impact of domain name drop catching on business security
play

impact of domain name drop-catching on business security Research - PowerPoint PPT Presentation

Mar 22, 2023 •367 likes •1k views

impact of domain name drop-catching on business security Research carried out by: Kirils Solovjovs Mrti Rozenbergs Toms Liepjnieks relevance When was the last time your non-IT friend typed something like this

  1. impact of domain name drop-catching on business security Research carried out by: ● Kirils Solovjovs ● Mārtiņš Rozenbergs ● Toms Liepājnieks

  2. relevance ● When was the last time your non-IT friend typed something – like this 172.217.18.78 ? – or this 2a00:1450:4016:809::200e ? ● Yep, 100%- ε of non-malicious connections start with a DNS request #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  3. domain expiration ● Most domains aren’t free ● Negligence: ● Abandonment: – forgot to renew – project is over domain – company merger – credit card expired – court order #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  4. research scope ● What attack vectors can be observed in real life? ● mid-2018 ● quantitative and ● .lv ccTLD qualitative methods ● ftp, ssh, telnet, smtp, – including IDN ● no phishing dns, http, pop3, imap, ● no active attacks https, rdp, vnc #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  5. literature review ● C. Healey. Domain tasting is taking over the internet as a result of ICANN’s “Add Grace Period”, 2007 ● S. Hao, M. Thomas, V. Paxson, N. Feamster, C. Kreibich, C. Grier, S. Hollenbeck. Understanding the domain registration behavior of spammers, 2013 ● G. Szathmari. Hacking law fjrms with abandoned domain names, 2018 #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  6. terminology ● Drop-catching re-registering a freshly expired domain name ● Domain back-orders – many registrar ofger a service to catch the domain – some registries (.ru, .pl, ...) cooperate on that service ● Domain tasting – registering a domain name for the add-grace period #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  7. gTLD life-cycle #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  8. .lv ccTLD life-cycle #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  9. enough theory; let’s dig in! #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  10. challanges ● 180 domains on 1 IP ● Lots of scanners and other bad guys ● Bots vs humans #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  11. tools ● custom DNS server ● netfjlter ● apache based on twisted ● a bunch of honeypots: – custom PHP honeypot – mailoney, netwatch, ● acme.sh imap-honey, malbait, + custom dns api RDPY, vnclowpot ● custom .sh & .py #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  12. methodology/setup ● Register recently expired domains that: – have search engine presence – relate to an existing company/person – are typos of popular domains ● Request SSL certifjcate for those domains ASAP #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  13. methodology/analysis ● Link DNS request logs with other request logs – heuristics: timing + AS ● Detect bots (web) ● Detect network scanners and bruteforcers ● Look at the remaining data in detail – qualitative analysis on e-mails and web requests – quantitative analysis on other protocols #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  14. yeah, yeah, yeah, but have you got any data? #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  15. domains registered #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  16. dns/requests (weighted) #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  17. dns/record_types #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  18. dns/subdomains #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  19. dns/subdomains/record_types #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  20. dns/avg_req_by_length (weighted) #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  21. dns/countries #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  22. ftp/top10 Username: Password: 1) ** lol :p ** 1) 1q2w3e4r 2) changeme 2) test 3) webmaster 3) admin 4) admin 4) 123456 5) root 5) 1q2w3e 6) test 6) 12345 7) clearvision 7) test123 8) ubuntu 8) qwerty 9) nagios 9) q1w2e3 10) ftpuser 10) 1234 #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  23. ssh/top10 Username: Password: 1) root 1) 123456 2) admin 2) password 3) test 3) 12345 4) user 4) 1234 5) support 5) 123 6) ubnt 6) admin 7) oracle 7) test 8) ubuntu 8) wubao 9) postgres 9) 1 10) adm 10) root #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  24. telnet/top10 Username: Password: 1) root 1) 1234 2) admin 2) admin 3) guest 3) 12345 4) supervisor 4) password 5) default 5) 123456 6) support 6) 7ujMko0admin 7) user 7) 5up 8) ubnt 8) 888888 9) Administrator 9) aquario 10) 888888 10) 54321 #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  25. mail/open_relay_attempts #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  26. web/requests #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  27. enough of looking at bad guys; from now on — only legit data #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  28. web/protocols #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  29. web/methods #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  30. web/referrers #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  31. web/cookies lrn2cookie plz #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  32. web/subdomains #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  33. web/countries #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  34. mail/sender_domains/attachments #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  35. mail/attachment_types #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  36. mail/sender_domains/attachment_types #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  37. I think it’s about enough of this; let’s look at some qualitative data #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  38. a torrent tracker #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  39. cron requests from abandoned wordpress instances #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  40. embedded HTML elements from .gov.lv #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  41. inter-connector of e-government systems #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  42. notifications from a social network #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  43. notification from a latvian social network #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  44. notification from a belgian social network #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  45. group reservation for a hotel #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  46. e-mail from a lawyer #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  47. message from state revenue service #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  48. flight reservation #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  49. bill with a lot of private data #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  50. telecommunications bill #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  51. electronically signed letter from the government #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  52. officially binding electronically signed government decision #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  53. GPS tracking alert on a car #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  54. full bank statement #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  55. sensitive health documents (encrypted) #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  56. occupational health check-up sheet #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  57. damn, that was intense! let’s wrap up & chill out #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  58. abandoner risks ● Previous owner endangers: – their clients and business partners – employees who’ve used e-mails for personal accounts ● via password reset – banking, insurance and sensitive health information #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  59. attacker benefits ● Attackers may gain control over: – commercial secrets – old installations of your website – government systems – information about passwords of the users ● via breach notifjcation sites – SSL certifjcates for the future website #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  60. what can you do ● Use 2FA ● Pay for your damn domains ● If not, then: – notify everybody — partners, employees, and third parties using your API – remove old e-mail addresses from online accounts ● Check for suspicious behavior of mail servers; blacklist them #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  61. further work ● Gather a larger, more representative data set ● Practically verify the following attack scenarios: – Use AGP to request SSL certifjcates valid for as long as possible ● mitm connection to the domain after it’s been re-registered ● write an advisory, if needed – Locate and access the old server by looking at cron-like requests – Register breach notifjcation alerts for a domain and wait #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  62. impact of domain name drop-catching on business security visit for more goodies #BalCCon2k18 http://kirils.org @KirilsSolovjovs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit

