txting 101 finding security issues in the long tail of
play

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT - PowerPoint PPT Presentation

Jul 02, 2023 •513 likes •1.04k views

TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records O. van der Toorn 1 R. van Rijswijk-Deij 1 T. Fiebig 2 M. Lindorfer 3 A. Sperotto 1 2020-08-21 1 University of Twente, 2 TU Delft, and 3 TU Wien DNS TXT Records 1 DNS TXT

  1. TXTing 101: Finding Security Issues in the Long Tail of DNS TXT Records O. van der Toorn 1 R. van Rijswijk-Deij 1 T. Fiebig 2 M. Lindorfer 3 A. Sperotto 1 2020-08-21 1 University of Twente, 2 TU Delft, and 3 TU Wien

  2. DNS TXT Records 1

  3. DNS TXT Records 2 dig -t TXT 1.adventure.splode.com Contact details tide-project.nl o.i.vandertoorn@utwente.nl

  4. Outline Background Evolution of TXT records Undefjned Purpose Mistakes with a Security Implication Malicious Use Cases Takeaways 3

  5. Background

  6. Background: DNS TXT records • Allows for a subtle way to add functionality. • RFC1464 tries to add structure by defjning a key-value store. • RFC5507 discouraged TXT for new expansions. • Common uses of TXT records are: SPF, DKIM and DMARC. 4

  7. Background: DNS TXT records • Allows for a subtle way to add functionality. • RFC1464 tries to add structure by defjning a key-value store. • RFC5507 discouraged TXT for new expansions. • Common uses of TXT records are: SPF, DKIM and DMARC. 4

  8. Background: DNS TXT records • Allows for a subtle way to add functionality. • RFC1464 tries to add structure by defjning a key-value store. • RFC5507 discouraged TXT for new expansions. • Common uses of TXT records are: SPF, DKIM and DMARC. 4

  9. Background: DNS TXT records • Allows for a subtle way to add functionality. • RFC1464 tries to add structure by defjning a key-value store. • RFC5507 discouraged TXT for new expansions. • Common uses of TXT records are: SPF, DKIM and DMARC. 4

  10. 10 11 records). Dataset: OpenINTEL OpenINTEL an active DNS measurement platform. • 236 millon domains measured on a daily basis. • TXT records between 2015 and 2018 (1 2 5

  11. 10 11 records). Dataset: OpenINTEL OpenINTEL an active DNS measurement platform. • 236 millon domains measured on a daily basis. • TXT records between 2015 and 2018 (1 2 5

  12. Dataset: OpenINTEL OpenINTEL an active DNS measurement platform. • 236 millon domains measured on a daily basis. 5 • TXT records between 2015 and 2018 (1 . 2 × 10 11 records).

  13. Evolution of TXT records

  14. 6 Growth 200% Growth (%) 150% 100% 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date Domains

  15. Growth 6 200% Growth (%) 150% 100% 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date TXT records Domains

  16. TXT Records 7 80 M TXT records Number of 60 M 40 M 20 M 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date Email Miscellaneous Patterns Verification Encoded Other

  17. Other TXT Records 8 1 M TXT records Number of 500 k 0 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07 Date Malicious Unclassified Undefined Purpose Mistakes

  18. Undefjned Purpose

  19. • Single Character TXT records Undefjned Purpose Type of records in this category: • Base 64 Encoded MX Records • Empty, or executable references 9

  20. • Single Character TXT records Undefjned Purpose Type of records in this category: • Base 64 Encoded MX Records • Empty, or executable references 9

  21. Undefjned Purpose Type of records in this category: • Base 64 Encoded MX Records • Empty, or executable references • Single Character TXT records 9

  22. Single Character Records wtmc@localhost:~$ dig -t TXT single_char.example.org single_char.example.org. 3600 IN TXT "@" 10

  23. Single Character Records 11 "~" "0" "@" records (log) Number of 1 M 1 k 1 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07

  24. Origin Tilde Character Records 12 40034 19905 13335 records (log) Number of 1 M 1 k 1 2015-10 2016-03 2016-08 2017-01 2017-06 2017-11 2018-04 2018-09

