Imagine coming to work one morning and discovering your company Web site and all staff e-mail accounts have ceased to exist.
Three years ago it happened to Web Networks, a Toronto-based company that provides e-mail and Web sites for 3,500 non-profit and charity groups. After some digging, it
discovered its Web.net URL was usurped by a devious cyber-thief who sent a forged fax to Web Networks’s former registrar.
“”The person (responsible) was never identified,”” says Oliver Zielke, executive director for Web Networks. “”For about four days, it affected a large number of people who host their Web sites with us.””
He says there wasn’t much his company could do other than rely upon its registrar to ensure secure procedures were in place.
More unnerving than Web Networks’s ordeal would be having your corporate site erased because of an internal clerical error. Microsoft neglected to renew its Passport.com URL in 1999 and had it not been for a Good Samaritan who re-registered the URL and informed the company of this faux pas, the result could have been worse than mere embarrassment.
“”There are slimeballs out there who watch out for Web site expirations,”” says Jim Carroll, author of several books on the Internet, including the Canadian Internet Handbook. “”They sit and wait, and when they get the chance, they’ll slap a porn site up where your corporate site once was.””
Carroll says organizations with several domain names ought to consider domain name management outsourcing to prevent loss of their URLs due to administrative foul-ups.
“”A lot of companies don’t know what domains they own, when they expire, who it was registered with and by whom,”” he says.
Ross Rader, director of research and innovation for Tucows Inc., says domain name theft is still prevalent, but these days it’s not the big issue in terms of overall Web security. Toronto-based Tucows provides domain name registrations in more than 100 countries.
“”Nine times out of 10 (an illegal domain name transfer) can be sorted out,”” he says. “”The real theft comes into play when the registrar has lax security.””
Rader advises IT managers to find a registrar that works with an enterprise to ensure security.
“”You should keep your (Web site administration) data up-to-date and ensure the appropriate people are listed with the registrar — for instance, the IT manager, not the company receptionist,”” he says. “”Ensure you have the registrar lock down the domain so it can’t be easily transferred and the database is read-only.””
Greg Lane, national vice-president of the Canadian Information Processing Society, says domain name theft is the Web version of stealing intellectual property.
“”It can become a problem for a legitimate business, but most mature businesses have done their due diligence and have processes in place to safeguard against it,”” he says.
Lane says the issues surrounding domain-name theft could launch a new legal practice should lawyers stop to consider it.
“”The problem is global; it’s not national or regional,”” he says. “”So the question becomes who’s responsible for governing this process? It would have to be an international body and someone would have to pay for it.””
David Senf, analyst with Toronto’s IDC Canada Ltd., says the threat of domain name theft experienced by Web Networks is unlikely to happen today given the security measures practiced by registrars, but he admits better overall governance is needed.
“”It should be ICANN (the Internet Corporation for Assigned Names and Numbers) that is responsible for (monitoring registrars’ practices) since they’re the organization that maps out DNS settings to actual Web addresses. They are the gatekeepers.””