Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

The Problem With Abandoned Domains


The very nature of today's internet allows for the mostly peaceful transfer of domains and IP addresses between organizations.  Unregistered and expired domains can be snapped up for the right price, often to much hilarity and high jinks.  The dynamic nature of internet domains also leaves them open to abuse by bad actors.  Man in the Middle (MitM), domain hijacking, and Denial of Service (DoS) attacks are just a few common abuses of abandoned domains.  Legitimate organizations can do everything in their power to prevent such abuses, but the way domains are maintained and transferred will never allow this problem to go away.  For example, there may come a day when I will want or need to abandon my domain www.chrislouie.net.  I can responsibly post on my website and contact readers to say that I will no longer use this domain.  Unless I pay for the domain registration in perpetuity, there is nothing preventing someone else from registering the domain and impersonating me.  This was exactly the case for a company that created a Twitter add-on.

NewShareCounts[.]com (NSC) closed its doors and shut down this past summer.  NSC provided a third-party add-on to Twitter that allowed its users to see exactly how many times their webpages had been shared on Twitter.  In an age where the total number of social shares equates to credibility and legitimacy, it’s reasonable to think that website owners would embed code that easily allowed these statistics to be tracked.  Users of NSC simply added a code snippet which points to NSC’s AWS S3 bucket.  That code snippet called JavaScript from newsharecounts[.]com to count and display the shares, and with them the perceived legitimacy.  After deciding to no longer offer this service, NSC responsibly notified all of its users and posted a notice on its website that its scripts would cease operating and should be removed.  At least 800 of NSC’s users and customers did not receive or ignored this memo and still have the code embedded on their webpages.

Earlier this month, the domain registration for newsharecounts[.]com expired and a clever attacker immediately registered it.  The attacker then created an Amazon S3 bucket with the same name as the original script, and replaced the legitimate script with malicious JavaScript used for malicious advertising (malvertising).  NSC’s former customers who did not remove the embedded code are still loading the old script and are serving up malicious JavaScript to their users and visitors.  Loading third-party code/scripts on webpages carries the risk of that organization’s domain being abandoned, spoofed, or hijacked, and opens an additional attack vector.
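One way a site owner can inventory the third-party script dependencies described above, as an added example that is not code from the original post: it parses a page's HTML, lists every external script host, and flags scripts that carry no Subresource Integrity (SRI) hash, a mitigation the post itself does not discuss. The sample page and hostnames are constructed for the demo.

```python
"""Audit a page's <script src> tags for third-party hosts (added example).

A script loaded from another organization's domain without an SRI hash is
whatever that domain serves today; if the domain changes hands, as
newsharecounts[.]com did, the replacement script loads just as silently.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one third-party script
# pinned with an SRI hash, and one third-party script without (the risky case).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/lib.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://newsharecounts.test/widget.js"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))


def audit_scripts(html, site_host):
    """Return (host, src, has_sri) for each script not served by site_host.

    Relative URLs are first-party and skipped; everything else is code
    the page trusts another organization to keep serving honestly.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).hostname
        if host is None or host == site_host:
            continue
        findings.append((host, src, integrity is not None))
    return findings


def risky_hosts(html, site_host):
    """Third-party hosts whose scripts have no SRI hash, sorted."""
    return sorted({h for h, _, sri in audit_scripts(html, site_host) if not sri})
```

An SRI hash makes a replaced script fail to load rather than run, but it also breaks when the legitimate provider updates the script, so it only suits dependencies whose content you can re-pin deliberately.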


There is a widespread disconnect between SSL certificate validity and domain registration.  I would be within my rights to purchase a three year SSL certificate for www.chrislouie.net from any trusted certificate authority.  The CA only requires that I own the domain at the time of certificate purchase.  One year after purchasing the certificate, I could let the domain registration lapse and wait for someone else to register my former domain.  This presents a problem for the new owner, since I will still hold a valid SSL certificate for their newly acquired domain.

Security researchers at DefCon presented findings, obtained through Certificate Transparency (CT) logs, that over a quarter of the valid registered domains they examined (3 million domains and 7.7 million certificates) have existing SSL certificates issued to the domain’s previous registrant.  The first exploitable attack is a Man in the Middle attack, where the holder of a legitimate and valid, but previously issued, SSL certificate can decrypt traffic to and from the new domain owner.  An attacker could replace the SSL certificate on the new website or redirect traffic to a rogue server using DNS hijacking or poisoning.  The end user would still see a legitimate SSL certificate and no alarms would be raised.

The second exploitable attack is a denial of service, when a new domain owner registers a previously registered domain in the Subject Alternative Name (SAN) field of an SSL certificate.  If the previous legitimate owner of the domain still holds a valid SSL certificate, it is possible to revoke the new SSL certificate that contains the domain in the SAN field.  Revoking the SSL certificate of a legitimate website could cause problems by creating certificate warnings and breaking applications that require SSL encrypted connections.  In industries where every minute of downtime could cost hundreds of thousands of dollars, a denial of service could be quite disastrous.
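The stale-certificate condition behind both attacks above, as an added example that is neither the post's nor the DefCon researchers' code: a certificate that names the domain (directly or in its SAN list), began its validity before the current registrant acquired the domain, and has not yet expired was issued to a previous owner. It assumes CT entries reduced to serial, SAN names and validity window, plus a per-domain acquisition date; all values are constructed.

```python
"""Flag certificates issued to a previous registrant (added example)."""
from datetime import date

# Constructed: date on which the current registrant acquired each domain.
CURRENT_REGISTRATION = {
    "newsharecounts.test": date(2018, 10, 1),
    "chrislouie.test": date(2015, 3, 12),
}

# Constructed CT log entries: (serial, SAN names, not_before, not_after).
CT_ENTRIES = [
    ("01", ["newsharecounts.test", "www.newsharecounts.test"],
     date(2017, 6, 1), date(2020, 6, 1)),      # old owner, still valid: stale
    ("02", ["newsharecounts.test"],
     date(2018, 10, 2), date(2019, 10, 2)),    # issued to the new owner
    ("03", ["chrislouie.test", "www.chrislouie.test"],
     date(2016, 1, 1), date(2019, 1, 1)),      # same registrant throughout
    ("04", ["newsharecounts.test"],
     date(2016, 1, 1), date(2017, 1, 1)),      # old owner, but already expired
]


def san_covers(sans, domain):
    """True if the SAN list names domain itself or a label under it."""
    return any(n == domain or n.endswith("." + domain) for n in sans)


def stale_certificates(domain, entries, registrations, today):
    """Serials of certificates that predate the current registration of
    domain and are still valid on `today`: the previous owner holds them."""
    acquired = registrations[domain]
    return [
        serial
        for serial, sans, not_before, not_after in entries
        if san_covers(sans, domain)
        and not_before < acquired
        and not_before <= today <= not_after
    ]


if __name__ == "__main__":
    for d in CURRENT_REGISTRATION:
        print(d, stale_certificates(d, CT_ENTRIES, CURRENT_REGISTRATION, date(2018, 11, 1)))
```

The check is only as good as the acquisition date: a WHOIS record whose creation date was not reset on re-registration will hide the gap.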


There are rules meant to prevent this SSL certificate overlap: when a domain expires, the issuing certificate authority must revoke the SSL certificate within 24 hours.  Like OCSP, this system is terribly broken due to a lack of standards and poor implementation.  Instead, it becomes necessary to adopt a zero-trust approach in which all web traffic is considered malicious, even if it comes from a reputable source.  Even after a reputable website becomes compromised, hijacked, or abandoned, zero-trust security solutions will continue scanning every byte of data to ensure nothing malicious gets into the organization.
