GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned.

The incident is the latest incursion at GoDaddy that relied on tricking employees into transferring ownership and/or control over targeted domains to fraudsters. In March, a voice phishing scam targeting GoDaddy support employees allowed attackers to assume control over at least a half-dozen domain names, including transaction brokering site escrow.com.

And in May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. 2019 that wasn’t discovered until April 2020.

This latest campaign appears to have begun on or around Nov. 13, with an attack on cryptocurrency trading platform liquid.com.

“A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Mike Kayamori said in a blog post. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. In due course, the malicious actor was able to partially compromise our infrastructure, and gain access to document storage.”

In the early morning hours of Nov. 18 Central European Time (CET), cyptocurrency mining service NiceHash disccovered that some of the settings for its domain registration records at GoDaddy were changed without authorization, briefly redirecting email and web traffic for the site. NiceHash froze all customer funds for roughly 24 hours until it was able to verify that its domain settings had been changed back to their original settings.

“At this moment in time, it looks like no emails, passwords, or any personal data were accessed, but we do suggest resetting your password and activate 2FA security,” the company wrote in a blog post.

NiceHash founder Matjaz Skorjanc said the unauthorized changes were made from an Internet address at GoDaddy, and that the attackers tried to use their access to its incoming NiceHash emails to perform password resets on various third-party services, including Slack and Github. But he said GoDaddy was impossible to reach at the time because it was undergoing a widespread system outage in which phone and email systems were unresponsive.

“We detected this almost immediately [and] started to mitigate [the] attack,” Skorjanc said in an email to this author. “Luckily, we fought them off well and they did not gain access to any important service. Nothing was stolen.”

Skorjanc said NiceHash’s email service was redirected to privateemail.com, an email platform run by Namecheap Inc., another large domain name registrar. Using Farsight Security, a service which maps changes to domain name records over time, KrebsOnSecurity instructed the service to show all domains registered at GoDaddy that had alterations to their email records in the past week which pointed them to privateemail.com. Those results were then indexed against the top one million most popular websites according to Alexa.com.

The result shows that several other cryptocurrency platforms also may have been targeted by the same group, including Bibox.com, Celsius.network, and Wirex.app. None of these companies responded to requests for comment.

In response to questions from KrebsOnSecurity, GoDaddy acknowledged that “a small number” of customer domain names had been modified after a “limited” number of GoDaddy employees fell for a social engineering scam. GoDaddy said the outage between 7:00 p.m. and 11:00 p.m. PST on Nov. 17 was not related to a security incident, but rather a technical issue that materialized during planned network maintenance.

“Separately, and unrelated to the outage, a routine audit of account activity identified potential unauthorized changes to a small number of customer domains and/or account information,” GoDaddy spokesperson Dan Race said. “Our security team investigated and confirmed threat actor activity, including social engineering of a limited number of GoDaddy employees.

“We immediately locked down the accounts involved in this incident, reverted any changes that took place to accounts, and assisted affected customers with regaining access to their accounts,” GoDaddy’s statement continued. “As threat actors become increasingly sophisticated and aggressive in their attacks, we are constantly educating employees about new tactics that might be used against them and adopting new security measures to prevent future attacks.”

Race declined to specify how its employees were tricked into making the unauthorized changes, saying the matter was still under investigation. But in the attacks earlier this year that affected escrow.com and several other GoDaddy customer domains, the assailants targeted employees over the phone, and were able to read internal notes that GoDaddy employees had left on customer accounts.

What’s more, the attack on escrow.com redirected the site to an Internet address in Malaysia that hosted fewer than a dozen other domains, including the phishing website servicenow-godaddy.com. This suggests the attackers behind the March incident — and possibly this latest one — succeeded by calling GoDaddy employees and convincing them to use their employee credentials at a fraudulent GoDaddy login page.

In August 2020, KrebsOnSecurity warned about a marked increase in large corporations being targeted in sophisticated voice phishing or “vishing” scams. Experts say the success of these scams has been aided greatly by many employees working remotely thanks to the ongoing Coronavirus pandemic.