  25. Single Character Records • Might be used to identify domains • Does not have a security impact 13

  26. Single Character Records • Might be used to identify domains • Does not have a security impact 13

  27. Mistakes with a Security Implication

  28. • Public and Private Keys Mistakes with a Security Implication Type of records in this category: • Certifjcates 14

  29. Mistakes with a Security Implication Type of records in this category: • Certifjcates 14 • Public and Private Keys

  30. Public and Private Keys wtmc@localhost:~$ dig -t TXT key.example.org key.example.org. 3600 IN TXT "-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+ H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZK jeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u 09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB -----END PUBLIC KEY-----" 15

  31. Public and Private Keys 16 total public 120 private Number of records 100 80 60 40 20 0 2015-07 2016-01 2016-07 2017-01 2017-07 2018-01 2018-07

  32. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  33. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  34. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  35. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  36. Public and Private Keys At 2018-12-31 there were 89 domains exposing keys: • 54 exposed a single key • 55.6% expose a private key • 35 exposed two keys • 94.3% expose a matching key pair 17

  37. Public and Private Keys • May invalidate security measures like DKIM • Shows a misunderstanding of the security technology 18

  38. Public and Private Keys • May invalidate security measures like DKIM • Shows a misunderstanding of the security technology 18

  39. Malicious Use Cases

  40. • PowerShell Malicious Use Cases Type of records in this category: • Commands • JavaScript 19

  41. • PowerShell Malicious Use Cases Type of records in this category: • Commands • JavaScript 19

  42. Malicious Use Cases Type of records in this category: • Commands • JavaScript 19 • PowerShell

  43. PowerShell wtmc@localhost:~$ dig -t TXT powershell.example.org powershell.example.org. 3600 IN TXT ... 20

  44. Powershell } rm $g sleep 180; }; start $g } ren $c t.exe; catch {$a.DownloadFile(\'https://files.fm/down.php?i=<CODE D>\', $c); start $g } ren $c t.exe; try {$a.DownloadFile(\'https://filebin.ca/<CODE C>\', $c); else { ren $c t.exe; start $g } $a=(new-object net.webclient); catch {$a.DownloadFile(\'https://files.fm/down.php?i=<CODE B>\', $c); start $g } ren $c t.exe; try {$a.DownloadFile(\'https://filebin.ca/<CODE A>\', $c); if (gci -Path $p | where {$_.Name -like \'v4*\'}) { $p=$w+\'//Microsoft.NET//Framework\'; $g=$b+\'//t.exe\'; $c=$b+\'//t.txt\'; $w=$Env:WINDIR; $b=$Env:APPDATA; 21

  45. Bonus: Zoom verifjcation tokens 22 Adoption of Zoom verification tokens 14 k "regular" growth 2.19x more records WHO publishes news on the virus 12 k Many countries start to enforce WFH 500 .top domains adding Zoom tokens TXT record count Number of records 10 k 8 k 6 k 4 k 2 k 0 2019-01 2019-03 2019-05 2019-07 2019-09 2019-11 2020-01 2020-03 2020-05 2020-07 Date

  46. Takeaways

  47. Takeaways • The majority of DNS TXT use is well defjned. • We classify 99.54% of the TXT records in our dataset. 23

  48. Takeaways • The majority of DNS TXT use is well defjned. • We classify 99.54% of the TXT records in our dataset. 23

  49. Takeaways • The majority of DNS TXT use is well defjned. • We classify 99.54% of the TXT records in our dataset. 23

  50. Takeaways Analyzing the tail of the TXT records is not only a needle in the haystack problem, but also becomes a human intelligence problem. 24

  51. Takeaways Analyzing the tail of the TXT records is not only a needle in the haystack problem, but also becomes a human intelligence problem. 24 Used regular expressions tide-project.nl/blog/wtmc2020 Project website tide-project.nl

