How Abandoned Domain Names Pose a Major Cyber Risk to Your Business

Many businesses don’t realize that abandoning domain names they no longer use can pose a serious security threat. A domain name is a name you register to identify your business on the internet; for Canadian businesses, this is typically a name ending in .com or .ca, such as example.com.ca. The problem with domain names is that they usually accumulate a fair amount of information about the company, yet their renewal is left to junior technicians or outsourced IT support providers. Many companies see domain renewals as a waste of money after a rebranding, a restructuring of the company, or a decision to drop the domain altogether. The abandoned-domain problem begins when the domain is no longer paid for and goes out of service: after a grace period it becomes available for anyone to claim. Once that grace period ends, even an attacker can register the domain that was left behind, with no proof of identity or prior ownership required. The new owner can then configure a “catch-all” email service, so that any mail addressed to the previous owner is delivered to the new owner, which may well be an attacker. As the article states, “online services often only rely on an email address as a single factor for password resets meaning online services once held by staff of the previous owner can be hijacked.” This is one example of how hijacking an old domain can be devastating for a business.

This is an image from the article showing that the researchers were able to access documents intended for former clients. (Source: blog.gaborszathmari.me)

Even when a business has merged with another, sensitive information can still leak through email exchanged with clients, colleagues, vendors, suppliers, and service providers.

Research by Gabor Szathmari and Jeremiah Cruz found that they were able to:

  • access confidential documents of former clients;
  • access confidential email correspondence;
  • access personal information of former clients;
  • hijack personal user accounts (LinkedIn, Facebook, etc.) of former staff working in their new jobs; and
  • hijack professional user accounts (Commonwealth Courts Portal, LEAP, etc.) of former staff by re-registering abandoned domain names belonging to former businesses.

Active LinkedIn accounts belonging to former staff can be hijacked via abandoned internet domains (Source: blog.gaborszathmari.me)

There are many steps one can take to protect data from abandoned domains. According to the Australian Cyber Security Centre, the following steps should be taken to minimize the risk to businesses:

  • Keep renewing your old domain names indefinitely and do not let them expire and be abandoned, especially if a domain was once used for email.
  • Close cloud-based user accounts that were registered with the old domain email address (this can be difficult to do for domains with a large number of email addresses).
  • Unsubscribe from email notifications that may carry sensitive data, such as text-to-email services and banking notifications.
  • Advise clients to update their address book.
  • Enable two-factor authentication, where the feature is supported for online services.
  • Use unique and complex passwords.
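As an added illustration of the first mitigation (this script is not part of the original post or of the ACSC guidance), the following Python code checks a legacy-domain inventory against registry expiry data and flags the case the article warns about most: a former mail domain that has lapsed or is about to. It assumes RDAP-style domain records, whose "events" array carries an "expiration" entry as in RFC 9083; the records, the inventory, the domain names and the fixed "today" date are all constructed sample values, and lookup_sample stands in for a real RDAP client.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RDAP domain records (same shape as the "events" array in
# RFC 9083 responses); these are not real registry data.
SAMPLE_RDAP = {
    "old-brand.example": {
        "ldhName": "old-brand.example",
        "events": [
            {"eventAction": "registration", "eventDate": "2010-01-05T00:00:00Z"},
            {"eventAction": "expiration", "eventDate": "2018-08-01T00:00:00Z"},
        ],
    },
    "merged-co.example": {
        "ldhName": "merged-co.example",
        "events": [{"eventAction": "expiration", "eventDate": "2018-10-15T00:00:00Z"}],
    },
    "current.example": {
        "ldhName": "current.example",
        "events": [{"eventAction": "expiration", "eventDate": "2020-01-01T00:00:00Z"}],
    },
}

# Constructed inventory of legacy domains. Whether a domain ever carried mail is
# the key attribute: a re-registered mail domain can receive password resets.
LEGACY_INVENTORY = [
    {"domain": "old-brand.example", "used_for_email": True},
    {"domain": "merged-co.example", "used_for_email": False},
    {"domain": "current.example", "used_for_email": True},
]


def lookup_sample(domain):
    """Stand-in for an RDAP client; production code would query the registry's RDAP service."""
    return SAMPLE_RDAP[domain]


def expiration_from_rdap(record):
    """Return the expiration timestamp from an RDAP domain record, or None if absent."""
    for event in record.get("events", []):
        if event.get("eventAction") == "expiration":
            stamp = event["eventDate"].replace("Z", "+00:00")  # RFC 3339 -> fromisoformat
            return datetime.fromisoformat(stamp)
    return None


def assess_domain(entry, record, now, warn_days=60):
    """Classify one domain as expired / expiring / ok / unknown and rate the risk."""
    expires = expiration_from_rdap(record)
    if expires is None:
        status = "unknown"
    elif expires <= now:
        status = "expired"
    elif expires - now <= timedelta(days=warn_days):
        status = "expiring"
    else:
        status = "ok"
    if status == "ok":
        severity = "low"
    elif entry["used_for_email"]:
        severity = "high"  # lapsed mail domain: catch-all hijack of resets becomes possible
    else:
        severity = "medium"
    return {"domain": entry["domain"], "status": status, "severity": severity, "expires": expires}


def assess_inventory(inventory, lookup=lookup_sample, now=None, warn_days=60):
    """Run the check over the whole inventory; `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return [assess_domain(e, lookup(e["domain"]), now, warn_days) for e in inventory]


def demo_assessment():
    """Assessment of the constructed inventory at a constructed 'today' (2018-09-01)."""
    return assess_inventory(LEGACY_INVENTORY, now=datetime(2018, 9, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for r in demo_assessment():
        print(f'{r["domain"]:20} {r["status"]:9} severity={r["severity"]}')
```

Swapping lookup_sample for a function that fetches the real RDAP record turns this into a periodic renewal check; anything rated high is a domain that should either be renewed or have its old mailboxes' downstream accounts closed first.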

– Rusaf Talukder

Sources:

https://securityboulevard.com/2018/09/how-abandoned-domain-names-pose-a-major-cyber-risk-to-your-business/

https://cyber.gov.au/individual/news/domain-names/

https://www.csoonline.com/article/3300164/hacking/dont-abandon-that-domain-name.html

https://blog.gaborszathmari.me/2018/09/18/abandoned-domain-names-are-risk-to-businesses/

Connections with the Lazarus group and North Korea

Recently, Park Jin Hyok was indicted by the United States on charges of Conspiracy and Conspiracy to Commit Wire Fraud. While the indictment itself amounts to little more than identifying one person who was partly responsible for some major cyber attacks around the world since 2014, it helped to start drawing a line between the Lazarus Group and the government of North Korea. Furthermore, his capture could lead to the exposure of other members of the Lazarus Group. A little history is needed to understand what the Lazarus Group is capable of. In 2014, Sony was hacked over the controversial movie “The Interview”. In 2016, the Bangladesh bank was hacked for $81 million. In 2017, WannaCry affected well over 250,000 hospitals, corporations, and government agencies in 150 countries within 3 days.


But how could one hacker from this group lead to the unmasking of such a sophisticated group? A large email infrastructure is useful for phishing and gives the impression that operations can be kept secret and separate, yet it was also a big reason the US government was able to identify that vast email infrastructure. That, and they got lucky: a purported supervisor sent a résumé along with a report on how the “company was doing”, the company being Chosun Expo Joint Venture. Now that all of the Gmail accounts have been revealed, Eric Chien of Symantec Corp. has it on good authority that attacks from the Lazarus Group will undoubtedly come to a pause. While this is hardly a closed case or the takedown of an organization, it is a spark that can light up the room of the shady Lazarus Group.

– Andres Orbe

Sources:

New European Privacy Standards Coming into Effect

Two years ago the European Union passed the General Data Protection Regulation (GDPR); on May 25th these regulations become enforceable. The GDPR aims to increase the number of privacy controls users have on the web through new privacy standards. Although the regulations were passed by the EU, the international nature of the web means that people all over the world will feel their impact.

These regulations aim to increase user privacy by expanding the scope of the consent that sites are required to request. First, consent has to be explicitly given for each specific use of the data a customer provides, meaning web services must implement granular permission systems. The user must be told exactly what the data is being used for and has a right to access all the information the company holds on them. Companies must also be able to prove that consent was given for a particular use of data. Second, a user must be able to withdraw consent at any time. Lastly, all users have the right to be forgotten: a user can request that any data associated with them be permanently erased from a company’s database.

It is unknown at this time how willing the EU will be to enforce these provisions. However, breaking any of them carries large penalties on a per-violation basis. These rules could change the global playing field, as many advertising, social media, and other businesses that rely heavily on data collection will be massively affected.

https://www.theverge.com/2018/3/28/17172548/gdpr-compliance-requirements-privacy-notice

https://www.cnbc.com/2018/03/30/gdpr-everything-you-need-to-know.html

https://www.huntonprivacyblog.com/2017/12/15/article-29-working-party-publishes-guidance-on-consent-under-the-gdpr/

Quantum Computing’s Impact on Cyber Security

With more technological advancements every day, our vision of quantum computing is turning from theory into reality. Companies like IBM and Microsoft are accelerating forward and are closer than ever to building the first fully functioning quantum computer. Seemingly on the edge of a quantum revolution, it is important to ask how integral parts of our lives, such as cyber security, will be affected by this change.

First, let’s understand what quantum computing is. Modern computing relies on the discrete value of a bit being either 0 or 1; quantum computing allows both possibilities to exist simultaneously in something called a qubit, and the value only settles when it is observed. This allows quantum computers to handle operations and equations at speeds exponentially higher than what we are used to in modern computers, and at far lower energy cost.

How does this affect today’s security? Many of today’s security systems rely on cryptography that is secure precisely because normal computers struggle to factor large numbers. Cryptography based on factoring is therefore a safe bet against today’s technology, but with the introduction of quantum computing these practices would be useless. This isn’t the end of cryptography, though, because some approaches in use today will remain safe against the power of a quantum computer. That doesn’t mean important companies and governments are using them, and if quantum computing takes off faster than anticipated they could run into trouble. Other security strategies used today, like two-factor authentication, will remain just as effective after the introduction of quantum computing, because the person must take multiple steps to log into a system.
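To make the factoring dependence concrete, here is an added example (not from the article or its sources) of textbook RSA with constructed toy primes: it generates a key, encrypts a value, and then recovers the private key purely by factoring the modulus n. trial_factor is a brute-force stand-in for the factoring step that a quantum computer running Shor’s algorithm would perform efficiently; for real key sizes the brute-force version is infeasible, which is exactly the assumption that quantum computing would remove. The primes, the message and the function names (make_toy_rsa, recover_private_key, demo) are this example’s own.

```python
from math import gcd, isqrt

# Constructed toy parameters: primes this small exist only to keep the arithmetic visible.
TOY_P, TOY_Q, TOY_E = 61, 53, 17


def make_toy_rsa(p=TOY_P, q=TOY_Q, e=TOY_E):
    """Return (public, private) as (n, e) and (n, d); n = p*q is the factoring problem."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_apply(value, key):
    """Textbook RSA: encrypt with (n, e) or decrypt with (n, d)."""
    n, exponent = key
    return pow(value, exponent, n)


def trial_factor(n):
    """Brute-force factoring of n; stands in for what Shor's algorithm would do quickly."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    raise ValueError("no non-trivial factor found")


def recover_private_key(public):
    """Once n is factored, deriving d is the same arithmetic the key owner used."""
    n, e = public
    p, q = trial_factor(n)
    phi = (p - 1) * (q - 1)
    return n, pow(e, -1, phi)


def demo():
    """Encrypt with the toy key, then decrypt both legitimately and via the factored key."""
    public, private = make_toy_rsa()
    message = 65  # constructed plaintext, must be < n
    ciphertext = rsa_apply(message, public)
    recovered = recover_private_key(public)
    return {
        "ciphertext": ciphertext,
        "legit_decrypt": rsa_apply(ciphertext, private),
        "attacker_decrypt": rsa_apply(ciphertext, recovered),
        "keys_match": recovered == private,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is the shape of recover_private_key: nothing in it is secret knowledge, only the factorization of n, so the security of the scheme is exactly the hardness of that one step.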

Tomorrow’s security will be almost unfathomable with quantum-based security implementations. Techniques like theoretically unbreakable cryptography, data that stops working if anyone attempts to uncover it, and guaranteed safe passage for data no matter what attacks are used against it could all potentially be achieved with quantum computing. It’s not all positive, though: with the power to develop secure techniques comes the power to exploit older strategies. A quantum arms race has begun between intelligence agencies, because the first agency to gain access to quantum computing power will have an incredible edge over all other countries.

Although quantum computers may never be a household item, their impact on the world will certainly be historic. While many of their advancements will benefit society and the internet infrastructure as we know it, it is still important to make sure that the world is ready for a step this large.

– Jeremy McGrath

Sources:

https://www.technative.io/how-will-quantum-computing-impact-cyber-security/

https://www.nasdaq.com/article/quantum-computing-what-it-is-and-who-the-major-players-are-cm939998

 

Sanitize your strings, kiddos

Trusting user-supplied strings has always been a problem in computing. Users will always find a way to break your application with some kind of weird character. Programmers have found clever ways to get around this, such as preparing SQL statements, escaping unknown characters, or simply returning an error when encountering unexpected text. However, with the rise of the internet and the availability of tools, hackers have become smarter about the way they attack inputs.

In the last month or so, Django found this out in its django.utils.text.Truncator class. This class has two methods, chars() and words(), which attempt to clean input.

Well, for some reason, users wanted a way to clean HTML with these methods, so Django added an html keyword argument to the methods, which would attempt to clean the text as if it were HTML. However, due to a catastrophic backtracking vulnerability in a regular expression in those functions, malicious users could submit complicated HTML that would take a very long time to process. This would result in a DoS attack on the web server, bringing down services for other users. Uh-oh.
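The general defence against this class of regular-expression bug is to bound the size of untrusted input and to avoid nested quantifiers on it, typically by replacing the regex with a single-pass scanner. The following Python example, added here and not Django’s code or its actual fix, implements an HTML-aware character truncation in that style: it counts text characters, keeps tags balanced, and runs in time linear in the input size, so a crafted input cannot make it stall. MAX_INPUT_CHARS, VOID_ELEMENTS and the function names are this example’s own choices, and the sample inputs in the usage are constructed.

```python
MAX_INPUT_CHARS = 10_000  # constructed bound; reject oversized untrusted input before parsing

# Elements that take no closing tag (a constructed subset, enough for the example).
VOID_ELEMENTS = {"br", "hr", "img", "input", "meta", "link"}


def input_within_bound(html):
    """Size guard: the cheapest defence against any slow-path in a parser."""
    return len(html) <= MAX_INPUT_CHARS


def _parse_tag(tag):
    """Return (name, is_closing, is_self_closing) for one '<...>' token."""
    inner = tag[1:-1].strip()
    is_closing = inner.startswith("/")
    body = inner.lstrip("/").rstrip("/").strip()
    name = body.split()[0].lower() if body else ""
    if not name[:1].isalpha():
        name = ""  # comments, doctype etc.: emit as-is, never track as an open element
    is_self_closing = inner.endswith("/") or name in VOID_ELEMENTS
    return name, is_closing, is_self_closing


def _has_text(fragment):
    """True if any character outside a tag remains in the fragment (single pass)."""
    in_tag = False
    for ch in fragment:
        if ch == "<":
            in_tag = True
        elif ch == ">":
            in_tag = False
        elif not in_tag:
            return True
    return False


def truncate_html_chars(html, limit, ellipsis="..."):
    """Keep at most `limit` text characters, leaving tags balanced.

    The index i only moves forward and each character is examined a constant
    number of times, so the cost is linear however the markup is nested.
    """
    if not input_within_bound(html):
        raise ValueError("input exceeds size bound")
    out, open_tags = [], []
    count = i = 0
    while i < len(html) and count < limit:
        if html[i] == "<":
            end = html.find(">", i)
            if end == -1:
                break  # unterminated tag: stop rather than guess at the author's intent
            tag = html[i : end + 1]
            name, is_closing, is_self_closing = _parse_tag(tag)
            if is_closing:
                if name in open_tags:
                    # also close anything opened after `name`, to stay balanced
                    while open_tags:
                        t = open_tags.pop()
                        out.append(f"</{t}>")
                        if t == name:
                            break
                # a stray closing tag is dropped
            else:
                out.append(tag)
                if not is_self_closing and name:
                    open_tags.append(name)
            i = end + 1
        else:
            out.append(html[i])
            count += 1
            i += 1
    if _has_text(html[i:]):
        out.append(ellipsis)  # something textual was cut off
    for t in reversed(open_tags):
        out.append(f"</{t}>")
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(truncate_html_chars("<p>Hello <b>world</b> again</p>", 8))  # <p>Hello <b>wo...</b></p>
    print(truncate_html_chars("Line<br>two", 6))                        # Line<br>tw...
```

The two properties worth checking in any replacement for a regex on untrusted input are the ones this scanner has: an explicit size bound up front, and a loop whose position never moves backwards.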

So, looking at the CVE, you can see the security community ranked it a 5, the highest rating. Needless to say, Django quickly patched the issue and launched a hot fix.

The moral of the story is that security vulnerabilities can happen to anyone, and you should know what the framework you are using is doing instead of blindly trusting that it will work. Be aware of security in your everyday life.

— Kyle Kaniecki