attrition advisory #001

September 16, 1999 - "NSI are morons"
99.09.16-001.nsi_stupidity_and_blackmail
by: jericho@attrition.org

Vulnerability: Due to Network Solutions (NSI) unsolicited email, practical
               monopoly on domain registration, and their own stupidity,
               all NSI "customers" are at risk. Two vulnerabilities have
               been identified at this time, "stupidity" and "blackmail"
               respectively. 

Vendor Status: NSI was contacted and made aware of this issue on Wed, 15
               Sep. Due to past lack of correspondence, no reply is
               expected. 

Impact: Any NSI customer is vulnerable to a wide variety of social
        engineering attacks stemming from a "service" being forced upon
        them by NSI. NSI customers must continue to receive unsolicited
        spam at the threat of losing service from NSI.


Details >-------------------------------------------------------------------

Stupidity:
----------

Beginning mid September, NSI began spamming their 'customers' with the
mail regarding "Important information about your domain name account". For
anyone who has registered a domain via NSI, you are likely to be targeted
and potentially affected by this security threat. 

NSI's mail goes on to offer all domain holders a free "dot com" email
service. This web based email is akin to Hotmail or any of the other free
mail services out there.  Unfortunately, NSI makes two mistakes. 

   1. As a domain holder, you are not given a choice in receiving this
      account. Further, NSI sends you the login name and password, via
      email, with no encryption or other means of protection or
      verification. Here is a sample from the mail I received. (Yes, my
      password was changed). 

     "3. Lastly, we are pleased to offer you a FREE e-mail account using
      our new dot com now mail service. Because it's Web-based, you can
      use it in the office, at home or on the road. You'll need the
      following information to set up your account:
		 >>>>>>>>>>>>Login name:  jericho
		 >>>>>>>>>>>>Password:    jerichonsi"

   2. As you can probably guess, the login name and password are quite
      easily guessed. Examining my domain:

	Forced Attrition (ATTRITION2-DOM)

	   Administrative Contact, Technical Contact, Zone Contact:
	      Jericho, T  (TJ2573)  jericho@DIMENSIONAL.COM
	      602.347.0028 (FAX) private

      By using the last name as the "login name", and "last name+nsi"
      as the password, it is trivial to log into the 'dot com' mail
      service and pose as the legitimate owner of the domain.
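The check below is an added example, not code from this advisory or from NSI. It shows how a provisioning system (or an auditor reviewing one) can reject initial credentials that are readable from, or trivially built from, a public WHOIS record, and hand out a random one-time password instead. The WHOIS values are taken from the record quoted above; the dictionary field names, the `max_extra` threshold and the function names are assumptions made for this example.

```python
import secrets
import string

# Public WHOIS-style identifiers for the domain, taken from the record quoted
# in this advisory. The field names are assumptions for this example.
WHOIS_RECORD = {
    "handle": "TJ2573",
    "last_name": "Jericho",
    "email": "jericho@DIMENSIONAL.COM",
    "registrar": "nsi",
}


def public_tokens(record):
    """Lower-cased strings an outsider can read straight off the public record.

    The local part of the e-mail address is added as its own token because it
    is the most common source of a login name.
    """
    tokens = set()
    for key, value in record.items():
        value = value.lower().strip()
        if value:
            tokens.add(value)
        if key == "email" and "@" in value:
            tokens.add(value.split("@", 1)[0])
    return tokens


def login_is_public(login, record):
    """True when the login name itself is one of the public tokens."""
    return login.lower() in public_tokens(record)


def derivable_from(password, login, record, max_extra=4, min_token=3):
    """Return the public token a password is built from, or None.

    A password counts as derivable when it contains a public token (or the
    login name) and adds at most `max_extra` other characters, which covers
    the "last name + short vendor suffix" scheme the advisory describes.
    Longest tokens are tried first so the most specific match is reported.
    """
    pw = password.lower()
    candidates = public_tokens(record) | {login.lower()}
    for token in sorted(candidates, key=len, reverse=True):
        if len(token) < min_token:
            continue
        if token in pw and len(pw) - len(token) <= max_extra:
            return token
    return None


def random_initial_password(length=16):
    """Generate a one-time initial password that carries no public information."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def review_provisioning(login, password, record):
    """Assess a provisioned (login, password) pair against the public record.

    Returns a dict with the findings and, when the password is rejected, a
    random replacement the system should send instead.
    """
    findings = []
    if login_is_public(login, record):
        findings.append("login name is readable from the public record")
    token = derivable_from(password, login, record)
    if token is not None:
        findings.append(f"password is derivable from public token '{token}'")
    return {
        "login": login,
        "accepted": not findings,
        "findings": findings,
        "replacement": random_initial_password() if token is not None else None,
    }


if __name__ == "__main__":
    # The credentials from the advisory's quoted mail, used as constructed input.
    report = review_provisioning("jericho", "jerichonsi", WHOIS_RECORD)
    for finding in report["findings"]:
        print("REJECT:", finding)
```

The substring test is deliberately loose: a scheme that appends a short vendor tag, a year or "123" to a public name is caught whatever the tag is, and the cost of a false positive is only that a random password is issued instead.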


Blackmail:
----------

The last paragraph of the unsolicited mail reads:

   "If you do not wish to receive e-mail from Network Solutions, click on
    this e-mail address  and type
    "remove" in the subject line. PLEASE NOTE: by opting to be removed
    from this list we will not be able to communicate to you, in
    real-time, on issues regarding your account." 

This is a clear case of blackmail on NSI's part. By clicking on the link,
they inform you that no further updates will reach you regarding your
domain. This means that you must suffer under their unethical ways and
receive their spam if you wish to receive mail about your registered
domain that you paid for. 


Reference >-----------------------------------------------------------------

Here is the full text of the mail for reference. Use this to alert others and
watch for blatant spam by NSI.

Date: Wed, 15 Sep 1999 21:00:29 -0400
From: Network Solutions
To: "T Jericho" 
Reply-To: Network Solutions
Subject: Important information about your domain name account

Dear T Jericho,

As a customer of Network Solutions or one of our Premier Program members,
we'd like to update you on three important items: 

1. On September 18, 1999, Network Solutions plans to move to a new
Web-based prepayment process for registering domain names.  At that point,
we will no longer accept NEW registrations without payment in full at time
of registration.  This new online payment method gives customers the
convenience of payment by credit card. THIS CHANGE DOES NOT AFFECT YOUR
CURRENT DOMAIN(S) IN ANY WAY AND NO ACTION IS REQUIRED ON YOUR PART. 

If you register ten or more domain names per month, you could be eligible
for Network Solutions' Affiliates or Business Account Programs. Under
these programs, you may qualify to continue receiving invoices for domain
name registrations.  To be eligible, you must apply at
http://www.netsol.com/affiliates or
http://www.netsol.com/business_account. 

2. Because you registered your domain name with us, your company has
received a FREE listing in the NEW dot com directory.  We believe the dot
com directory gives you a unique competitive advantage, enabling potential
customers to find and do business with you.  Search the directory for your
own business to see how easy it is!  Go to http://www.netsol.com/directory
to find your business.  You can also click on "Update Your Listing" to
search for and verify your company information. 

3. Lastly, we are pleased to offer you a FREE e-mail account using our new
dot com now mail service.  Because it's Web-based, you can use it in the
office, at home or on the road. You'll need the following information to
set up your account: 
 >>>>>>>>>>>>Login name:  jericho
 >>>>>>>>>>>>Password:    jerichonsi

Please visit http://www.netsol.com/dotcomnowmail to review all the
features of dot com now mail and set up your account. 

Thank you for choosing Network Solutions to launch and develop your
Internet identity.  We look forward to serving you for many years to come. 

Network Solutions, Inc.  the dot com people

Copyright 1999 Network Solutions, Inc.  Network Solutions is a registered
trademark.  The following are trademarks of Network Solutions, Inc.: the
dot com people; dot com directory; dot com now mail.  All rights reserved. 

If you do not wish to receive e-mail from Network Solutions, click on this
e-mail address  and type "remove" in the
subject line. PLEASE NOTE: by opting to be removed from this list we will
not be able to communicate to you, in real-time, on issues regarding your
account. 



(c)opyright 1999, Brian Martin. Permission granted to reprint this
advisory in full for any non-profit purpose.