U.S. Department of Homeland Security

Trump Fires Security Chief Christopher Krebs

President Trump on Tuesday fired his top election security official Christopher Krebs (no relation). The dismissal came via Twitter two weeks to the day after Trump lost an election he baselessly claims was stolen by widespread voting fraud.

Chris Krebs. Image: CISA.

Krebs, 43, is a former Microsoft executive appointed by Trump to head the Cybersecurity and Infrastructure Security Agency (CISA), a division of the U.S. Department of Homeland Security. As part of that role, Krebs organized federal and state efforts to improve election security, and to dispel disinformation about the integrity of the voting process.

Krebs’ dismissal was hardly unexpected. Last week, in the face of repeated statements by Trump that the president was robbed of re-election by buggy voting machines and millions of fraudulently cast ballots, Krebs’ agency rejected the claims as “unfounded,” asserting that “the November 3rd election was the most secure in American history.”

In a statement on Nov. 12, CISA declared “there is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”

But in a tweet Tuesday evening, Trump called that assessment “highly inaccurate,” alleging there were “massive improprieties and fraud — including dead people voting, Poll watchers not allowed into polling locations, ‘glitches’ in the voting machines that changed votes from Trump to Biden, late voting, and many more.”

Twitter, as it has done with a remarkable number of the president’s tweets lately, flagged the statements as disputed.

By most accounts, Krebs was one of the more competent and transparent leaders in the Trump administration. But that same transparency may have cost him his job: Krebs’ agency earlier this year launched “Rumor Control,” a blog that sought to address many of the conspiracy theories the president has perpetuated in recent days.

Sen. Richard Burr, a Republican from North Carolina, said Krebs had done “a remarkable job during a challenging time,” and that the “creative and innovative campaign CISA developed to promote cybersecurity should serve as a model for other government agencies.”

Sen. Angus King, an Independent from Maine and co-chair of a commission to improve the nation’s cyber defense posture, called Krebs “an incredibly bright, high-performing, and dedicated public servant who has helped build up new cyber capabilities in the face of swiftly-evolving dangers.”

“By firing Mr. Krebs for simply doing his job, President Trump is inflicting severe damage on all Americans – who rely on CISA’s defenses, even if they don’t know it,” King said in a written statement. “If there’s any silver lining in this unjust decision, it’s this: I hope that President-elect Biden will recognize Chris’s contributions, and consult with him as the Biden administration charts the future of this critically important agency.”

KrebsOnSecurity has received more than a few messages these past two weeks from readers who wondered why the much-anticipated threat from Russian or other state-sponsored hackers never appeared to materialize in this election cycle.

That seems a bit like asking why the year 2000 came to pass with very few meaningful disruptions from the Y2K computer date rollover problem. After all, in advance of the new millennium, the federal government organized a series of task forces that helped coordinate readiness for the changeover, and to minimize the impact of any disruptions.

But the question also ignores a key goal of previous foreign election interference attempts leading up to the 2016 U.S. presidential and 2018 mid-term elections. Namely, to sow fear, uncertainty, doubt, distrust and animosity among the electorate about the democratic process and its outcomes.

To that end, it’s difficult to see how anyone has done more to advance that agenda than President Trump himself, who has yet to concede the race and continues to challenge the result in state courts and in his public statements.

U.S. Govt. Makes it Harder to Get .Gov Domains

The federal agency in charge of issuing .gov domain names is enacting new requirements for validating the identity of people requesting them. The additional measures come less than four months after KrebsOnSecurity published research suggesting it was relatively easy for just about anyone to get their very own .gov domain.

In November’s piece It’s Way Too Easy to Get a .gov Domain Name, an anonymous source detailed how he obtained one by impersonating an official at a small town in Rhode Island that didn’t already have its own .gov.

“I had to [fill out] ‘an official authorization form,’ which basically just lists your admin, tech guy, and billing guy,” the source said. “Also, it needs to be printed on ‘official letterhead,’ which of course can be easily forged just by Googling a document from said municipality. Then you either mail or fax it in. After that, they send account creation links to all the contacts.”

