In February, KrebsOnSecurity told the story of a private citizen who put the dangerous domain corp.com up for auction with a starting price of $1.7 million. Experts have called corp.com dangerous because years of testing have shown that whoever controls it would have access to an endless stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at large companies around the world. This week, Microsoft Corp. agreed to buy the domain to keep it out of the hands of anyone who might abuse its considerable power.
Wisconsin native Mike O'Connor, who bought corp.com 26 years ago but has done very little with it since, said he hoped Microsoft would buy it because hundreds of thousands of confused Windows PCs are constantly trying to share sensitive data with corp.com. In addition, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely that Windows computers would try to share sensitive data with corp.com.
From the February story:
The problem is known as "namespace collision": a situation in which domain names intended for use exclusively on an internal corporate network end up overlapping with domains that resolve normally on the open Internet.
Windows computers on an internal corporate network locate and authenticate to other systems on that network using a Microsoft technology called Active Directory, the umbrella term for a wide range of identity-related services in Windows environments. An essential part of how those systems are found involves a Windows feature called "DNS name devolution", a kind of networking shortcut that makes it easy to find other computers or servers without having to specify their full, legitimate fully qualified domain name.
For example, if a company runs an internal network named internalnetwork.example.com and an employee on that network wants to reach a shared drive called "drive1", they don't need to type "drive1.internalnetwork.example.com" in Windows Explorer; typing "\\drive1" alone will suffice, and Windows will do the rest.
But things can get a lot trickier with an internal Windows domain that doesn't correspond to a second-level domain the organization actually owns and controls. Unfortunately, in early versions of Windows that supported Active Directory (Windows 2000 Server, for example), the default or example Active Directory path was given as "corp", and many companies apparently adopted this setting without modifying it to include a domain they controlled.
To make matters worse, some companies then built (and/or acquired) vast networks of networks on top of this flawed foundation.
None of this was a security concern back when employees couldn't carry their bulky desktops and monitors outside the corporate network. But what happens when an employee at a company with an Active Directory network path called "corp" takes a corporate laptop to the local Starbucks?
Chances are that at least some resources on the employee's laptop will still try to reach that internal "corp" domain. And because of the way DNS name devolution works on Windows, the laptop, now online via the Starbucks wireless network, is likely to look for those same resources at "corp.com".
In practical terms, this means that anyone who controls corp.com can passively intercept the private communications of hundreds of thousands of computers that are taken out of a corporate environment which uses the "corp" designation for its Active Directory domain.
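To make the devolution mechanism concrete, here is an added example (not code from the original article, and not a Microsoft implementation) that models how a Windows DNS client expands an unqualified name such as "drive1" into a sequence of fully qualified lookups, and then flags any lookup whose suffix falls outside the domains the organization actually owns. The devolution rule modelled is the pre-2009 Windows default: the client appends the primary DNS suffix, then repeatedly strips the leftmost label and retries until only two labels remain. The `stop_labels` parameter is an assumption standing in for the "devolution level" that Microsoft's 2009 update made configurable; the suffixes `ad.corp.com` and the owned-domain list are constructed sample inputs, and `internalnetwork.example.com` is the article's own example.

```python
"""Model of Windows DNS name devolution (added example, not from the article).

Assumption: pre-2009 default behaviour, where the client strips leading
labels from the primary DNS suffix one at a time and stops when two labels
remain.  `stop_labels` stands in for the configurable devolution level that
Microsoft's June 2009 update introduced; the exact policy semantics are not
reproduced here.
"""


def devolve_candidates(name: str, primary_suffix: str, stop_labels: int = 2) -> list[str]:
    """Return the FQDNs a Windows client would try, in order, for `name`.

    A name that already contains a dot is treated as qualified and is
    returned unchanged (no suffix appending, no devolution).
    """
    if "." in name:
        return [name.rstrip(".")]
    labels = primary_suffix.strip(".").split(".")
    candidates = [f"{name}.{'.'.join(labels)}"]  # primary suffix first
    while len(labels) > stop_labels:
        labels = labels[1:]  # devolve: drop the leftmost label
        candidates.append(f"{name}.{'.'.join(labels)}")
    return candidates


def leaked_candidates(candidates: list[str], owned_domains: list[str]) -> list[str]:
    """Return the candidates whose suffix is NOT under a domain the org controls.

    Any such lookup leaves the organization's namespace and, as the article
    describes, can be answered by whoever registered the colliding domain.
    """
    def owned(fqdn: str) -> bool:
        return any(fqdn == d or fqdn.endswith("." + d) for d in owned_domains)

    return [c for c in candidates if not owned(c)]


def report(name: str, primary_suffix: str, owned_domains: list[str]) -> dict:
    """Summarize the lookups for one laptop configuration (constructed inputs)."""
    candidates = devolve_candidates(name, primary_suffix)
    return {
        "suffix": primary_suffix,
        "lookups": candidates,
        "leaked": leaked_candidates(candidates, owned_domains),
    }


if __name__ == "__main__":
    owned = ["example.com"]  # constructed: the only domain this org registered
    # The article's example: devolution stays inside a domain the org owns.
    print(report("drive1", "internalnetwork.example.com", owned))
    # Constructed "corp"-style forest: the second lookup lands on corp.com.
    print(report("drive1", "ad.corp.com", owned))
```

Running the script prints two reports: the first shows `drive1.internalnetwork.example.com` devolving to `drive1.example.com` with nothing leaked, while the constructed `ad.corp.com` suffix produces a second lookup for `drive1.corp.com`, which is exactly the query whoever holds corp.com gets to answer. Raising `stop_labels` to the number of labels in the forest root (3 for `ad.corp.com`) suppresses that second lookup, which is the effect an administrator is after when tuning the devolution level.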
The story went on to describe how years of testing, some of it funded by grants from the U.S. Department of Homeland Security, showed that hundreds of thousands of Windows computers were constantly trying to send information to this domain that it had no business receiving, including attempts to log in to internal corporate networks and to access specific file shares on those networks.
O'Connor told me he was selling the domain after doing practically nothing with it for 26 years because he was getting on in years and didn't want his children to inherit this mess. When he put the domain up for sale, I asked if he would let me know if and when he sold it.
On Monday evening, he wrote to say that Microsoft had agreed to buy it. O'Connor said he couldn't discuss the terms of the deal or comment beyond acknowledging the sale of corp.com to Microsoft.
In a written statement, Microsoft said it acquired the domain to protect its customers.
"To help keep systems protected, we encourage customers to practice safe security habits when planning internal domain and network names," the statement said. "We released a security advisory in June 2009 and a security update that helps keep customers safe. In our ongoing commitment to customer security, we have also acquired the Corp.com domain."
Over the years, Microsoft has released several software updates to help reduce the likelihood of namespace collisions that could create a security concern for businesses that still depend on Active Directory domains that don't map to a domain they control.
However, experts say that virtually no vulnerable organization has deployed those fixes, for two reasons. First, applying them requires the organization to take its entire Active Directory network offline for some period of time.
Second, according to Microsoft, applying the patch(es) will likely break, or at least slow down, a number of applications the organization relies on for its daily operations. Faced with one or both of these scenarios, most affected companies have probably decided that the actual risk of not applying the updates is relatively low.
It should be noted that while Microsoft's purchase of corp.com will protect companies that built their Active Directory infrastructure on top of "corp" or "corp.com", any company that has tied its internal Active Directory network to a domain it doesn't control is opening itself up to a potential security nightmare.
Mitigating the Risk of DNS Namespace Collisions (PDF)
DEF CON 21 - DNS May Be Hazardous to Your Health (Robert Stucke)
Mitigating the Risk of Name Collision-Based Man-in-the-Middle Attacks (PDF)
Tags: Active Directory, corp.com, microsoft, Mike O’Connor
This entry was posted on Tuesday April 7th, 2020 at 8:34 am and is filed under A Little Sunshine.