Recommend

The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31

The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31

The Long Tail as a Pow g er Curve 120 100 80 60 40 40 20 0 1 1 11 11 21 21 31 31 41 41 W here the Long Tail Meets the Sneaky Exponential (Cum ulative V alue of Potential Intearctions) 10000 9000 8000 8000 7000 6000

651 views • 9 slides
Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail

Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail

Day 3 Long Tail SEO Google Analytics How Google Analytics can help with our Long Tail SEO Conversion Depending on your site, you have a goal in mind for your visitor. What are you looking for your visitor to do? What's a

922 views • 17 slides
Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems

Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems

Sharing is Caring in the Land of The Long Tail Samy Bengio Real life setting Real problems rarely come packaged as 1M images uniformly belonging to a set of 1000 classes 2 The long tail Well known phenomena where a small number

894 views • 41 slides
Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail

Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail

Race Condition Shared Data: 4 5 6 1 8 5 6 20 9 ? Synchronization and Deadlocks tail A[] (or The Dangers of Threading) Enqueue(): A[tail] = 20; A[tail] = 9; Jonathan Misurda tail++; tail++; thread jmisurda@cs.pitt.edu switch

282 views • 3 slides
The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew

The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew

The Long Tail(s) of the Law: An exploratory study Graham Greenleaf, Philip Chung &amp; Andrew Mowbray, AustLII Law via the Internet 2011 Conference, Hong Kong First rule of cross-examination Never ask a question if you dont know the

1.18k views • 28 slides
IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018

IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018

www.pwc.com IAIR T TDS V VI: D Deali ling wit ith Long T Tail il Cla laim ims October 12, 2018 Moderator: Barb Murray - Director, PwC Panelists: William Barbagallo, Managing Director, PwC Thomas Cunningham - Partner, Sidley Austin

503 views • 3 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating

Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating

Presenting a live 90-minute webinar with interactive Q&amp;A Non-Cumulation Clauses and Long-Tail Claims in CGL Policies: Latest Developments Allocating Liability Among Multiple Policies Triggered by Multi-Year Loss TUESDAY, MAY 7, 2013 1pm

1.12k views • 89 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington

525 views • 18 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Session 15: Crime and Protection Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla, Esther Han Beol Jang Richard Anderson, Tadayoshi Kohno, Kurtis Heimerl University of Washington Presented

504 views • 29 slides
Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra

Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra

Moving Down the Long Tail of Word Sense Disambiguation with Gloss Informed Bi-encoders Terra Blevins and Luke Zettlemoyer The plant sprouted a new leaf. (n) (botany) a (n) buildings for (v) to put or set living organism... carrying on (a

450 views • 41 slides
Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History

Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History

Economics of Information Storage: The Value in Storing the Long Tail James Hughes 1975 History Density has grown 36%/yr: 1956: 2 kb/in 2 2005: 100 gb/in 2 Efficiency (B/$) grew 51%/yr: 1974: 200 MB disk drive price $450 k 1

723 views • 27 slides
The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to

The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to

The Intersection of Smart Grid Technology and Intellectual Property Issues Finding the Keys to the Smart Grid Ken Van Meter Principal, Energy and Cyber Services Lockheed Martin The Smart Grid is, and must be, a national priority Security

333 views • 9 slides
Race Condition Shared Data: 5 6 4 1 8 5 6 20 9 ? InterProcess Communication tail A[]

Race Condition Shared Data: 5 6 4 1 8 5 6 20 9 ? InterProcess Communication tail A[]

Race Condition Shared Data: 5 6 4 1 8 5 6 20 9 ? InterProcess Communication tail A[] Enqueue(): A[tail] = 20; A[tail] = 9; tail++; tail++; process switch Process A Process B Critical Regions Goals No two processes (threads)

265 views • 4 slides
Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh

Qualifying Evaluation Accept the Risk and Continue: Measuring the Long Tail of Government https Adoption Sudheesh Singanamalla University of Washington Understanding Web Communication Browse to www.cutepuppies.ext (

806 views • 42 slides
Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service

Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service

Bringing Long-Tail Microscopy &amp; Characterisation Data into the Light RAiD service Characterisation: Process of User Dataset Project ID probing and measuring the Projects Instrument ID * Native data structures and properties

