
The One-Week Hijacking of Perl.com - Explained (perl.com)

"For a week we lost control of the Perl.com domain," a long-running site offering news and articles about the programming language, writes the site's senior editor, brian d foy.

"Now that the incident has died down, we can explain some of what happened and how we handled it." This incident only affected the domain ownership of Perl.com and there was no other compromise of community resources. This website was still there, but DNS was handing out different IP numbers...

Recovering the domain wasn't the end of the response though. While the domain was compromised, various security products had blacklisted Perl.com and some DNS servers had sinkholed it. We figured that would naturally work itself out, so we didn't immediately celebrate the return of Perl.com. We wanted it to be back for everyone. And, I think we're fully back. However, if you have problems with the domain, please raise an issue so we at least know it's not working for part of the internet.

What we think happened

This part veers into some speculation, and Perl.com wasn't the only victim. We think that there was a social engineering attack on Network Solutions, including phony documents and so on. There's no reason for Network Solutions to reveal anything to me (again, I'm not the injured party), but I did talk to other domain owners involved and this is the basic scheme they reported. John Berryhill provided some forensic work in Twitter that showed the compromise actually happened in September. The domain was transferred to the BizCN registrar in December, but the nameservers were not changed. The domain was transferred again in January to another registrar, Key Systems, GmbH. This latency period avoids immediate detection, and bouncing the domain through a couple registrars makes the recovery much harder...

Once transferred to Key Systems in late January, the new, fraudulent registrant listed the domain (along with others), on Afternic (a domain marketplace). If you had $190,000, you could have bought Perl.com. This was quickly de-listed after The Register made inquiries.

"I think we were very fortunate here and that many people with a soft spot in their hearts for Perl did a lot of good work for us," the article notes. "All sides understood that Perl.com belonged to Tom and it was a simple matter of work to resolve it. A relatively unknown domain name might not fare as well in proving they own it..."

But again, the incident ended happily, foy writes, and "The Perl.com domain is back in the hands of Tom Christiansen and we're working on the various security updates so this doesn't happen again. The website is back to how it was and slightly shinier for the help we received."
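
Added example (not from the Perl.com article or from Slashdot): the write-up notes that the domain changed registrars while the nameservers stayed the same, so monitoring DNS answers alone would have shown nothing. The sketch below compares two saved WHOIS snapshots and flags exactly that case; the registrar names, IANA IDs and hostnames in the sample data are constructed placeholders.

```python
import re

# Registration fields that move when a domain is transferred, regardless of DNS answers.
WATCHED = ("registrar", "registrar iana id", "registrar whois server")

def parse_whois(text):
    """Parse 'Key: value' WHOIS lines; repeated keys such as Name Server accumulate."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            record.setdefault(key, []).append(value)
    return record

def diff_snapshots(old_text, new_text):
    """Compare two WHOIS snapshots and flag a registrar change with unchanged nameservers."""
    old, new = parse_whois(old_text), parse_whois(new_text)
    changes = [(f, old.get(f), new.get(f)) for f in WATCHED if old.get(f) != new.get(f)]
    # Hostnames are case-insensitive, so normalise before comparing.
    ns = lambda rec: sorted(h.lower().rstrip(".") for h in rec.get("name server", []))
    ns_changed = ns(old) != ns(new)
    return {
        "registration_changes": changes,
        "nameservers_changed": ns_changed,
        # The case the article describes: DNS-only monitoring sees nothing.
        "silent_transfer": bool(changes) and not ns_changed,
    }

# Constructed sample snapshots (placeholder registrars, IDs and hosts, not real records).
BASELINE = """\
Domain Name: EXAMPLE.COM
Registrar WHOIS Server: whois.registrar-one.example
Registrar: Example Registrar One
Registrar IANA ID: 9001
Name Server: ns1.example.net
Name Server: ns2.example.net
"""
LATER = """\
Domain Name: EXAMPLE.COM
Registrar WHOIS Server: whois.registrar-two.example
Registrar: Example Registrar Two
Registrar IANA ID: 9002
Name Server: NS2.EXAMPLE.NET
Name Server: NS1.EXAMPLE.NET
"""

if __name__ == "__main__":
    result = diff_snapshots(BASELINE, LATER)
    for field, before, after in result["registration_changes"]:
        print(f"{field}: {before} -> {after}")
    print("silent transfer:", result["silent_transfer"])
```

Run against snapshots saved on a schedule, a `silent_transfer` result is the signal to contact the registrar before the nameservers are ever touched.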

  • by bill_mcgonigle ( 4333 ) * on Saturday March 06, 2021 @06:25PM (#61131576) Homepage Journal

    https://2fa.directory/ says that NetSol still doesn't offer 2FA. Is that really true?


    Domain Name: PERL.COM
    Registry Domain ID:
    Registrar WHOIS Server: whois.networksolutions.com
    Registrar URL: http://networksolutions.com/
    Updated Date: 2021-02-05T19:59:16Z
    Creation Date: 1994-08-16T04:00:00Z
    Registrar Registration Expiration Date: 2031-02-05T16:54:08Z
    Registrar: Network Solutions, LLC
    Registrar IANA ID: 2

    • It's a mistake to have anything left at NetSol... they were the monopoly years ago, but an attempted price increase resulted in a phone-company-like breakup.

      • Why does anyone use Net Sol? Last time I looked, they were far more expensive than any other registrar and they have a history of incompetence (sex.com).

  • by Motherfucking Shit ( 636021 ) on Saturday March 06, 2021 @07:17PM (#61131674) Journal

    Whoever jacked the domain obviously wasn't a Slashdotter, or they'd have redirected it to pictures of Heidi Wall.

  • by mrsam ( 12205 ) on Saturday March 06, 2021 @09:29PM (#61131866) Homepage

    Yes, it was a social engineering attack on Network Solutions. Via the "chat" feature with their outsourced off-shored customer service support. A bunch of very impressive looking documents submitted via chat, and a bunch of domains were fraudulently transferred. Just like that.

    The off-shored customer service morons, of course, had no fucking clue what Perl was all about. Of course, when the tech side got involved, it was an oh-sheeeet moment.

    Network Solutions f.u.c.k.e.d.u.p. You said, brother -- who in their fracking mind would still register with Netsol, these days?

  • Early on, Network Solutions let you choose a digital signature as your confirmation mechanism and post your public key so they could validate your signed requests with that. Much more difficult to 'trick' a Network Solutions employee that way. I wish they would go back to that.
