now browsing by tag


Dangerous Domain Corp.com Goes Up for Sale — Krebs on Security

Source: National Cyber Security – Produced By Gregory Evans

As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.

Now, facing 70 and seeking to simplify his estate, O’Connor is finally selling corp.com. The asking price — $1.7 million — is hardly outlandish for a 4-letter domain with such strong commercial appeal. O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.

One reason O’Connor hopes Microsoft will buy it is that by virtue of the unique way Windows handles resolving domain names on a local network, virtually all of the computers trying to share sensitive data with corp.com are somewhat confused Windows PCs. More importantly, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\drive1” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.


That’s according to Jeff Schmidt, a security expert who conducted a lengthy study on DNS namespace collisions funded in part by grants from the U.S. Department of Homeland Security. As part of that analysis, Schmidt convinced O’Connor to hold off selling corp.com so he and others could better understand and document the volume and types of traffic flowing to it each day.

During an eight month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving — including attempts to log in to internal corporate networks and access specific file shares on those networks.

For a brief period during that testing, Schmidt’s company JAS Global Advisors accepted connections at corp.com that mimicked the way local Windows networks handle logins and file-sharing attempts.

“It was terrifying,” Schmidt said. “We discontinued the experiment after 15 minutes and destroyed the data. A well-known offensive tester that consulted with JAS on this remarked that during the experiment it was ‘raining credentials’ and that he’d never seen anything like it.”

Likewise, JAS temporarily configured corp.com to accept incoming email.

“After about an hour we received in excess of 12 million emails and discontinued the experiment,” Schmidt said. “While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.”

Schmidt said he and others concluded that whoever ends up controlling corp.com could have an instant botnet of well-connected enterprise machines.

“Hundreds of thousands of machines directly exploitable and countless more exploitable via lateral movement once in the enterprise,” he said. “Want an instant foothold into about 30 of the world’s largest companies according to the Forbes Global 2000? Control corp.com.”


Schmidt’s findings closely mirror what O’Connor discovered in the few years corp.com was live on the Internet after he initially registered it back in 1994. O’Connor said early versions of a now-defunct Web site building tool called Microsoft FrontPage suggested corporation.com (another domain registered early on by O’Connor) as an example domain in its setup wizard.

That experience, portions of which are still indexed by the indispensable Internet Archive, saw O’Connor briefly redirecting queries for the domain to the Web site of a local adult sex toy shop as a joke. He soon got angry emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.


Archive.org’s index of corp.com from 1997, when its owner Mike O’Connor briefly enabled a Web site mainly to shame Microsoft for the default settings of its software.

O’Connor said he also briefly enabled an email server on corp.com, mainly out of morbid curiosity to see what would happen next.

“Right away I started getting sensitive emails, including pre-releases of corporate financial filings with The U.S. Securities and Exchange Commission, human resources reports and all kinds of scary things,” O’Connor recalled in an interview with KrebsOnSecurity. “For a while, I would try to correspond back to corporations that were making these mistakes, but most of them didn’t know what to do with that. So I finally just turned it off.”


Microsoft declined to answer specific questions in response to Schmidt’s findings on the wayward corp.com traffic. But a spokesperson for the company shared a written statement acknowledging that “we sometimes reference ‘corp’ as a label in our naming documentation.”

“We recommend customers own second level domains to prevent being routed to the internet,” the statement reads, linking to this Microsoft Technet article on best practices for setting up domains in Active Directory.

Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.

But both O’Connor and Schmidt say hardly any vulnerable organizations have deployed these fixes for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time. Second, according to Microsoft applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations.

Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low, O’Connor said.

“The problem is that when you read the instructions for doing the repair, you realize that what they’re saying is, ‘Okay Megacorp, in order to apply this patch and for everything to work right, you have to take down all of your Active Directory services network-wide, and when you bring them back up after you applied the patch, a lot of your servers may not work properly’,” O’Connor said.

Curiously, Schmidt shared slides from a report submitted to a working group on namespace collisions suggesting that at least some of the queries corp.com received while he was monitoring it may have come from Microsoft’s own internal networks.


Image: JAS Global Advisors

“The reason I believe this is Microsoft’s issue to solve is that someone that followed Microsoft’s recommendations when establishing an active directory several years back now has a problem,” Schmidt said.