While what my source did was technically wire fraud (obtaining something of value via the Internet through false pretenses), cybercriminals bent on using fake .gov domains to hoodwink Americans likely would not be deterred by such concerns.

“I never said it was legal, just that it was easy,” the source told KrebsOnSecurity. “I assumed there would be at least ID verification. The deepest research I needed to do was Yellow Pages records.”

Now, Uncle Sam says in a few days all new .gov domain applications will include an additional authorization step.

“Effective on March 10, 2020, the DotGov Program will begin requiring notarized signatures on all authorization letters when submitting a request for a new .gov domain,” reads a notice published March 5 by the U.S. General Services Administration, which overseas the .gov space.

“This is a necessary security enhancement to prevent mail and wire fraud through signature forgery in obtaining a .gov domain,” the statement continues. “This step will help maintain the integrity of .gov and ensure that .gov domains continue to be issued only to official U.S. government organizations.”

The GSA didn’t say whether it was putting in place any other safeguards, such as more manual verification of .gov domain applications. It certainly hadn’t followed up on the fraudulent application from my source before granting him the .gov domain name he sought (exeterri[.]gov). The GSA only did that four days after I asked them for comment, and approximately 10 days after they’d already granted the phony domain request.

“GSA is working with the appropriate authorities and has already implemented additional fraud prevention controls,” the agency said in a written statement at the time, without elaborating on what those additional controls might be.

But I’m left to wonder: If I’m a bad guy who’s willing to forge someone’s signature and letterhead in a fraudulent application for a .gov domain, why wouldn’t I also be willing to fake a notarization? Especially when there are plenty of services in the cybercrime underground that specialize in spoofing these phony attestations for a small fee.

“This is a classic case of ‘we must do something’ and this is certainly something,” said John Levine, a domain name expert, consultant and author of the book The Internet for Dummies.

Levine said it would not be terribly difficult for the GSA to do a slightly more thorough job of validating .gov domain requests, but that some manual verification probably would be required. Still, he said, it’s not clear how big a threat fake .gov domains really are.

“As far as we know, only one person tried to fake a .gov,” Levine said. “Maybe this is good enough?”

The Cybersecurity and Infrastructure Security Agency, a division of the U.S. Department of Homeland Security, has argued that more needs to be done to secure the .gov domain space, and is making a play to wrest control over the process from the GSA.

The DOTGOV bill, introduced in October 2019, would “ensure that only authorized users obtain a .gov domain, and proactively validate existing .gov holders,” according to a statement CISA shared with this author last year.

Dangerous Domain Corp.com Goes Up for Sale

As an early domain name investor, Mike O’Connor had by 1994 snatched up several choice online destinations, including bar.com, cafes.com, grill.com, place.com, pub.com and television.com. Some he sold over the years, but for the past 26 years O’Connor refused to auction perhaps the most sensitive domain in his stable — corp.com. It is sensitive because years of testing shows whoever wields it would have access to an unending stream of passwords, email and other proprietary data belonging to hundreds of thousands of systems at major companies around the globe.

Now, facing 70 and seeking to simplify his estate, O’Connor is finally selling corp.com. The asking price — $1.7 million — is hardly outlandish for a 4-letter domain with such strong commercial appeal. O’Connor said he hopes Microsoft Corp. will buy it, but fears they won’t and instead it will get snatched up by someone working with organized cybercriminals or state-funded hacking groups bent on undermining the interests of Western corporations.

One reason O’Connor hopes Microsoft will buy it is that by virtue of the unique way Windows handles resolving domain names on a local network, virtually all of the computers trying to share sensitive data with corp.com are somewhat confused Windows PCs. More importantly, early versions of Windows actually encouraged the adoption of insecure settings that made it more likely Windows computers might try to share sensitive data with corp.com.

