impact of domain name drop-catching on business security - PowerPoint PPT Presentation

  1. impact of domain name drop-catching on business security
     Research carried out by:
     ● Kirils Solovjovs
     ● Mārtiņš Rozenbergs
     ● Toms Liepājnieks

  2. relevance
     ● When was the last time your non-IT friend typed something
       – like this 172.217.18.78 ?
       – or this 2a00:1450:4016:809::200e ?
     ● Yep, 100% − ε of non-malicious connections start with a DNS request
     #BalCCon2k18 http://kirils.org @KirilsSolovjovs

  3. domain expiration
     ● Most domains aren’t free
     ● Negligence:
       – forgot to renew
       – credit card expired
     ● Abandonment:
       – project is over
       – company merger
       – court order

  4. research scope
     ● What attack vectors can be observed in real life?
     ● mid-2018
     ● .lv ccTLD
       – including IDN
     ● ftp, ssh, telnet, smtp, dns, http, pop3, imap, https, rdp, vnc
     ● quantitative and qualitative methods
     ● no phishing
     ● no active attacks

  5. literature review
     ● C. Healey. Domain tasting is taking over the internet as a result of ICANN’s “Add Grace Period”, 2007
     ● S. Hao, M. Thomas, V. Paxson, N. Feamster, C. Kreibich, C. Grier, S. Hollenbeck. Understanding the domain registration behavior of spammers, 2013
     ● G. Szathmari. Hacking law firms with abandoned domain names, 2018

  6. terminology
     ● Drop-catching – re-registering a freshly expired domain name
     ● Domain back-orders
       – many registrars offer a service to catch the domain
       – some registries (.ru, .pl, ...) cooperate on that service
     ● Domain tasting – registering a domain name for the add-grace period

  7. gTLD life-cycle

  8. .lv ccTLD life-cycle

  9. enough theory; let’s dig in!

  10. challenges
      ● 180 domains on 1 IP
      ● Lots of scanners and other bad guys
      ● Bots vs humans

  11. tools
      ● custom DNS server based on twisted + custom dns api
      ● netfilter
      ● apache
      ● a bunch of honeypots:
        – custom PHP honeypot
        – mailoney, netwatch, imap-honey, malbait, RDPY, vnclowpot
      ● acme.sh
      ● custom .sh & .py

  12. methodology/setup
      ● Register recently expired domains that:
        – have search engine presence
        – relate to an existing company/person
        – are typos of popular domains
      ● Request SSL certificate for those domains ASAP

  13. methodology/analysis
      ● Link DNS request logs with other request logs
        – heuristics: timing + AS
      ● Detect bots (web)
      ● Detect network scanners and bruteforcers
      ● Look at the remaining data in detail
        – qualitative analysis on e-mails and web requests
        – quantitative analysis on other protocols
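The "timing + AS" heuristic on the slide above, written out as an added example (this is not the authors' tooling). The idea is that the DNS query for a drop-caught domain usually arrives from the client's recursive resolver, not from the client itself, so the two log streams cannot be joined on IP address; instead an HTTP request is linked to a DNS query for the same name that came from the same autonomous system shortly before. The log formats, the IP-prefix-to-ASN table and the log lines are constructed for illustration; a real setup would look ASNs up in a BGP or GeoIP dataset.

```python
"""Link DNS query logs to HTTP request logs by (same name, same AS, timing window).
Added example; log formats, AS table and sample lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed prefix -> ASN table standing in for a real BGP/GeoIP lookup.
AS_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), 64500),
    (ipaddress.ip_network("198.51.100.0/24"), 64501),
    (ipaddress.ip_network("192.0.2.0/24"), 64502),
]

# Constructed DNS log: "<iso time> <client ip> <qname> <qtype>"
DNS_LOG = """\
2018-06-01T10:00:01 203.0.113.10 example-expired.lv A
2018-06-01T10:00:02 203.0.113.10 example-expired.lv AAAA
2018-06-01T10:00:05 198.51.100.7 example-expired.lv A
2018-06-01T10:00:09 192.0.2.44 shop-typo.lv A
"""

# Constructed HTTP log: "<iso time> <client ip> <host> <method> <path> <user agent>"
HTTP_LOG = """\
2018-06-01T10:00:03 203.0.113.20 example-expired.lv GET /wp-cron.php WordPress/4.9
2018-06-01T10:00:06 198.51.100.9 example-expired.lv GET / Mozilla/5.0
2018-06-01T10:01:30 192.0.2.44 shop-typo.lv GET / curl/7.58
2018-06-01T10:00:07 192.0.2.44 example-expired.lv GET /phpmyadmin/ zgrab
"""


@dataclass
class DnsQuery:
    ts: datetime
    client: str
    qname: str
    qtype: str


@dataclass
class HttpRequest:
    ts: datetime
    client: str
    host: str
    method: str
    path: str
    user_agent: str


def asn_for(ip: str):
    """Longest-match is unnecessary here because the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, asn in AS_TABLE:
        if addr in net:
            return asn
    return None


def parse_dns(text: str):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            out.append(DnsQuery(datetime.fromisoformat(ts), client, qname.lower(), qtype))
    return out


def parse_http(text: str):
    out = []
    for line in text.splitlines():
        if line.strip():
            # maxsplit keeps a user agent containing spaces in one field
            ts, client, host, method, path, ua = line.split(maxsplit=5)
            out.append(HttpRequest(datetime.fromisoformat(ts), client, host.lower(), method, path, ua))
    return out


def link_requests(dns, http, window_seconds=60):
    """For each HTTP request, collect DNS queries for the same name that came
    from the same AS within the preceding window. Requests with no such query
    are typical of scanners that spray Host headers at an IP without resolving."""
    window = timedelta(seconds=window_seconds)
    results = []
    for req in http:
        asn = asn_for(req.client)
        matches = [
            q for q in dns
            if q.qname == req.host
            and asn is not None and asn_for(q.client) == asn
            and req.ts - window <= q.ts <= req.ts
        ]
        results.append({"request": req, "linked_dns": matches, "linked": bool(matches)})
    return results


def summarize(results):
    counts = {"linked": 0, "unlinked": 0}
    for r in results:
        counts["linked" if r["linked"] else "unlinked"] += 1
    return counts


if __name__ == "__main__":
    linked = link_requests(parse_dns(DNS_LOG), parse_http(HTTP_LOG))
    for r in linked:
        print(r["request"].client, r["request"].host, r["request"].path,
              "linked" if r["linked"] else "NO DNS", r["request"].user_agent)
    print(summarize(linked))
```

The window is the knob to tune: with the constructed data the `curl` request for `shop-typo.lv` arrives 81 seconds after the only matching query, so a 60-second window leaves it unlinked while a 120-second window links it. Resolver caching means genuine clients can also miss the window, so the unlinked set is a starting point for the bot and scanner detection steps, not a verdict.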

  14. yeah, yeah, yeah, but have you got any data?

  15. domains registered

  16. dns/requests (weighted)

  17. dns/record_types

  18. dns/subdomains

  19. dns/subdomains/record_types

  20. dns/avg_req_by_length (weighted)

  21. dns/countries

  22. ftp/top10
      Username:            Password:
       1) ** lol :p **      1) 1q2w3e4r
       2) changeme          2) test
       3) webmaster         3) admin
       4) admin             4) 123456
       5) root              5) 1q2w3e
       6) test              6) 12345
       7) clearvision       7) test123
       8) ubuntu            8) qwerty
       9) nagios            9) q1w2e3
      10) ftpuser          10) 1234

  23. ssh/top10
      Username:            Password:
       1) root              1) 123456
       2) admin             2) password
       3) test              3) 12345
       4) user              4) 1234
       5) support           5) 123
       6) ubnt              6) admin
       7) oracle            7) test
       8) ubuntu            8) wubao
       9) postgres          9) 1
      10) adm              10) root

  24. telnet/top10
      Username:            Password:
       1) root              1) 1234
       2) admin             2) admin
       3) guest             3) 12345
       4) supervisor        4) password
       5) default           5) 123456
       6) support           6) 7ujMko0admin
       7) user              7) 5up
       8) ubnt              8) 888888
       9) Administrator     9) aquario
      10) 888888           10) 54321

  25. mail/open_relay_attempts

  26. web/requests

  27. enough of looking at bad guys; from now on — only legit data

  28. web/protocols

  29. web/methods

  30. web/referrers

  31. web/cookies lrn2cookie plz

  32. web/subdomains

  33. web/countries

  34. mail/sender_domains/attachments

  35. mail/attachment_types

  36. mail/sender_domains/attachment_types

  37. I think it’s about enough of this; let’s look at some qualitative data

  38. a torrent tracker

  39. cron requests from abandoned wordpress instances

  40. embedded HTML elements from .gov.lv

  41. inter-connector of e-government systems

  42. notifications from a social network

  43. notification from a latvian social network

  44. notification from a belgian social network

  45. group reservation for a hotel

  46. e-mail from a lawyer

  47. message from state revenue service

  48. flight reservation

  49. bill with a lot of private data

  50. telecommunications bill

  51. electronically signed letter from the government

  52. officially binding electronically signed government decision

  53. GPS tracking alert on a car

  54. full bank statement

  55. sensitive health documents (encrypted)

  56. occupational health check-up sheet

  57. damn, that was intense! let’s wrap up & chill out

  58. abandoner risks
      ● Previous owner endangers:
        – their clients and business partners
        – employees who’ve used e-mails for personal accounts
          ● via password reset
        – banking, insurance and sensitive health information

  59. attacker benefits
      ● Attackers may gain control over:
        – commercial secrets
        – old installations of your website
        – government systems
        – information about passwords of the users
          ● via breach notification sites
        – SSL certificates for the future website

  60. what can you do
      ● Use 2FA
      ● Pay for your damn domains
      ● If not, then:
        – notify everybody — partners, employees, and third parties using your API
        – remove old e-mail addresses from online accounts
      ● Check for suspicious behavior of mail servers; blacklist them
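The "pay for your damn domains" and "notify everybody / remove old e-mail addresses" advice of the slide above, turned into a check a defender can run over their own inventory. This is an added example, not the authors' tooling: it takes a list of references the organisation still has in circulation (employee e-mail addresses used for accounts, partner API endpoints, cron targets, embedded assets) and a list of domains the organisation actually holds with their expiry dates, then reports references to domains that are not held (so the holder must be verified and the reference cleaned up before a drop-catcher inherits it) and held domains whose registration lapses within the renewal window. The inventory, the references and the multi-label suffix shortlist are constructed; a real check should load the full Public Suffix List so that names like `.gov.lv` are split correctly.

```python
"""Domain inventory audit for abandoned references and imminent expiries.
Added example; inventory, references and suffix shortlist are constructed."""
from datetime import date
from urllib.parse import urlparse

# Constructed shortlist of multi-label public suffixes; use the real PSL in practice.
MULTI_LABEL_SUFFIXES = {"gov.lv", "com.lv", "edu.lv", "co.uk"}

# Constructed inventory: domain -> registration expiry date
INVENTORY = {
    "example-corp.lv": date(2018, 9, 1),
    "shop-typo.lv": date(2018, 7, 15),
}

# Constructed references still pointing at domains (from account exports, configs, HTML)
REFERENCES = [
    "anna@oldproject-example.lv",                       # employee account e-mail
    "https://api.oldproject-example.lv/v1/hook",        # partner API endpoint
    "mailto:support@example-corp.lv",
    "https://www.shop-typo.lv/",
    "cron.oldproject-example.lv",                       # cron target on an old server
    "https://www.registry-example.gov.lv/widget.js",   # embedded third-party asset
]

TODAY = date(2018, 7, 1)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to the name that is actually registered:
    cron.oldproject-example.lv -> oldproject-example.lv, www.x.gov.lv -> x.gov.lv."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def domain_of_reference(ref: str) -> str:
    """Extract the registrable domain from an e-mail address, a mailto: or
    http(s) URL, or a bare hostname."""
    ref = ref.strip()
    if ref.lower().startswith("mailto:"):
        ref = ref[len("mailto:"):]
    if "://" in ref:
        host = urlparse(ref).hostname or ""
    elif "@" in ref:
        host = ref.rsplit("@", 1)[1]
    else:
        host = ref
    return registrable_domain(host)


def audit(references, inventory, today, renew_within_days=30):
    """Return references to domains not in the inventory (grouped by domain, so
    each group is one notification/cleanup task), held domains expiring within
    the renewal window (days left), and held domains that are fine."""
    held = {registrable_domain(d): exp for d, exp in inventory.items()}
    report = {"not_held": {}, "expiring": {}, "ok": []}
    for ref in references:
        dom = domain_of_reference(ref)
        if dom not in held:
            report["not_held"].setdefault(dom, []).append(ref)
    for dom, exp in sorted(held.items()):
        days_left = (exp - today).days
        if days_left <= renew_within_days:
            report["expiring"][dom] = days_left
        else:
            report["ok"].append(dom)
    return report


if __name__ == "__main__":
    result = audit(REFERENCES, INVENTORY, TODAY)
    for dom, refs in result["not_held"].items():
        print(f"NOT HELD  {dom}: verify holder, then fix {len(refs)} reference(s): {refs}")
    for dom, days in result["expiring"].items():
        print(f"RENEW NOW {dom}: expires in {days} day(s)")
    for dom in result["ok"]:
        print(f"ok        {dom}")
```

Each group under `not_held` maps directly to the slide's remediation list: the e-mail address goes off the online accounts it was used for, the API endpoint is a partner to notify, and the cron target is the old installation to shut down. Run it against the output of whatever holds your registrations (registrar export, RDAP) rather than a hand-typed dict, and keep `TODAY` as `date.today()` in production; it is fixed here so the example is reproducible.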

  61. further work
      ● Gather a larger, more representative data set
      ● Practically verify the following attack scenarios:
        – Use AGP to request SSL certificates valid for as long as possible
          ● mitm connection to the domain after it’s been re-registered
          ● write an advisory, if needed
        – Locate and access the old server by looking at cron-like requests
        – Register breach notification alerts for a domain and wait

  62. impact of domain name drop-catching on business security visit for more goodies #BalCCon2k18 http://kirils.org @KirilsSolovjovs