One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit

Johannes Obermaier, Marc Schink, Kosma Moczek August 11, 2020 One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit Microcontrollers Outline - Research Scope - Optical Die Inspection - Security Concept -

936 views • 58 slides
impact of Security. I SPEAKER'S BIOGRAPHY The Speaker is the former Chairman, Technical Committee

impact of Security. I SPEAKER'S BIOGRAPHY The Speaker is the former Chairman, Technical Committee

GSX 1201s PRESENTATION TITLE: ORGANIZATIONAL SECURITY CULTURE:A NEW BUSINESS PARADIGM ABSTRACT "Security is everybody's Concern" is the most frequently expressed among the basic principles of Security; but how it's done is just as

223 views • 9 slides
Victorian Protective Data Security Framework Protective Marking Reforms & Business Impact

Victorian Protective Data Security Framework Protective Marking Reforms & Business Impact

Victorian Protective Data Security Framework Protective Marking Reforms & Business Impact Levels February 2019 Protective Marking Reforms & Business Impact Levels (BILs) Today Background to the reforms Protective Markings and

430 views • 29 slides
Deferred Retirement Option Plan - DROP October 2016 1 Deferred Retirement Option Plan - DROP

Deferred Retirement Option Plan - DROP October 2016 1 Deferred Retirement Option Plan - DROP

Deferred Retirement Option Plan - DROP October 2016 1 Deferred Retirement Option Plan - DROP History Major Provisions How DROP Works What makes a good" DROP Program? LAFPP DROP Statistics DROP Review

444 views • 20 slides
Catching the Future Before it f Catches You A 2010 .edu survey Catching the Future Before

Catching the Future Before it f Catches You A 2010 .edu survey Catching the Future Before

4/13/2011 Catching the Future Before it f Catches You A 2010 .edu survey Catching the Future Before it Catches You 1. Extrapolation 2. Environmental scan 3. Scenarios 4. Futures market 5. Delphi 1 4/13/2011 Apprehending the futures

247 views • 12 slides
Business Impact Statement Clark County Business License Business Impact Statement Purpose

Business Impact Statement Clark County Business License Business Impact Statement Purpose

Jacqueline R. Holloway, Director Business Impact Statement Clark County Business License Business Impact Statement Purpose Allow for notification to a business during the early stages of a policy project Provides for the

567 views • 37 slides
Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route Hijacking~ Mar 1 2007 in APRICOT 2007 NTT Communications Corp. Taka Mizuguchi Tomoya Yoshida What s BGP Route Hijacking? s BGP Route

583 views • 40 slides
Domain Name System (DNS) Learning Goal Foundations of DNS Security in DNS: Integrity

Domain Name System (DNS) Learning Goal Foundations of DNS Security in DNS: Integrity

IN3210 Network Security Domain Name System (DNS) Learning Goal Foundations of DNS Security in DNS: Integrity and Authenticity Confidentiality 2 Foundations of DNS 3 Domain Name System Directory services for name

727 views • 51 slides
Think not lightly of good, saying, It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, It will not come to me. Drop by drop is the water pot filled. Likewise, the wise one, Gathering it little by little, Fills oneself with good. Dhammapada 9.122 Resilient Well-Being: Growing an

781 views • 59 slides
CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988

CS 557 Domain Name System Development of the Domain Name System Mockapetris and Dunlap, 1988 Impact of Configuration Errors on DNS Robustness V. Pappas, Z. Xu, S. Lu, D. Massey, A. Terzis, and L. Zhang, 2004 Spring 2013 The Story So Far .