A typical vishing scam begins with a series of phone calls to employees working remotely at a targeted organization. The phishers often will explain that they’re calling from the employer’s IT department to help troubleshoot issues with the company’s email or virtual private networking (VPN) technology.

The goal is to convince the target either to divulge their credentials over the phone or to input them manually at a website set up by the attackers that mimics the organization’s corporate email or VPN portal.

On July 15, a number of high-profile Twitter accounts were used to tweet out a bitcoin scam that earned more than $100,000 in a few hours. According to Twitter, that attack succeeded because the perpetrators were able to social engineer several Twitter employees over the phone into giving away access to internal Twitter tools.

An alert issued jointly by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) says the perpetrators of these vishing attacks compile dossiers on employees at their targeted companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.

The FBI/CISA advisory includes a number of suggestions that companies can implement to help mitigate the threat from vishing attacks, including:

• Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.

• Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.

• Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.

• Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.

• Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.

• Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to
authenticate the phone call before sensitive information can be discussed.

• Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.

• Verify web links do not have misspellings or contain the wrong domain.

• Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.

• Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.

• If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.

• Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.

• Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.

Farsight DNSDB and Cortex XSOAR help gain context for all connected DNS-related digital artifacts

Farsight Security announced that Farsight DNSDB, a DNS intelligence database, is now integrated with Palo Alto Networks Cortex XSOAR, an extended security orchestration, automation and response platform that empowers security teams by simplifying and harmonizing security operations across their enterprise.

Through this integration, Farsight DNSDB and Cortex XSOAR enable security analysts to uncover and gain context for all connected DNS-related digital artifacts, from domain names and IP addresses to nameservers and MX records, in seconds.

Farsight Security is offering a free content pack entitled “DNSDB” in the Cortex XSOAR integrations marketplace. The DNSDB content pack contains three playbooks that integrate into existing automation processes to automatically contextualize and correlate all DNS-related assets.

For example, while responding to a reported malicious domain, users can uncover the associated domains and IP addresses to reveal the attacker’s infrastructure which may have already been used or may be used in the future for an attack.

Using the playbooks, security practitioners can retrieve:

  • All hostnames seen for a given IP around the time of observation.
  • All IPs seen for a given hostname around the time of observation.
  • A limited number of other hostnames seen on the same IPs as the target hostname.

“A broad and open ecosystem is vital to the successful adoption of any XSOAR platform,” said Rishi Bhargava, vice president of product strategy, Cortex XSOAR at Palo Alto Networks.

“We are proud to welcome Farsight Security to the Cortex XSOAR ecosystem, which has partner-owned integrations that enable customers to streamline security processes, connect disparate security tools and technologies, and maintain the right balance of machine-powered security automation and human intervention.”

“Every online transaction, good or bad, begins with a DNS lookup. Yet domain names and IP addresses can be used and discarded by criminals in minutes or even seconds. Farsight DNSDB enables users to map malicious infrastructure – even when the website has disappeared or the IP address or nameserver for the suspicious DNS asset has changed.

“Farsight Security is proud to be part of the Cortex XSOAR marketplace and these playbooks will measurably improve the speed and accuracy of our joint customer investigations,” said Farsight Security CEO Dr. Paul Vixie.

Cortex XSOAR is an extended security orchestration, automation and response platform that unifies case management, automation, real-time collaboration and threat intel management to transform every stage of the incident lifecycle.

Teams can manage alerts across all sources, standardize processes with playbooks, take action on threat intel and automate response for any security use case — resulting in significantly faster responses that require less manual review.