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “drive1” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory — Windows 2000 Server, for example — the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.

INSTANT CORPORATE BOTNET, ANYONE?

That’s according to Jeff Schmidt, a security expert who conducted a lengthy study on DNS namespace collisions funded in part by grants from the U.S. Department of Homeland Security. As part of that analysis, Schmidt convinced O’Connor to hold off selling corp.com so he and others could better understand and document the volume and types of traffic flowing to it each day.

During an eight month analysis of wayward internal corporate traffic destined for corp.com in 2019, Schmidt found more than 375,000 Windows PCs were trying to send this domain information it had no business receiving — including attempts to log in to internal corporate networks and access specific file shares on those networks.

For a brief period during that testing, Schmidt’s company JAS Global Advisors accepted connections at corp.com that mimicked the way local Windows networks handle logins and file-sharing attempts.

“It was terrifying,” Schmidt said. “We discontinued the experiment after 15 minutes and destroyed the data. A well-known offensive tester that consulted with JAS on this remarked that during the experiment it was ‘raining credentials’ and that he’d never seen anything like it.”

Likewise, JAS temporarily configured corp.com to accept incoming email.

“After about an hour we received in excess of 12 million emails and discontinued the experiment,” Schmidt said. “While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.”

Schmidt said he and others concluded that whoever ends up controlling corp.com could have an instant botnet of well-connected enterprise machines.

“Hundreds of thousands of machines directly exploitable and countless more exploitable via lateral movement once in the enterprise,” he said. “Want an instant foothold into about 30 of the world’s largest companies according to the Forbes Global 2000? Control corp.com.”

THE EARLY ADVENTURES OF CORP.COM

Schmidt’s findings closely mirror what O’Connor discovered in the few years corp.com was live on the Internet after he initially registered it back in 1994. O’Connor said early versions of a now-defunct Web site building tool called Microsoft FrontPage suggested corporation.com (another domain registered early on by O’Connor) as an example domain in its setup wizard.

That experience, portions of which are still indexed by the indispensable Internet Archive, saw O’Connor briefly redirecting queries for the domain to the Web site of a local adult sex toy shop as a joke. He soon got angry emails from confused people who’d also CC’d Microsoft co-founder Bill Gates.

Archive.org’s index of corp.com from 1997, when its owner Mike O’Connor briefly enabled a Web site mainly to shame Microsoft for the default settings of its software.

O’Connor said he also briefly enabled an email server on corp.com, mainly out of morbid curiosity to see what would happen next.

“Right away I started getting sensitive emails, including pre-releases of corporate financial filings with The U.S. Securities and Exchange Commission, human resources reports and all kinds of scary things,” O’Connor recalled in an interview with KrebsOnSecurity. “For a while, I would try to correspond back to corporations that were making these mistakes, but most of them didn’t know what to do with that. So I finally just turned it off.”

TOXIC WASTE CLEANUP IS HARD

Microsoft declined to answer specific questions in response to Schmidt’s findings on the wayward corp.com traffic. But a spokesperson for the company shared a written statement acknowledging that “we sometimes reference ‘corp’ as a label in our naming documentation.”

“We recommend customers own second level domains to prevent being routed to the internet,” the statement reads, linking to this Microsoft Technet article on best practices for setting up domains in Active Directory.

Over the years, Microsoft has shipped several software updates to help decrease the likelihood of namespace collisions that could create a security problem for companies that still rely on Active Directory domains that do not map to a domain they control.

But both O’Connor and Schmidt say hardly any vulnerable organizations have deployed these fixes for two reasons. First, doing so requires the organization to take down its entire Active Directory network simultaneously for some period of time. Second, according to Microsoft applying the patch(es) will likely break or at least slow down a number of applications that the affected organization relies upon for day-to-day operations.

Faced with either or both of these scenarios, most affected companies probably decided the actual risk of not applying these updates was comparatively low, O’Connor said.

