Good Evening,
Week 5 slides can be found here: Week 05
CIS Windows 10: Windows_10
CIS Windows Server: Windows 2012
In the News:
- Microsoft Patch Tuesday, February 2018 Edition
- Microsoft Outlook; SANS Internet Storm Center
- Domain Theft Strands Thousands of Web Sites
- A Web services conglomerate that operates more than 100,000 business Web sites
- SANS Internet Storm Center
Fred Zajac says
Here is a link that may help everyone on assignments 2 and 3. You will be able to see more information on the left side if you follow the tree. Also, you can search previous versions of Windows group policy information for a step-by-step guide. The one I like is for Windows 2000. Keep in mind, the Windows 2000 guide is like version 1 of the series. The below link builds on the ideas outlined in version 1. If you get confused reading the information in the link below, you may want to skim through the Windows 2000 guide to group policy for a better explanation.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v%3dws.11)
Satwika Balakrishnan says
Article: Domain Theft Strands Thousands of Web Sites
https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
Three domains belonging to Newtek Business Services Corp. [NASDAQ:NEWT], a Web services conglomerate that operates more than 100,000 business web sites, were hijacked by a Vietnamese hacker. The login page used by the customers was replaced with a live web chat service, and those of Newtek’s customers who sought assistance via this chat service about the issue with their web site ended up chatting with the hacker!
One thing that bothered me here was that Newtek was not forthright with their customers and instead of mentioning any critical breach, they just sent out an email saying the company was changing domains to “increase security”. Even the company’s homepage never displayed even an alert for the customers. It was only in a later warning that they informed their customers about the presence of a third party attempting to chat and steal sensitive data.
An interesting twist in the story is that the hijacker claimed that he had notified Newtek about a security hole in the online operations of the company, although this doesn’t give him the privilege to attack and steal data. Moreover, primary verification of the hijacker’s profile showed that he himself was a customer of Newtek. So, if he is telling the truth about notifying the company about the vulnerability he found then it clearly indicates that the company has not taken proper interest in looking into its security measures.
Jason A Lindsley says
This article was disturbing to me as well Satwika. The article explained that the company eventually sent e-mails to the customers, but this was not an adequate response because many customers lost e-mail access based on the attack.
I also found it disturbing that Newtek also performs many other outsourced functions beyond domain hosting. They also are responsible for critical business functions such as HR and Payroll. If I used this company for any of these services, I would be very concerned that they are not applying strong security practices to protect my employee and customer data.
When will companies learn that the most important response to a security incident is transparency and strong communication to stakeholders? After the Equifax disaster and other major breaches, you would think that companies would start applying better practices for breach notification.
Fred Zajac says
Hey all,
I was also a bit disturbed, but honestly not shocked at all. As Jason mentioned, if I were to make a guess, Newtek didn’t include this type of Breach or have a Breach Policy in their Incident Response Plan, which is what makes me “disturbed” because how can you not include an intruder taking over one, two, three, or more of your systems? Anyway…
If they did have this type of situation in their IR plan, they didn’t conduct the proper training (Table Top Exercises) to outline the proper steps if something like this were to happen.
Here is my take:
They were notified of a vulnerability. They had their technical team look at the vulnerability and decided to review possible options over a few days. They also notified their legal counsel about the vulnerability and how they were going to contain / respond to the issue. The legal team may or may not know what to do, so the legal team starts to gather information about responding to a “whitehat hacker’s” information and reviews different cases with similar situations. This can take days to complete.
All in the meantime, this guy who thinks he is a hero by finding a vulnerability feels belittled because he doesn’t believe the legal team is acting quickly enough by responding to his message, and possibly messages over an entire 5 days. Really?
He may also believe he is entitled to a “bounty” of some sort, which is known in the technology community as finding a security flaw and being rewarded for your efforts. He is probably checking his emails every few minutes to see if he gets the “You Da Man” email, but nothing.
He thinks on:
Day 1: They are busy
Day 2: Guess they are fixing it
Day 3: Must be fixing it, let me check… Nope. That’s odd?
Day 4: Probably can’t figure it out. Why won’t they just get back to me????
Day 5: Still not fixed and this is taking way too long. They aren’t getting back to me so they must not care.
He gets even more frustrated with the lack of communication and takes matters into his own hands.
Now, I am speculating this, but my point is that it wasn’t a breach until he took the matters into his own hands. It was a vulnerability that could’ve been exploited but it wasn’t. This guy should’ve never done this and maybe practiced a little patience.
With that said, I do believe Newtek should probably include this type of Breach policy to include “how to handle a whitehat hackers tip”.
Vince Kelly says
Guys,
I totally agree! It is outrageous what these companies get away with. To Jason’s (rhetorical) question “When will companies learn that the most important response to a security incident is transparency and strong communication to stakeholder?”
That’ll happen on the day that it becomes too hard, expensive or too embarrassing not to learn that lesson. It’s infuriating that there is such a low level of accountability! But unfortunately, I think it’ll be a cold day in H*ll before that happens.
Take the Equifax breach for example – you’d think that potentially ruining the lives of 145 MILLION Americans would cost the company everything. But actually the OPPOSITE is true – Equifax stands to make *millions* off of their own negligence!
According to;
http://time.com/money/4969163/equifax-hearing-elizabeth-warren-richard-smith/
It’s estimated that Equifax stands to make an additional $200 MILLION in credit monitoring revenue as a result of the breach. Do the math – 7.5 million people signed up for the free monitoring after the breach. But that service is only free for a year. At $17 per month, it’s estimated that if even 1 million of those people keep the service after the free period ends then Equifax stands to make $204 * 1,000,000 = $204 Million in additional revenue. They will make almost ONE BILLION DOLLARS if half of those people stay with the service.
Equifax is also profiting from this disaster in another way as well. It turns out that LifeLock, a company that is Equifax’s COMPETITOR, actually buys credit monitoring services from Equifax! So Equifax gets paid at least TWICE for monitoring a potential problem that was caused by their own incompetence!
What’s really, REALLY sickening is the unbelievable hubris of the company. Richard Smith, former CEO of Equifax made the following statement;
“Fraud is a huge opportunity for us—it’s a massive, growing business for us,”
He made this statement last August – AFTER the breach!
Satwika Balakrishnan says
Yes, companies often forget that communication is the most important factor in risk management. Proactive communication from Newtek’s end would have at least allowed their stakeholders to adopt protective measures and reduce the impact on their business operations. Perhaps maintaining their image was more important than containing the risk that was posed. They could have maintained an emergency kit (with contact details of POCs) for their stakeholders that could be used during such IT outages.
Patrick DeStefano (tuc50677) says
It’s really frustrating when this kind of thing happens from a customer’s perspective. I know if I was a client of Newtek’s, I would expect transparency for things like this breach. Even if they didn’t know what was going on or how to fix it, I would appreciate an email or message stating that there is an incident and that they are looking into it. Transparency and good communication are extremely underrated by many companies and often can make or break them when things get tough.
From a business perspective, I would always advise companies to disclose accurate and complete information to their stakeholders without giving away proprietary information. That being said, you need to ensure you are transparent enough that you retain your customers’ trust and confidence.
Donald Hoxhaj says
Hi Satwika,
Great points. I do agree with your point that the company failed to take appropriate steps in resolving the issue. There is however no point in beating around the bush after the attacks happened. On the other hand, the company should be quite grateful to the hijacker for at least giving them an indication of the imminent threat. Organizations should have proper plans in place, especially for security communication, to their customers.
Jason A Lindsley says
New EU Privacy Law May Weaken Security
https://krebsonsecurity.com/2018/02/new-eu-privacy-law-may-weaken-security/
The European Union’s General Data Protection Regulation (GDPR) is a hot topic for many organizations, including the one I work for. The regulation provides EU citizens the “right to be forgotten” and also allows them to request all of the personal information a company currently has on file. The regulation will go into effect on May 25, 2018.
This article discusses a security challenge that the Internet Corporation for Assigned Names and Numbers (ICANN) is facing right now as a result of this regulation. This organization maintains the WHOIS database for domain registration. I learned in the Intro to Ethical Hacking and Advanced Penetration Testing courses that this information is key in performing reconnaissance on a target (for ethical or unethical purposes). With the information in the WHOIS database, you can use this to find out important information about a website domain owner that can be used for social engineering or additional reconnaissance.
In the article, Krebs states that many security experts argue that “there are endless examples of people involved in spam, phishing, malware attacks and other forms of cybercrime who include details in WHOIS records that are extremely useful for tracking down the perpetrators, disrupting their operations, or building reputation-based systems (such as anti-spam and anti-malware services) that seek to filter or block such activity.” The article also states that many of these cyber attacks are conducted on compromised domains and information in the WHOIS database helps to identify and contact the victims to assist with remediation activities. Brian Krebs himself contends that the public information on the WHOIS database is one of his most critical resources for identifying victims of cybercrime and notifying them.
There are a few proposed models that ICANN has submitted for consideration to comply with GDPR. In the most likely model, the WHOIS database will continue to publicly display all current data with the exception of 1.) e-mail address and phone number of registrant, and 2.) name and postal address of admin and tech contacts. The non-public information could still be accessed by individuals that self-certify that the information will be used only for “legitimate interests” of the requester.
Krebs closes the article by raising his concern that cybercriminals may end up benefiting the most from the GDPR regulation because of issues like this that will make it difficult to identify and apprehend cyber criminals.
In my opinion, compliance does not equal security and privacy. There is so much effort and investment in compliance with complex regulations, that security professionals can be distracted from the ultimate goal of information security and privacy. I understand the need for these important regulations, however we need to flip the switch so that demonstration of strong security and privacy (using a defense in depth approach) equals compliance.
Sev Shirozian says
Last week we talked about some top applications that should be avoided if possible on your system due to the high volume of vulnerabilities with them. Here’s the post from Adobe announcing that Adobe Flash will be end-of-life by 2020.
https://theblog.adobe.com/adobe-flash-update/
Sev Shirozian says
Article: Microsoft Patch Tuesday, February 2018 Edition
https://krebsonsecurity.com/2018/02/microsoft-patch-tuesday-february-2018-edition/
This article on Krebs talks about how February’s Patch Tuesday addresses at least 55 security issues in Windows, Internet Explorer/Edge, Microsoft Office and Adobe Flash Player. I really like how the SANS Internet Storm Center lists each of these vulnerabilities with their associated CVE, whether the vulnerability has been disclosed, whether it’s been exploited and, most importantly, their recommendation of severity including ones that should be patched ASAP. This is a great resource for folks running a vulnerability management program to help them assess the severity of each of these and the priority it should take with their operations teams to patch. Vulnerability management tools also will have severity of a vulnerability but this is another good data point to validate the severity of the vulnerability. After all, getting down to zero vulnerabilities on your network is impossible. However, your vulnerability management program should use tools like this to reduce attack vectors by addressing the critical and high vulnerabilities first, especially in the DMZ or on public-facing servers.
The other thing this article talks about is the end-of-life of Adobe Flash. Adobe announced last year they will end-of-life Flash by 2020. Some think that’s a dream, others think Adobe will stick to their plan. I left a link to their announcement in a post above. I personally am optimistic and believe it will happen!
– Sev Shirozian
Jason A Lindsley says
The article also mentions that updates were released for individuals running Adobe Reader or Acrobat that address at least 39 vulnerabilities. Typically these products are installed on workstations, but quite frequently in my career I’ve seen these products installed on servers and showing up on vulnerability scans. This is usually because a developer installed it for some troubleshooting and then never removed the product and it doesn’t get updated with each release. The easiest fix is to uninstall it entirely.
The article and a few of the comments recommend using Sumatra PDF as a good, lightweight alternative to Reader/Acrobat. I’ll have to check that out. For many of my builds, I just use a web browser for reading PDFs, but Sumatra sounds like a good alternative.
Patrick DeStefano (tuc50677) says
Here is the link to the SANS portion: https://isc.sans.edu/forums/diary/February+2018+Microsoft+and+Adobe+Patch+Tuesday/23341/
I too like how they list the updates out. It’s quite concerning that these are such serious security flaws/bugs which are getting patched. It’s really making me rethink whether I want Auto-update on for my applications or not. On one hand, the applications could auto-download security patches; on the other hand they could be downloading new versions of my apps which may include bigger security holes than the current versions.
Fred Zajac says
Patrick,
You should try Nessus Home scanner; it is free and includes a scanner for all applications installed on a machine. You can take a look at the list and see which ones you want and uninstall the ones you want.
Then, most applications have an auto-update, as well as an ask-me-first update option. Just select the ask-me option. Microsoft also allows you to manage updates with group policy manager, but the best way is to run a machine application audit tool. I believe OpenVAS has a plug-in as well, but I haven’t used that one, only Nessus. You can check your entire home network to see if someone installed something that may be “hidden”.
Another issue with updating applications automatically deals with Availability. Sure, updates will help protect the Confidentiality and Integrity, but let’s not forget about the “A” in the CIA Triad. When an application is set to update automatically, let’s say that patch will be pushed down to all systems, but is not compatible with Windows 7. Now, all Windows 7 users will have issues with the application that worked just fine before the update, or the update may possibly crash the application, making it useless. I really don’t like auto-updates for this main reason, but do it on most because of the other two reasons, the C & I parts.
Frederic D Rohrer says
I decided to try to host a Domain Controller in the cloud, using a public domain, so that the team can work on it anytime. This is a bad idea for many reasons, but I did not want to implement a VPN/routing service because that would have complicated things. Instead I looked at restricting all incoming connections using the built-in firewall. Powershell has a very powerful firewall configuration commandlet called advfirewall, found as a netsh submenu.
I used: netsh advfirewall firewall set rule name=all dir=in new remoteip="xxx.xxx.xxx.xxx,xxx.xxx.xxx.xxx"
This updates all firewall rules to only accept connections from the remote IPs specified. I used Temple’s main-campus IP range so that we can connect to it from school.
The netsh advfirewall commandlet has a lot more fidelity than the firewall GUI, I definitely recommend checking it out.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd734783(v%3dws.10)
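The same inbound scoping done with the NetSecurity cmdlets, as an added example that is not part of the original post: it previews the change with -WhatIf, applies it, then reports any enabled inbound rule still open to any remote address. It assumes an elevated session on Windows 8 / Server 2012 or later; the address range is a constructed placeholder. Note that a blanket change like this overwrites the existing scope of rules such as the core networking rules (which is why the dry run comes first), and on a cloud host the list must include the address you manage the machine from or you lose your own remote access.

```powershell
# Added example (not from the original post). Requires the NetSecurity module
# and an elevated PowerShell session.

# Constructed placeholder range; replace with the real management range.
# Must include the address you are administering this host from.
$AllowedRemote = @('203.0.113.0/24')

# Every enabled inbound rule: the same population 'name=all dir=in' touches in netsh.
$inbound = Get-NetFirewallRule -Direction Inbound -Enabled True

# Dry run first: -WhatIf shows which rules would change without changing them.
$inbound | Set-NetFirewallRule -RemoteAddress $AllowedRemote -WhatIf

# Apply the scope to the remote-address filter of each of those rules.
$inbound | Set-NetFirewallRule -RemoteAddress $AllowedRemote

# Verify: list any enabled inbound rule whose remote address is still 'Any'.
function Get-UnscopedInboundRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            RemoteAddress = ($filter.RemoteAddress -join ',')
        }
    } | Where-Object { $_.RemoteAddress -eq 'Any' }
}

# An empty table here means every enabled inbound rule is now scoped.
Get-UnscopedInboundRule | Format-Table -AutoSize
```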
Frederic D Rohrer says
I found out that a Cloud hosted Domain Controller is not possible unless a VPN is used.
Duy Nguyen says
https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
After reading this article, the way Newtek responded seems to be in line with the way other organizations did after getting hacked. Most organizations never inform customers in the event of hacking unless it’s something critical. Target and Equifax both did not clearly inform customers until the very end, fearing loss of business and reputation. The only shocking part was that the vulnerability was reported and they did nothing about it until hacked.
Patrick DeStefano (tuc50677) says
It’s really one of those “damned if you do, damned if you don’t” situations for businesses today. On one hand, if you have a minor security breach and are transparent about it, it’s quite possible that the media will pick it up and over-hype it and that will cause reputational harm that you were hacked, even if you fixed it and were transparent about it. On the other hand, if you have a minor breach and you aren’t transparent about it, you might be in the clear if no one finds out about it, HOWEVER, if people do find out about it, you will have an even larger reputational harm on your hands because you will have not only suffered a breach, but also tried to cover it up and hide it from the public eye. If you have a large breach, and still try to cover it up, then you’re just being stupid and negligent with your company in my opinion.
Scott Radaszkiewicz says
I agree with you Duy. Companies fear the outcome of releasing information that they were hacked. I think, unfortunately, that the government is going to have to step in and create laws around when/what/how a company informs clients of a data breach.
I work in K-12 education. There are laws in place already that I have to follow if we know that student data is breached. I think this is something you’re going to see becoming a topic as this becomes more and more prevalent.
Frederic D Rohrer says
https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
Domain Theft Strands Thousands of Web Sites | Brian Krebs
Newtek, a company that offers business payroll, HR and IT services, has had some of their core domains stolen. One of these domains is Webcontrolcenter.com, which a lot of clients used to manage their hosted websites.
Newtek did not warn of the domain theft until 10 hours later, but only acknowledged a “dispute” plus that control of the domain had been lost and that the attacker is using a support chat to phish information.
The attacker says that he found a bug in Newtek’s online operations but has not heard back in 5 days. The “bug” apparently allowed the attacker to transfer the domain to his domain registrar. It is likely that Newtek forgot to renew the domain, or the attacker was simply able to transfer the domains because they were not locked and the attacker knew the EPP (Extensible Provisioning Protocol) code.
The way that Newtek handled the situation is not ideal. They did not accurately report the breach to customers, and did so only via email, not publicly.
This article (https://domainnamewire.com/2018/02/12/newtek-domain-theft-major-impact-customers/) reports that at least one domain was stolen a few weeks before, but this went unnoticed by Newtek.
Scott Radaszkiewicz says
Have I Been pwned?
https://haveibeenpwned.com/
This is a great site for personal or business use. This site collects hacked email addresses and passwords that have been made available through data breaches. You can search on your individual email, or your entire domain, to see if your address is listed. You can even enter a password to see if it appears in any leaked data that has been uploaded to the Have I Been Pwned? data stores.
You can also subscribe, for free, and get an email notification if your address or domain are added to the lists.
There is a list of all the data breaches that are uploaded onto this site. https://haveibeenpwned.com/PwnedWebsites
While it does not cover every breach, it helps to know! And it’s amazing to see how many breaches are out there and how many accounts are vulnerable.
Scott Radaszkiewicz says
This is a follow up to my post about have i been pwned.
https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
This is a good article that discusses the value of email addresses to a hacker. There are actually monetary values on your account in the underground! An iTunes account is going for $8, groupon.com can get $5, and an active social media account for Facebook or Twitter can go for $2.50 each.
With an active market for accounts, it’s no wonder anyone with a computer and an IP address is trying to hack into systems. Money is to be made, and people will try to make it.
This makes you start to rethink how many sites your email account might be tied to, and how many of us use the same password for most, if not all, of the sites you log in to. This makes us vulnerable to theft on a large scale if just one of those sites is compromised. Changing passwords is a pain, but a necessary component to keep safe. It also supports the need for different passwords for each system and the use of some sort of password vault to keep those passwords listed.
Matt Roberts says
https://globenewswire.com/news-release/2018/02/21/1372539/0/en/Cisco-2018-Annual-Cybersecurity-Report-Reveals-Security-Leaders-Rely-on-and-Invest-in-Automation-Machine-Learning-and-Artificial-Intelligence-to-Defend-Against-Threats.html
A recent survey has revealed that as cyber security needs keep growing and labor supply struggles to keep up, business leaders have been turning to machine learning and AI devices to help make up the gap. With the increasing use of encryption for a large portion of web traffic, the identification and classification of malicious threats has become more and more of a challenge to security personnel in all organizations. The use of machine learning has greatly enhanced security practices in light of this trend and is assisting security professionals in allowing legitimate “normal” traffic and filtering out potentially malicious data.
Jason A Lindsley says
I agree that machine learning technology is critical in identifying malicious activity on a network and stopping malware. This is a very saturated market right now and all security products are pushing to incorporate machine learning algorithms into their solutions.
It’s key to remember, however, that human action is still typically required to respond to an incident. While some of these technologies can prevent malicious traffic from entering the network and/or spreading, many machine learning technologies detect these incidents and provide an alert for someone to action. It’s critical that a company has processes in place to respond to and action these alerts.
Vince Kelly says
Rogue sysadmins the target of Microsoft’s new ‘Shielded VM’ security
https://www.theregister.co.uk/2016/10/21/shielded_vms/
Great article about VM security, I won’t go too much into the article contents – this post is going to be more about; ‘Great article but how can we use it right *NOW* using PowerShell?’
Given that we’ve all built our own VMs for this class (and probably stored them on an external flash drive of some kind), there’s nothing stopping someone from gaining access to the USB containing the VMs and replacing the VM with an ‘evil VM twin’ that looks and feels exactly like the original.
Quick summary of the article:
The article describes a well-known Intel hardware mechanism in the physical world called ‘TPM’ (Trusted Platform Module). This is a *hardware* module on a system motherboard that cryptographically signs a workload – (e.g., a hypervisor, an operating system, etc.). This makes it very hard for someone to swap your good, baseline OS or Hypervisor image and replace it with an infected version. Again, this is a hardware module originally built for the physical world but THAT being said, I *THINK* that TPM can be emulated in the VM firmware as well.
VMWare has come out with their own version of TPM for VMs for ESXi.
Microsoft has countered with something that’s essentially equivalent called ‘Shielded VMs’ for Hyper-V. Shielded VMs won’t run unless they know the host is allowed to run them. They are also encrypted at rest and in motion and can boot from UEFI, so the host/host VM can be verified as the VM starts up.
So how can we use this NOW?
I’ll preface this by saying that it would have been much easier to provide some screen shots but this blogging software doesn’t allow it – unfortunate. I’ll also point out that you can get all of the PowerShell Cmdlets (for what looks like pretty much everything including VMs) from the following URL:
https://docs.microsoft.com/en-us/powershell/module/hyper-v/get-vmmemory?view=win10-ps
Hyper-V vs ESXi Differences
Although I’m using Hyper-V I’m pretty sure that most of the PowerShell stuff can be used for VMW environments as well – but there are some hypervisor specific stuff that I need to point out.
Hyper-V specific stuff: When creating a new VM, you have two choices for the VM. Define the VM as a Gen1 VM or as a Gen2 VM. You would use Gen1 when you have ‘legacy’ hardware dependencies (like floppy disks, COM ports for modems, IDE disk controllers, etc.). Gen2 VMs provide ‘modern’ hardware options (like SSD drives, etc.). Microsoft VM Shielding only works for Gen2 VMs – (I’ll see if I can find out how VMW handles it later).
Both Microsoft and VMWare have a tool that allows running VMs to ‘move’ to less congested hosts when needed – VMWare calls this ‘vMotion’; Microsoft calls it ‘Live Migration’. Shielding also encrypts this process.
How to Enable Shielding on a Hyper-V VM
First, how do we tell if a particular VM has Shielding or TPM or other security related features like encryption enabled?
– Start PowerShell as administrator, from PS> command line enter the following:
– Get-vm # this lists all your VMs (note: the ‘#’ is a comment)
– Get-vmsecurity VM-name # get the security settings for the VM called ‘VM-name’
This cmdlet will display if TPM and Shield is enabled along with encryption status, machine name – something like the following:
TpmEnabled: False
KsdEnabled: False
Shielded: False
EncryptStateAndVmMigrationTraffic: False
VirtualizationBasedSecurityOptOut: False
ComputerName: xxxxxx
IsDeleted: False
To enable shielding, go to Hyper-V Manager and create a VM – (see previous posts on how to create a VM for Hyper-V)
MAKE SURE TO SELECT GEN2 RADIO BUTTON WHEN THE PANEL POPS UP
Once the Gen2 VM is created,
– Right click on the new VM
– Select ‘Security’ from the Hardware panel on the left side of the settings screen
This screen provides checkbox options for turning on secure boot (UEFI), TPM and Shielding
– Check TPM and Enable Shielding checkboxes (just checking Shielding will grey out everything else)
– Click Apply
And voila! That’s it!
Now go back into Powershell and enter the get-vmsecurity command – you should see the security features enabled – something like the following:
TpmEnabled: True
KsdEnabled: False
Shielded: True
EncryptStateAndVmMigrationTraffic: True
VirtualizationBasedSecurityOptOut: False
ComputerName: xxxxxx
IsDeleted: False
I haven’t looked at what the performance hit is for a Shielded VM vs a non-Shielded VM more on that later.
Hope this helps
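The audit and enable steps above, as an added PowerShell example (not from the original post and not Microsoft’s own code): one function reports every VM on the host with its generation, TPM, Shielded and encrypted-migration status and flags Gen1 VMs (which cannot be shielded) and unshielded Gen2 VMs; a second applies the same settings the Security panel checkboxes set. It assumes the Hyper-V module on Windows Server 2016 / Windows 10 or later, an elevated session, and a powered-off Gen2 VM; the local key protector it creates stands in for the guardian / Host Guardian Service a production deployment would use.

```powershell
# Added example (not from the original post). Run as administrator on a Hyper-V host.

function Get-VMSecurityReport {
    # One row per VM, mirroring the fields Get-VMSecurity prints plus a finding.
    Get-VM | ForEach-Object {
        $sec = Get-VMSecurity -VM $_

        # Shielding is only available on Gen2 VMs, so a Gen1 VM is a finding by itself.
        if ($_.Generation -ne 2) {
            $finding = 'Gen1: cannot be shielded'
        } elseif (-not $sec.Shielded) {
            $finding = 'Gen2 but not shielded'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            Name           = $_.Name
            Generation     = $_.Generation
            State          = $_.State
            TpmEnabled     = $sec.TpmEnabled
            Shielded       = $sec.Shielded
            EncryptTraffic = $sec.EncryptStateAndVmMigrationTraffic
            Finding        = $finding
        }
    }
}

function Enable-VMShielding {
    # Turn on Secure Boot, a key protector, the virtual TPM and the Shielded policy
    # for one Gen2 VM. The VM must be powered off for these settings to change.
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) { throw "$VMName is Gen1; shielding requires a Gen2 VM" }
    if ($vm.State -ne 'Off')  { throw "$VMName must be powered off first" }

    Set-VMFirmware -VMName $VMName -EnableSecureBoot On

    # A local key protector lets the vTPM work on this host only. In production this
    # would be a guardian backed by a Host Guardian Service so the VM is bound to
    # attested hosts rather than to this machine.
    Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector

    Enable-VMTPM -VMName $VMName
    Set-VMSecurityPolicy -VMName $VMName -Shielded $true

    # Return the resulting settings so the caller can confirm the change.
    Get-VMSecurity -VMName $VMName
}

# Audit the whole host; fix any 'Gen2 but not shielded' row with Enable-VMShielding.
Get-VMSecurityReport | Format-Table -AutoSize
```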
Patrick DeStefano (tuc50677) says
Domain Theft Strands Thousands of Web Sites
https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
Newtek Business Services Corp had several of its domains stolen/hacked recently. Newtek is an online domain hosting company which also offers a range of other online services for companies. Several of their domains were brought down and their main web service page was replaced with a live chat with the hacker. The perpetrator noted that he had discovered a bug in Newtek’s systems and notified them of it several days earlier with no response. Once things were mostly back under control, Newtek seemed to dig in and go into virtual media blackout mode by not communicating much at all of what happened to their customers.
This really frustrates me when companies, as well as people, are poor at communicating when you have a stake in what is going on. It’s bad from a business perspective and can even leave you in hot water with regulators and lawsuits. I suspect that the way Newtek handled this situation and their lack of communication will cost them many customers. Those who don’t leave, will likely have very little trust left in the company.
On another note, it was noted in the article that they did not freeze or force reset passwords for users even after the site was compromised. There should have been a control in place to do this immediately so as to prevent any further breach of customers’ accounts.
Mustafa Aydin says
Article: Domain Theft Strands Thousands of Web Sites
After I read this article I searched some related keywords on Google. I found a report which was published by the ICANN Security and Stability Advisory Committee. In general, this report describes domain hijacking. You all can find some useful information regarding the following:
– Risk and threats associated with domain hijacking
– Vulnerabilities observed from domain hijackings
– Recovery mechanism
– Security measures to protect domain names
In addition, some incidents are being analyzed in this report. I hope you all have time to look at this report. At least you can download and save to look later.
Mustafa Aydin says
DOMAIN NAME HIJACKING: INCIDENTS, THREATS, RISKS, AND REMEDIAL ACTIONS
http://archive.icann.org/en/announcements/hijacking-report-12jul05.pdf
Zirui You says
“Cryptojacking Attacks Hit Enterprises’ Cloud Servers”
http://searchsecurity.techtarget.com/news/252435506/Cryptojacking-attacks-hit-enterprises-cloud-servers
Cybersecurity software firm RedLock indicated that hackers had exploited an insecure Kubernetes console and gained access to several enterprise cloud environments in order to mine cryptocurrencies. According to the RedLock post, the organizations’ public cloud environments are vulnerable to mining hacks and became the ideal target due to the lack of effective cloud threat defense programs.
Donald Hoxhaj says
https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
Domain Theft Strands Thousands of Web Sites
The article throws light on the recent network theft at Newtek Business Services Corp. The theft affected several hosted websites and shut off the systems for many customers of Newtek. The hacking was done by a Vietnamese hacker who fraudulently replaced the original login and chat service, and customers ended up talking to the hijacker instead of the company. Three main domains were hijacked and the company informed its customers to be cautious while sharing information over the chat.
It’s surprising that the hijacker had actually informed the company 5 days earlier about a loophole in the online operations of the company. It seems clear that the company failed to take responsibility and give adequate attention to the email. Another interesting thing is that the company failed to publish the information from the hijacker on public websites so that customers could be aware. I feel the mitigation steps were planned very badly. The company should have known that many people do not have access to email all the time and that putting the information on the website would have made more sense.
Domain thefts have become common and this case is a pure case of negligence and inappropriate planning on the company’s end. The ultimate users to bear the cost were the company’s customers.
Shi Yu Dong says
Computer security firm “CrowdStrike” performed research and analysis of recent attacks (NotPetya, WannaCry) targeting U.S. organizations that caused millions of dollars in losses. In particular, it has been found that the U.S. administration, as the top intelligence group, is most vulnerable as it can’t keep up with network security threats.
Next-Gen Firewalls with capabilities of application layer inspection, SSL inspection, identity awareness, IDS/IPS, and application/URL proxy functions play an important role in protecting not only the perimeter of the organization but also internal resources by looking deep into malicious requests and traffic originating from either internal or external networks.
https://latesthackingnews.com/2018/02/18/united-states-vulnerable-cybersecurity-attacks-said-co-founder-computer-security-firm-crowdstrike/
Joseph Feldman says
Domain Theft Strands Thousands of Web Sites
Newtek Business Services Corp is a web services conglomerate that operates more than 100,000 business Web sites and 40,000 managed technology accounts. Over the past weekend they had several of their core domain names stolen, and the theft shut off email and stranded websites for many of Newtek’s customers. Newtek initially sent out an email blast last Saturday evening; however, it made no mention of the breach or incident and stated that the company was changing domains due to “increased security”. What really happened was that three of their core domains were hijacked by a Vietnamese hacker who replaced the login page of these domains with a live web chat service. Newtek customers used this chat service to seek answers as to why their web sites no longer resolved correctly; however, they were chatting with the hijacker and had no idea they were doing so. Newtek then sent a follow-up email 10 hours later acknowledging the outage of the domains and warning customers about the live chat set up by the hacker. The hacker who hijacked these sites was reached via his web chat and he claimed responsibility for the hijack and also said he notified Newtek five days ago about a “bug” he found in the company’s online operations, but that he received no reply. Newtek also failed to make it clear that any data sent to any host under the domain, such as email passwords, web credentials, etc., could be recorded by the attacker.
I’m surprised at how poorly Newtek handled this attack by initially misleading their customers and saying that they were changing domains due to increased security. They also had very poor communication with their customers throughout the whole process, sending another email out 10 hours later finally acknowledging the outage of the domains and warning customers about the fraudulent live chat. What surprises me even more is that the hacker was willing to give a statement in regard to his attack, where he said he notified Newtek about the bug five days prior. I still think he had malicious intent as any data sent to these domains could be recorded; however, the extent of his intent is unknown as it doesn’t appear that any information he may have obtained has been used, for the time being at least. Domain hijacking has been a problem for years, with this being one of the bigger cases of a successful attack, and it will be interesting to hear how the domains were lost by Newtek. Did they not renew the registration, was the hacker able to transfer the domains away from the legitimate owner, or were other methods used?
https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
Donald Hoxhaj says
Joseph,
I agree with you that the network system was poorly handled. What is even more surprising is that Newtek played unethically here by informing the customers about a domain changing activity when the actual problem was something else. The smartest way would have been to inform the customers right away so that they could have taken the necessary precautions and informed others too. I think risk response strategies are very important in any organization, and the staff should be trained to know how to respond to external threats without causing panic.