How Abandoned Domain Names Pose a Major Cyber Risk to Your Business

Many businesses don’t realize that abandoning domain names they no longer use can pose a serious security threat. A domain name is a name you register to identify your business on the internet. For Canadian businesses, this is typically a domain name ending in .com or .ca, such as example.com.ca. The problem with domain names is that they usually hold a decent amount of information about the company, yet their renewal is left to lower-level technicians or outsourced IT support providers. Domain renewals are often seen as a waste of money by many companies in circumstances such as a rebranding, a restructuring of the company, or abandoning the domain altogether.

The abandoned-domain problem arises when the domain is no longer paid for and goes out of service: after a certain grace period it becomes available for anyone to claim. Once the grace period is over and the domain is up for grabs, even an attacker can claim the domain name that was left behind, with no proof of identity or ownership required. The new owner can then set the domain up with a “catch-all” email service, so that emails meant for the previous owner are delivered to the new owner of the domain, which may be an attacker. As stated by the article, “online services often only rely on an email address as a single factor for password resets meaning online services once held by staff of the previous owner can be hijacked.” This is an example of how hijacking an old domain can be devastating to a business.

This is an image from the article showing that researchers were able to access documents intended for former clients. (Source: blog.gaborszathmari.me)

Even when businesses have merged into one, sensitive information can still leak through emails exchanged with clients, colleagues, vendors, suppliers, and service providers.

Research by Gabor Szathmari and Jeremiah Cruz found that they were able to:

  • access confidential documents of former clients;
  • access confidential email correspondence;
  • access personal information of former clients;
  • hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
  • hijack professional user accounts (Commonwealth Courts Portal, LEAP, etc.) of former staff by re-registering abandoned domain names belonging to former businesses.

Active LinkedIn accounts belonging to former staff can be hijacked via abandoned internet domains (Source: blog.gaborszathmari.me)

There are many steps one can take to protect data from abandoned domains. According to the Australian Cyber Security Centre, the following steps should be taken to minimize the risks to businesses:

  • Keep renewing your old domain names indefinitely and do not let them expire and be abandoned, especially if the domain name was once used for email.
  • Close cloud-based user accounts that were registered with the old domain email address (this can be difficult to do for domains with a large number of email addresses).
  • Unsubscribe from email notifications which may carry sensitive data, such as text-to-email services and banking notifications.
  • Advise clients to update their address book.
  • Enable two-factor authentication, where the feature is supported for online services.
  • Use unique and complex passwords.
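As an added example (not code from the article or the cited researchers), the audit below turns the first two steps into a check: every domain that ever carried mail is compared against an assumed registrar grace period, and accounts still registered with that domain are listed for migration, with the ones lacking two-factor authentication called out. The inventory, the 30-day grace period and the field names are constructed assumptions.

```python
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=30)  # assumed; real registrar grace periods vary

# Constructed sample inventory: every domain the organisation has ever used.
DOMAINS = [
    {"name": "example-legal.com.au", "expires": date(2018, 4, 10), "used_for_mail": True},
    {"name": "oldbrand.ca",          "expires": date(2018, 2, 1),  "used_for_mail": True},
    {"name": "campaign-site.com",    "expires": date(2019, 1, 1),  "used_for_mail": False},
]

# Constructed sample list of online accounts still tied to those domains.
ACCOUNTS = [
    {"service": "LinkedIn",      "email": "j.doe@oldbrand.ca",          "mfa": False},
    {"service": "Courts Portal", "email": "k.lee@example-legal.com.au", "mfa": True},
    {"service": "Bank alerts",   "email": "ops@campaign-site.com",      "mfa": False},
]


def domain_of(email):
    return email.rsplit("@", 1)[1].lower()


def audit(domains, accounts, today):
    """Return one finding per at-risk mail domain: how close it is to being
    claimable by a stranger, and which accounts would fall with it."""
    findings = []
    for d in domains:
        if not d["used_for_mail"]:
            continue  # only domains that once carried mail expose password resets
        claimable_on = d["expires"] + GRACE_PERIOD
        if today >= claimable_on:
            risk = "CLAIMABLE"  # anyone can now register it and run a catch-all
        elif today >= d["expires"]:
            risk = "IN_GRACE"   # still recoverable, but the clock is running
        elif d["expires"] - today <= timedelta(days=60):
            risk = "EXPIRING"   # renew now rather than leave it to chance
        else:
            continue
        bound = [a for a in accounts if domain_of(a["email"]) == d["name"]]
        findings.append({
            "domain": d["name"], "risk": risk, "claimable_on": claimable_on,
            # password resets for these land in the old mailbox; MFA is the
            # only control left if the domain changes hands
            "accounts_to_migrate": [a["service"] for a in bound],
            "accounts_without_mfa": [a["service"] for a in bound if not a["mfa"]],
        })
    return findings


if __name__ == "__main__":
    for f in audit(DOMAINS, ACCOUNTS, date(2018, 3, 21)):
        print(f)
```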

– Rusaf Talukder

Sources:

https://securityboulevard.com/2018/09/how-abandoned-domain-names-pose-a-major-cyber-risk-to-your-business/

https://cyber.gov.au/individual/news/domain-names/

https://www.csoonline.com/article/3300164/hacking/dont-abandon-that-domain-name.html

https://blog.gaborszathmari.me/2018/09/18/abandoned-domain-names-are-risk-to-businesses/

New European Privacy Standards Coming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR); on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were passed by the EU, the international nature of the web means that people all over the world will feel their impact.

These regulations aim to increase user privacy by expanding the scope of the consent that sites are required to request. First, consent has to be explicitly given for each specific use of data provided by a customer, meaning web services must implement granular permission systems. The user must be told exactly what the data is being used for and has the right to access all the information the company holds on them. Companies must also be able to prove that consent was given for a particular use of data. Second, a user must be able to withdraw their consent at any time. Lastly, all users have the right to be forgotten. This final provision means that a user can request that any data associated with them be permanently erased from a company’s database.
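The consent rules above map onto a small data structure. The ledger below is an added example, not code from the cited articles or any real GDPR tooling: it records consent separately per purpose, keeps an append-only trail so that consent can be proven later, lets a user withdraw at any time, and erases everything about a user on request. Purpose names, the log layout and the hashed erasure tombstone are assumptions.

```python
from datetime import datetime, timezone
from hashlib import sha256


class ConsentLedger:
    """Per-purpose consent with an evidence trail, withdrawal and erasure."""

    def __init__(self):
        self._state = {}  # user_id -> {purpose: True/False}
        self._log = []    # append-only: (user_id, purpose, event, timestamp)

    def _record(self, user_id, purpose, event, when=None):
        self._log.append((user_id, purpose, event, when or datetime.now(timezone.utc)))

    def grant(self, user_id, purpose, when=None):
        # Consent is tied to one stated use; it never spills over to another.
        self._state.setdefault(user_id, {})[purpose] = True
        self._record(user_id, purpose, "granted", when)

    def withdraw(self, user_id, purpose, when=None):
        # Withdrawal is honoured immediately and leaves a record of its own.
        self._state.setdefault(user_id, {})[purpose] = False
        self._record(user_id, purpose, "withdrawn", when)

    def allowed(self, user_id, purpose):
        # Absence of a record means no consent, not implied consent.
        return self._state.get(user_id, {}).get(purpose, False)

    def evidence(self, user_id, purpose):
        """Proof of consent for one purpose: the events, oldest first."""
        return [e for e in self._log if e[0] == user_id and e[1] == purpose]

    def export(self, user_id):
        """Right of access: everything the ledger holds about the user."""
        return {"consents": dict(self._state.get(user_id, {})),
                "history": [e for e in self._log if e[0] == user_id]}

    def erase(self, user_id):
        """Right to be forgotten: drop state and log entries for the user,
        keeping only a hashed tombstone proving the erasure was carried out."""
        self._state.pop(user_id, None)
        self._log = [e for e in self._log if e[0] != user_id]
        tombstone = sha256(user_id.encode()).hexdigest()
        self._record(tombstone, None, "erased")
```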

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of them carries large penalties on a per-violation basis. These rules could change the global playing field, as many advertising, social media, and other businesses that rely heavily on data collection will be heavily affected.

Sources:

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/

2020 Online Census

In two years the United States will conduct the census, as it does every 10 years. This time, though, will be different: the United States will be conducting a primarily online census. This could be a giant security risk.

Back in 2016, Australia decided to try an online census. As soon as the survey was posted, hackers launched a giant denial-of-service attack that took the system down for 2 days. Though no information was breached, it was still an embarrassment for the country and proved that they weren’t ready.

The United States has been toying with the idea of an online census since 2000, but it wasn’t used in 2010 due to a lack of trust in the effectiveness and security of the data collection. It seems that the lack of trust hasn’t gone away, but the pressure to go digital has brought about this change.

Problems are already popping up in this census. The bureau is rushing it out, which has prevented thorough security testing. In the tests that were conducted, the data had issues being transmitted and received.

Not receiving the data could be the least of our worries, though. Hackers could flood the census with phony data, or breach the data and release it. Neither outcome would look good for our government, and both would deepen the distrust people already have since the election. Maybe it is best to wait another 10 years until our platform is more secure and trustworthy.

– Bailey Pearson

Sources:

https://www.motherjones.com/politics/2018/03/the-2020-census-is-a-cybersecurity-fiasco-waiting-to-happen/

Recently Found Glitch in iOS 11.2.6

In Apple’s latest iOS version, there is a major security flaw involving Siri.

To protect users’ privacy, notification contents can be set to hidden, so that the phone must be unlocked to see the messages. However, if the user asks Siri to read the notifications, Siri reads out the contents of the message. This is a pretty big issue, as anyone could access those messages when they were supposed to be secured.

Apparently the bug only affects third-party apps such as Facebook Messenger, Skype, WhatsApp, Telegram, and Signal. The only apps not affected are Apple’s own SMS texts and iMessage.

Email information can also be read directly off the lock screen. Details such as sender, subject, and message content are accessible.

According to Apple, the issue will be resolved in a future update.


– Jessica Prost

Sources:

https://threatpost.com/apple-to-fix-glitch-allowing-siri-to-read-hidden-messages-out-loud/130721/

https://mashable.com/2018/03/21/siri-iphone-lock-screen-bug-exposes-messages/#rRWd0iW6Saqa

AMD Acknowledges New Exploits in New Processors

Earlier this month, a lab based in Israel found 13 critical exploits in AMD’s new line of processors that would allow hackers to install persistent malware and access sensitive information.

Although the lab has not publicly stated how the exploits work, people are still criticizing it for publicly announcing that the exploits exist at all, because when exploits are found, researchers usually give the company a 30-60 day grace period to work out how to fix the hole. However, the CTO of the lab believes it is important to notify the public immediately because of companies’ track record in notifying their customers of the potential risks to their machines.

The CTO of CTS Labs believes that their approach of notifying both the company and the public gives the company more reason to work on a patch, because there is now public pressure to patch the flaws. He also believes it poses no threat to consumers because they never publicly release the technical details of the exploits. Going public on day 0 also allows third parties to start working on a fix for the exploits as well.

For this specific set of exploits on the new line of processors, a hacker would need administrative privileges to even use them. AMD stated that even without these exploits, a hacker with administrative access would have a wide range of attacks available against your machine, and that there are bigger worries than the processor exploits if someone has managed to gain administrative access to your computer. However, these new exploits could defeat preventative measures such as Windows Credential Guard, which is supposed to keep even administrator-level access away from certain information.

AMD has since been working on firmware patches to roll out to the general public, which it said would not affect performance at all.

– Ryan Lei


Sources:

https://thehackernews.com/2018/03/amd-processor-hacking.html

https://www.theinquirer.net/inquirer/news/3028922/amd-says-security-flaws-do-exist-in-ryzen-and-epyc-cpus-but-updates-are-incoming