259 views • 4 slides
Catalog Classification at the Long Tail using IR and ML Neel Sundaresan (nsundaresan@ebay.com)

Catalog Classification at the Long Tail using IR and ML Neel Sundaresan (nsundaresan@ebay.com)

Catalog Classification at the Long Tail using IR and ML Neel Sundaresan (nsundaresan@ebay.com) Team: Badrul Sarwar, Khash Rohanimanesh, JD R Ruvini, Karin Mauge, Dan Shen ini Karin Ma ge Dan Shen Then There was One When asked if he

771 views • 41 slides
VIP A Virtual Imaging Platform for the Long Tail of Science Sorina POP, Tristan GLATARD

VIP A Virtual Imaging Platform for the Long Tail of Science Sorina POP, Tristan GLATARD

VIP A Virtual Imaging Platform for the Long Tail of Science Sorina POP, Tristan GLATARD University of Lyon, CNRS, INSERM, CREATIS, France. EGI Community Forum, 11/11/2015 https://vip.creatis.insa-lyon.fr Web portal Infrastructure

555 views • 10 slides
LightKV: A Cross Media Key Value Store with Persistent Memory to Cut Long Tail Latency Shukai

LightKV: A Cross Media Key Value Store with Persistent Memory to Cut Long Tail Latency Shukai

MSST '20 October 29-30, 2020 LightKV: A Cross Media Key Value Store with Persistent Memory to Cut Long Tail Latency Shukai Han, Dejun Jiang, Jin Xiong Institute of Computing Technology, Chinese Academy of Sciences University of Chinese Academy

934 views • 31 slides
improving recommendation for long-tail queries via templates Idan Szpektor Aristides Gionis

improving recommendation for long-tail queries via templates Idan Szpektor Aristides Gionis

improving recommendation for long-tail queries via templates Idan Szpektor Aristides Gionis Yoelle Maarek Yahoo! Research, Haifa and Barcelona query templates www 2011 motivation goal: improve coverage of query-recommendation systems most

501 views • 32 slides
THE FUTURE OF MASS-TORT LONG-TAIL LITIGATION Stephen Hoke, Hoke LLC (Chair) Claudia Temple,

THE FUTURE OF MASS-TORT LONG-TAIL LITIGATION Stephen Hoke, Hoke LLC (Chair) Claudia Temple,

THE FUTURE OF MASS-TORT LONG-TAIL LITIGATION Stephen Hoke, Hoke LLC (Chair) Claudia Temple, Temple Consulting (Moderator) Armando Carlo, The Boeing Company Jim Dorion, Willis Towers Watson Ronald Fiesta, Brunswick Corporation W W W . C H I C

838 views • 68 slides
1 Finding a source of help: Finding a source of help: When excitement wanes When excitement

1 Finding a source of help: Finding a source of help: When excitement wanes When excitement

Finding the calm in the storm: Finding the calm in the storm: The context The context Addressing retention issues Addressing retention issues regional Australian university through an understanding of first through an understanding of

324 views • 4 slides
Tales of the Tail Hardware, OS, and Application-level Sources of Tail Latency Jialin Li, Naveen

Tales of the Tail Hardware, OS, and Application-level Sources of Tail Latency Jialin Li, Naveen

Tales of the Tail Hardware, OS, and Application-level Sources of Tail Latency Jialin Li, Naveen Kr. Sharma , Dan R. K. Ports and Steven D. Gribble February 2, 2015 1 Introduction What is Tail Latency? What is Tail Latency? 2 Introduction

1.01k views • 73 slides
Synthesis and characterization of new tail-to-tail dimers of bile acids with different spacers

Synthesis and characterization of new tail-to-tail dimers of bile acids with different spacers

[f007] Synthesis and characterization of new tail-to-tail dimers of bile acids with different spacers lvaro Antelo, Mercedes lvarez Alcalde, Aida Jover, Francisco Meijide, and Jos Vzquez Tato Departamento de Qumica Fsica, Facultad de

374 views • 10 slides

More recommend