New infosec products of the week: August 7, 2020

Radiflow launches CIARA, a ROI-driven risk assessment and management platform for industrial organizations

CIARA is a fully automated tool for assets data collection, data-driven analysis and transparent risk metrics calculation including risk scoring per zone and business process based on business impact. The new platform is a response to the growing digitization of the production floor that has led to rising tide of cyber threats.

infosec products August 2020

Fortinet unveiled the FortiGate 4400F, a firewall capable of securing 5G networks

The FortiGate 4400F is a hyperscale firewall, setting new milestones for Security Compute Ratings to deliver performance, scalability and security in a single appliance. It’s powered by Fortinet’s latest seventh generation network processor (NP7) to offer hardware-acceleration, making it the only network firewall that is fast enough to secure hyperscale data centers and 5G networks.

infosec products August 2020

DNSDB 2.0 transforms threat feeds into relevant threat intel in real time

Farsight Security introduced DNSDB 2.0, which enables security professionals to identify and map domain names and IP addresses associated with bad actors or used in malicious infrastructures, brand infringement campaigns, phishing schemes, ransomware and other cybercrime.

infosec products August 2020

BluBracket updates Code Security Suite, adds stolen and leaked code detection

BluBracket introduced significant new functionality to its Code Security Suite, allowing companies for the first time to find stolen and copied source code in public repositories. BluBracket scans both public and private repos. It uses the list of contributors to a company’s repos to identify the public repos to which they have added code. This means that if your code has made its way to open source projects, or to a developer or contractor’s non-company accounts, you can find and remediate the issue.

infosec products August 2020

Modshield SB application firewall now available in the AWS Marketplace

StrongBox IT released its flagship application firewall – Modshield SB, now available in the AWS Marketplace on a cloud subscription model and a BYOL model. Modshield SB is designed to provide protection against all major attack vectors. It supports multiple domains and applications using a single instance with no additional license costs.

infosec products August 2020

DNSDB 2.0 transforms threat feeds into relevant threat intel in real time

Farsight Security introduced DNSDB 2.0, which enables security professionals to identify and map domain names and IP addresses associated with bad actors or used in malicious infrastructures, brand infringement campaigns, phishing schemes, ransomware and other cybercrime. “My team and I set out in 2008 to build the biggest and most diverse surveillance-free observational network, and, in 2010, to build the highest fidelity and highest performing passive DNS database – and we have. We launched Farsight … More

The post DNSDB 2.0 transforms threat feeds into relevant threat intel in real time appeared first on Help Net Security.

Who’s Behind the ‘Web Listings’ Mail Scam?

In December 2018, KrebsOnSecurity looked at how dozens of U.S. political campaigns, cities and towns had paid a shady company called Web Listings Inc. after receiving what looked like a bill for search engine optimization (SEO) services rendered on behalf of their domain names. The story concluded that this dubious service had been scamming people and companies for more than a decade, and promised a Part II to explore who was behind Web Listings. What follows are some clues that point to a very convincing answer to that question.

Since at least 2007, Web Listings Inc. has been sending snail mail letters to domain registrants around the world. The missives appear to be an $85 bill for an “annual search engine listing” service. The notice does disclose that it is in fact a solicitation and not a bill, but wording of the notice asserts the recipient has already received the services in question.

Image: Better Business Bureau.

The mailer references the domain name web-listings.net, one of several similarly-named domains registered sometime in 2007 or later to a “James Madison,” who lists his address variously as a university in New Britain, Connecticut or a UPS Store mailbox in Niagara Falls, New York.

Some others include: weblistingservices.com, webservicescorp.net, websiteservicescorp.com, web-listingsinc.com, weblistingsinc.net, and weblistingsreports.net. At some point, each of these domains changes the owner’s name from James Madison to “Mark Carter.” As we’ll see, Mark is a name that comes up quite a bit in this investigation.

Image: Better Business Bureau.

A Twitter account for Web Listings Inc. has posts dating back to 2010, and points to even more Web Listings domains, including weblistingsinc.orgCached versions of weblistingsinc.org at archive.org show logos similar to the one featured on the Web Listings mailer, and early versions of the site reference a number of “business partners” in India that also perform SEO services.

Searching the Internet for some of these Web listing domains mentioned in the company’s Twitter account brings up a series of press releases once issued on behalf of the company. One from May 2011 at onlineprnews.com sings the praises of Weblistingsinc.info, weblistingsinc.org and web-listings.net in the same release, and lists the point of contact simply as “Mark.”

Historic WHOIS registration records from Domaintools [an advertiser on this blog] say Weblistingsinc.org was registered in Nov. 2010 to a Mark Scott in Blairgowrie, Scotland, using the email address [email protected].

