[HN Gopher] Expired web domains help criminal hackers unlock ent...
___________________________________________________________________
Expired web domains help criminal hackers unlock enterprise
defenses
Author : bhartzer
Score : 36 points
Date : 2021-12-16 18:04 UTC (4 hours ago)
(HTM) web link (portswigger.net)
(TXT) w3m dump (portswigger.net)
| onphonenow wrote:
| A while ago a major country health system (think millions of
| folks) REQUIRED that every provider install this horrendous Java
| system which only worked with IE, and only an OLD version of
| Java. This "electronic health record" system was beyond
| frustrating to use. Getting an account set up took weeks. You had
| a VPN to connect with (SSL) which had to be (slowly) provisioned
| for the user, then had to get user credentials. Think passwords
| that expire every 30 days with insane complexity.
|
| BUT! - The app loaded an expired .org domain in Internet
| Explorer by default (I think it was intended for announcements).
|
| So two things were true:
|
| Because of system requirements the computers were running OLD
| Windows and OLD Java (we all hated the Java upgrade nag). So huge
| security holes that had to be left unpatched! We had to have
| special machines for this craptastic stuff.
|
| AND they loaded, by default, a website that anyone could have
| registered!
|
| After a frustrating day dealing with this expensive stupidity, I
| was tempted to register the domain with a message that said -
| this system is a waste of money. :)
| fencepost wrote:
| Much safer to contact a white hat you know in another country,
| or someone like Brian Krebs.
| throw0101a wrote:
| One of the details of iSCSI is that the iSCSI Qualified Name
| (IQN) has a date stamp. So if you own the domain _example.com_, in
| your connection string you would have:
|
| * "iqn"
|
| * date (yyyy-mm) that the naming authority took ownership of the
| domain
|
| * reversed domain name of the authority, e.g., "com.example"
|
| See:
|
| * https://en.wikipedia.org/wiki/ISCSI#Addressing
|
| * https://datatracker.ietf.org/doc/html/rfc3720#section-3.2.6....
|
| This way if the 'naming authority' (example.com) changes hands,
| the old connection handle is invalidated.
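The IQN layout described in the comment above, as an added example (not code from the thread or from any iSCSI implementation): a small parser for `iqn.<yyyy-mm>.<reversed-domain>[:<name>]` plus an initiator allow-list check that keys on the naming authority *and* its date, so an initiator named by whoever registers the domain later does not match the original owner's entries. The allow-list contents and host names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Layout from RFC 3720 section 3.2.6.3.1: "iqn." + yyyy-mm + "." + reversed
# domain of the naming authority, optionally ":" + a name chosen by that authority.
IQN_RE = re.compile(
    r"^iqn\.(?P<year>\d{4})-(?P<month>0[1-9]|1[0-2])"
    r"\.(?P<authority>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"
    r"(?::(?P<name>\S+))?$"
)

@dataclass(frozen=True)
class IQN:
    year: int
    month: int
    authority: str            # reversed domain as written, e.g. "com.example"
    name: Optional[str]       # the part after ":", if any

    @property
    def domain(self) -> str:
        """Un-reverse the authority labels: 'com.example' -> 'example.com'."""
        return ".".join(reversed(self.authority.lower().split(".")))

    @property
    def authority_key(self) -> Tuple[str, int, int]:
        """Domain plus the month it was acquired: what identifies the authority."""
        return (self.domain, self.year, self.month)

def parse_iqn(text: str) -> IQN:
    m = IQN_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a well-formed IQN: {text!r}")
    return IQN(int(m["year"]), int(m["month"]), m["authority"], m["name"])

def same_naming_authority(a: str, b: str) -> bool:
    """True only if both IQNs name the same domain acquired in the same month."""
    return parse_iqn(a).authority_key == parse_iqn(b).authority_key

# Constructed allow-list: the target trusts initiators named by the owner who
# registered example.com in 2001-04.  A later registrant of the same domain
# must use its own acquisition date, so its IQNs never carry this key.
ALLOWED_AUTHORITIES: Set[Tuple[str, int, int]] = {("example.com", 2001, 4)}

def is_authorized(initiator_iqn: str,
                  allowed: Set[Tuple[str, int, int]] = ALLOWED_AUTHORITIES) -> bool:
    """Malformed names and non-iqn formats (e.g. eui.) are rejected outright."""
    try:
        return parse_iqn(initiator_iqn).authority_key in allowed
    except ValueError:
        return False
```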
| morpheuskafka wrote:
| One time I created a virtual machine on some cloud platform and
| after checking the traffic logs, found out that Coke had some
| random disused subdomain pointing to my new IP that was still
| getting traffic daily.
|
| Does anyone here have an idea of how common this kind of mistake
| is? Would it be a viable strategy for an attacker to just iterate
| through VMs on a common service like AWS until one happens to get
| traffic on an interesting domain?
| rhtgrg wrote:
| I recall seeing something similar happening with subdomains and
| S3 [0] not too long ago, albeit that issue didn't involve DNS.
|
| [0] https://news.ycombinator.com/item?id=28351432
| [deleted]
| kingcharles wrote:
| Also, don't let your mobile phone number expire and someone else
| get it.
|
| I can log in to the previous owner's TikTok account with just his
| number.
|
| I signed up for a food delivery service two days ago and it
| autofilled all the details with his full name and address for me.
|
| How many other sites let you log in with just a phone number?
| Asking for a friend...
| mrweasel wrote:
| > How many other sites let you log in with just a phone number?
| Asking for a friend...
|
| We considered it when I worked for an e-commerce site years
| ago. We opted not to because of the privacy issues.
|
| Well not logging in, but auto-filling the address.
| jhoelzel wrote:
| See, this is why I own like 30 domains and do not get rid of them
| ;)
|
| The excuse that, somewhere there is a hacker group, who has a
| list of all social media accounts from various leaks aggregated,
| realises that my domain expires and executes automatic hacking
| attempts against my accounts, is now my new favourite bedtime
| story to scare kids ;)
|
| But really, what would the alternative be? Sell them only to
| people "I trust"? That can't be healthy.
|
| I guess the only right thing to do here is to extend your domain,
| host a page which clearly states "this page will be unavailable
| in the future" and when Google traffic has dropped to 0, let's say
| a year later, you can set it free?
|
| As for account claiming with expired domains: there are so many
| reasons why that account should have a new email by then or be
| closed entirely.
| dgeiser13 wrote:
| "In the future no one will need more than 30 domain names." ~
| Bill Gates, 1993
| 1-6 wrote:
| In the future, you'll have a generation of computer
| illiterate adults who rely on the computer literate to
| survive.
| kingcharles wrote:
| An interesting one. Before I went (unexpectedly) to jail, I ran a
| successful mortgage web site.
|
| While I was in jail the domain lapsed. I browsed to the domain
| the other day to see who bought it (I'd been offered $80K for it
| just before I got locked up) and was shocked to find the site
| exactly as I'd left it.
|
| Whoever bought the domain also fished the whole site out of
| archive.org and carefully reconstructed it, leaving only one
| small error in the HTML.
| echelon wrote:
| That's a really interesting story. Can you elaborate more? Have
| you tried to reach out to the owner?
| Puts wrote:
| Companies should really stop collecting domains like Pokémon cards.
| Not only are abandoned domains at risk of being hijacked, either by
| the fact that the whole domain expires or that you have records
| pointing at servers no longer in your control. But also you are
| teaching your customers to click on phishing links, because
| apparently the e-mails you send out to customers contain a new
| domain every time.
|
| Also, a general tip is to treat all domains and subdomains as
| information assets within your ISMS. Meaning they should have an
| explicitly assigned responsible owner within the organization.
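An added example (not from the thread) covering both the disused-subdomain-to-someone-else's-IP situation described by morpheuskafka above and the "every name has a responsible owner" point in this comment: a zone audit that flags A/AAAA records pointing outside the organisation's current address inventory, CNAMEs to names it does not control, and names missing from the asset register. The zone, address ranges, controlled targets and owner mapping are all constructed sample data.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

Record = Tuple[str, str, str]   # (owner name, record type, rdata), zone-file style

def _norm(name: str) -> str:
    """Strip the trailing dot and lowercase, so 'Foo.Example.com.' == 'foo.example.com'."""
    return name.rstrip(".").lower()

def audit_zone(zone: Iterable[Record], owned_nets: Iterable[str],
               controlled_targets: Set[str],
               asset_owners: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, issue) pairs a defender should review before someone else does."""
    nets = [ipaddress.ip_network(n) for n in owned_nets]
    findings: List[Tuple[str, str]] = []
    for raw_name, rtype, rdata in zone:
        name = _norm(raw_name)
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)
            # An address we no longer hold can be reallocated to any cloud tenant.
            if not any(ip in net for net in nets):
                findings.append((name, f"points at {rdata}, not in current address inventory"))
        elif rtype == "CNAME":
            target = _norm(rdata)
            # A target under a lapsed or third-party domain is a takeover candidate.
            if not any(target == t or target.endswith("." + t) for t in controlled_targets):
                findings.append((name, f"CNAME to {target}, not a controlled name"))
        if name not in asset_owners:
            findings.append((name, "no responsible owner in asset register"))
    return findings

# Constructed sample data: one healthy record, one stale A record left behind
# after a VM was released, one SaaS CNAME that is still controlled, and one
# CNAME to a campaign domain that was allowed to expire.
ZONE: List[Record] = [
    ("www.example.com.",       "A",     "203.0.113.10"),
    ("promo2016.example.com.", "A",     "198.51.100.77"),
    ("shop.example.com.",      "CNAME", "tenant-1234.saas-provider.example."),
    ("blog.example.com.",      "CNAME", "old-campaign-site.example."),
]
OWNED_NETS = ["203.0.113.0/24"]
CONTROLLED_TARGETS = {"example.com", "tenant-1234.saas-provider.example"}
ASSET_OWNERS = {"www.example.com": "web-team", "shop.example.com": "ecommerce",
                "blog.example.com": "marketing"}

def run_sample() -> List[Tuple[str, str]]:
    return audit_zone(ZONE, OWNED_NETS, CONTROLLED_TARGETS, ASSET_OWNERS)
```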
| ryan29 wrote:
| > But also you are teaching your customers to click on
| phishing-links, because apparently the e-mails you send out to
| customers contain a new domain every time.
|
| I've noticed government departments have become bad for this in
| Canada. It's crazy. Who runs these sites?
| https://www.ehealthontario.ca
| https://ehealthontario.on.ca
|
| A long time ago everything used to be split provincially and
| you could register private domains under the `.on.ca` namespace
| [1], so there's not a _guarantee_ a `.on.ca` site is a
| government website AFAIK.
|
| I don't understand the aversion to subdomains. Assuming the
| government owns `canada.ca`, I'd rather see things like:
| ehealth.on.canada.ca ehealth.bc.canada.ca
|
| That makes it easier to determine if a website is government
| run or not by looking at the URL.
|
| Also, all the government websites use super expensive OV TLS
| certificates. I don't get that either.
|
| 1. https://en.wikipedia.org/wiki/.ca#Third-
| level_(provincial)_a...
| jcrawfordor wrote:
| This was a very popular concept in the early days of public
| DNS, and standardized to a degree in RFC 1480. E.g. in the US
| there were extensive "designated structures" under the .us
| ccTLD. For example, Portland's Franklin High School had been
| franklin.pps.k12.or.us, but now it's pps.net/franklin. Less
| common were the designated structures for state governments
| and agencies---it has always been newmexico.gov, not
| state.nm.us as Postel had once dictated, but more annoyingly
| santafecountynm.gov rather than co.santafe.nm.us (it is
| unclear, bureaucratically, how exactly this would interact
| with ci.santafe.nm.us which is also designated).
|
| Ultimately everyone hated those k12.<state>.us domains
| though. I've heard many people describe them as annoying,
| ugly, old fashioned, etc. The simple reality is that the
| _massive_ dominance of the .com gTLD basically established
| second-level domains as a prestige point if not a basic
| requirement for a modern website. This is the same effect
| that led to a police department using the wonderfully '90s
| domain name "apdonline.com". You know a website's good when
| it tells you it's on the internet, in the name.
|
| The situation would perhaps be different if the federal
| government had ever made any serious moves towards using the
| proposed .fed.us instead of .gov. And perhaps also if "bare"
| second-level names had been less problematic and not led to
| universal use of www, which led many consumers to view "www"
| as some sort of universal prefix like http:// and not as an
| actual particle of the name which could adopt other values. A
| common practical problem with subdomains today is a tendency
| of users to stick www. on the beginning, even if it's a third
| or lower level name, which people with a deeper understanding
| of the system usually don't expect or account for. Both of
| these factors sort of discouraged any real understanding of
| DNS as hierarchical.
|
| But as is, consumers seem to strongly associate third-level
| and lower domain names as being some combination of sketchy
| and inconvenient.
|
| Probably part of it too is that as much as Jon Postel loved
| the two-letter abbreviations, I don't think anyone else
| really did... "ci" instead of "city" does not really seem
| like that worthwhile of an economy.
___________________________________________________________________
(page generated 2021-12-16 23:01 UTC)