Balkan War in Domain Attacks?



Edited/Distributed by HURINet - The Human Rights Information Network
---------------------------------------------------------------------
## author     : ehajdarp@VIRTU.SAR.USF.EDU
## date       : 24.05.00
---------------------------------------------------------------------
http://www.wired.com/news/politics/0,1283,35674,00.html

Balkan War in Domain Attacks?
by Chris Oakes

Apr. 15, 2000
www.wired.com

Domain-name hijackers are taking over hundreds of websites
in a campaign that may be rooted in tensions among Balkan
states, site owners and monitors say.

Individuals listing Serbian and Albanian postal addresses in
recent weeks have exploited a weakness in registrar Network
Solutions and appropriated names registered through the
company, officials there said.

Domain takeovers enable the hijacker to control the server
associated with a domain name, such as Viagra.com or
Indianajones.com. Hijackers can then reassign the domain
name to another Web server, or to no server at all,
scuttling all traffic intended to go to the site.

This latest round of mass hijackings could be random hacking
or part of a fledgling Balkan info-war, but since online
identities can be easily spoofed, it's hard to know for
sure.

Network Solutions spokeswoman Cheryl Regan confirmed that
many domains had recently been "redirected" to a registrant
listing an Albanian address, but refused to pinpoint the
exact number of affected domains beyond "considerably less
than 2,000."

WebDNS, a domain-name system-monitoring service based in
England, reported Thursday that at least 50 domain names
have been attacked since April 9, including Adidas.com,
Jamesbond.com, Mafia.com, France.com, Italy.com, Spain.com,
Slovenia.com, Croatia.com, Sarajevo.com, Kosova.com,
Washington.com, and Bosnia.com.

"We have been in contact with owners of some of the domain
names affected and have found the companies were either not
aware of the situation or had been alerted by the fact
services were failing," said WebDNS founder Alex Jeffreys.
"Many had been in touch with Network Solutions and were in
the process of having the domain re-transferred."

Among the victimized sites were those run by pro-democracy
groups and other Web publications maintained by Serbian
political opponents, such as Montenegro.com and Bosnia.com,
both of which have since been returned to their owners.

Hijackers have targeted Internet domain names belonging to
Montenegran pro-democracy activists and to news and
information sites, said Montenegro.com owner Alex Obradovic,
who runs Montenegro.com and related domains from Los
Angeles. The sites provide updates on developments between
Montenegro and its parent republic of Serbia.

Obradovic is convinced the hijacking is the work of hackers
conducting an electronic attack on Montenegro, a
Serbo-Croatian constituent republic bordering Serbia. Using
electronic tracing tools, he determined that the Internet
service hosting the hijackers is based in the Serbian
capital of Belgrade. He says the possibility that hackers
were dialing into the service's account from outside Serbia
is "unlikely."

Network Solutions was able to return the domains to
Obradovic before any changes were made, he said. But other
Balkan-related domains, including Slovenia.com and
Croatia.com, have been hijacked for weeks and remain so, he
said.

Late Friday, the Slovenia.com domain carried the message:
"KOSOVO IS SERBIA Site hacked BYGreb-a-Thor and
ScsiMaster.... Be happy if we hacked your site because we
hack ONLY the best sites on the Internet!"

Obradovic suspects the hijackers are trying to undermine the
spread of information in Montenegro and other republics as
part of a propaganda war against opposition states.

Network Solutions' Regan would not comment on the possible
info-war motive, nor confirm the likely geographical origins
of the hijacking campaign. "We cannot address specifics of
our active investigation of this domain-name attack," she
said.

Regan said many of the hijacked domains had since been
returned to their original owners. But a registry search
early Friday showed that at least 50 domains still listed
the hijackers' phony contact name, justdoit@megapost.net.

Later Friday the same search showed zero results, suggesting
the company had disabled many of the hijacked records.

An assortment of random domains were caught in the attack as
well, suggesting that the Balkan sites may be only a red
herring in the campaign.

Among the other domains reported stolen was
UnitedStates.com, which said two of its domain names were
redirected to addresses in Serbia and then Albania.

But according to WebDNS, all of the hijacked accounts had
one thing in common: They all were registered by Network
Solutions.

The hijackers took advantage of the same weakness in Network
Solutions' registration system that has plagued the company
for months.

The Network Solutions technical or procedural glitch
resulted earlier this week in the temporary loss of a domain
owned by Web-filtering company Solid Oak Software.

Ongoing hijackings are not unusual, Network Solutions
acknowledges, but the company said the numbers are typically
small.

WebDNS's Jeffreys concluded that Network Solutions has
serious security problems with database maintenance and
changes, blaming it in part on the company's automated email
system used to execute changes.

In response to the recent attacks, Network Solutions' only
suggestion was for customers to invest in higher security.
The company said early this week in response to the problem
at Solid Oak that an overhaul of its registry system was a
possibility.

"Emphasis needs to be made here that the domain names that
had been attacked or 'hijacked' were those whose registrants
had subscribed to ... the lowest protection scheme
available (by Network Solutions) for a domain-name record,"
Regan said.


