ICANN Email List Archives

[gnso-thickwhoispdp-wg]



Re: [gnso-thickwhoispdp-wg] DNS attack and our topic

  • To: Susan Kawaguchi <susank@xxxxxx>, Thick Thin PDP <gnso-thickwhoispdp-wg@xxxxxxxxx>
  • Subject: Re: [gnso-thickwhoispdp-wg] DNS attack and our topic
  • From: Don Blumenthal <dblumenthal@xxxxxxx>
  • Date: Thu, 20 Jun 2013 18:47:06 -0400

Susan,

There probably were at least two simultaneous things going on, including a
DNS hack. The Cisco blog has some problems but I cited it because it was
the first published attempt that I've seen to put some coherence on what
happened. I expect more analyses.

I'll push the person who made the comment about a thick .com to submit a
comment on our draft. I see his point but his long record and reputation
in anti-abuse operations suggest that I defer to any writeup that he can
do. I'll keep carping at him until the end of our comment period.

Don

On 6/20/13 6:15 PM, "Susan Kawaguchi" <susank@xxxxxx> wrote:

>Hi Don, 
>
>It will be interesting to hear what really happened.  I read the article
>and do not understand how dealing with a denial of service attack could
>result in changing servers on specific domain name records.  In my
>experience, it just wouldn't happen that way.  It may be that there was a
>DDoS attack and a hacking or social engineering event at the same time.
>Obviously, someone made a major mistake.
>
>In 2008 when I was at eBay and managing PayPal domain names we sent in a
>phishing report to Network Solutions and instead of removing the servers
>off of the offending domain name they removed them from PayPal.com.
>Stupid human error which we are all capable of without good processes in
>place.  The registry lock came out of this event which would prevent any
>unauthorized modifications to the thin whois record.
>
>I cannot imagine this scenario would have been different with a thick
>whois or thin whois registry.  The registrar in both cases interacts with
>the registry to make modifications and if there is no double check or a
>security protocol in place to prevent automatic updates then the
>registrant will always run the chance of this happening.
>
>
>Susan Kawaguchi
>Domain Name Manager
>Facebook Legal Dept.
>
>Phone - 650 485-6064
>
>
>
>
>
>On 6/20/13 2:28 PM, "Don Blumenthal" <dblumenthal@xxxxxxx> wrote:
>
>>
>>There has been a lot of chatter on anti-abuse and security lists today
>>about a major DNS hijack at Network Solutions yesterday that affected
>>some significant brands. LinkedIn, USPS, CarMax, and Mazda are among
>>them. This article is the first good description that I have seen.
>>http://blogs.cisco.com/security/hijacking-of-dns-records-from-network-solutions/
>>
>>If it had to occur, I wish that it had come before we finished drafting.
>>One post on the hack, from someone that I respect very much, said that it
>>could not have happened if .com were thick. I urged him to submit a
>>comment when our document goes up.
>>
>>FWIW,
>>
>>Don
>>
>
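The check Susan's message implies, written out as an added example (it is not part of the thread and not anyone's production tooling): after a registry lock is placed, the thin WHOIS record for the domain should carry the registry-side EPP statuses serverUpdateProhibited, serverDeleteProhibited and serverTransferProhibited, which only the registry can clear, and the delegated name servers should match a baseline the registrant controls. The script below parses a constructed thin WHOIS record, reports any of those three statuses that are missing, and reports name-server drift against the baseline. The domain names, registrar name and WHOIS text are invented for illustration; the "Key: Value" layout and the status names follow the usual .com registry output and the ICANN EPP status codes.

```python
import re

# Constructed thin WHOIS record for a fictional domain with a registry lock in place.
WHOIS_LOCKED = """\
Domain Name: EXAMPLE-BRAND.COM
Registrar: Example Registrar, LLC
Name Server: NS1.EXAMPLE-BRAND.COM
Name Server: NS2.EXAMPLE-BRAND.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Updated Date: 2013-06-20T00:00:00Z
"""

# Constructed record for the same fictional domain after an unauthorised change:
# no registry lock, and the name servers now point somewhere the registrant did not choose.
WHOIS_CHANGED = """\
Domain Name: EXAMPLE-BRAND.COM
Registrar: Example Registrar, LLC
Name Server: NS1.UNEXPECTED.EXAMPLE
Name Server: NS2.UNEXPECTED.EXAMPLE
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Updated Date: 2013-06-19T00:00:00Z
"""

# EPP statuses a registry lock sets. The registrar cannot clear server* statuses,
# so a mistaken or hijacked registrar-side update cannot get past them.
REGISTRY_LOCK_STATUSES = {
    "serverDeleteProhibited",
    "serverTransferProhibited",
    "serverUpdateProhibited",
}

KEY_VALUE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Parse 'Key: Value' lines into a dict of lower-cased key -> list of values.
    Repeated keys (Name Server, Domain Status) accumulate; unparseable lines are skipped."""
    record = {}
    for line in text.splitlines():
        match = KEY_VALUE.match(line)
        if not match:
            continue
        key, value = match.group(1).strip().lower(), match.group(2)
        if value:
            record.setdefault(key, []).append(value)
    return record


def missing_lock_statuses(record):
    """Return the registry-lock statuses that are absent from the record, sorted."""
    # Registry output usually appends the ICANN EPP URL after the status name; keep the name only.
    present = {status.split()[0] for status in record.get("domain status", [])}
    return sorted(REGISTRY_LOCK_STATUSES - present)


def nameserver_drift(record, expected):
    """Compare delegated name servers against the registrant's baseline.
    Returns (unexpected_servers, missing_servers), both sorted and lower-cased."""
    actual = {ns.lower().rstrip(".") for ns in record.get("name server", [])}
    baseline = {ns.lower().rstrip(".") for ns in expected}
    return sorted(actual - baseline), sorted(baseline - actual)


def check_domain(whois_text, expected_nameservers):
    """Return a list of human-readable findings; an empty list means the record looks as expected."""
    record = parse_whois(whois_text)
    findings = []
    missing = missing_lock_statuses(record)
    if missing:
        findings.append("registry lock incomplete, missing: " + ", ".join(missing))
    unexpected, absent = nameserver_drift(record, expected_nameservers)
    if unexpected or absent:
        findings.append(
            "name server drift, unexpected: %s; missing: %s"
            % (", ".join(unexpected) or "-", ", ".join(absent) or "-")
        )
    return findings


if __name__ == "__main__":
    baseline = ["ns1.example-brand.com", "ns2.example-brand.com"]
    for label, text in (("locked", WHOIS_LOCKED), ("changed", WHOIS_CHANGED)):
        result = check_domain(text, baseline)
        print(label, "->", result or ["ok"])
```

Run periodically against the live WHOIS (or RDAP) output for each brand domain and page on any finding; the status check catches a lock that was never applied or was lifted, and the name-server check catches exactly the kind of change Don's first message describes, whichever side made it.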




