS
records were transferred to a company in the United Kingdom with corporate
registration in Delaware at the behest of an Australian registrar.
Officials are still trying to determine what went wrong.

“It’s not supposed to be possible to transfer a domain name from one
registrar to another without notifying both the current registrar and the
current domain owner, but that’s what seems to have happened,” officials
said in their Web site explanation to customers.

Alexis Rosen, PAN president, said that while he is going to talk to Dotster in the near future about his company supposedly not signing up for the domain locking service, the point is academic since Dotster was never contacted in the first place. MelbourneIT failed, he said, when it allowed the fraudulent request to go through without verifying the transfer. The incident throws the whole process into question.

“We want to find the individual who was responsible for the fraudulent transfer, [but] we also want to find out how the process failed, because that’s really the much bigger issue here,” Rosen said. “As infuriated as we are by the whole situation, our real worry is that the system is broken. First of all, the system clearly depends on the reliability of the registrars and clearly the registrars are not reliable, at least in some cases, and that’s worrisome.”

George DeCarlo, vice president of marketing at Dotster, PAN’s registrar, said his company
has had nothing but trouble since ICANN adopted its new policy in early November.

Ostensibly, the policy change was intended to help companies looking to move
their domains from one registrar to another. However, to “lock” down their
Web site address, domain owners need to formally request that a switch to a
new registrar be verified first.

“Anyone that doesn’t have their domain locked down at the registrar is at
risk to a registrar that has a loophole in their system or doesn’t follow
the appropriate guidelines,” he said. “They’re basically at risk to more
than 200 accredited ICANN registrars that have the ability to submit a
command to request transfer of the domain and we have no way to know whether
that command was authorized or wasn’t authorized.”

DeCarlo said PAN did not sign onto the domain-locking service provided by the company,
even though Dotster sent notices to all its customers on different occasions.

That left www.panix.com open to abuse when Australian registrar MelbourneIT
failed to check with PAN officials to authorize the transfer.

Bruce Tonkin, MelbourneIT chief technology officer, wrote in an e-mail to the
North American Network Operators Group list Tuesday that the transfer
request came from one of its third-party resellers, which approved the
transfer based on an account set up from a person using a stolen credit
card.

In some cases, his e-mail states, registrars like his company can delegate
authority for domain switch approval to their resellers, a loophole that
puts the onus on the third-party reseller.

“There was an error in the checking process prior to initiating the
transfer, and thus the transfer should never have been initiated,” Tonkin’s
e-mail states. “The loophole that led to this error has been closed.”

DeCarlo warns domain owners to ensure their domain is locked down.
As a result of the hijacking, DeCarlo said Dotster is
locking down all customer domains by default, though registrants can request
to opt out of the domain locking policy.