481 views • 29 slides
Think not lightly of good, saying, "It will not come to me. Drop by drop is

Think not lightly of good, saying, "It will not come to me. Drop by drop is

Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot filled. Likewise, the wise one, gathering it little by little, fills oneself with good. Dhammapada 9.122 1

1.16k views • 88 slides
Think not lightly of good, saying, "It will not come to me. Drop by drop is

Think not lightly of good, saying, "It will not come to me. Drop by drop is

Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot filled. Likewise, the wise one, gathering it little by little, fills oneself with good. Dhammapada 9.122 1

934 views • 61 slides
CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall

CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall

CS 557 - Lecture 22 DNS Security DNS Security Introduction and Requirements, RFC 4033, 2005 Fall 2013 The Domain Name System Virtually every application uses Root the Domain Name System (DNS). DNS database maps: edu mil ru Name to

923 views • 47 slides
Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot filled. Likewise, the wise one, gathering it little by little, fills oneself with good. Dhammapada 9.122 1 Hardwiring Happiness: Weaving Love

988 views • 83 slides
Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot filled. Likewise, the wise one, gathering it little by little, fills oneself with good. Dhammapada 9.122 1 Positive Neuroplasticity Training:

1.51k views • 128 slides
Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot

Think not lightly of good, saying, "It will not come to me. Drop by drop is the water pot filled. Likewise, the wise one, gathering it little by little, fills oneself with good. Dhammapada 9.122 1 Positive Neuroplasticity Training:

1.87k views • 131 slides
More on ENUM National Information Technology Center National Information Technology Center ENUM

More on ENUM National Information Technology Center National Information Technology Center ENUM

3/9/2010 More on ENUM National Information Technology Center National Information Technology Center ENUM Task Force ENUM Classifications 2 3/9/2010 1 3/9/2010 ENUM Types Public

1.02k views • 16 slides
DNS: THE INTERNET'S WHITE PAGES Christopher J. Wells Redfin Solutions, LLC cwells (d.o.) / sceo

DNS: THE INTERNET'S WHITE PAGES Christopher J. Wells Redfin Solutions, LLC cwells (d.o.) / sceo

DNS: THE INTERNET'S WHITE PAGES Christopher J. Wells Redfin Solutions, LLC cwells (d.o.) / sceo (t, irc) http://redfinsolutions.com DOMAIN NAMES, REGISTRARS, AND ICANN OH MY! google.com redfinsolutions.net nerdsummit.org rfsdev.tk THE

580 views • 18 slides
Configuring Your Website Neil Morrissey @morrisseycode www.neilmorrissey.net s h s Web

Configuring Your Website Neil Morrissey @morrisseycode www.neilmorrissey.net s h s Web

Configuring Your Website Neil Morrissey @morrisseycode www.neilmorrissey.net s h s Web servers have default documents when no page is specified Naming convention - Index.html - Index.htm - Default.html - Index.php - Index.aspx Can be

381 views • 10 slides
Communication Systems DNS University of Freiburg Computer Science Computer Networks and

Communication Systems DNS University of Freiburg Computer Science Computer Networks and

Communication Systems DNS University of Freiburg Computer Science Computer Networks and Telematics Prof. Christian Schindelhauer What is DNS? Imagine: Try to remember the telephone numbers of your friends instead of their names

588 views • 48 slides
ELEC / COMP 177 Fall 2011 Some slides from Kurose

ELEC / COMP 177 Fall 2011 Some slides from Kurose

ELEC / COMP 177 Fall 2011 Some slides from Kurose and Ross, Computer Networking , 5 th Edition Homework #1 Due Thursday Submit PDF

809 views • 58 slides
Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel

Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel

Deploying DNSSEC: From End-Customer To Content March 28, 2013 www.internetsociety.org Our Panel Moderator: Dan York, Senior Content Strategist, Internet Society Panelists: Sanjeev Gupta, Principal Technical Architect, DCS1 Pte

432 views • 40 slides
FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari,

FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari,

Universit` a degli Studi di Milano Facolt` a di Scienze Matematiche, Fisiche e Naturali Dipartimento di Informatica e Comunicazione FluXOR: Detecting and Monitoring Fast-flux Service Networks Emanuele Passerini , Roberto Paleari, Lorenzo

741 views • 35 slides
Internet Lab (iLab1) Domain Name Sytem Dominik Scholz ilab1@net.in.tum.de Chair of Network

Internet Lab (iLab1) Domain Name Sytem Dominik Scholz ilab1@net.in.tum.de Chair of Network

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Internet Lab (iLab1) Domain Name Sytem Dominik Scholz ilab1@net.in.tum.de Chair of Network Architectures and Services Department of

1.01k views • 54 slides

More recommend