Reputationmanagementfor.com bills itself as an online service for “fighting negative and incorrect content on the internet,” which is especially interesting for reasons that should become clearer in a few paragraphs. The site says Mark Scott, 46, is an employee of Reputationmanagementfor.com, and that he is also involved with two other companies:

-GoBananas, a business that sets up group outings, with a focus on bachelor and bachelorette parties;

-HelpMeGo.to, an entity in Scotland that did online marketing and travel tourism both in Scotland (via sites like Scotland.org.uk and marketinghotelsonline.co.uk) and on India’s coastal Kerala state where HelpMeGo.to employed a number of people involved in the SEO business. Helpmego.to now simply redirects to GoBananas.

According to Farsight Security, a company that keeps historic records of which Web sites were hosted at which Internet addresses, Weblistingsinc.org was for a while hosted at the IP address 68.169.45.65 with just six other domains, including travelingalberta.com, which was a blog about traveling and living in Alberta, Canada registered to Mark Scott and the email address [email protected]. Cached versions of this site from 2011 show it naming Web Listings Inc. as a business partner.

That same [email protected] email address is tied to the WHOIS records for markscottblog.com, gobananas.co.uk, gobananas.com. Cached copies of markscottblog.com from 2010 at Archive.org show his profile page on blogger.com links to another blog with much the same content, images and links called internetmadness.blogspot.com.

Among the 2011 entries from the Internetmadness blog is a post promoting the wonders of benefits of Web Listings Inc.

A cached copy of Mark Scott’s blog Internet Madness from 2011 promotes Web Listings Inc.

THE COBRA/APPCO GROUP

Aha! But wait, there’s more. You see, for years Weblistingsinc.org was hosted on the same servers along with a handful of other domains that all switched Internet addresses at the same times, including gobananas.com, gobananasworld.com and the IP addresses 107.20.142.166 (17 hosts), 54.85.65.241 (6 hosts).

Most of the other domains at these IPs historically have been tied to other domains connected to Mark Scott and his various companies and business partners, including chrisniarchos.net, redwoodsadvance.net, gdsinternationalus.com, staghensscotlands.com, cobra-group.blogspot.comthe-cobra-group.com, appcogroup.co.uk, and reputationmanagementfor.com.

I found a similar pattern with domains stemming from a Crunchbase company profile on Web Listings Inc., which says the firm is based in Toronto, Canada, with the Web site webtechnologiesinc.net, and email address [email protected]. Historic WHOIS data from Domaintools.com says Webtechnologiesinc.net was registered in 2013 to a Marcus Ruskov in Toronto.

Information about who registered Webtechnologiesletter.com is completely hidden behind privacy protection services. But Farsight says the domain was in 2015 hosted at the Internet address 54.77.128.87, along with just 70 other domains, including the same list of domains mentioned above, chrisniarchos.net, redwoodsadvance.net, gdsinternationalus.com, et cetera.

What do all of these domains have in common? They are tied to companies for which Mark Scott was listed as a key contact. For example, this press release from 2o11 says Mark Scott is the contact person for a company called Appco Group UK which bills itself as a market leader in face-to-face marketing and sales.

“Worldwide, Appco Group has raised hundreds of millions of pounds for some of the world’s biggest charities, delivered pay-TV and broadband services, financial services, security and many other successful marketing solutions on a diverse range of products,” the press release enthuses.

The Appco Group is the re-branded name of a family of marketing and sales companies originally created under the name The Cobra Group, whose Wikipedia page states that it is a door-to-door selling and marketing company headquartered in Hong Kong. It says investigations by the media have found the company promises much larger compensation rates that employees actually receive.

“It is also criticized for being a cult, a scam and a pyramid scheme,” the entry reads.

The Cobra Group and its multifariously named direct sales and marketing companies are probably best described as “multi-level marketing” schemes; that is, entities which often sell products and/or services of dubious quality, use high-pressure sales tactics and misleading if not deceptive advertising practices, and offer little to no employee payment for anything other than direct sales.

