http://www.wired.com/news/business/0,1367,36797,00.html
by Craig Bicknell
3:00 a.m. Jun. 8, 2000 PDT
Alan Meckler runs a $500 million public Net media company whose value
rests in good part on its eponymous Web address -- Internet.com.
Thirteen-hundred other domains help flesh out Meckler's media empire,
which delivers news and information to seasoned Web vets.
Last weekend, a thief armed with nothing more than a fax machine and a
piece of paper made off with the whole enterprise.
"It appears some forged documents were sent via fax to Network
Solutions indicating that the domains should be transferred to someone
in Canada," Meckler said.
Much to Meckler's chagrin, Network Solutions promptly made the
transfer. "There was no double-checking on the part of Network
Solutions," he said. "What kind of business would fax in a letter
saying, 'Just turn over these 1,300 domains?'"
After several days of wrangling with Network Solutions and Open SRS --
the Canadian registrar to which the stolen domains were transferred --
Meckler has his domains back, but not his confidence in Network
Solutions.
"It's resolved until it happens again to us or someone else," he said.
"There's no safeguard.
"Who would think that property you've paid for, you'd have to
double-check?" Meckler asked. "There's a definite flaw in the system."
Not to worry, says Network Solutions: It's a flaw that's being fixed.
"We're taking steps to ensure that this type of thing doesn't happen
again," said Network Solutions spokesman Brian O'Shaughnessy.
O'Shaughnessy said he couldn't specify what steps were being taken
without comprising their effectiveness in preventing further domain
heists.
Net entrepreneur Gary Kremen might be forgiven for failing to take
much comfort in the registrar's assurances.
A domain he owned, Sex.com, was allegedly stolen by an ex-felon who,
just like the Internet.com booster, forged a phony transfer document
to Network Solutions more than four years ago.
"It's outrageous," Kremen said of the Internet.com heist. "It's
exactly what happened to me. This is the exact thing! Can you
imagine?"
Unlike Meckler, Kremen never got the Sex.com domain back, though he
hopes to recover it following a pending lawsuit.
Meanwhile, Web Networks, a nonprofit ISP that hosts websites for other
nonprofits, is still assessing the damage after losing its domain,
Web.net, to a thief last week.
In the Web.net heist, the thief forged an email to Network Solutions
authorizing the transfer to Open SRS.
Web.net executive director Tonya Hancherow spent a week battling
Network Solutions reps before she regained control of the site. In the
interim, more than 3,500 of her customers went without email and other
Net services. "It was like banging my head against a brick wall," she
said. "Not a single person ever returned my phone calls. They'd
disappear into the black hole of business affairs."
Only by working with Open SRS was Hancherow able to wrest control of
Web.net back from the webjacker, she said.
Network Solutions downplays the webjacking incidents as a rare --
albeit unfortunate -- side effect of handling 30,000 domain requests
per day. While a number of sites have been hijacked in preceding
months, the number is "minuscule" when compared to the total number of
domain transactions.
"Overall, the system is very efficient," O'Shaughnessy said.
It's also very, very easy to trick, claim Meckler and Hancherow, both
of whom are mulling legal action against Network Solutions.
Unlike Hancherow, Meckler said Network Solutions had been helpful in
resolving the hijacking, but hadn't admitted any negligence or fault.
Both say Network Solutions ignored its own security procedures when it
transferred Web.net and Internet.com without receiving password
authorization from the rightful owners.
"That would be a big deal if we got ourselves organized to pursue
legal action," Hancherow said.
Attorneys, however, say that legal action against NSI is likely to
lead to a dead end. NSI recently prevailed in a suit brought against
by Kremen in the Sex.com case, and lawyers expect the same outcome in
future webjacking cases.
"Network Solutions is insulated from these kinds of claims," said
Connie Ellerbach, a partner with Fenwick and West in Palo Alto,
California. "If they've taken reasonable steps to prevent this sort of
thing, the court is not going to hold them responsible."
Meckler is unfazed by the legal precedent.
"Anyone who knows me knows I take people off at the knees. If I have
to, I'll go to court," he said. "If I go down, they'll go down."
*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*
ISN is sponsored by SecurityFocus.com
---
To unsubscribe email LISTSERV@SecurityFocus.com with a message body of
"SIGNOFF ISN".
Received on Thu Jun 8 14:44 CDT 2000