“Even if all patches are applied and updated to Windows 10,” he continued. “And the problem will persist while there are active directories named ‘corp’ – which is forever. More practically, if corp.com falls into bad hands, the impact will be on Microsoft enterprise clients – and at large scale – paying, Microsoft clients they should protect.”

Asked why he didn’t just give corp.com to Microsoft as an altruistic gesture, O’Connor said the software giant ought to be accountable for its products and mistakes.

“It seems to me that Microsoft should stand up and shoulder the burden of the mistake they made,” he said. “But they’ve shown no real interest in doing that, and so I’ve shown no interest in giving it to them. I don’t really need the money. I’m basically auctioning off a chemical waste dump because I don’t want to pass it on to my kids and burden them with it. My frustration here is the good guys don’t care and the bad guys probably don’t know about it. But I expect the bad guys would like it.”

Further reading:

Mitigating the Risk of DNS Namespace Collisions (PDF)

DEFCON 21 – DNS May Be Hazardous to your Health (Robert Stucke)

Mitigating the Risk of Name Collision-Based Man-in-the-Middle Attacks (PDF)

Tags: Active Directory, corp.com, DNS name devolution, JAS Global Advisors, Jeff Schmidt, Microsoft Corp., Microsoft Windows, Mike O’Connor, namespace collision, U.S. Department of Homeland Security

The source of this story comes from click here!

The post Dangerous Domain Corp.com Goes Up for Sale — Krebs on Security appeared first on National Cyber Security.

View full post on National Cyber Security

#deepweb | Laredo College goes into the darkside of the web

Source: National Cyber Security – Produced By Gregory Evans

LAREDO, TX (KGNS) – Our local college is shedding light on the dangers of modern-day technology.

Laredo College is joining forces with MileOne, UISD, and local authorities to host a discussion on cybersecurity to educate the community on the dangers of the internet.

Experts will share impactful information such as the importance of cybersecurity and all the dangerous material that can be found on the dark web.

The first session at the South Texas Cybersecurity Series will be at 10 a.m. and the second will be at 6 p.m. at MileOne located at 1312 Houston Street.

Organizers invite all local businesses, and students to take part in the conference.

Source link

The post #deepweb | <p> Laredo College goes into the darkside of the web <p> appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | New Anti-Robocall Law Goes To President For Signatory Approval

Source: National Cyber Security – Produced By Gregory Evans via Kieren McCarthy – writing at El Reg – comes a bit of good news on a Wednesday in the glorious Pacific Northwest: Congress – just this morning, mind you – has passed the esteemed body’s new Anti-Robocall Act monikered the TRACED Act, and along with […] View full post on AmIHackerProof.com

#deepweb | In new world of data breaches and dark web deals, identity theft goes mainstream: JPSO | Crime/Police

Source: National Cyber Security – Produced By Gregory Evans Identity theft used to be a more complicated, hands-on racket that included mail theft, dumpster diving, scam telephone calls and emailed offers. But hackers, aided by improvements in computer technology and internet accessibility, have introduced an illicit efficiency to the crime, stealing the personal information of […] View full post on AmIHackerProof.com

#deepweb | Massive cache of Indian card data goes up for sale on dark web

Source: National Cyber Security – Produced By Gregory Evans The details of more than 1.3 million credit and debit cards – most of them from India – have been put up for sale on an underground forum. The database, which has been on the Joker’s Stash carding forum since 28 October, was spotted by […] View full post on AmIHackerProof.com

#deepweb | Dark Web Drug Seller Sinmed Goes Down—Thanks to ATM Withdrawals

Source: National Cyber Security – Produced By Gregory Evans

Until a few weeks ago, sinmed was one of the largest drug vendors at Dream Market, the foremost dark web bazaar. It took in millions of dollars shipping fentanyl-laced heroin, methamphetamines, and hundreds of thousands of counterfeit Xanax tablets across the US—until the New York district attorney’s office shut it down, and arrested the three men who allegedly ran it.

Dark web takedowns happen all the time. But sinmed was a power player, among Dream Market’s top 3 percent of vendors in terms of sheer transactions. And its rise and fall, as detailed by Manhattan DA Cyrus Vance and a recently unsealed indictment, shows not only how dark web storefronts operate, but also how law enforcement at every level has become increasingly savvy at tracking them down.