Even the most cursory amount of time spent searching the Internet for information on some of the companies named above (Appco Group, Cobra Group, Redwoods Advance, GDS International) reveals a mountain of bad press and horrible stories from former employees.

For example, Appco salespeople became known as “charity muggers” because they were trained to solicit donations on behalf of charities from random people on the street, and because media outlets later discovered that the people running Appco kept the majority of the millions of dollars they raised for the charities.

This exhaustive breakdown on the door-to-door sales industry traces Cobra and Appco Group back to a long line of companies that simply renamed and rebranded each time a scandal inevitably befell them.

Now it makes sense why Web Listings Inc. had so many confusingly-named domain names. And this might also explain the primary role of Mr. Scott’s business — the online reputation management company reputationmanagementfor.com — in relation to the Cobra Group/Appco’s efforts to burnish its reputation online.

A partial screenshot of a mind map I used to keep track of the myriad connections between various Web Listings domains and their owners. This map was created with MindNode Pro for Mac.

Mark Scott did not respond to multiple requests for comment sent to various email addresses and phone numbers tied to his name. However, KrebsOnSecurity did receive a response from Cobra Group founder Chris Niarchos, a Toronto native who said this was the first he’d heard of the Web Listings scam.

“Mark used to provide some services to us but my understanding was that stopped a long time ago,” Niarchos said. “He used to own a marketing company that we supplied but that contract ended maybe 12 years ago. That’s how we met. After that he did start some internet based businesses where he sold services to us as a customer at arms length. That also stopped many years ago again as we did it all in house. As far as I know he did this for many companies and we were simply a customer of his. In my dealings with him we got what we paid for but never did we have any closer relationship than that.”

USA CONNECTIONS

Two more small — possibly insignificant — but interesting things. First, if we go back and look at archived posts from markscottblog.com in 2010, we can see a number of entries where he defends the honor of Cobra Group, Appco, and other multi-level marketing programs he supports, saying they’re not scams. If we go back further to 2008 and look at Mark Scott’s profile on Blogger.com, we can see at the bottom of the page a link called “Enquiries and Emails.”

Visiting that link brings up what looks like a public shaming page of emails apparently sent to Mr. Scott from scammers trying to set him up for some kind of fake check scheme in connection with renting one of the U.K. properties listed by his various travel accommodations Web sites. Click the “Contact” tab at the top right of that page and you’ll see Travel Scotland has a U.S. phone number that potential customers here in the states can use to make reservations toll-free.

That number happens to be in Connecticut. Recall that the address listed in the ownership records for many of the Web Listings domains tied to the “James Madison/Mark Carter” identities were for an address in Connecticut.

Finally, I wanted to mention something that has stumped me (until very recently) since I began this investigation a couple of years ago. There are two unexpected domains returned when one performs a reverse search on a couple of different persistent data points in the WHOIS registration records for the Web Listings domains. See if you can spot the odd duck in this list produced by running a reverse search at Domaintools on [email protected] (the contact email address shown on the mailed letter above):

Domain Name Create Date Registrar
finzthegoose.com 2010-08-03 enom, inc.
web-listings.net 2007-04-24 ENOM, INC.,ENOM, LLC
web-listingsinc.com 2015-11-06 ENOM, INC.,ENOM, LLC
weblistingservices.com 2007-04-23 ENOM, INC.,ENOM, LLC
weblistingsinc.com 2014-06-21 GODADDY.COM, LLC
weblistingsinc.net 2016-02-09 ENOM, INC.,ENOM, LLC
weblistingsreports.net 2015-11-06 ENOM, INC.,ENOM, LLC
webservicescorp.net 2007-06-03 ENOM, INC.,ENOM, LLC
websiteservicescorp.com 2007-06-03 —

Ten points if you said “finzthegoose.com.” Now let’s run a search on the phone number for Mark Carter — the phony persona behind all the Web Listings domains registered to the Niagara Falls address — +1.716-285-3575. What stands out about this list?

