heidi: (legally)
[personal profile] heidi
BNMQ.com, the entity that managed to get ArtisticAlley to point to their site, shows up a few times in Google as a spammer, and as a hijacker. I'd love to be able to get some press on this situation, because this is clearly not the first time it's happened, but in the non-industry press, I haven't seen much coverage - if any - of this kind of situation. If anyone wants to do more investigation of the Bad Guys, that would be great.

The situation is this - they hide their real name and address on their domain name registration things, and instead, they've used a company called PrivacyProtect.org as their address/contact information, but, of course, PrivacyProtect's phone number didn't work *either*. So, luckily, Google allowed me to google for the address on the registration - 14781 Memorial Dr. Suite # 792 in Texas - which led me to www.publicdomainregistry.com, who do have a working phone number, which I called. So they told me how to report it via their website, which I did via this page. While I don't normally recommend sending barrages of emails to registrants, if we don't get results from them by the end of the day today, I can't see a downside to people making legitimate complaints about BNMQ.com via their Report a False WHOIS page, as, well, it is false WHOIS info, isn't it?

Just so the techies can have it, the DNS they switched everything to is NS1.bnmq.com and NS2.bnmq.com.

(no subject)

Date: 2006-04-28 01:46 pm (UTC)
From: [identity profile] marauderthesn.livejournal.com
Go Heidi. If I had to do all this, I would have totally lost it by now. :)

(no subject)

Date: 2006-04-28 02:23 pm (UTC)
From: [identity profile] pennswoods.livejournal.com
*is disgusted*

Just say the word, and I'll be happy to oblige with a complaint report! Of course, as it's the end of the week, they'll probably hide behind the whole "it's after business hours Friday so we couldn't do anything until Monday" excuse.

(no subject)

Date: 2006-04-28 02:37 pm (UTC)
From: (Anonymous)
Do you know where in Texas? Just wondering, because there's a memorial drive office building near me. -_-

But I'm also sure it's a common street name.

I hope the news picks it up. I don't see why not. Everything HP related seems to make some news these days.

-Ani at work

(no subject)

Date: 2006-04-28 03:28 pm (UTC)
From: [identity profile] heidi8.livejournal.com
In Houston. Seems to be near a post office.
(deleted comment)

(no subject)

Date: 2006-04-28 03:27 pm (UTC)
From: [identity profile] heidi8.livejournal.com
But they *were* locked. They were supposedly automatically locked when they changed to a new management backend last July. Now Register.com has it in a hold position, and I have NO idea what is going on! WIBBLE!

(no subject)

Date: 2006-04-28 03:14 pm (UTC)
From: [identity profile] wickedelf.livejournal.com
I'm sorry you have to go through this - what bastards!

Out of curiosity, was the domain locked? (as the person above mentioned) Because if it was, perhaps you could force your registrar to do something about it, since you didn't confirm the change. Plus, I'm curious to see if domain-locking is vulnerable (mine are all locked). I get emails about 'changes' all the time, that seem to end implying the domain-lock stopped the changes, but I'm not really sure of the process.

(no subject)

Date: 2006-04-28 03:28 pm (UTC)
From: [identity profile] heidi8.livejournal.com
It supposedly was - all the other domain names on that account are. But I am not sure if the lock applies to the DNS, or just the contact information.

(no subject)

Date: 2006-04-28 03:35 pm (UTC)
From: [identity profile] wickedelf.livejournal.com
Aww man, that's true, I just went into mine to test it and it doesn't block me at all from changing the nameservers, even though everything is locked. WTF good is that?

(no subject)

Date: 2006-04-28 03:40 pm (UTC)
From: [identity profile] heidi8.livejournal.com
It means someone can't move it to another REGISTRAR. Which does what, exactly? You're bloody right, grrr.

(no subject)

Date: 2006-04-28 03:47 pm (UTC)
From: [identity profile] wickedelf.livejournal.com
Ah, so it's just to make it difficult to take your business elsewhere... *rolls eyes*

Bizarre, I went through and relocked everything just in case and it says:
Locking your domain prevents changes from being made to domain contacts and name servers, and prevents the domain name from being transferred to another registrar without your knowledge.

And then not only was I able to make name server changes, but also contact info changes without having to unlock the domain (I've always had to unlock them before to do anything). Yeah... that works well.

(no subject)

Date: 2006-04-28 04:14 pm (UTC)
From: [identity profile] ivyblossom.livejournal.com
I'm so sorry this has happened to you, Heidi, but man I'm glad if it had to happen to someone in fandom, they opted to mess with you. Because you're the person I know will get to the bottom of it and not take any crap from them. Please shout if you need anything at all. When I'm home from work I'll post about it on my real person blog to generate some interest in my professional circles.

(no subject)

Date: 2006-04-29 01:19 am (UTC)
From: [identity profile] heidi8.livejournal.com
Thanks, sweetie. And gah, I'd love to be a role model for what to do when someone fucks with your site - don't just cave - get bitchy.

(no subject)

Date: 2006-04-28 05:16 pm (UTC)
From: [identity profile] imaginarycircus.livejournal.com
Is it bad that my first thought was I wish we could get enough people to visit their site at once to crash their server. . .

(no subject)

Date: 2006-04-28 05:16 pm (UTC)
From: [identity profile] photosinensis.livejournal.com
Y'know, that office isn't too incredibly far from me. Sure, it might be the other side of town, but still.

I've always boggled at domain hijackers. There's not much to gain from it other than pissing people off. However, I guess that there are people who get off on such things.

not sure if this is redundant or not:

Date: 2006-04-28 05:42 pm (UTC)
From: [identity profile] imaginarycircus.livejournal.com
http://www.informit.com/articles/article.asp?p=29015&seqNum=3

"But what if someone changed the IP address for an authoritative name server in the registrar's database? If that happened, users would be sent to the wrong web server—without the user or the owner of the real site being aware of the redirection. Though making such domain name changes is a powerful attack tool, it's also relatively simple to do. Why? Because changes to domain registrations are frequently done through email, and the authentication methods to ascertain whether an authorized person is making the changes are most often very weak. The problem with authentication is that the registrar doesn't send a confirmation email if the request is sent from the same email as the person owning the contact or the domain name itself. Therefore, utilizing this flaw, someone could spoof anyone's email address and change any domain name's information."

"To prevent these types of attacks, it's necessary to have security built directly into DNS systems:

* To minimize the risk of a spoofing attack, every organization or individual responsible for a domain should consult the developer of the domain's name server as to whether the server is secure against DNS spoofing.

* Email can be forged, as mentioned earlier. If you accept domain changes via email, require an SSL-encrypted web page or PGP signed and encrypted email for all changes to domain information.

* One of the best solutions so far to guard against DNS hijacking has appeared in the form of DNS Security (DNSSEC). DNSSEC supplies cryptographic verification information along with DNS messages. That means that public key cryptography is combined with digital signatures to provide a means for a requester of domain information to authenticate itself. DNSSEC ensures that a request can be traced back to a trusted source, either directly or via a chain of trust linking the source of the information to the top of the DNS hierarchy.

  DNSSEC adds two new record types for authentication in DNS: the KEY record and the SIG record. Like many encryption schemes, the KEY record stores the public key for a host or administrative zone. The SIG record stores a digital signature associated with each set of records. In a signed zone, each record set includes a SIG record. The SIG record contains the signature of the set as generated by the above zone KEY. Briefly, a DNSSEC-aware resolver can determine whether a zone is signed, and if the resolver sees an unsigned recordset when it expects a signed one it can identify that there's an error.

* Use strong passwords and SSL systems for registering and authorizing changes to your domain names, and use registrars that assist you with setting up these security methods. In addition, don't rely on faxed documents or phone calls, as malicious attackers can easily forge them."


This is what happened to RSA, the security company. Article here:

http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=8170&DisplayTab=Article


You know this is totally your Web Host's fault.
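
An added example, not part of any comment in this thread or of the quoted article: a small Python audit that reads WHOIS text for a domain, flags name servers that differ from the owner's expected set, and reports which registrar operations the domain's lock actually covers (in EPP, "update" is the operation that includes name-server and contact changes, separate from "transfer"). The WHOIS excerpt is constructed, `example.com` and `example-host.net` are placeholder names, and the status codes are the standard EPP ones from RFC 5731 rather than anything quoted on this page.

```python
# EPP status codes (RFC 5731) mapped to the operation each one blocks.
BLOCKS = {
    "clientTransferProhibited": "transfer",
    "serverTransferProhibited": "transfer",
    "clientUpdateProhibited": "update",
    "serverUpdateProhibited": "update",
    "clientDeleteProhibited": "delete",
    "serverDeleteProhibited": "delete",
}

# Constructed WHOIS excerpt: a "locked" domain whose delegation was changed.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.BNMQ.COM
Name Server: NS2.BNMQ.COM
"""

def parse_whois(text):
    """Return (set of EPP status codes, set of lower-cased name servers)."""
    statuses, servers = set(), set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key == "domain status":
            statuses.add(value.split()[0])  # drop the trailing reference URL
        elif key == "name server":
            servers.add(value.split()[0].rstrip(".").lower())
    return statuses, servers

def audit(text, expected_ns):
    """List findings: rogue delegation and operations the lock leaves open."""
    statuses, servers = parse_whois(text)
    expected = {ns.rstrip(".").lower() for ns in expected_ns}
    findings = []
    rogue = sorted(servers - expected)
    if rogue:
        findings.append("unexpected name servers: " + ", ".join(rogue))
    blocked = {BLOCKS[s] for s in statuses if s in BLOCKS}
    for op in ("transfer", "update", "delete"):
        if op not in blocked:
            findings.append(f"{op} is not locked")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WHOIS, ["ns1.example-host.net", "ns2.example-host.net"]):
        print(finding)
```
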

(no subject)

Date: 2006-04-28 07:40 pm (UTC)
From: [identity profile] msbhaven.livejournal.com
Spammers...whoa. Look at their robot text file (http://www.bnmq.com/robots.txt) they have the nerve to disallow bots, when I bet they use 'em.

(no subject)

Date: 2006-04-28 09:18 pm (UTC)
From: [identity profile] elseinane.livejournal.com
I'm not a techie - but I am an ex-skip tracer for a collection agency.

Contact Information
ResellerSRS Inc dba http://www.ResellerSRS.com
14781 Memorial Dr., Suite # 792
Houston, Texas 77079
United States
Houston, TX: +1 (832) 615 1680, Miami, FL: +1 (305) 503 6155
sales@resellersrs.com

I doubt this is much help - but there you go.

(no subject)

Date: 2006-04-28 09:50 pm (UTC)
From: [identity profile] kokopoko.livejournal.com
Welcome to the dark side of the net. These guys have hit other sites such as affiliate marketer sites. Privacy protecting your domain is necessary in our business to stop the spam emails, hate email, etc. I do it. It's not a false registration, it's just private. The only thing my friends could do was get an attorney. I don't know what the attorney did.