Protecting and Securing your Domain Name

Number: IN14-003
Date: 15 December 2014

Purpose

CCIRC, in collaboration with the Canadian Internet Registration Authority (CIRA), has developed this Information Note to provide best practices and advice on securing your domain.

Assessment

Having a domain is an integral part of business today, and care should be taken to protect it. Malicious attackers may be interested in your domain for a variety of reasons, and CCIRC has recently observed a number of attacks involving Domain Name System (DNS) and domain hijacking, as well as cybersquatting.

DNS & Domain Hijacking
Domain hijacking occurs when the registration of a domain name is changed without the permission of the owner. Attackers can use personal information obtained through social engineering to impersonate the owner and then persuade the domain registrar to change DNS information or transfer the domain to another registrant. As a result, visitors who intend to visit your website are instead delivered to content controlled by the malicious actor. Examples of this malicious content include credential phishing, malware delivery, and brand/website defacement.

Another reason for attackers to hijack DNS and domain information could be to take control of the domain and associated email addresses in order to monitor traffic and capture data.  Analysis of captured traffic could provide a malicious actor with sensitive information, including usernames and passwords.  The malicious attackers could also submit and intercept password reset requests from cloud applications to hijack personal accounts.

Cybersquatting
Cybersquatting occurs when a registered domain expires, either intentionally or by mistake, and someone other than the original owner is able to gain ownership of it. This usually results in the new owner attempting to extort payment from the original owner. 

Impact
The loss or unauthorized modification of a domain could result in data compromise and service downtime.  This can lead to the loss of brand reputation, customers and revenue.

Past domain related attacks have involved high profile, high traffic websites including the Huffington Post, New York Times and Twitter. In those cases, reports indicate that DNS information was modified so that the domains were pointing to servers controlled by the attackers.

Suggested Action

CCIRC strongly encourages information technology owners and operators to select a domain registrar which supports the following security products:

Registry Lock – Enabling Registry Lock helps ensure that attributes of the domain are unchangeable and no transfer or deletion transactions can be processed against the domain name (with the exception of renewals) unless authorized. Registry Lock is a service offered by CIRA through certified registrars, whereas a registrar lock is offered by a registrar only.
http://www.cira.ca/ca-websites/enhancing-the-security-of-ca/ca-registry-lock/

DNSSEC – Enabling DNSSEC with your domain registrar and DNS host helps to prevent sophisticated malicious attacks including DNS hijacking and spoofing.
http://www.cira.ca/ca-websites/enhancing-the-security-of-ca/dnssec/
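
As an added example (not part of CCIRC's or CIRA's guidance), the script below audits one domain registration record for the protections described above: registry lock, registrar lock, DNSSEC, and an approaching expiry date. It assumes the record is in RDAP JSON form (RFC 9083) and that a registry lock appears as the three server-side "prohibited" statuses; the function name audit_domain and the sample record are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP-style domain record (RFC 9083 field names); not real data.
SAMPLE = json.loads("""
{
  "ldhName": "example.ca",
  "status": ["client transfer prohibited", "server transfer prohibited"],
  "secureDNS": {"delegationSigned": false},
  "events": [
    {"eventAction": "registration", "eventDate": "2010-03-01T00:00:00Z"},
    {"eventAction": "expiration", "eventDate": "2015-01-10T00:00:00Z"}
  ]
}
""")

# Assumption: a registry-level lock shows up as all three server-side statuses,
# a registrar-level lock as the client-side transfer status.
REGISTRY_LOCK = {"server transfer prohibited", "server update prohibited",
                 "server delete prohibited"}
REGISTRAR_LOCK = {"client transfer prohibited"}

def audit_domain(record, now, warn_days=30):
    """Return a list of findings for one RDAP domain record."""
    findings = []
    status = {s.lower() for s in record.get("status", [])}
    missing = sorted(REGISTRY_LOCK - status)
    if missing:
        findings.append("registry lock incomplete, missing: " + ", ".join(missing))
    if not REGISTRAR_LOCK <= status:
        findings.append("registrar transfer lock not set")
    if not record.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("DNSSEC: delegation is not signed")
    expiry = [e["eventDate"] for e in record.get("events", [])
              if e.get("eventAction") == "expiration"]
    if not expiry:
        findings.append("no expiration date published")
    else:
        # RDAP dates are RFC 3339; normalise the trailing Z for fromisoformat.
        when = datetime.fromisoformat(expiry[0].replace("Z", "+00:00"))
        days = (when - now).days
        if days < 0:
            findings.append("registration expired %d days ago" % -days)
        elif days <= warn_days:
            findings.append("registration expires in %d days" % days)
    return findings

if __name__ == "__main__":
    print(audit_domain(SAMPLE, datetime(2014, 12, 15, tzinfo=timezone.utc)))
```

Run against each domain in a portfolio on a schedule, an empty result means the record shows both locks, a signed delegation, and more than warn_days until expiry.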

Domain owners should review the following domain name portfolio management best practices:

Additionally, domain owners should review the following best practices for domain registry user accounts and any email addresses listed in your domain contact information:

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
