doc_strange wrote, 2005-01-16 10:57 am
A bad week for email -- gmail vulnerability and Panix's domain hijacked
It's been a bad week for email... well, ok, for a lot more than that, though it's email that is mostly at risk in both disturbing items.
Researchers accidentally found a bug in gmail (the free Google email service) that reveals the contents of the previous transaction the server processed -- whatever its content. I.e., you could see other people's emails. Google managed to fix the bug about an hour after the story was slashdotted.
--------
Much more disturbing, because it will be harder to fix and is more disruptive, a post I'm calling, "The Security Implications of Domain Name Registrar choice and ICANN policies..."
In a disturbing turn of events, age-old (in Internet terms) commercial access provider Panix has had their main domain name, panix.com, hijacked. While panix.net still works correctly, panix.com is the domain used for their thousands of subscribers' email, web pages, etc.
Bad. Very bad. One wonders how it happened. Did the domain expire and get grabbed up? Did someone break into Panix's Dotster account? Did someone bamboozle Dotster? Did someone put in a transfer request that went unheeded by Panix (the new ICANN policy is that, "Failure by the Registrar of Record to respond within five (5) calendar days to a notification from the Registry regarding a transfer request will result in a default "approval" of the transfer")?
Domain Name.......... panix.com
Creation Date........ 1991-04-22
Registration Date.... 2005-01-15
Expiry Date.......... 2006-04-23
Organisation Name.... vanessa Miranda
Organisation Address. 1010 Grand Cerritos Ave
Organisation Address. Las Vegas
Organisation Address. 89123
Organisation Address. NV
Organisation Address. UNITED STATES
Admin Name........... na vanessa Miranda
Admin Address........ 1010 Grand Cerritos Ave
Admin Address........ Las Vegas
Admin Address........ 89123
Admin Address........ NV
Admin Address........ UNITED STATES
Admin Email.......... jzoh@yahoo.com
Admin Phone.......... +44.702413697
Admin Fax............ +44.7026413697
Tech Name............ Domain Admin
Tech Address......... Burnhill Business Centre
Tech Address......... Beckenham
Tech Address......... BR3 3LA
Tech Address......... Kent
Tech Address......... GREAT BRITAIN (UK)
Tech Email........... admin@powerhost.co.uk
Tech Phone........... +44.2082496081
Tech Fax............. +44.2082496076
Name Server.......... ns1.ukdnsservers.co.uk
Name Server.......... ns2.ukdnsservers.co.uk
Note that everything including the nameservers has been changed. Email to users "@" panix.com may actually still work for a time, because DNS caches will maintain the data until it expires or the cache buffer gets overwritten. (For example, my DNS cache server shows 22 hours remaining on the cache timer for the "real" panix.com MX record.) The "new" www site has a placeholder page from freeparking.co.uk.
After the caches expire, web browsers will go to the bogus site, and mail to users "at" panix.com will go ... wherever the people who hijacked the domain want. Unless it's quickly resolved. As I write this, the "new" MX records point to 207.61.90.0 and 142.46.200.0 -- network addresses rather than normal host IPs -- which means the mail probably will fail (and thus just queue up, and with luck be delivered to the real panix.com once this mess is cleared up). Fortunately, right now, the cache expiry on the 'new' MX record is 24 hours, while email delivery is normally attempted for 5-10 days, depending on the mail software and configuration.
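The checks described above (changed nameservers, changed MX records, MX targets that are network addresses rather than hosts, and the MX TTL versus the mail retry window) as a small domain-monitoring script. This is an added example, not code from the post or from Panix; the baseline records and the MX hostnames are constructed placeholders, while the hijacked nameservers and MX addresses are the ones quoted in the post.

```python
"""Compare a domain's observed NS/MX data against a known-good baseline and
report the hijack indicators discussed in the post. Runs offline on the
constructed snapshots below; swap in live resolver output for real use."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Snapshot:
    nameservers: set          # NS hostnames for the domain
    mx_hosts: dict            # MX hostname -> IPv4 address it resolves to
    mx_ttl_seconds: int       # remaining cache lifetime of the MX record


def is_network_address(ip: str) -> bool:
    """Heuristic used in the post: an IPv4 address whose last octet is 0 is a
    /24 network number, not a host a mail server would actually answer on."""
    return (int(ipaddress.IPv4Address(ip)) & 0xFF) == 0


def check_domain(baseline: Snapshot, observed: Snapshot, retry_days: int = 5) -> list:
    """Return a list of human-readable findings; an empty list means no change."""
    findings = []
    if observed.nameservers != baseline.nameservers:
        findings.append(f"nameservers changed: {sorted(observed.nameservers)}")
    if set(observed.mx_hosts) != set(baseline.mx_hosts):
        findings.append(f"MX hosts changed: {sorted(observed.mx_hosts)}")
    for host, ip in observed.mx_hosts.items():
        if is_network_address(ip):
            findings.append(f"MX {host} resolves to network address {ip}; "
                            "delivery will fail and mail will queue")
    # Mail servers keep retrying for days; if the bogus MX record's TTL is shorter
    # than that window, queued mail can still reach the real servers after recovery.
    if findings and observed.mx_ttl_seconds < retry_days * 86400:
        findings.append(f"MX TTL {observed.mx_ttl_seconds}s is inside the "
                        f"{retry_days}-day retry window; queued mail is recoverable")
    return findings


# Constructed baseline (placeholder names, not Panix's real records).
GOOD = Snapshot({"ns1.good.example", "ns2.good.example"},
                {"mail.good.example": "192.0.2.25"}, 86400)
# Observed state built from the values quoted in the post (MX hostnames are placeholders).
HIJACKED = Snapshot({"ns1.ukdnsservers.co.uk", "ns2.ukdnsservers.co.uk"},
                    {"mx1.bogus.example": "207.61.90.0",
                     "mx2.bogus.example": "142.46.200.0"}, 86400)

if __name__ == "__main__":
    for line in check_domain(GOOD, HIJACKED):
        print("ALERT:", line)
```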
The relevant content from Panix's REAL website:
Panix victim of domain name hijacking

Status as of Sun Jan 16 12:24:37 EST 2005

Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site. Since the Internet domain name system is distributed, some network providers (such as Speakeasy and Roadrunner at the time of this writing) still have the correct information in their name servers, but this could change at any moment.

As a temporary workaround, you can use the panix.net domain in place of panix.com. In other words, if you're trying to log onto "shell.panix.com" or see your mail at "mail.panix.com," use "shell.panix.net" or "mail.panix.net" instead. However, you should only change the names of hosts that you connect to or your return address: the name you use to login to our mail servers, username@panix.com, should stay the same.

Mail to username@panix.com is currently being redirected to the false site, and should be considered lost or compromised if it does not arrive in your Panix mailbox. If you have online accounts that authenticate via email address, you might wish to protect them against fraud by changing that address to your username "@panix.net". However, the domain name wildcarding for users.panix.net is NOT working at this time - use username+tag@panix.net instead.

When contacting hosts that use SSL security (URLs that begin with "https" rather than "http", or SSL-wrapped services such as secure SMTP, secure IMAP, or secure POP), you will see a hostname error. The server will present a certificate that says it is "something.panix.com", and your browser or mail program, which expects to see "something.panix.net", will complain about the mismatch. This is an expected consequence of using the "panix.net" workaround.

If you have urgent concerns that are not addressed by this message, you can contact us by calling +1 (212) 741-4400, and pressing 0. (You may need to leave a message for us, but we're checking frequently.) For less-than urgent concerns, please write to us at staff@panix.net.