Naked Security

Surveillance watchdog learns that old domains never die

Keep your old domains, forever.

Forgetting to renew your domain name can be embarrassing. Letting the domain slip out of your control because, well, maybe your organization doesn’t think it’s necessary anymore … can have equally embarrassing repercussions, as the latest domain stumble makes clear.
As far as the memory-lapse variety goes, we’ve seen a telco get fined $3 million for the flub-up, which led to deaf, hard-of-hearing and speech-disabled people losing access to emergency services for three days.
The Dallas Cowboys did it. Microsoft did it. Twice (buh-bye, Hotmail!). Foursquare did it. Dell’s auto-backup and recovery vendor let a domain slip into the grasp of a typosquatter that started showing up in malware alerts about two weeks later. Ketchup king Heinz did it with a label-design contest, Fundorado.com, that wound up as a porn site.


And now, we have the retired-domain screwup. This most recent example of URL dysfunction takes shape at the site for the UK’s Interception of Communications Commissioner (IOCCO).
It might have seemed like the agency didn’t need the domain anymore. The IOCCO was a watchdog created by the UK government to produce annual reports on the government’s use of its surveillance powers. It was folded into the Investigatory Powers Commissioner’s Office (IPCO) in September 2017 as part of the UK’s Investigatory Powers Act, also known as the Snooper’s Charter.
IPCO or no IPCO, the IOCCO website can still be found on Google:
[Image: IOCCO]
The IOCCO’s Twitter account is still up too, and, at the time of writing, linking to the now-defunct domain – a domain now hosting a company advertising Easy Solutions to Premature Ejaculation To End Your Headache NOW!
To wit:
[Image: Not the IOCCO]
According to WHOIS records, the domain is now registered to a man in Washington DC with a phone number that’s no longer in service.
The mothballed website can be seen in all its original, nonsexual fustiness in the national archives.
The IPCO didn’t respond to media requests for comment.
Perhaps the IPCO thought that the old IOCCO domain name had outlived its usefulness, or maybe renewing the domain was a detail easily overlooked (or it simply wasn’t part of anyone’s job anymore).
Unfortunately, there are plenty of spammers and typosquatters who are more than happy to jump on a suddenly available, well-trafficked domain name and redirect visitors to a malware-infested hellhole or a spammy solution to their sexual problems.
For anyone worried about this happening to their business, the lesson is that domains are cheap and your organization’s reputation is expensive: just set your old domains to auto-renew and keep them all, forever.