Domain Name Create Date Registrar
aquariumofniagara.org 2001-01-11 GODADDY.COM, LLC
web-listings.net 2007-04-24 ENOM, INC.,ENOM, LLC
web-listingsinc.com 2015-11-06 ENOM, INC.,ENOM, LLC
weblistingservices.com 2007-04-23 ENOM, INC.,ENOM, LLC
weblistingsinc.com 2014-06-21 GODADDY.COM, LLC
weblistingsinc.net 2016-02-09 ENOM, INC.,ENOM, LLC
weblistingsreports.net 2015-11-06 ENOM, INC.,ENOM, LLC
webservicescorp.net 2007-06-03 ENOM, INC.,ENOM, LLC
websiteservicescorp.com 2007-06-03 —

If you’re picking up an aquatic and marine life theme here, you’re two for two. That is actually the real phone number for the Aquarium of Niagara; the Web-Listings people just for some reason decided to list it in their WHOIS records as theirs.

It appears that a Scotsman named Robert Paul Graham Scott — perhaps Mark’s older brother — was in the same line of work (SEO and advertising) and pimping the exact same companies as Mark. According to a listing at Companies House, the official ledger of corporations in the United Kingdom, Paul Scott was for four years until Sept. 2019 a director in HMGT Services Ltd. (HMGT stands for the aforementioned HelpMeGo.To business).

Paul Scott’s own Internet presence says he lives in Perth — a short distance from Mark’s hometown in Blairgowrie, Scotland. Like Mark, Paul Scott did not respond to requests for comment. But Paul Scott’s Twitter profile — @scubadog_uk — shows him tweeting out messages supporting many of the same companies and causes as Mark over the past decade.

More to the point, Paul’s Website — scubadog.co.uk — says he has an abiding interest in underwater photography, scuba diving, and all things marine-related.

New infosec products of the week: February 14, 2020

RSA Archer SaaS: An integrated approach to managing risk

RSA Archer SaaS can help reduce the time and resources dedicated to on-premise platform upgrades, patches, and maintenance activities, as well as enable customers to focus on maturing and expanding their integrated risk management programs.

infosec products February 2020

Farsight Security enhances its Security Information Exchange data-sharing platform

Farsight Security announced enhancements to its Security Information Exchange data-sharing platform to help security professionals measurably improve the prevention, detection and response of the latest cyberattacks.

infosec products February 2020

Tufin SecureCloud: Providing unified security policy management for the hybrid cloud

Tufin SecureCloud is a security policy automation service for enterprises needing to gain visibility and control of the security posture of their cloud-native and hybrid cloud environments.

infosec products February 2020

ZeroFOX launches AI-powered Advanced Email Protection for Google and Microsoft platforms

The ZeroFOX Advanced Email Protection suite includes capabilities that address Business Email Compromise Protection for Google’s G Suite and Microsoft’s Office 365 platforms, which identifies impersonation-based attacks targeting employees.

infosec products February 2020

Devo Security Operations: Transforming the SOC and scaling security analyst effectiveness

Devo Security Operations is the first security operations solution to combine critical security capabilities together with auto enrichment, threat intelligence community collaboration, a central evidence locker, and a streamlined analyst workflow.

infosec products February 2020

esCLOUD extends managed detection and response to cloud platforms

esCLOUD constantly monitors customer cloud environments to detect improper configurations and vulnerabilities that could lead to data loss and compromise. Automated policy enforcement, combined with response and remediation from eSentire’s expert security analysts, ensures that customers can operate in the cloud with confidence.

infosec products February 2020

Farsight Security enhances its Security Information Exchange data-sharing platform

Farsight Security announced enhancements to its flagship, Security Information Exchange (SIE) data-sharing platform to help security professionals measurably improve the prevention, detection and response of the latest cyberattacks.

Security Information Exchange

Newly active domains: The industry’s first real-time DNS Intelligence data feed that reports domains as they resume activity on the Internet after a period of inactivity (10 days or more). This data is very useful to detect, block, and investigate domains used by threat actors who acquire and reuse expired domains with previously good reputations or by patiently waiting to establish a harmless reputation for their domain before utilizing it.

