.UK domains left at risk of theft in Enom blunder

Thousands of UK companies were at risk of having their .uk domain names stolen for more than four months by a critical security failure at domain registrar Enom. The security lapse allowed .uk domains to be transferred between Enom accounts with no verification, authorisation or logs. Any domains hijacked would have been “ …

  1. Cronus
    FAIL

    No doubt they'll claim that there's no evidence that this has been exploited in the wild. Which of course will be true as they weren't bloody logging anything!

    1. Lee D Silver badge

      I remember being on the receiving end of a complaint from a customer that their website that I managed for them was "gone". After much digging, the FTP site was completely empty. Given that only I had the access codes, it was quite strange as I hadn't touched that customer's site in months.

      They were paying 123-Reg for FTP hosting, I set it up for them and they just paid it each year, so it wasn't really much to do with me, and I had backups so recovering it wasn't a big deal. But then I obviously told the customer what happened, and they complained to 123-Reg.

      I got a really stroppy call from them soon after saying that I was lying, etc. etc. etc. So after much discussion, and getting through to the only guy who actually had techy access, I got to the bottom of the problem: They couldn't tell me who logged into FTP. When. From where. What was done. What backup those files were on. No way to restore from their backups. Nothing whatsoever.

      So they could not disprove my "You just trashed the storage for the account, didn't you?" assertion. And they had to concede. Especially given as they had NO WAY to even say "Ah, but you logged in just before the files were reported missing" or whatever.

      Shortly after, they lost all the custom anyway, but I couldn't fathom how a major web-host hosting business FTP servers at the prices they charge could not maintain the most basic of access logs.

  2. Chewi

    Mmmm domains

    Nom nom nom.

  3. SteveK

    The security lapse allowed .uk domains to be transferred between Enom accounts with no verification, authorisation or logs.

    Any domains hijacked would have been “extremely hard or impossible” to recover, according to The M Group, the security firm that discovered the flaw.

    Err, why? Surely if both victim and thief have Enom accounts, you just use the same trick to steal the domain back again?

    1. Alan J. Wylie

      Surely if both victim and thief have Enom accounts, you just use the same trick to steal the domain back again?

      Step 5 of the M group's advisory (linked to in the original article):

      (optional) Immediately transfer the domain elsewhere by changing the IPS tag and registrant email address making the domain extremely difficult if not impossible to recover without a manual intervention

  4. Anonymous Coward

    Re: "extremely hard or impossible” to recover

    Can't you just log in to Nominet to recover the domain? I don't think registrars can change the email address associated with .uk domains, Nominet charges £10+VAT to transfer domain ownership.

    1. Eccles1

      Re: "extremely hard or impossible” to recover

      Accredited registrars can change the registrant's email address and do tag changes within a few seconds.

      1. Stuart 22

        Re: "extremely hard or impossible” to recover

        But you can still go back to Nominet - one of the few internet organisations with a usually helpful support desk. If the registrant name/organisation has not been changed then you can, as long as you can verify yourself.

        Remember, if they try to change registrant, it's probably going to fail on verification. We often have issues with perfectly legitimate ones. If anything, their controls are too tight. Which is good here.

        This is probably the one great advantage of .uk - there is a lifeboat of local organisation rather more dedicated to serving the legitimate internet community than shareholders. Though this dedication is fading a little as subservience to government and the whims of expansionist CEOs take precedence.

        Bottom line: give 'em a call. They will want to help.

  5. Anonymous Coward

    Crap response...

    ... they only actually did something once it became public knowledge, until that point they just sat on their collective arses hoping it would go away, instead of disabling it and coming up with a solution - which isn't rocket science to come up with.
