A dangerous domain – corp.com – is being sold after 26 years of ownership. This domain would allow whoever wields it to have access to an unending stream of passwords, email and other data belonging to systems at hundreds of thousands of major companies worldwide.
The current domain owner, Mike O’Connor, hopes that it will be purchased by Microsoft Corp, though there is concern that it could be bought by a hacking group or organized cyber criminals.
The reason that O’Connor is hoping Microsoft will buy it is the unique way that Windows handles resolving domain names on a local network. The vast majority of computers trying to share sensitive information with corp.com are confused Windows PCs. Earlier versions of Windows were actually encouraged to adopt insecure settings that made it more likely Windows computers would share sensitive data with corp.com.
The issue is known as “namespace collision”. Basically, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wants to access a shared drive called “drive1”, there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\\drive1\” is enough, and Windows takes care of the rest by appending the network’s DNS suffix. The default Active Directory path was given as “corp” in many early versions of Windows, a setting many companies didn’t modify. Some even went on to build networks of networks on top of this default path, meaning that these companies’ internal domains do not resolve to a domain they control or own.
This wasn’t such a concern back in the day because employees weren’t carrying around their bulky work computers. Now that people are able to work outside of the office with laptops, it puts company data at risk.
Say, for instance, an employee takes their work laptop to a coffee shop. Chances are good that some resources still try to access the internal “corp” domain. The laptop, on a public wireless connection, is then likely to seek those resources at corp.com. Whoever owns corp.com could passively intercept private communications from hundreds of thousands of computers taken outside of a corporate environment.
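The mechanism described above can be modelled in a few lines. The following script is an added example (not code from the article or from any of the parties it mentions): it reproduces how a Windows client expands a short name such as `\\drive1` using its DNS suffix search list, audits that list against the zones an organisation actually owns, and runs the same check over resolver log lines to spot internal-looking lookups that escape to an unowned public domain. The suffix list, the owned zone `example.com`, the client addresses and the log line format are all constructed for illustration.

```python
"""Namespace-collision audit: DNS suffix expansion and resolver-log check.

Added example, not from the article. All names, suffix lists, client
addresses and log lines below are constructed for illustration.
"""
from __future__ import annotations

import re


def in_zone(fqdn: str, zone: str) -> bool:
    """True if fqdn is zone itself or a subdomain of it (case-insensitive)."""
    f, z = fqdn.lower().rstrip("."), zone.lower().rstrip(".")
    return f == z or f.endswith("." + z)


def expand_short_name(name: str, suffix_list: list[str]) -> list[str]:
    """Candidate FQDNs a Windows client tries, in order, when a user types a
    single-label name such as \\drive1: each suffix from the search list is
    appended in turn. A name that already contains a dot is tried as-is."""
    name = name.strip("\\/").rstrip(".")
    if "." in name:
        return [name]
    return [f"{name}.{s.strip('.')}" for s in suffix_list]


def audit_suffix_list(suffix_list: list[str], owned_zones: list[str]) -> list[str]:
    """Return the suffixes that fall outside every zone the organisation owns.
    A "corp.com" entry with only "example.com" owned is exactly the collision
    the article describes: short names would be sent to someone else's domain."""
    return [s for s in suffix_list if not any(in_zone(s, z) for z in owned_zones)]


# Constructed log format: "<timestamp> client=<ip> query=<qname> type=<qtype>"
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+type=(?P<qtype>\S+)")


def leaking_queries(log_lines: list[str], suffix_list: list[str],
                    owned_zones: list[str]) -> list[tuple[str, str]]:
    """Parse resolver log lines and return (client, qname) for every lookup
    that lands under an unowned suffix from the search list, i.e. internal
    names that would be answered by whoever controls that public domain."""
    unowned = audit_suffix_list(suffix_list, owned_zones)
    hits: list[tuple[str, str]] = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query record; ignore
        qname = m["qname"].rstrip(".")
        if any(in_zone(qname, s) for s in unowned):
            hits.append((m["client"], qname))
    return hits


# Constructed sample data (hypothetical organisation that owns example.com
# but inherited the default "corp" Active Directory name).
OWNED_ZONES = ["example.com"]
SUFFIX_LIST = ["corp.com", "internalnetwork.example.com"]
SAMPLE_LOG = [
    "2020-02-10T09:15:02Z client=10.0.0.5 query=drive1.corp.com type=A",
    "2020-02-10T09:15:02Z client=10.0.0.5 query=drive1.internalnetwork.example.com type=A",
    "2020-02-10T09:16:44Z client=10.0.0.9 query=www.microsoft.com type=A",
    "2020-02-10T09:17:01Z client=10.0.0.7 query=mail.corp.com type=A",
]

if __name__ == "__main__":
    print("unowned suffixes:", audit_suffix_list(SUFFIX_LIST, OWNED_ZONES))
    print("\\\\drive1 expands to:", expand_short_name("\\\\drive1\\", SUFFIX_LIST))
    for client, qname in leaking_queries(SAMPLE_LOG, SUFFIX_LIST, OWNED_ZONES):
        print(f"LEAK  client={client}  query={qname}")
```

Running it reports `corp.com` as the one suffix the organisation does not own, shows `\\drive1` expanding first to `drive1.corp.com` (before the owned `internalnetwork.example.com` candidate), and flags the two lookups from the sample log that would reach the public `corp.com` zone while leaving ordinary browsing such as `www.microsoft.com` alone. The same audit applied to a real suffix search list and real resolver logs is the defender's check for the condition the article describes; the fix is to make the Active Directory and suffix names fall under a domain the organisation actually registers.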
During an eight-month analysis, experts found that 375,000 Windows PCs were trying to send sensitive information to the domain, including attempts to access specific file shares and log in to internal corporate networks. They found that they received over 12 million emails in an hour. When experts configured corp.com to accept connections that mimicked the way local Windows networks handle logins and file-sharing attempts, they noted it was ‘terrifying’ and ‘raining credentials’.
Whoever ends up controlling corp.com could have an instant botnet of well-connected enterprise machines. They would have an instant foothold into about 30 of the world’s largest companies.
Proofpoint, Inc., a leading cybersecurity and compliance company, released its annual Human Factor report this month. We’ve gone through it to see what key takeaways