attrition.1999-09-16.nsi                    Thu Sep 16 12:45:00 PDT 1999

Vendor: Network Solutions Inc.
Platform: N/A

              Attrition's Little Errata Report Team
                   -<) A . L . E . R . T (>-
-----------------------------------------------------------------
This advisory reports a recently-discovered security issue. It may
contain a workaround or information on where to obtain an appropriate
patch. Advisories should be considered urgent as these notices are
written only when the likelihood of wide impact is determined by the
Attrition staff. An HTML version of this and other advisories can be
found at Attrition.Org at http://www.attrition.org/security/
-----------------------------------------------------------------

                         NSI are morons

AFFECTED SYSTEMS
---------------------------------------------------------------------------

Any system with a registered domain name.

BACKGROUND
---------------------------------------------------------------------------

Network Solutions Inc. has the monopoly on the registration of domain
names across the .com, .org and .net top level domains (TLDs). Thus,
they have a "captive audience." It was to this audience that Unsolicited
Bulk Email (UBE) was sent regarding their services.

Due to Network Solutions' (NSI) unsolicited email, practical monopoly on
domain registration, and their own stupidity, all NSI "customers" are at
risk. Two vulnerabilities have been identified at this time, "stupidity"
and "blackmail" respectively.

NSI was contacted and made aware of this issue on Wed, 15 Sep. Due to
past lack of correspondence on their part, no reply is expected.

BUG REPORT
---------------------------------------------------------------------------

Any NSI customer is vulnerable to a wide variety of social engineering
attacks stemming from a "service" being forced upon them by NSI. NSI
customers must continue to receive unsolicited spam at the threat of
losing service from NSI.
Stupidity:
----------

Beginning mid September, NSI began spamming their 'customers' with the
mail regarding "Important information about your domain name account".
For anyone who has registered a domain via NSI, you are likely to be
targeted and potentially affected by this security threat.

NSI's mail goes on to offer all domain holders a free "dot com" email
service. This web based email is akin to Hotmail or any of the other
free mail services out there. Unfortunately, NSI makes two mistakes.

1. As a domain holder, you are not given a choice in receiving this
   account. Further, NSI sends you the login name and password, via
   email, with no encryption or other means of protection or
   verification. Here is a sample from the mail I received. (Yes, my
   password was changed).

   "3. Lastly, we are pleased to offer you a FREE e-mail account using
   our new dot com now mail service. Because it's Web-based, you can
   use it in the office, at home or on the road. You'll need the
   following information to set up your account:

   >>>>>>>>>>>>Login name: jericho
   >>>>>>>>>>>>Password: jerichonsi"

2. As you can probably guess, the login name and password are quite
   easily guessed. Examining my domain:

   Forced Attrition (ATTRITION2-DOM)

      Administrative Contact, Technical Contact, Zone Contact:
         Jericho, T  (TJ2573)  jericho@DIMENSIONAL.COM
         602.347.0028 (FAX) private

   By using the last name as the "login name", and "last name+nsi" as
   the password, it is trivial to log into the 'dot com' mail service
   and pose as the legitimate owner of the domain.

Blackmail:
----------

The last paragraph of the unsolicited mail reads:

"If you do not wish to receive e-mail from Network Solutions, click on
this e-mail address and type "remove" in the subject line. PLEASE NOTE:
by opting to be removed from this list we will not be able to
communicate to you, in real-time, on issues regarding your account."

This is a clear case of blackmail on NSI's part.
By clicking on the link, they inform you that no further updates will
reach you regarding your domain. This means that you must suffer under
their unethical ways and receive their spam if you wish to receive mail
about your registered domain that you paid for.

Reference:
----------

Here is the full text of the mail for reference. Use this to alert
others and watch for blatant spam by NSI.

Date: Wed, 15 Sep 1999 21:00:29 -0400
From: Network Solutions
To: "T Jericho"
Reply-To: Network Solutions
Subject: Important information about your domain name account

Dear T Jericho,

As a customer of Network Solutions or one of our Premier Program
members, we'd like to update you on three important items:

1. On September 18, 1999, Network Solutions plans to move to a new
Web-based prepayment process for registering domain names. At that
point, we will no longer accept NEW registrations without payment in
full at time of registration. This new online payment method gives
customers the convenience of payment by credit card. THIS CHANGE DOES
NOT AFFECT YOUR CURRENT DOMAIN(S) IN ANY WAY AND NO ACTION IS REQUIRED
ON YOUR PART.

If you register ten or more domain names per month, you could be
eligible for Network Solutions' Affiliates or Business Account
Programs. Under these programs, you may qualify to continue receiving
invoices for domain name registrations. To be eligible, you must apply
at http://www.netsol.com/affiliates or
http://www.netsol.com/business_account.

2. Because you registered your domain name with us, your company has
received a FREE listing in the NEW dot com directory. We believe the
dot com directory gives you a unique competitive advantage, enabling
potential customers to find and do business with you. Search the
directory for your own business to see how easy it is! Go to
http://www.netsol.com/directory to find your business. You can also
click on "Update Your Listing" to search for and verify your company
information.

3. Lastly, we are pleased to offer you a FREE e-mail account using our
new dot com now mail service. Because it's Web-based, you can use it in
the office, at home or on the road. You'll need the following
information to set up your account:

>>>>>>>>>>>>Login name: jericho
>>>>>>>>>>>>Password: jerichonsi

Please visit http://www.netsol.com/dotcomnowmail to review all the
features of dot com now mail and set up your account.

Thank you for choosing Network Solutions to launch and develop your
Internet identity. We look forward to serving you for many years to
come.

Network Solutions, Inc.
the dot com people

Copyright 1999 Network Solutions, Inc. Network Solutions is a
registered trademark. The following are trademarks of Network
Solutions, Inc.: the dot com people; dot com directory; dot com now
mail. All rights reserved.

If you do not wish to receive e-mail from Network Solutions, click on
this e-mail address and type "remove" in the subject line. PLEASE NOTE:
by opting to be removed from this list we will not be able to
communicate to you, in real-time, on issues regarding your account.

RECOMMENDED ACTIONS
---------------------------------------------------------------------------

Recipients of this UBE are encouraged to file a complaint with NSI
regarding their lack of netiquette and obvious lack of security in
handling their customer accounts. Recipients are also encouraged to
send a cc: of the complaint to uce@ftc.gov as well as noc@netsol.com
and ap@netsol.com.
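The weakness described under "Stupidity" above can be checked for on the provisioning side: the sketch below flags initial passwords built from values in the public registration record and shows a random replacement. This is an added example, not part of the original advisory; the function names, the MAX_EXTRA threshold and all sample records except the jericho/jerichonsi pair quoted above are constructed for illustration.

```python
import re
import secrets

# Constructed sample records: (login, initial_password, public registry fields).
# The first row mirrors the scheme quoted in the advisory; the rest are made up.
SAMPLE_ACCOUNTS = [
    ("jericho", "jerichonsi", ["Jericho, T", "TJ2573", "ATTRITION2-DOM"]),
    ("example", "Example1999", ["Example, A", "AE0000", "EXAMPLE-DOM"]),
    ("sample", secrets.token_urlsafe(16), ["Sample, B", "BS0000", "SAMPLE-DOM"]),
]

MAX_EXTRA = 6  # assumption: a public token plus <= 6 other characters is guessable


def public_tokens(login, public_fields):
    """Lower-cased words (3+ chars) that anyone can read from the public record."""
    tokens = {login.lower()}
    for field in public_fields:
        tokens.update(t for t in re.split(r"[^a-z0-9]+", field.lower()) if len(t) >= 3)
    return tokens


def derivable_from_public_data(login, password, public_fields):
    """Return the public token the password is built on, or None."""
    pw = password.lower()
    ordered = sorted(public_tokens(login, public_fields), key=lambda t: (-len(t), t))
    for token in ordered:
        if token in pw and len(pw) - len(token) <= MAX_EXTRA:
            return token
    return None


def audit(accounts):
    """Map login -> offending token for every account that fails the check."""
    findings = {}
    for login, password, fields in accounts:
        token = derivable_from_public_data(login, password, fields)
        if token:
            findings[login] = token
    return findings


def new_initial_secret():
    """Random one-time setup value; contains nothing from the public record."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    for login, token in audit(SAMPLE_ACCOUNTS).items():
        print(f"{login}: initial password is built on public value {token!r}")
```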
CREDITS
---------------------------------------------------------------------------

ADVISORY AUTHOR: Jericho

CONTACT INFORMATION
---------------------------------------------------------------------------

Questions regarding this advisory or information regarding new
advisories and potential vulnerabilities should be directed to ALERT
using one of the following methods:

E-Mail: alert@attrition.org
WWW   : http://www.attrition.org/security/attrition.html

The ALERT PGP Public Key (PGP v2.6.2, RSA) is available at:
http://www.attrition.org/security/advisory/attrition/pubkey.txt