There was a story posted on NakedSecurity.Sophos.com about how the new gTLD program has made it easier for cybercriminals to infiltrate and hack entire organizations. The vulnerability lies with WPAD (Web Proxy Auto-Discovery Protocol), a system that makes it easy for organisations to configure the many web browsers inside their network. It is important to note that poorly configured networks are partially to blame for this as well.
Tip of the cap to Kate from Namepros for bringing the article to attention.
From the article:
A combination of poorly configured networks and new rules on internet domain names are giving cybercriminals a new and easy way to attack entire organisations, according to research out of the University of Michigan.
The vulnerability, described by US-CERT (the United States Computer Emergency Readiness Team) in alert TA16-144A issued 23 May 2016, affects computers that are using WPAD.
WPAD is short for Web Proxy Autodiscovery Protocol, a system that makes it easy for organisations to configure the many web browsers inside their network.
WPAD is supposed to find its browser configuration files on the internal network, but wily attackers may be able to trick WPAD into downloading booby-trapped versions of those configuration files from the public internet instead.
Worse still, if you use a work computer at home, and WPAD is enabled, you may very well end up searching for your browser configuration on the open internet every time, simply because your work network isn’t visible.
The article goes on to explain how the new gTLDs are making things worse.
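To make the mechanism concrete, here is a small added example (it is not code from the Sophos article, the US-CERT alert or the research paper). It assumes a BIND-style resolver query log, a constructed set of internal zones, and a simplified model of DNS suffix devolution in which the client always tries the full search suffix and then strips one label at a time down to two labels. The first function lists the wpad.* names a client would ask for given its DNS search suffix, the second flags the ones that fall outside the zones the organisation controls (names someone else could register), and the third runs the same check over constructed log lines so a defender can spot WPAD lookups leaving the internal namespace.

```python
import re
from typing import List, Set, Tuple

# Zones the organisation actually controls (constructed example values).
INTERNAL_ZONES = {"corp.example.com"}

# BIND-style query-log line, the format this example assumes:
# "<date> client <ip>#<port> (<qname>): query: <qname> IN <qtype> ..."
QUERY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: one internal WPAD lookup, one that would leak to a
# new gTLD, one unrelated query, and one from a single-label suffix.
SAMPLE_LOG = """\
23-May-2016 10:01:02.123 client 10.0.0.5#53211 (wpad.corp.example.com): query: wpad.corp.example.com IN A + (10.0.0.2)
23-May-2016 10:01:02.456 client 10.0.0.7#41022 (wpad.corp.global): query: wpad.corp.global IN A + (10.0.0.2)
23-May-2016 10:01:03.001 client 10.0.0.9#50001 (www.example.net): query: www.example.net IN A + (10.0.0.2)
23-May-2016 10:01:03.500 client 10.0.0.7#41023 (wpad.home): query: wpad.home IN A + (10.0.0.2)
"""


def wpad_candidates(search_suffix: str) -> List[str]:
    """Names a WPAD client tries, in order, for a given DNS search suffix.

    Assumed devolution model: the full suffix is always tried, then the
    leftmost label is dropped each round until two labels remain. For
    division.corp.example.com that gives wpad.division.corp.example.com,
    wpad.corp.example.com and wpad.example.com.
    """
    labels = search_suffix.strip(".").lower().split(".")
    out = []
    for i in range(len(labels)):
        if i == 0 or len(labels) - i >= 2:
            out.append("wpad." + ".".join(labels[i:]))
    return out


def is_internal(name: str, internal_zones: Set[str]) -> bool:
    """True if `name` is inside a zone the organisation controls."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in internal_zones)


def leaking_candidates(search_suffix: str, internal_zones: Set[str]) -> List[str]:
    """WPAD names that would be resolved outside the organisation's zones.

    Each of these is a name a third party could register and answer for,
    which is the collision risk the article describes.
    """
    return [n for n in wpad_candidates(search_suffix)
            if not is_internal(n, internal_zones)]


def find_leaking_wpad_queries(log_text: str, internal_zones: Set[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, qname) for every wpad.* lookup in the log whose name
    is outside the internal zones; these are the queries to investigate."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname.startswith("wpad.") and not is_internal(qname, internal_zones):
            hits.append((m.group("ip"), qname))
    return hits


if __name__ == "__main__":
    for suffix in ("division.corp.example.com", "corp.global"):
        print(suffix, "->", wpad_candidates(suffix),
              "leaking:", leaking_candidates(suffix, INTERNAL_ZONES))
    for ip, qname in find_leaking_wpad_queries(SAMPLE_LOG, INTERNAL_ZONES):
        print("WPAD lookup outside internal zones:", ip, qname)
```

The log check only sees queries that pass through the organisation's resolver; for the home-laptop case in the article, every candidate name is resolved on the public Internet, so the candidate list itself is the useful output there. Fixing the root cause means using a search suffix under a domain the organisation actually owns, and registering (or at least monitoring) the names that would otherwise leak.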
Domain says
Thanks for posting this, technically a bit over my head but interesting nonetheless.
Greg says
Another reason why the new gtlds needed more planning and for a lesser amount to be released. Thx Mike.
Acro says
The issue is related to the bad practice by network administrators to invent their own domains for what should otherwise be a closed network (intranet). Imagine calling your network corporation.global as an example. It was outside of the realm of registrability, but now it can be registered. It will cost you $2500.
The issue of name collisions retained many keywords off the available gTLD domains. Each gTLD is examined individually before those lists are released. AFAIK, Donuts has released most of the initially reserved domains, along with Uniregistry.
More info on the domain name collision process by ICANN: https://www.icann.org/resources/pages/name-collision-2013-12-06-en
Jothan says
I think Acro nailed it – I’d like to also say that this issue is not isolated to new TLDs. The same problem would exist in a .com or other legacy TLD where a corporation fails to renew and the name drops and is picked up by someone who sets up a wildcard DNS and points it at a web server to find any wpad hits.
It is actually far more likely that a corporation might fail to renew and have that happen, which has orders of magnitude more likelihood in a TLD with over, say, 120 million domains registered.
Yet another convenient hook for someone to hang a new TLD hater hat on, for those who miss no opportunity, though.
Mason Cole says
There is no evidence of this particular exploit being used by anyone. While the report and this post target new TLDs, NxD DNS results occur in .COM far more than all new TLDs combined. Regrettably, this looks more like scare tactics and slanted research, ultimately designed to dissuade competition in the domain name industry. The absence of demonstrable harm in new TLDs, coupled with the explosive growth in their registrations, indicates that new TLD namespace is in fact extremely secure and reliable.
Domain says
That sounds cute but the University of Michigan has no vested interest in the domain space. So I don’t think it’s a slanted piece. You work for Donuts what else would you say ?
Mason Cole says
The paper was authored, as is clearly stated, by Verisign Labs. Eric Osterweil and Matthew Thomas are employed by Verisign. Morley Mao and the University of Michigan received a grant from Verisign.
Eric Osterweil says
Mason, et al., the US-CERT technical alert (TA16-144A: https://www.us-cert.gov/ncas/alerts/TA16-144A ) and IEEE Security and Privacy publication are independent (and in the latter case, scientific peer reviewed) reports. These publications constitute corroboration of the published results. US-CERT is a mainstay of cybersecurity outreach by the US Government, and IEEE Security and Privacy (S&P) is a top-tier research venue whose scientific reputation is (with all due respect) beyond reproach. Your objection to their publications is tantamount to saying you don’t believe these organizations are impartial and/or qualified and that your personal view is more informed. I have trouble seeing your justification for this.
The NXDomain rates for WPAD queries in the root versus .com are actually slanted very heavily towards the root (that is, we see far greater rates of WPAD queries in the NXDomain traffic at the root than at .com), which helped motivate our analyses. In regards to registrations in .com, what we actually see in the data is a lot of proactive registration of domains that would otherwise be part of our Highly-Vulnerable Domain (HVD) set. That is, organizations seem to (measurably) be protecting their namespaces through registration in existing TLDs. In short, this actually supports our “Apples and Oranges” comment ( https://forum.icann.org/lists/comments-name-collision-05aug13/pdfgGgQZ2Oxuv.pdf ), and runs counter to your suspicion. Moreover, the evidence of exploit in the wild was posted just hours after the US-CERT’s technical alert, when someone posted a translation of a year-old Russian blog post ( https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=ru&ie=UTF-8&u=https%3A%2F%2Fhabrahabr.ru%2Fcompany%2Fmailru%2Fblog%2F259521%2F&edit-text= ) that not only explained how to weaponize this technique with new gTLDs, but also admitted to having already done so (approximately a year ago).
All of this is actually quite a shame, because without approaches like Controlled Interruption (CI), these vulnerabilities could not only have been identified earlier, but perhaps even prevented. Our analysis implicitly demonstrated that CI (and techniques like it) hide vulnerable end-systems from detection and essentially provide a gap for cybercriminals to register HVDs and exploit end-systems. Our measurements clearly showed that domains in the HVD set are being registered without hindrance and the attack windows on names under new gTLDs are rapidly opening.
Mason Cole says
Thanks for the return comment, Eric. A few points:
In terms of justification for our point of view, we’re not stating these organizations are not impartial; more to the issue, based on the aggravated rhetoric of the past few years on this matter, we question the impartiality of those who intentionally instigate portions of the debate. Our objection is that while part of this industry conversation may be authentically about collisions, much of the rest is a transparent attempt at overleveraging a technical issue to protect your threatened marketplace position.
Our further justification is the demonstrable fact that there are no known exploits of WPAD (though if there are, we are receptive to evidence). Assuming there were exploits, we believe you would agree the repair is an easy one: users simply should register the names they intend to use.
With regard to NXD rates for WPAD queries, the precise reason it may be happening in new TLDs is that some are not yet open to new registrations (e.g., in .CORP, .HOME, .MAIL, .INC, etc.). Were registrants able to put these to use, fewer collisions at the root would occur because users would register names that otherwise would have collided. Regardless, it’s a misnomer that such collisions don’t occur with frequency in .COM, where anyone can register a “collision name” at any time, and do so frequently.
We acknowledge the year-old Russian post and the gratuitous use of the term “weaponize.” The reasonable question, however, is this: After one year, why are there still no known WPAD exploits?
As the administrator of nearly 190 new TLDs, we can accurately report that a mere four name collisions have been reported to us over the history of our names existing in the root (none in 2016), and none were WPAD related. Zero.
What’s presented in your paper is opaque. For example, of the quoted 20 million queries that leak into the public namespace daily, are a significant section of these for a limited set of specific names (e.g., it could be that 19.9 million hits are for “at.home”)? We believe this is where subjectivity may come into play, but admittedly, the data is not transparent.
Security and stability of the Internet, being the common objective, requires an impartial analysis on all of the data, not just the subset that benefits your particular agenda. If the research’s motives are altruistic and in the interest of security, then we encourage you to release all the supporting data (thanks to your special access to the root) and methodology to allow independent third-party validation of your research. However, presuming this data is not forthcoming from you, the same set of data could be obtained from ICANN’s access to root servers—data we accordingly will ask for. The bottom line is that potentially hazardous collision activity is happening in .COM and other legacy TLDs as well, and it is misleading to portray that new TLDs are discretely fertile for “attack windows,” to borrow your term.
Collecting and selling NXD data, as you do, to anyone, exploits the same phenomenon you’re attempting to demonize. More troubling is the potential intention of the buyer, who could monetize collision names with traffic or use it for other disreputable practices—for example, this technique could be used to begin harvesting residual e-mail being delivered to easily recover passwords and gain access to data accounts or other sensitive information. A white paper on this topic would be illuminating—are you willing to produce one?
Name collision is a worthy subject for discussion. However, the community deserves a discussion that’s devoid of an approach that suggests self-interest. Thanks again for your post.