How The New York Times could have prevented yesterday’s attack for just $50
Adding Registry Lock service to a domain name prevents unauthorized name server changes.
Yesterday the nameservers for The New York Times’ NYTimes.com domain name were altered, allegedly by the Syrian Electronic Army, which led to some internet users not being able to access the company’s website.
The New York Times could have easily prevented this from happening at a cost of under $50 a month. All it needed to do was add a product called Registry Lock to its domain name registration.
As a bit of background, there are two parties that play a key role with .com domain names. One is the domain name registrar, such as GoDaddy or Melbourne IT. The other is Verisign, which manages the registry for .com domains.
Domain name registrants don’t deal directly with Verisign. Registrants instead request changes to their domains through their domain name registrar.
For example, if I want to change the nameservers for DomainNameWire.com to point to a different location, I can log in to my GoDaddy account and make the change. GoDaddy, in turn, automatically sends this information to Verisign to update its records.
But what if your domain name registrar account is compromised?
That’s what apparently happened in the case of NYTimes.com and its domain registrar Melbourne IT.
And that’s where Registry Lock, which Verisign offers through domain name registrars, comes into play. It prevents the registrar from making a nameserver change directly.
If NYTimes.com had Registry Lock*, then when the perpetrators tried to change the nameservers it would have triggered a manual verification process between Melbourne IT and Verisign:
Melbourne IT would send a request to Verisign. Verisign would then verify the request and require a verbal passphrase before removing Registry Lock and thus allowing the nameserver change.
It’s not foolproof, but it’s pretty solid protection. Unless someone uses social engineering to trick a registrar employee (which can happen) or there’s an “inside man” at the registrar or customer, it would be very difficult to make an unauthorized change.
Patrick Kane, SVP for Naming and Directory Services at Verisign, describes Registry Lock as an “additional layer” of protection.
“If a registrar has not done something, such as preventing a hack, they can rely on us as a backstop to prevent most of these types of attacks,” Kane told Domain Name Wire today.
Registry Lock does not prevent someone from changing the registrant name or contact details for a .com domain name, since this information is managed solely at the domain registrar level. We saw this yesterday with Twitter. Twitter.com uses Registry Lock, so its nameservers weren’t compromised. However, the perpetrators did change the contact information for Twitter.com in WHOIS.
Normally, changing the contact information might be enough to enable someone to hijack the domain name and transfer it to a different registrar. But with Registry Lock on, domain names can’t be transferred to another registrar.
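One way to check from a WHOIS record whether a domain carries registry-level locks rather than only registrar-level ones, as an added example that is not from the original article. It assumes Registry Lock appears in WHOIS as the EPP status codes serverUpdateProhibited, serverTransferProhibited and serverDeleteProhibited (the article does not name these); the two WHOIS records are constructed samples.

```python
import re

# Assumption (not stated in the article): a registry-locked .com domain shows
# all three registry-set (server*) EPP status codes in its WHOIS record.
REGISTRY_LOCK_CODES = {
    "serverUpdateProhibited",    # blocks nameserver changes
    "serverTransferProhibited",  # blocks transfer to another registrar
    "serverDeleteProhibited",    # blocks deletion
}

# Matches both "Domain Status: <code> <url>" and the older "Status: <code>".
STATUS_RE = re.compile(r"^[ \t]*(?:Domain )?Status:[ \t]*([A-Za-z]+)", re.I | re.M)

def parse_statuses(whois_text):
    """Return the set of EPP status codes found in a WHOIS response."""
    return {m.group(1) for m in STATUS_RE.finditer(whois_text)}

def lock_report(whois_text):
    """Separate registry-set locks from registrar-set (client*) locks."""
    statuses = parse_statuses(whois_text)
    lowered = {s.lower() for s in statuses}
    missing = sorted(c for c in REGISTRY_LOCK_CODES if c.lower() not in lowered)
    # client* codes are managed through the registrar account, so they do not
    # help once that account is compromised.
    registrar = sorted(s for s in statuses if s.lower().startswith("client"))
    return {
        "registry_locked": not missing,
        "missing_registry_codes": missing,
        "registrar_level_codes": registrar,
    }

# Constructed sample records (placeholder domains, not real lookups).
LOCKED = """\
Domain Name: EXAMPLE-LOCKED.COM
Name Server: NS1.EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""
REGISTRAR_ONLY = """\
Domain Name: EXAMPLE-UNLOCKED.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
"""

if __name__ == "__main__":
    for name, record in (("locked", LOCKED), ("registrar-only", REGISTRAR_ONLY)):
        print(name, lock_report(record))
```

A domain that reports only client* codes is protected by nothing beyond the registrar account itself, which is the situation the article describes for NYTimes.com.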
Registries for other top level domain names, such as .biz and .eu, offer a similar service.
Registry Lock is primarily offered by domain name registrars that focus on brand management and corporate customers, such as MarkMonitor.
Verisign charges domain name registrars no more than $10 a month per domain for the service. Domain name registrars mark the price up from there, with some including it in a bundle of services. The markup can be rather high because of the manual process involved, but Irish domain name registrar Blacknight told me it generally charges 30 euros per month for the service. I have inquired with Melbourne IT for its pricing.
No matter the cost, it’s a small price for a company like The New York Times to pay to protect its online presence.
*The New York Times has now added Registry Lock to NYTimes.com.