Microsoft Buys Corp.com So Bad Guys Can't (krebsonsecurity.com)
Brian Krebs: In February, KrebsOnSecurity told the story of a private citizen auctioning off the dangerous domain corp.com for the starting price of $1.7 million. Domain experts called corp.com dangerous because years of testing showed whoever wields it would have access to an unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe. This week, Microsoft agreed to buy the domain in a bid to keep it out of the hands of those who might abuse its awesome power.
Re: (Score:1)
"The domain only has 'awesome power' if you're a criminal seeking to exploit the active directory passwords for nefarious purposes. "
Come now, you need to be creative. There are quasi-legal government interests with three-letter names here and there which might be willing to pay for such backdoors. Also, this information was handed over willingly; it could be sold to other parties who want to do more in-depth and nefarious types of data collection as well, while still saying Microsoft does nothing of the sort.
Any 4-letter domain name has awesome power (Score:2)
Re: (Score:3)
Microsoft already has most of our work passwords. With Office 360 and ADFS, so many of our passwords are going over to Microsoft anyways.
Unfortunately we can only hope Microsoft is not recording it, which they probably aren't. However, I have more trust in Microsoft, Google and Apple than in the likes of some random dude, or some 3rd-party vendor making a crappy product where their passwords are only encrypted in the narrowest of terms.
Re: (Score:3)
Microsoft already has most of our work passwords.
So? They can also execute any code they like on any Windows PCs in the world (or all of them at once if they feel like it...)
Having some passwords via Office 360 should be the least of our worries.
Re: (Score:2, Interesting)
rather than Microsoft who will only use the data in an appropriate way
Millions of idiots already misconfigured their networks to use this domain name long, long ago.
Those networks are going to be sending their data to where the admins told it to.
That isn't going to change no matter who owns the domain.
If one didn't want this to happen, they wouldn't have used "corp" as their network's top level in the first place.
Yet they did. So clearly they don't care that their network sends data there.
So why do you care so much if the network owners don't?
Re:ROFL (Score:5, Insightful)
rather than Microsoft who will only use the data in an appropriate way
Great conspiracy theory. Now to invalidate it: you're talking about a company which through the power of an update process has the ability to arbitrarily execute code on any user's machine. And you think they needed to buy a domain to get "power" over you.
If you honestly believe that then there's really no helping you.
Re: (Score:2)
Yeah, it's more fundamental than that. It's not a problem you can fix by an update, since it would break a network. Think of it like MS issuing an update to one computer changing its workgroup. Suddenly a whole lot of users can't see that computer in their network anymore.
Re: (Score:2)
Right. Which invalidates GP's (thegarbz) argument.
Re:Odd solution though? (Score:4, Insightful)
Why not use the update system to fix the underlying issue - and not have the user's machines send passwords to corp.com?
Because the issue is a stupid user configuration error by someone who failed "how to set up an AD server with your remaining brain cell 101". The thing is, if MS issues an update that changes the configuration, the end result is a completely broken internal corporate network.
This is no different than the guy who registered example.com and ran an email server that responded to all emails letting them know that their email server was misconfigured and still had a default from the documentation set.
Re: (Score:2)
Conspiracy between who? Microsoft and Microsoft?
"Now to invalidate it: you're talking about a company which through the power of an update process has the ability to arbitrarily execute code on any user's machine. And you think they needed to buy a domain to get "power" over you."
For one, it impacts hosts which don't get Windows updates, so YES. For another, people can block and selectively apply Windows updates, and Windows updates get a great deal of scrutiny. Last but not least, what I'm talking about completely
Re: (Score:2)
I was thinking something similar. Because something that specific, literally one domain being the specific place all this sensitive information is floating toward...
Like, I can't even begin to imagine how difficult that would be to patch. =)
There would absolutely have to be something in it for them financially if they were willing to shell money out like that.
Re: (Score:1)
This is entirely because of inexperienced admins, and how they set up their Active Directories... In Microsoft's training guides for years, they used the .corp.com domain for examples, and made everybody painfully aware to insert your own domain name there.
Guess what? People who barely passed the tests, or just got the training guides didn't follow those instructions, and just put in .corp.com everywhere so it would work.
This is just like all the Cisco documentation having 1.1.1.1 as a fake IP address and
Re: (Score:2)
This is not trolling. Microsoft has a history of abusive behavior like this.
Just look at the ongoing updates pushing Windows 10 users into having Microsoft accounts and requiring backflips of creating and then removing an account to install Windows, so they can associate your "anonymous" telemetry with Windows account details.
So now MS can abuse it instead? (Score:4, Funny)
Wow what will MS do with all this power I wonder?
Re: (Score:2)
Embrace and extend!
Re:So now MS can abuse it instead? (Score:5, Insightful)
Wow what will MS do with all this power I wonder?
Nothing. You're talking about a vendor who can push nefarious code out to any computer they wish under the guise of a security update. They don't need some shitty domain to screw the entire world 100 times over.
So the answer is nothing. They literally bought the domain so nothing at all would happen.
Re: (Score:2)
Wow what will MS do with all this power I wonder?
Nothing. You're talking about a vendor who can push nefarious code out to any computer they wish under the guise of a security update. They don't need some shitty domain to screw the entire world 100 times over.
So the answer is nothing. They literally bought the domain so nothing at all would happen.
Exactly. They own the software supply chain from end to end. This just makes their lives easier than the alternative.
Re: (Score:2)
Are you implying that I couldn't do this on Linux?
Re: (Score:2)
Send my server an automated update that took it over? Or register the default domain that all Linux systems and documentation use? The answer to both is no, because you don't own the trust chain that delivers updates to random computers, and a benevolent admin already registered example.com.
He could do it, but instead he uses his powers to reply to emails telling people they configured their mail forwarder wrong.
Re: (Score:2, Interesting)
You're talking about a vendor who can push nefarious code out to *any* computer they wish under the guise of a security update.
I'd like to see them try that in my MS-free household.
Re: (Score:2)
Their only experience with Power is to make a Point.
Re: So now MS can abuse it instead? (Score:2)
Because they don't already have the power to be looking at all those password hashes anyway, what with Windows Telemetry, Office365, ADFS, etc.?
Take off the tinfoil hat. This is a cost that has been on the balance sheet for 20 years, since publishing all that documentation and training material for Active Directory that used whatever.corp.com in every single example.
Other news (Score:1)
Sinaloa cartel buys North American distribution rights to keep it out of the hands of small timers.
Not good (Score:2)
Re:Not good (Score:5, Informative)
Microsoft employs the world's best programmers, right?
Yes, and quite a few of them too.
Re:Not good (Score:4, Interesting)
Well don't leave us hanging...what exactly are those programmers best at?
My guess is gardening and Yahtzee. Did I win?
Considering the sheer volume of attacks Windows is subjected to every day I'd say ensuring that Windows has not yet been obliterated as an OS ranks pretty high. That is also one of the major reasons that we are still waiting on the year Linux eclipses Windows and takes over the desktop market. Believe it or not (and I somehow suspect you won't, even if somebody presented you with irrefutable evidence) Microsoft hires a good proportion of the best developers and engineers that universities around the world produce every year.
Re:Not good (Score:5, Informative)
For once this isn't the programmer's fault. The problem is that the default domain used by old versions of Windows Server was corp.com. Lazy admins sometimes didn't change it.
So if you had a server like outlook.corp.com to handle mail in your corporate network, and whoever owned corp.com created an outlook subdomain, computers on your network might accidentally connect to a remote server not under your control. Often this went unnoticed because internal DNS would resolve to the local machine first, but if that machine went down or was retired, or a laptop was taken offsite and used without a VPN...
In later versions they got rid of corp.com as the default.
Why not both? (Score:4, Interesting)
For once this isn't the programmer's fault. The problem is that the default domain used by old versions of Windows Server was corp.com.
But wait, who made the default a domain they don't control? I'm not saying admins neglecting to change it aren't also to blame, but you can't really say it's the fault of one person for not fixing it and not at all the fault of the people who shipped it out with a problem by default to begin with. It's both! And I'd wager MS had more people checking their work than most admins, and setting the default affected many more than any individual admin not fixing it.
I'm always a little surprised at how many people jump to defend corporations like Microsoft when they make a mistake. Messing up doesn't make them a bad company, or you a bad person for supporting them. It just means they made a mistake.
Re: (Score:1)
I blame the devs. Instead, use .internal, .local, or maybe example.com. Don't put in a domain that is out of your control. What if the default was microsoft.com, slashdot.org, or whitehouse.gov? Totally the devs' fault.
Re:Why not both? (Score:5, Insightful)
It wasn't even a default. It was in their training docs. People used the domain that was in the training guides, didn't understand the big-ass warning that they needed to use their own domains, and most things just pretty much worked. People who had no right doing network administration just used it.
That's why Microsoft has used contoso.com for the last 15 years in their training guides.... They at least owned that domain.
Re: (Score:2)
Yes, it is the devs' fault, or at least someone around that level. Somebody made the decision to have a default value in place instead of leaving it blank. By having the default value it led to this problem. If a blank value was used they would have forced the admin to enter a proper value for their situation. Then if the admin entered something that saw private information go to an outside party, it would have been their fault.
Yes, some responsibility goes with the admin for not changing the value but the dev
Re: (Score:2)
If the user puts in a domain ending in .com, it should probably just uninstall itself and order an Etch-A-Sketch off Amazon for them.
Re: (Score:2)
Yes, it is the devs' fault, or at least someone around that level. Somebody made the decision to have a default value in place instead of leaving it blank.
This is standard practice in all software. Linux uses example.com as a default. That also happens to be a domain owned by someone.
and if you believe that ... (Score:2)
There's a bridge down in San Diego with great cash flow. I can let you in, for a price.
My animosity to anything Microsoft goes clear back to CP/M-80 and their C (sort of) compiler. I was working on some SCSI adapter code for NT 4 and had a weird time trying to understand the logic of adding the adapters to the registry. Turns out that they had totally messed up that code and you had to enter all of the HBA parameters as a string to be parsed by the driver, instead of intelligently having attributes, such
Major blunder! (Score:5, Insightful)
Re:Major blunder! (Score:5, Insightful)
No blunder involved. AD was not meant to pretend to be a domain outside of a company's control. This is like system admin 101 level stuff.
Microsoft spends money again in an attempt to save stupid users from themselves.
Re:Major blunder! (Score:4, Insightful)
You can't call people dull and then immediately declare that you should use .local. That's not just bad advice it actually causes problems.
The correct thing to do is use a domain you own, and control. If you own mydomain.com, your internal active directory domain should be corp.mydomain.com or ad.mydomain.com or something like that, either that or buy another domain just for internal use. Anything else is asking for trouble.
Here's an old article on why it was already considered a bad idea to use .local nearly a decade ago.
http://www.mdmarra.com/2012/11... [mdmarra.com]
Re: (Score:1)
Personally I just use china.com locally. Like no condoms in Haiti, what fun is life if it's not an adventure?
Re: (Score:2)
"The point was the domain should be something that's not publicly resolvable."
And the ONLY way to know that, is to OWN the domain. Anything else may one day in the future become resolvable and is out of your control.
The trouble with using "fictional" TLDs is that they may no longer be fictional. I know of at least two companies using a fake TLD that now actually exists, and fortunately it isn't causing too much trouble because of the relatively low adoption of most of the new TLDs, but still; theircompanyname.ltd is now a valid domain name in the global address space, since .ltd was ad
Any sane person would use ".local"
.local wasn't reserved by the IETF until 2013. corp.com long predates this. Also using .local for AD breaks some mDNS setups.
You should see that sort of junk all the time. It's standard practice not just by Microsoft but by all software. Linux for example (pun intended) uses example.com. Fortunately the owner of example.com is benevolent, but the reality is the same. It's a resolvable FQDN used to make documentation easier and to not break networks.
Re: (Score:2)
Any sane person would use ".local"
It's standard practice not just by Microsoft but by all software. Linux for example (pun intended) uses example.com. Fortunately the owner of example.com is benevolent, but the reality is the same. It's a resolvable FQDN used to make documentation easier and to not break networks.
Yes, but example.com is reserved for documentation in RFC 2606. Maybe a little late for Microsoft to use in W2K though.
Re: (Score:2)
And $1.7m is chump change.
Would you be so kind as to send some chump change to a fellow slashdotter?
Ahem... (Score:2)
...look who's talking.
Making a gardener out of the goat.
Longstanding vulnerability (Score:1)
So Microsoft OS's have an enormous, longstanding security problem resulting in a massive number of computers sending passwords and other information to the open Internet and, instead of fixing the problem, MS bought a domain name to try and mitigate it.
Cool....
Re: (Score:3)
No, planet Earth has a long-standing issue with morons copy-pasting examples verbatim out of the documentation and therefore misconfiguring their domains to point at "ChangeMe.com".
Re: (Score:2)
No way. If you're setting up an *intranet*, no request from that system should default to sending credentials to some random web site on the internet. No matter how badly you configure it. Particularly not if you're using a non-fully qualified address.
Re: (Score:2)
Yes, but what happens is that people take laptops home, and being ignorant of the way things work, attempt to connect to corp.com resources without VPNs.
So you have a stack of barely qualified button mashers configuring systems exactly as the training materials said 20 years ago, or ignoring the banners that say "DON'T USE THIS USE SOMETHING YOU OWN" and combine that with a stack of non-IT people who expect it "just works", and you get people attempting to connect to something.corp.com and sending an NTLM h
Re: (Score:2)
By your argument, *all* the vulnerabilities in any piece of software are the user's fault for not using an appropriate VPN and firewall.
A service that cannot resolve an internal host should not go "whelp, let's try the Internet!"
More elaboration needed. (Score:4, Insightful)
Even if your DNS is configured correctly it won't always save you. If a machine is taken to another site with a different DNS server, or if some app decides it is going to use its own DNS resolution for whatever reason...
Re:More elaboration needed. (Score:4, Informative)
"corp" was the example kerberos "DC" given in the documentation for active directory.
If used this would become "DC=corp,DC=com" after upgrading from a windows 2000 domain.
If you imagine "example.com" becoming active in the global DNS, you'll have an idea of the consequences of this, although limited to active directory.
The biggest difference being that example.com is explicitly listed in an RFC as safe to use for documentation and examples, stating it will never become active for that reason.
Of course "corp" as a kerberos top level, and corp.com as a DNS zone, were never specified as safe for documentation let alone safe to be used.
Re: (Score:2)
If you imagine "example.com" becoming active in the global DNS, you'll have an idea of the consequences of this, although limited to active directory.
example.com is active in the global DNS.
QUESTION SECTION:
example.com. IN A
ANSWER SECTION:
example.com. 4731 IN A 93.184.216.34
Query time: 21 msec
SERVER: 1.1.1.1#53(1.1.1.1)
WHEN: Tue Apr 07 20:06:46 CEST 2020
MSG SIZE rcvd: 56
Re: (Score:2)
Sure enough it is.
But the fact it resolves is violating the RFC. I still couldn't blame anyone for using example.com for documentation or examples, expecting the RFC to be correct.
This one is completely the fault of IANA, unlike the corp.com example Microsoft used that was never specified as a special domain.
Re: (Score:2)
I did check, and it still defines reserved example domains to return nxdomain, and be registered in perpetuity to the IANA.
The only mention is at the end of item 7, saying IANA currently has it pointing to a web server to explain the purpose of the domain.
It doesn't say why, just that it is.
It also, at least for this section, doesn't mention why it was changed from the prior RFC. Not that this is required or anything, but when done it tends to help explain the reasoning.
Re: (Score:3)
"Domain experts called corp.com dangerous because years of testing showed whoever wields it would have access to an unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe."
What? Why? Are people misconfiguring their DNSs?
Whoever wrote this needs to elaborate a bit more on the reason owning corp.com is so dangerous.
I wondered that too, so I found this article [krebsonsecurity.com] that explains more.
if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\\drive1\” alone will suffice, and Windows takes care of the rest.
But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.
Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.
Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?
Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”
In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.
So Microsoft pretty much allowed a domain intended to be used as an example in documentation to be applied as the definitive value in a live setting.
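The quoted passage above (single-label names like \\drive1 being completed by DNS name devolution) and the earlier comment about an outlook.corp.com host resolving to someone else's server both come down to one question: once a laptop is off the corporate resolver, which fully-qualified names does a short name fan out to, and who owns the zones those names fall under? The script below is an added illustration written for this thread, not code from the article, from Microsoft or from Windows. It models devolution in a simplified way (drop the leftmost label of the primary DNS suffix until `stop_at` labels remain; the real Windows devolution level is configurable and is not reproduced here), and the set of "owned" zones is constructed. It then labels each candidate as an owned zone, an RFC 2606 documentation name, a .local mDNS name (RFC 6762), or an unowned public name, which is the case the thread is about.

```python
"""Simplified model of DNS suffix devolution for an unqualified Windows name.

Constructed illustration, not Windows' resolver code.  Assumptions:
  - devolution drops the leftmost label until `stop_at` labels remain
    (2 = stop at the second-level domain); Windows' actual level is configurable
  - the `owned` zone set is made up for the demo
"""

# Names set aside by RFC 2606 for documentation; IANA holds them.
RFC2606_RESERVED_SLDS = {"example.com", "example.net", "example.org"}
RFC2606_RESERVED_TLDS = {"test", "example", "invalid", "localhost"}
# .local is claimed for multicast DNS by RFC 6762 (2013); queries go link-local.
RFC6762_MDNS_TLD = "local"


def devolve(primary_suffix, stop_at=2):
    """Suffixes tried for an unqualified name: the full primary DNS suffix, then
    each parent obtained by dropping the leftmost label, until `stop_at` labels
    remain.  'west.corp.mydomain.com' -> [..., 'corp.mydomain.com', 'mydomain.com']."""
    labels = [l for l in primary_suffix.lower().rstrip(".").split(".") if l]
    tried = []
    while len(labels) >= stop_at:
        tried.append(".".join(labels))
        labels = labels[1:]
    return tried


def candidates(short_name, primary_suffix, stop_at=2):
    """FQDNs a bare name such as 'drive1' expands to under devolution."""
    return [f"{short_name.lower()}.{s}" for s in devolve(primary_suffix, stop_at)]


def classify(fqdn, owned_zones):
    """Who answers for fqdn once the query escapes the internal resolver."""
    labels = fqdn.split(".")
    tld = labels[-1]
    sld = ".".join(labels[-2:]) if len(labels) >= 2 else fqdn
    if tld in RFC2606_RESERVED_TLDS or sld in RFC2606_RESERVED_SLDS:
        return "reserved for documentation (RFC 2606, IANA-held)"
    if tld == RFC6762_MDNS_TLD:
        return "mDNS (.local, RFC 6762): link-local multicast, not the Internet"
    if any(fqdn == z or fqdn.endswith("." + z) for z in owned_zones):
        return "owned zone"
    # The corp.com case: a name the organisation never registered, so the
    # public registrant of the second-level domain gets the query.
    return "UNOWNED: answered by whoever registered " + sld


def audit(short_name, primary_suffix, owned_zones, stop_at=2):
    """(fqdn, verdict) for every candidate the short name devolves to."""
    return [(c, classify(c, owned_zones))
            for c in candidates(short_name, primary_suffix, stop_at)]


if __name__ == "__main__":
    owned = {"mydomain.com"}  # constructed: zones this organisation registers
    for suffix in ("corp.com", "corp.mydomain.com", "example.com", "corp.local"):
        print(f"primary DNS suffix = {suffix}")
        for fqdn, verdict in audit("drive1", suffix, owned):
            print(f"  {fqdn:28} {verdict}")
```

Running it shows the contrast the thread draws: with a suffix of corp.mydomain.com every devolved candidate stays inside a zone the organisation registers, while corp.com yields drive1.corp.com, a name whose answer is controlled by corp.com's registrant; example.com and .local land in the reserved or link-local buckets, which is why commenters keep proposing them as safer examples.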
Make Bed now lie in It (Score:2)
So Microsoft made a bed and now they have decided to lie in it. What is the news here?
Or rather is it merely a warning that one should not make the bed in a fashion that you would not lie in?
On what planet is MS *not* the Bad Guys? (Score:1)
Clueless kids writing stories again?
Next up: The "Unn" defeated Charlie Chaplin, riding a T-Rex.
That's a bit expensive (Score:2)
div by 0 (Score:2)
Checks URL... Wait what...?
Sorry, I'm having trouble parsing the headline, it's like the closest thing you can get to a semantic divide by zero.
Yeah I know, there's nothing bad they can do with it that they couldn't do without it. I'm still stuck with the div by nil.