Act Local

When you read about dark web takedowns, they typically involve sweeping actions by federal agencies. The Joint Criminal Opioid and Darknet Enforcement team—made up of agents from the FBI, DEA, CBP, and more—announced in March that it had made 61 arrests and shuttered 50 accounts related to dark web activity as part of Operation SaboTor, a crackdown months in the making.

“It is definitely a significant arrest.”

Nicolas Christin, Carnegie Mellon University

But while the sinmed case involved cooperation from the Secret Service, US Postal Inspection Service, and Homeland Security Investigations, it originated—unusually—with the Manhattan DA. More precisely, with a tip the DA’s office received in 2017 about good old-fashioned suspicious ATM withdrawals.

“For time immemorial we have been saying that in cases of economic crime, it’s really all about following the money,” Manhattan district attorney Cy Vance said at a press conference Tuesday announcing the charges. “Pulling the thread and following the money in 2019 today is about knowing where to look on the internet and in cyberspace.”

Sinmed Inc.

In late March 2016, the unsealed indictment alleges, 51-year-old Ronald MacCarty ordered 10 kilograms of microcrystalline cellulose from an unspecified vendor. It was the first of at least nine such orders he and Chester Arthur would place over the following two years; by May 2018, the size had grown to 500 kilograms.

On its own, MCC is harmless, mostly used as a binding agent. You can buy it on Amazon. But you can also use it to make pills. According to court documents, Anderson and MacCarty methodically worked their way up to doing just that. In July 2016, the two incorporated a company called Next Level Research and Development. From there, they attempted to buy a kilogram of alprazolam—sold commercially as Xanax—as well as a vial filling and capping machine, a powder mixer, a tablet press machine, and Xanax punch dies. Everything you need, as the indictment says, “to manufacture and sell tablets containing controlled substances.”

Over the course of their operation, according to the Manhattan district attorney’s office, Anderson and MacCarty—along with Jarrette Codd—shipped more than 1,000 packages to buyers in 43 states, laundering $2.3 million in cryptocurrency along the way. At the time of the trio’s arrest on April 4, investigators seized 420,000 to 620,000 alprazolam tablets, 500 glassines of fentanyl-laced heroin, and assorted other drugs. All three men have pleaded not guilty.

Law enforcement seized hundreds of thousands of counterfeit Xanax pills this month as part of the sinmed takedown.Manhattan District Attorney

Source link

The post #deepweb | <p> Dark Web Drug Seller Sinmed Goes Down—Thanks to ATM Withdrawals <p> appeared first on National Cyber Security.

View full post on National Cyber Security

New Social Media Screening for U.S. Visitors Goes Into Effect

Source: National Cyber Security – Produced By Gregory Evans

New Social Media Screening for U.S. Visitors Goes Into Effect

The Trump Administration, which vowed to implement “extreme vetting” at the borders, has implemented part of a controversial plan requiring some U.S. visa applicants to disclose their social media history before entering the country. The plan, which requires applicants to disclose user names for social media platforms they’ve used in…

The post New Social Media Screening for U.S. Visitors Goes Into Effect appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

EBR 063: When Texting Goes WRONG With Your Ex…

When it comes to getting an ex boyfriend back one of the most asked questions that we get is, How do I text him? And if you are pretty familiar with our site you would know that I have put together quite a few guides over the years detailing exactly what to do. Read More….

The post EBR 063: When Texting Goes WRONG With Your Ex… appeared first on Dating Scams 101.

View full post on Dating Scams 101

Donald Trump Goes After Grieving Mother Of Killed American Soldier

Donald Trump responded to the moving speeches of the father of an American hero at the Democratic National Convention by questioning why his wife stood at his side but did not speak. 

The remarks were clearly intended to question whether the couple’s Islamic faith precluded her from speaking so publicly.

Khizr Khan, whose son, Army Capt. Humayun S.M. Khan was killed in Iraq in 2004, gave one of the most stirring speeches of the convention when he questioned what sacrifices Trump had made for his country.

Read More

The post Donald Trump Goes After Grieving Mother Of Killed American Soldier appeared first on Parent Security Online.

View full post on Parent Security Online