The One-Week Hijacking of Perl.com - Explained (perl.com) 10
"For a week we lost control of the Perl.com domain," a long-running site offering news and articles about the programming language, writes the site's senior editor, brian d foy.
"Now that the incident has died down, we can explain some of what happened and how we handled it." This incident only affected the domain ownership of Perl.com and there was no other compromise of community resources. This website was still there, but DNS was handing out different IP numbers...
Recovering the domain wasn't the end of the response though. While the domain was compromised, various security products had blacklisted Perl.com and some DNS servers had sinkholed it. We figured that would naturally work itself out, so we didn't immediately celebrate the return of Perl.com. We wanted it to be back for everyone. And, I think we're fully back. However, if you have problems with the domain, please raise an issue so we at least know it's not working for part of the internet.
What we think happened
This part veers into some speculation, and Perl.com wasn't the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There's no reason for Network Solutions to reveal anything to me (again, I'm not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported. John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder...
Once transferred to Key Systems in late January, the new, fraudulent registrant listed the domain (along with others), on Afternic (a domain marketplace). If you had $190,000, you could have bought Perl.com. This was quickly de-listed after the The Register made inquiries.
"I think we were very fortunate here and that many people with a soft spot in their hearts for Perl did a lot of good work for us," the article notes. "All sides understood that Perl.com belonged to Tom and it was a simple matter of work to resolve it. A relatively unknown domain name might not fare as well in proving they own it..."
But again, the incident ended happily, foy writes, and "The Perl.com domain is back in the hands of Tom Christiansen and we're working on the various security updates so this doesn't happen again. The website is back to how it was and slightly shinier for the help we received."
"Now that the incident has died down, we can explain some of what happened and how we handled it." This incident only affected the domain ownership of Perl.com and there was no other compromise of community resources. This website was still there, but DNS was handing out different IP numbers...
Recovering the domain wasn't the end of the response though. While the domain was compromised, various security products had blacklisted Perl.com and some DNS servers had sinkholed it. We figured that would naturally work itself out, so we didn't immediately celebrate the return of Perl.com. We wanted it to be back for everyone. And, I think we're fully back. However, if you have problems with the domain, please raise an issue so we at least know it's not working for part of the internet.
What we think happened
This part veers into some speculation, and Perl.com wasn't the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There's no reason for Network Solutions to reveal anything to me (again, I'm not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported. John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder...
Once transferred to Key Systems in late January, the new, fraudulent registrant listed the domain (along with others), on Afternic (a domain marketplace). If you had $190,000, you could have bought Perl.com. This was quickly de-listed after the The Register made inquiries.
"I think we were very fortunate here and that many people with a soft spot in their hearts for Perl did a lot of good work for us," the article notes. "All sides understood that Perl.com belonged to Tom and it was a simple matter of work to resolve it. A relatively unknown domain name might not fare as well in proving they own it..."
But again, the incident ended happily, foy writes, and "The Perl.com domain is back in the hands of Tom Christiansen and we're working on the various security updates so this doesn't happen again. The website is back to how it was and slightly shinier for the help we received."
Network Solutions (Score:3)
https://2fa.directory/ [2fa.directory] says that NetSol still doesn't offer 2FA. Is that really true?
Domain Name: PERL.COM
Registry Domain ID:
Registrar WHOIS Server: whois.networksolutions.com
Registrar URL: http://networksolutions.com/ [networksolutions.com]
Updated Date: 2021-02-05T19:59:16Z
Creation Date: 1994-08-16T04:00:00Z
Registrar Registration Expiration Date: 2031-02-05T16:54:08Z
Registrar: Network Solutions, LLC
Registrar IANA ID: 2
Re: (Score:2)
It's a mistake to have anything left at NetSol... they were the monopoly years ago, but an attempted price increase resulting in a phone company like breakup.
Re: (Score:3)
Why does anyone use Net Sol? Last time I looked, they were far more expensive than any other registrar and they have a history of incompetence (sex.com).
Missed opportunity (Score:3)
Whoever jacked the domain obviously wasn't a Slashdotter, or they'd have redirected it to pictures of Heidi Wall.
Heard it from those who heard it from Tom (Score:3, Interesting)
Yes, it was a social engineering attack on Network Solution. Via the "chat" feature with their outsourced off-shored customer service support. A bunch of very impressive looking documents submitted via chat, and a bunch of domains were fraudulently transferred. Just like that.
The off-shored customer service morons, of course, had no fucking clue what Perl was all about. Of course, when the tech side got involved, it was an oh-sheeeet moment.
Network Solutions f.u.c.k.e.d.u.p. You said, brother -- who in their fracking mind would still register with Netsol, these days?
Go back to signed requests (Score:2)