“The problem is that when you read the instructions for doing the repair, you realize that what they’re saying is, ‘Okay Megacorp, in order to apply this patch and for everything to work right, you have to take down all of your Active Directory services network-wide, and when you bring them back up after you applied the patch, a lot of your servers may not work properly’,” O’Connor said.

Curiously, Schmidt shared slides from a report submitted to a working group on namespace collisions suggesting that at least some of the queries corp.com received while he was monitoring it may have come from Microsoft’s own internal networks.

Image: JAS Global Advisors

“The reason I believe this is Microsoft’s issue to solve is that someone that followed Microsoft’s recommendations when establishing an active directory several years back now has a problem,” Schmidt said.

“Even if all patches are applied and updated to Windows 10,” he continued. “And the problem will persist while there are active directories named ‘corp’ – which is forever. More practically, if corp.com falls into bad hands, the impact will be on Microsoft enterprise clients – and at large scale – paying, Microsoft clients they should protect.”

Asked why he didn’t just give corp.com to Microsoft as an altruistic gesture, O’Connor said Microsoft actually offered to buy the domain several years back for $20,000. He turned them down, saying that at the time he thought it was too low and didn’t reflect the market value of the domain.

O’Connor said he believes the software giant ought to be accountable for its products and mistakes.

“It seems to me that Microsoft should stand up and shoulder the burden of the mistake they made,” he said. “But they’ve shown no real interest in doing that, and so I’ve shown no interest in giving it to them. I don’t really need the money. I’m basically auctioning off a chemical waste dump because I don’t want to pass it on to my kids and burden them with it. My frustration here is the good guys don’t care and the bad guys probably don’t know about it. But I expect the bad guys would like it.”

Further reading:

Mitigating the Risk of DNS Namespace Collisions (PDF)

DEFCON 21 – DNS May Be Hazardous to your Health (Robert Stucke)

Mitigating the Risk of Name Collision-Based Man-in-the-Middle Attacks (PDF)

Update, 6:22 p.m. ET: Added the bit at the end about the $20,000 offer a few years back from Microsoft, a detail that I somehow omitted from the original story.

It’s Way Too Easy to Get a .gov Domain Name

Technical Security Assessment

Lorem ipsum dolor sit amet

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu. Aenean ornare sem urna, vel aliquet lacus hendrerit non. Mauris cursus lectus nec dui fringilla viverra. Phasellus molestie erat non risus blandit, eu tincidunt felis aliquet. Pellentesque enim massa, vulputate eu quam in, interdum pellentesque leo. Aliquam non scelerisque dui, quis semper turpis. Nam eget semper dolor.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum

Lorem ipsum dolor sit amet, consectetur adipiscing elit.

Lorem ipsum dolor sit amet

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu. Aenean ornare sem urna, vel aliquet lacus hendrerit non. Mauris cursus lectus nec dui fringilla viverra. Phasellus molestie erat non risus blandit, eu tincidunt felis aliquet. Pellentesque enim massa, vulputate eu quam in, interdum pellentesque leo. Aliquam non scelerisque dui, quis semper turpis. Nam eget semper dolor.

technical security assessment

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nullam elit enim, lacinia at eleifend vitae, mattis vitae arcu. Maecenas faucibus, neque sit amet venenatis malesuada, libero elit consectetur dolor, ut tempus ligula urna vel ligula. Maecenas nulla elit, aliquam quis sollicitudin dignissim, ullamcorper consectetur arcu.

A solution for every business need

We offer a wide range of services within this category. Please contact us today to further explore the areas in which you can improve your IAM systems.

About

IT Security.org are based in the UK, offering a range of IT security solutions ranging from compliance and risk management to testing, training and much more.

Follow Us

Contact Us

© Copyright ITSecurity.Org Ltd 2015-2019 All Rights Reserved. Company Registration Number:11208508. Registered office address: 27 Old Gloucester Street, Holborn, London, United Kingdom, WC1N 3AX. VAT Reg.299747227