SWITCH Security-Blog

SWITCH-CERT IT-Security Blog


Leave a comment

Breaking security controls using subdomain hijacking

Users obtain a domain name to establish a unique identity on the Internet. Domain names are not only used to serve names and addresses of computers and services but also to store security controls, such as SPF or CAA records. Many of the Internet protocols were designed at a time where built-in security was not a requirement. The IETF continues to standardize protocol extensions to address today’s security needs.

For some protocols security is added with controls stored in your domain names zone file. In order to have the desired effect, the pre-condition is of course that your domain name is secure. In other words, the security of your application that makes use of controls in DNS is only as secure as the security of your domain name.

Hijacking a domain name because of weak credentials at the registrar may get the job done but this is far from stealthy and will likely not last long. In many cases it is sufficient to hijack an abandoned subdomain. Taking over abandoned subdomains may be unnoticed by the owner for a very long period of time making it also very useful for targeted attacks.

Picture 1: update.ft.com has been hijacked and the content from the ft.com front page is mirrored with a fake article about subdomain hijacking. Note: the website is not online anymore, Financial Times has been notified to remove the abandoned record from their zone file. A Certificate Transparency (CT) log proves that a TLS certificate has been issued for this demo site.

Continue reading


Leave a comment

A new issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Attack of the digital dolphins: hacking Alexa, Siri and their friends via ultrasound
  • The anti-antivirus programme: US government bans agencies from installing Kaspersky software on their computers
  • A hack of ‘epic proportions’ at Equifax
  • Science fiction 4.0 – how to hack a computer with a drop of saliva

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.


A new issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our bi-monthly SWITCH Security Report is available!

The topics covered in this report are:

  • Family business: Petya and its derivatives sweep over half the world as a new wave of ransomware
  • Pay a ransom for your privacy: new «extortionware» exposes its victims
  • Positive use of metadata – Cisco can detect malware activity even in encrypted network traffic
  • Successful strike against the darknet drug and weapons trade – security services bust AlphaBay and Hansa

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.


The December 2016 issue of our SWITCH Security Report is available!

Dear Reader!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are:

  • Power and cybercrime – massive quantities of user data stolen in two recent hacks
  • When supposed security add-ons actually spy on your browsing habits
  • Mirai part II – botnet knocks out 900,000 Telekom routers
  • It’s not all bad news – Avalanche botnet taken down

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.

Did you miss our previous Security Report? Click here to go to the archive.


An attachment that wasn’t there

By Slavo Greminger and Oli Schacher

On a daily basis we collect tons of Spam emails, which we analyze for malicious content. Of course, this is not done manually by our thousands of minions, but automated using some Python-fu. Python is a programming language that comes with many libraries, making it easy for us to quickly perform such tasks.

Python’s email library deals with, well, emails. And it does it well. But on October 3rd, we encountered an attachment that wasn’t there – at least according to Python’s email library.

Mal-formatted email

Left: Outlook Web does not show the attachment          Right: Thunderbird does show the attachment

Now how could that happen?

Emails do have a certain structure, which is described nicely in RFC #822, RFC #2822, RFC #5322, RFC #2045, RFC #2046, RFC #2047, RFC #2049, RFC #2231, RFC #4288 and RFC #4289. Even though these RFC’s are clear in their own way, an illustration might help (we focus on multipart emails only) to understand why Python’s email library got fooled.

Continue reading


New SWITCH Security Report available

Dear Reader!

A new issue of our monthly SWITCH Security Report has just been released.

The topics covered in this report are

  • ICSI’s Haystack looking for Android needles – and beta testers for its field study
  • Staging a comeback with a blackout – macro-Trojans return and apparently cause Christmas power cut in western Ukraine 
  • Is it really smart? Many smart home solutions have security holes as big as a garage door
  • From Mad Men to Bad Boys – malware becoming harder to monitor due to malvertising

The Security Report is available in both English and German.

»»  Download the english report.      »»  Download the german report.


2 Comments

Attack of the killer Ads

By Daniel Stirnimann and Serge Droz

Recently I was quoted saying “… .ch and .li are the most secure (top-level) domains!”. In the same meeting, Security Rock Star Mikko Hyppönen claimed, “Surfing the Web with your laptop is the most dangerous thing you can do in the Internet.”  So what is true, what is false? Rather than speculate about obscure statistics I’d like to illustrate one of the big problems we face in .ch today, namely using ads as a back door to reach victims through reputable sites.

Ads: enter through the hallway

Malware distributors have one goal: spreading their stuff as widely as possible. This is achieved through different means. Malware was traditionally distributed – and still is – through e-mail attachments. This was the case, for example, with the Retefe malware. Alternatively, web pages can be hacked and used to spread malware by exploiting browser bugs. SWITCH has been very active, through its Safer Internet initiative, in working to reduce this infection vector. In fact, we’ve been so successful, that drive-by is very scarce in Switzerland, hence the statement that ” … .ch is one of the most secure ccTLDs”. Drive-by websites are always hacked, but in most cases they are not very popular websites, since popular websites are typically well protected. Many of the later ones offer a backdoor tough: ads! News sites in particular make most of their revenue by selling on line ads, which explains the “ad-war” arms race between ad-blockers an news agencies (see our Security Report on anti-anti-ad features). A very common way is malvertising, a term coined by William Salusky. Salusky found ads that were in fact carrying malicious payloads. Let’s look at a slightly different scenario, namely a legitimate but compromised ad server. While technically a different scenario it has the same effect on the end user.

Most people would think that visiting a website just serves you content from that site but this is not true for most of the large sites, in particular news sites. They import contents such as videos, trackers, counters, scripts and especially ads from third-party sites. These are not controlled by the original site, and often import content themselves from yet another site. Thus, a well maintained site with high security standards will often import stuff from sites with lower security. Think of it as sitting in a highly rated restaurant that has one bad food supplier.

The image below shows all the external sites involved whenever you visit three popular news sites.

 

Ohne Addon

The above example shows what happens when you visit three popular Swiss newspapers. Triangles denote third-party sites from which content is imported when you visit the respective news site. The visualisation was done using the Mozilla addon LightBeam

Continue reading