Network Solutions Inc. Security Problem

               Attrition's Little Errata Report Team

                    -<)  A . L . E . R . T  (>-

 -----------------------------------------------------------------
   This advisory reports  a  recently-discovered security issue.
   It may contain a workaround or information on where to obtain
   an appropriate patch.  Advisories should be considered urgent
   as these notices are written only when the likelihood of wide
   impact is determined by the Attrition staff.  An HTML version
   of this and other advisories can be found at Attrition.Org at
   http://www.attrition.org/security/
 -----------------------------------------------------------------

                          NSI are morons

AFFECTED SYSTEMS

Any system with a registered domain name.

BACKGROUND

Network Solutions Inc. has the monopoly on the registration of domain names across the .com, .org and .net top level domains (TLDs). Thus, they have a “captive audience.” It was to this audience that Unsolicited Bulk Email (UBE) was sent regarding their services.

Due to Network Solutions (NSI) unsolicited email, practical monopoly on domain registration, and their own stupidity, all NSI “customers” are at risk. Two vulnerabilities have been identified at this time, “stupidity” and “blackmail” respectively.

NSI was contacted and made aware of this issue on Wed, 15 Sep. Due to past lack of correspondence on their part, no reply is expected.

BUG REPORT

Any NSI customer is vulnerable to a wide variety of social engineering attacks stemming from a “service” being forced upon them by NSI. NSI customers must continue to receive unsolicited spam at the threat of losing service from NSI.

Stupidity:

Beginning mid September, NSI began spamming their ‘customers’ with mail titled “Important information about your domain name account”. Anyone who has registered a domain via NSI is likely to be targeted and potentially affected by this security threat.

NSI’s mail goes on to offer all domain holders a free “dot com” email service. This web based email is akin to Hotmail or any of the other free mail services out there. Unfortunately, NSI makes two mistakes.

  1. As a domain holder, you are not given a choice in receiving this account. Further, NSI sends you the login name and password, via email, with no encryption or other means of protection or verification. Here is a sample from the mail I received. (Yes, my password was changed). “3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it’s Web-based, you can use it in the office, at home or on the road. You’ll need the following information to set up your account:
    >>>>>>>>>>>>Login name: jericho
    >>>>>>>>>>>>Password: jerichonsi”
  2. As you can probably guess, the login name and password are quite easily guessed. Examining my domain:

    Forced Attrition (ATTRITION2-DOM)
    Administrative Contact, Technical Contact, Zone Contact: Jericho, T (TJ2573) jericho@DIMENSIONAL.COM
    602.347.0028 (FAX) private

    By using the last name as the “login name”, and “last name+nsi” as the password, it is trivial to log into the ‘dot com’ mail service and pose as the legitimate owner of the domain.
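The weakness described above is that the initial login name and password are derivable from fields anyone can read in the public contact record. The following Python snippet is an added example (not part of the advisory, and not NSI code) of the check a registrar's provisioning system should run before issuing an initial credential: it flags a password built from a contact's public fields plus a registrar suffix, and generates a random one instead. The dictionary layout of `SAMPLE_CONTACT`, the `REGISTRAR_TOKENS` list and the function names are assumptions made for the example.

```python
import secrets
import string

# Constructed sample record mirroring the public contact data quoted in the
# advisory; the field names are an assumption, not a real registrar schema.
SAMPLE_CONTACT = {
    "domain": "ATTRITION2-DOM",
    "last_name": "Jericho",
    "first_initial": "T",
    "handle": "TJ2573",
    "email": "jericho@DIMENSIONAL.COM",
}

# Suffixes a provisioning script might bolt onto a public field (assumed list).
REGISTRAR_TOKENS = ("nsi", "netsol", "dotcom")

# Alphabet for randomly generated initial passwords.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"


def public_fragments(contact):
    """Return the lower-cased tokens readable straight off the public record.

    Single characters (e.g. a first initial) are dropped: they are in almost
    any password and would only produce false positives.
    """
    frags = set()
    for key in ("last_name", "first_initial", "handle", "domain"):
        value = contact.get(key, "")
        if value:
            frags.add(value.lower())
    domain = contact.get("domain", "").lower()
    if domain.endswith("-dom"):
        frags.add(domain[: -len("-dom")])  # "attrition2-dom" -> "attrition2"
    local, _, host = contact.get("email", "").partition("@")
    if local:
        frags.add(local.lower())
    if host:
        frags.add(host.split(".")[0].lower())
    return {f for f in frags if len(f) >= 3}


def is_derivable(password, contact):
    """True if the password is a public field alone, or a public field
    followed or preceded by a registrar token or a short digit run."""
    p = password.lower()
    for frag in public_fragments(contact):
        if frag in p:
            rest = p.replace(frag, "", 1)
            if rest == "" or rest in REGISTRAR_TOKENS or rest.isdigit():
                return True
    return False


def login_is_public(login, contact):
    """True if the login name is itself one of the public fields."""
    return login.lower() in public_fragments(contact)


def generate_initial_password(length=16):
    """Random initial password from the OS CSPRNG, with at least one lower,
    upper and digit character so it also passes common complexity rules."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw)
                and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def audit_initial_credentials(login, password, contact):
    """Return a list of findings; an empty list means the pair is acceptable."""
    findings = []
    if login_is_public(login, contact):
        findings.append("login name is a public contact field")
    if is_derivable(password, contact):
        findings.append("password is derivable from public contact fields")
    return findings


if __name__ == "__main__":
    # The pair quoted in the advisory fails both checks.
    print(audit_initial_credentials("jericho", "jerichonsi", SAMPLE_CONTACT))
    # A randomly generated password passes the derivability check.
    fresh = generate_initial_password()
    print(fresh, audit_initial_credentials("jericho", fresh, SAMPLE_CONTACT))
```

Note that the check only addresses guessability; the advisory's other complaint, that the password travelled in a plaintext mail, is not fixed by a stronger password but by not mailing the secret at all.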

Blackmail:

The last paragraph of the unsolicited mail reads:

“If you do not wish to receive e-mail from Network Solutions, click on this e-mail address netsolremove@integram.org and type “remove” in the subject line. PLEASE NOTE: by opting to be removed
from this list we will not be able to communicate to you, in real-time, on issues regarding your account.”

This is a clear case of blackmail on NSI’s part. By clicking on the link, they inform you that no further updates will reach you regarding your domain. This means that you must suffer under their unethical ways and receive their spam if you wish to receive mail about your registered domain that you paid for.

Reference:

Here is the full text of the mail for reference. Use this to alert others and watch for blatant spam by NSI.

Date: Wed, 15 Sep 1999 21:00:29 -0400
From: Network Solutions <netsol1@INTEGRAM.ORG>
To: “T Jericho” <jericho@dimensional.com>
Reply-To: Network Solutions <netsol1@INTEGRAM.ORG>
Subject: Important information about your domain name account

Dear T Jericho,

As a customer of Network Solutions or one of our Premier Program members, we’d like to update you on three important items:

  1. On September 18, 1999, Network Solutions plans to move to a new Web-based prepayment process for registering domain names. At that point, we will no longer accept NEW registrations without payment in full at time of registration. This new online payment method gives customers the convenience of payment by credit card. THIS CHANGE DOES NOT AFFECT YOUR CURRENT DOMAIN(S) IN ANY WAY AND NO ACTION IS REQUIRED ON YOUR PART.

If you register ten or more domain names per month, you could be eligible for Network Solutions’ Affiliates or Business Account Programs. Under these programs, you may qualify to continue receiving invoices for domain name registrations. To be eligible, you must apply at
http://www.netsol.com/affiliates or
http://www.netsol.com/business_account.

  2. Because you registered your domain name with us, your company has received a FREE listing in the NEW dot com directory. We believe the dot com directory gives you a unique competitive advantage, enabling potential customers to find and do business with you. Search the directory for your own business to see how easy it is! Go to http://www.netsol.com/directory to find your business. You can also click on “Update Your Listing” to search for and verify your company information.
  3. Lastly, we are pleased to offer you a FREE e-mail account using our new dot com now mail service. Because it’s Web-based, you can use it in the office, at home or on the road. You’ll need the following information to set up your account:

Login name: jericho
Password: jerichonsi

Please visit http://www.netsol.com/dotcomnowmail to review all the features of dot com now mail and set up your account.

Thank you for choosing Network Solutions to launch and develop your Internet identity. We look forward to serving you for many years to come.

Network Solutions, Inc. the dot com people

Copyright 1999 Network Solutions, Inc. Network Solutions is a registered trademark. The following are trademarks of Network Solutions, Inc.: the dot com people; dot com directory; dot com now mail. All rights reserved.

If you do not wish to receive e-mail from Network Solutions, click on this e-mail address netsolremove@integram.org and type “remove” in the subject line. PLEASE NOTE: by opting to be removed from this list we will not be able to communicate to you, in real-time, on issues regarding your account.

RECOMMENDED ACTIONS

Recipients of this UBE are encouraged to file a complaint with NSI regarding their lack of netiquette and obvious lack of security in handling their customer accounts. Recipients are also encouraged to send a cc: of the complaint to uce@ftc.gov as well as noc@netsol.com and ap@netsol.com.

CREDITS

ADVISORY AUTHOR: Jericho <jericho@attrition.org>

CONTACT INFORMATION

Questions regarding this advisory or information regarding new advisories and potential vulnerabilities should be directed to ALERT using one of the following methods:

E-Mail: alert@attrition.org
WWW : http://www.attrition.org/security/attrition.html

The ALERT PGP Public Key (PGP v2.6.2, RSA) is available at:
http://www.attrition.org/security/advisory/attrition/pubkey.txt

Defacto Damage: Unusual Trends in Loss Figures

[This was originally published on Aviary Magazine and mirrored on attrition.org.]

A disturbing trend is emerging in computer crime across the United States, one that cannot easily be passed off as mere coincidence. With each computer crime comes a figure for damages and losses. Not surprisingly, when media and law enforcement report these figures, they are rarely presented as estimates. These figures are reminiscent of the Software Publishing Association (SPA) and their stupendous ability to narrow in on precise damage figures. The SPA says that $3,074,266,000 in damages occurred as a result of software piracy in the United States in 1997. Ever wonder how the SPA can nail a figure like this down to the last 6,000 dollars?

This ability is migrating from software piracy to computer crime damage figures. Rather than inflating and using the age-old tactic of bolstering claims with precise figures, the ones waving these damage figures around aren’t that refined. Every time I see any monetary value placed on computer crime damage, be it software piracy or fallout from a malicious hacker, I always think back to a book I once read. The first two pages of the book How to Lie With Statistics explained this miraculous ability.

Relevant Numbers in Computer Crime

There are several numbers one should be familiar with when discussing computer crime. None of these is necessarily an exact figure; more importantly, they give a range to help put things in perspective. These numbers have been derived from patterns observed over several years of computer crime.

  • $10,000 – The unwritten amount of damage that must occur before the Federal Bureau of Investigation will take serious interest in the case. This figure exists because of the overwhelming number of cases they must deal with using limited resources.
  • “million” – Oftentimes “one million”, this is the magic figure to elicit public shock and a solid reaction. There is nothing like telling the public that millions of people were affected or millions of dollars in damage occurred.
  • 288 million – This figure is based on a single case discussed in more detail later. This number represents too much damage. If claims of damage or loss grow too high, the number can no longer be related to, and public sympathy is lost as a result.

Four Diverse Examples

We can examine four specific cases that illustrate the point and support the trend. Each example involves wildly different means that mysteriously reach the same ends.

One: New York Times (www.nytimes.com)

In September of 1998, the New York Times found themselves victim to hackers who defaced their web page. The intrusion and web page altering occurred on a Sunday morning and left the site down for nine hours. Varying reports followed claiming parts of the web site were still down up to a week later. The intrusion involved compromising between one and a dozen machines in their DMZ. Monday morning, the bulk of their web site appeared to be up and ready, faithfully kicking out news including the newly released Starr Report.

Summary: Between 1 – 12 machines compromised. Up to 24 hours of downtime on a Sunday (typically low traffic compared to weekday). The site does not charge viewers for any service.

Damage tag: $1,500,000. One million five hundred thousand dollars according to some.

Two: Route 66 ISP (www.rt66.com)

Throughout a significant part of 1998, an ISP located in New Mexico supposedly received a devastating hacker attack. During this lengthy intrusion, hackers kept control of machines despite administrator attempts to boot them off the system. The intruders compromised the customer credit card file containing some 1749 credit card numbers. They went on to deface the web page of the ISP and were eventually blamed for 5% of the customers cancelling service.

Summary: Between 1 – 6 machines compromised. Several months of administrator headache in dealing with intruders. Credit card database compromised.

Damage tag: $1,800,000. One million eight hundred thousand dollars according to some close to the case.

Three: Kevin Mitnick

Perhaps one of the most prolific hackers in the media, Kevin Mitnick’s deeds are a matter of legend. Kevin is allegedly responsible for intruding into the networks of Sun Microsystems, Motorola, Fujitsu, Novell, Colorado Supernet, Netcom, Nokia, the Well and other systems. The intrusions are believed to have occurred over a year or more, involving hundreds of machines. Kevin reputedly stole proprietary source code for operating systems or cellular phones from half a dozen companies. Included in his escapades was the pilfering of the Netcom customer credit card database, almost 20,000 cards.

Pinpointing damage in the Mitnick saga is a monumental task. In the past twelve months, damage figures have dropped from $299,927,389.61 to, you guessed it, $1.5 million. Interim figures also pinned damages at between $80 million and $291 million.

Summary: Hundreds of machines compromised over two year span. Proprietary source code to half a dozen operating systems or cellular telephones stolen. Approximately 20,000 credit cards compromised.

Damage Tag: $1,500,000. One million five hundred thousand dollars according to federal prosecutors.

Four: The Phonemasters

In the span of three or more years, three individuals known as the ‘phonemasters’ infiltrated systems belonging to (list of cos). Demonstrating complete control and access to these systems, federal prosecutors claimed life threatening resources were at risk because of their intrusions. Everything from 911 emergency systems to air traffic control could be shut down with a push of a button. What kind of price do you put on that many human lives?

Damage Tag: $1,850,000. One million eight hundred fifty thousand dollars according to federal prosecutors.

Comparison

Looking at a damage tag of 1.5 million dollars, we can compare the case of the New York Times with Kevin Mitnick’s deeds. A single web page defaced, versus an alleged two year spree of breaking into some of the largest cellular phone manufacturers as well as vendors who create powerful operating systems. The New York Times case involved no theft of information, while Kevin Mitnick was believed to have stolen millions of lines of proprietary source code, tens of thousands of credit card numbers and more. Is it coincidence or logic that led to each having the same damage placed on them?

Perhaps more bizarre is the comparison between Route 66 and the ‘phonemasters’. A single ISP with no more than five thousand customers claims the same amount of damages as three hackers compromising hundreds of phone systems, credit bureaus, emergency systems and more. The loss of 1749 credit cards versus the compromise of entire credit companies with access to hundreds of thousands of credit cards. Yet each incident claimed almost the same amount. 1.85 million dollars in supposed damages from each.

Conclusion: The Magic Number

It is extremely ironic that these four drastically different cases of computer crime all ended with roughly the same monetary damage figure. Two claims of 1.5 million and two claims of 1.8 million. It becomes obvious that these claims cannot all be right. At best, only two of the four cases could feasibly be accurate and maintain any semblance of logic. I think it more accurate to say that perhaps only a single one is near the actual damage tag. The rest are cashing in on a convenient number that is ideal for public relations and courtrooms.

The next time you are the victim of computer crime, don’t bother paying a dime for investigation into the events or the actual damage. Instead, use that money to secure your system while you casually slap on a damage figure of roughly 1.5 million dollars. It is far easier to use the magic number than to spend time and effort researching the actual damage. After all, you are the victim; why would anyone challenge you?

Diary Entry 8[15]99

[This was originally published in Underground Experts United Issue #514 and mirrored on attrition.org. The exact publish date is not known.]

Sunday night has come and gone, time spent at the usual. I can’t help but wonder why I go to that place with all the preppy assholes. Even dancing alone I feel a thousand eyes staring me up and down, as if they are fighting over which one will come up and verbally molest me next. I can’t even wear half my clothes in that place since they take nice outfits to mean “please, date rape me”. Fuckers.

Tonight was different though. Four hours of public solitude interrupted by some guy who had the nerve to catch my eye. Just as I had resolved myself to give up on dating and men in general, someone stands out and actually makes me wonder. I am not pleased with myself. Becoming a lesbian had a certain appeal.

Nothing stood out about this guy at all. Perhaps that is what bothers me and has prompted me to flesh out my thoughts right now. Average height, average looks. He looked a bit beyond his age from what I could tell, but not unattractive. For all intents and purposes, just ‘average’. Dressed in solitary, unrelenting black, except for his shirt, which stated in bleach discolorment “shy”.

No doubt that is what prompted some dickhead jock to start in on him. At first it was just bumping into him while dancing. Then it led to dirty looks and implied confrontation, as if the jock was begging for a fight. Mr. Shy shrugged it off and continued to dance to himself, barely looking up at anyone, often dancing for minutes at a time with his eyes closed.

I thought nothing would happen. Mr. Shy showed patience and tolerance well beyond what I would have had I been in his boots. Anyone that received that much shit in a one hour period was a likely candidate to go postal (to be politically incorrect). So I danced, all night long as close to him as I could. No matter how much I looked at him I couldn’t get up the nerve to talk. Yes, me, the so called slut couldn’t hit on him.

The last part of the night was a blur, but I won’t forget it I don’t think. The jock squaring off with Mr. Shy under the light in the parking lot. Challenging him and insulting him for every pathetic reason that came to mind. Situations like this disgust me and I guess I wasn’t the only one. Mr. Shy stood there with his hands clasped behind his back, with a look of pity on his face.

Before a crowd could gather, jock loser lashed out and punched Mr. Shy in the jaw. It whipped his head around in such a way I thought his neck could have been broken. Surprise. Instead of falling back or reacting in any normal fashion, Mr. Shy slowly turned his head back around. A trickle of a tear streamed down his left cheek. The smile that adorned his face was one of intense pleasure and evil rolled in one. It had the same shocking effect on jock loser as it did me I believe.

I can’t remember exactly what Mr. Shy said, and I don’t think I heard it all either. He was smiling, licked the blood running at the corner of his mouth and said “Any more of that and you’re going to turn me on.” I don’t know if he meant it or was just saying it to get a reaction out of the preppy asshole, but it worked. Jockboy looked around as if this was some kind of joke, or maybe looking for his friends or merely reassurance that he was still cool. Didn’t matter.

Jockboy tried to don a face of anger and lashed out again, once again to the jaw. Mr. Shy stood there, head whipped back again, hands clasped behind his back. It was my turn to look around as if this was some kind of joke. Compared to the jock, he was small, almost frail even. I had stepped forward to see what was going on and hear anything further. I’m glad I did. Mr. Shy responded to the second hit with a more disturbing comment. “This is foreplay bitch.”

It must have been a minute later, that or Mr. Shy’s reflexes were much better than I could imagine. It seemed like five seconds at the time. Four hits to the face, three to the gut, and a swift kick to jock’s balls making sure he would get no play that night. The controlled rage that must have been pumping through Mr. Shy was impressive. No other way to describe it.

As jock loser lay bleeding on the ground, Mr. Shy sat on his chest pinning him to the asphalt. He reached down grabbing Jockboy’s shirt, half pulling him up, half leaning down. I couldn’t hear what Mr. Shy said, but it had its intended effect. I don’t recall seeing terror personified on someone’s face like it was on Jockboy’s. Scary shit.

The transition from shy dancer enjoying the music to savage ass kicker extraordinaire. Someone so plain and average, yet so different even though we didn’t talk. I’m glad to have seen him for the short term tonight. He is the first guy that has brought back feelings I lost over a year ago after breaking up with John. Strangers dance in the night, and I pay the price of solitude a bit longer.