Password Security

Password security is important generally and does not just apply to domains.  The number one rule:  DON’T USE THE SAME PASSWORD ON DIFFERENT SITES.

The way to do this and still remember the password is to use a password vault.  See the privacy.net review of the free KeePass program that can run on a pen drive or phone.  It can generate complex passwords for each site and save them all in one place.

Registrant

The registrant is the owner of the domain.  That means if an employee, hosting company, or one member of a partnership has their name in there then they are the domain owner.  There have been many disputes and lawsuits because the domain owner was not properly identified when the domain was registered.

Whois “privacy” services:  The so-called “whois privacy” or proxy services offered by many domain registration providers cost a couple of dollars per year.  There is no official whois proxy policy for domain names, so when you use this service you are essentially transferring ownership to the domain registrar because they are now the legal owner.  While these proxy services have been recognized in some legal proceedings, there is no guarantee.  Most registrars will simply turn off whois privacy if there is a legal dispute because they will not spend thousands in legal fees for a customer paying $2/year for a privacy service.  If privacy in the whois records is required you should set this up yourself and not depend on a $2/year service.  (Note that just using a PO Box is not sufficient in the USA.  The information can be obtained from the post office using the Freedom of Information Act.)  See Theodore Presser Company v. John Smith/Whois Protection | Letter from Intellectual Property Constituency (IPC) to ICANN concerning whois privacy | NameCheap sued over WhoisGuard | Moniker sued for child porn because of whois privacy

ICANN CEO found using fake whois data

The registrant name and address are used for all types of scams.  These include:

-False or misleading “renewal” notices or “search engine optimization” subscriptions, which are common.  (See 2003 case: Court Bars Canadian Company from Misleading Consumers in Marketing of Internet Domain Name Services)

-Sending trademark “warnings” that similar domains may be registered unless you pay them to get it first.

-Extortion attempts claiming that defamatory information will be posted about you on the Internet so it will appear in search engines … unless you pay up.

-Extortion threats related to defacing web sites or stealing personal data of your customers.

-Frivolous trademark claims.

Administrative Contact

The administrative contact is used for a variety of attacks:

-E-mail accounts can be compromised or hacked (like Sarah Palin’s), or a keystroke logger could be installed on your system by a hacker.

-Abandoned e-mail addresses for free e-mail services such as Yahoo or Hotmail.  The attacker can simply sign up for the account and take over the domain.  A variation of this is to look for expired domains used for the administrative e-mail.  The expired domain can be registered again and the e-mail account set up to take control of the domain.

-False domain renewal notices can be sent to the e-mail address with the intent of capturing the login credentials.

-False offers of a domain purchase in order to get the owner to pay for an “appraisal.”

 

Registrar of Record

The Registrar identity can be used to attempt to get the login credentials.

-If your registrar offers “secret” questions to recover a password this could lead to compromise (like Sarah Palin).

-The registrar has control of your records and they could simply take your domain and put it in someone else’s name.  Be careful about which company registered your domain.  For instance, would you put your money in a bank that uses strippers in Super Bowl ads?  Use common sense when using a domain registrar and check to see what happened in previous legal disputes.

-Note that some registrars will make it difficult to transfer the domain to a different registrar.  Transfer requires the Transfer Authorization Code (called Extensible Provisioning Protocol (EPP) code, auth code, transfer secret, etc.).  By denying access to the code the registrar can prevent your transfer out and force a payment for renewal if it expires.  A complaint can be filed at Internic.net if this happens.

Domain Name

The domain name itself can be attacked by the registration of similar domains such as typos or domains in different extensions (for example, .net vs. .com or registering wwwexample.com).  Mistyped traffic (both web site visits and e-mail) could be sent to these domains instead of the intended domain.
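
A defensive check for the lookalike registrations described above, added here as an example (not code from the original page): it flags observed domains, for instance from a new-registration feed or mail logs, that differ from your own by extension, a missing dot after “www”, or a single typo. The function names and the sample list are constructed, and inputs are assumed to be registrable domains such as example.com.

```python
def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # swapped neighbours, e.g. "ma" for "am"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(candidate, own):
    """Return why `candidate` resembles `own`, or None if it does not (or is `own`)."""
    cand_label, _, cand_tld = candidate.lower().rstrip(".").partition(".")
    own_label, _, own_tld = own.lower().rstrip(".").partition(".")
    if (cand_label, cand_tld) == (own_label, own_tld):
        return None                       # this is our own domain
    if cand_label == own_label:
        return "tld-variant"              # example.net vs. example.com
    if cand_label == "www" + own_label:
        return "missing-dot"              # wwwexample.com
    if osa_distance(cand_label, own_label) == 1:
        return "typo"                     # one keystroke away
    return None


def find_lookalikes(observed, own):
    """Map each suspicious observed domain to the reason it was flagged."""
    hits = {}
    for domain in observed:
        reason = classify(domain, own)
        if reason:
            hits[domain] = reason
    return hits


# Constructed sample input, not real observations.
OBSERVED = ["example.net", "wwwexample.com", "exmaple.com",
            "examp1e.com", "example.com", "unrelated.org"]

if __name__ == "__main__":
    for domain, reason in find_lookalikes(OBSERVED, "example.com").items():
        print(f"{domain}: {reason}")
```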

Expiration Date

The domain expiration date is very important because if your domain expires it could be lost.  Most, but not all, registrars give a grace period for renewal after it expires.  There have been many situations, lawsuits, and grief because domain owners did not keep their domain renewed.  Domains can be registered up to 10 years in advance for less than $10 per year.

Note that if a domain is in “Redemption Period” the domain MAY be able to be renewed for an additional fee of around $80 – $200.  If the domain is valuable the registrar may take it or auction it off.

 

DNS Servers

The DNS servers hold the records for the domain.  Many people are confused about this because they think the domain registrar maintains their domain configuration information.  That is not true; they simply maintain the identity of the servers that contain the actual records.  For WhoisSecurity.com the computers “dns.help.org” and “dns2.help.org” hold the configuration information for the domain.

The main source of attack is to compromise those servers by breaking into the machine directly, or using some other scheme such as sending false information (DNS cache poisoning).   Usually these servers are operated by a web hosting company and the user is not aware of the settings or security.

One way to protect against spoofed e-mail from your domain is to use a Sender Policy Framework (SPF) record.  An SPF record is a text record that indicates which servers should send e-mail for a domain.  (Microsoft SPF Tool).  If a spammer uses your domain to send forged spam the receiver can tell it is a forgery from the SPF configuration.  This is usually configured at the mail server.

DNS Security, or DNSSEC, can be implemented for some types of domains and gives a greater level of security for DNS requests.  The DNS records are verified cryptographically but, at this point, not many applications utilize the feature.

Domain Status

The domain status shows if your domain is “locked.”  Locking a domain at your registrar prevents unauthorized transfers and may prevent other changes such as the DNS servers or registrant (rules vary for different types of domains).  Always keep domains locked unless changes are being made.
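
An added example (not from the original page) that audits one whois record for three of the risks covered above: an approaching expiration date, a domain that is not locked, and an administrative contact on a free e-mail service. The sample record is constructed, the field names assume the common “Key: value” whois layout, and the lock is taken to be the EPP status clientTransferProhibited.

```python
from datetime import datetime, timezone

# Constructed sample in the "Key: value" layout many registries and registrars return.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2025-03-01T04:00:00Z
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.EXAMPLE.NET
Name Server: NS2.EXAMPLE.NET
Admin Email: owner1998@yahoo.com
"""

FREE_MAIL = {"yahoo.com", "hotmail.com"}  # the services named above; extend as needed


def parse_whois(text):
    """Collect repeated "Key: value" lines into {lowercased key: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def audit_whois(text, today, warn_days=60):
    """Return finding codes for one whois record; `today` must be timezone-aware."""
    fields = parse_whois(text)
    findings = []
    expiry = fields.get("registry expiry date")
    if not expiry:
        findings.append("expiry-unknown")
    else:
        expires = datetime.fromisoformat(expiry[0].replace("Z", "+00:00"))
        if (expires - today).days < warn_days:
            findings.append("expires-soon")
    # A registrar lock appears as the EPP status clientTransferProhibited.
    statuses = {s.split()[0].lower() for s in fields.get("domain status", [])}
    if "clienttransferprohibited" not in statuses:
        findings.append("not-locked")
    for address in fields.get("admin email", []):
        if address.rpartition("@")[2].lower() in FREE_MAIL:
            findings.append("admin-on-free-mail")
    return findings


if __name__ == "__main__":
    print(audit_whois(SAMPLE_WHOIS, datetime(2025, 2, 1, tzinfo=timezone.utc)))
```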