SIE batch: A new easy-to-use and easy-to-integrate delivery method to access data from our powerful, proven real-time solutions – available via both API and a Web interface – including Newly Observed Domains, DNS Changes and the newly added, Newly Active Domains, as well as high-value third-party data feeds including Darknet, Spam, Phishing URLS and DDoS Events, all available via the company’s flagship Security Information Exchange platform.

“Farsight was founded on the idea of observational security, and the Security Information Exchange (SIE) is at the heart of our business. We are proud how much of the Internet can indirectly be observed through SIE, on both the DNS-related channels and the other less well-known channels. Some SIE users have told us that their use-cases value completeness of data over the timeliness of real-time SIE streaming. So, with SIE Batch, we now have a way to deliver SIE channel information using reliable file transfers, which can be delayed but not damaged by network outages,” said Farsight Security CEO Dr. Paul Vixie.

“Farsight will continue to innovate to put observations of Internet infrastructure and behaviour into the hands of responsible defenders, while continuing to avoid the collection of any PII (personally identifiable information). SIE Batch and Newly Active Domains are the next steps in that long journey.”

SIE Batch and Newly Active Domains will be available on February 24th, the first day of RSA Conference.

SIE Batch will be available to users who subscribe to one or more SIE Channels and can be purchased as either a standalone access method or as a complimentary access method to SIE Remote Access, SIE Lan and AXA-Rest. Newly Active Domains will be available as a separate channel.

The future of DNS security: From extremes to a new equilibrium

In anticipation of his keynote at HITB Security Conference 2020 in Amsterdam, we talked to internet pioneer Dr. Paul Vixie, Farsight Security Chairman and CEO.

Dr. Vixie was inducted into the internet Hall of Fame in 2014 for work related to DNS and anti-spam technologies. He is the author of open source internet software including BIND 8, and of many internet standards documents concerning DNS and DNSSEC.

future DNS security

You’ve worked in the DNS field for more than three decades, how have things changed since the late 1980s?

The internet is the biggest thing ever to happen to human society, but likewise commercialization and privatization was the biggest thing ever to happen to the internet. nothing about the internet’s technology or governance was ready for general exposure to humanity – it was built by academics for their own purposes.

Denial of Service attacks, spam and other fraudulent transactions, inappropriate monetization of public resources, and unnecessary centralization have all thrived along with the internet itself, because the people who designed and deployed the fundamental architecture and infrastructure of the internet did not know and could not have believed that nothing which can be abused won’t be. Well, now we know that, but it’s late.

We’re seeing a steady push to move access side DNS away from customer networks and towards companies like Cisco, Google, IBM, and Cloudflare. What are the risks and costs, and who pays them?

I’ve often said that if the internet was a territory, then the DNS is its map. That’s now broadly understood by the tech sector, and their response is to centralize DNS either for their own leverage or to prevent others from having such leverage.

Centralization is not and never was necessary or beneficial for DNS, and the costs of centralization will be more surveillance, more fragility, more complexity, and more security bypasses. I’ve left instructions in case I perish, so on my tombstone it will be written, “run your own recursive DNS”.

What’s your take on DNS over HTTP?

i think a lot of technologists were enraged by the Snowden disclosures of 2013, and they’re dedicated to creating a user-centric network without any possible controls or monitoring. they tell us, we can’t trust network operators, or our operating systems.

What I’ve told them in reply is, we can’t trust our apps which might be malware or infected, nor our users who might be intruders or malicious insiders, and “going dark” will limit good surveillance and controls (by private network operators, and endpoint security products) and empower new kinds of e-crime and e-abuse, in at least the same and probably greater magnitudes than whatever benefit we get by limiting nation-state surveillance efforts.

We needed a balance, but DNS over HTTP is a new extreme.

How do you envision DNS security evolving in the near future?

It’s all going to be encrypted, even the parts which are public information containing no personally identifiable information.

This will trigger a new arms race as to who gets to encrypt what against whom. Managed private network operators are going to have to figure out how to prevent DNS over HTTP from bypassing their enterprise and family security controls, and there will be hell to pay in the form of new complexities and collateral damage. It’s going to take years for a new equilibrium to evolve out of this mess.