The first story is rather interesting. I work in web hosting and our company is not vulnerable. We work off 'domain references' whereby an account has authority over a domain. If someone comes along and tries to use such domain by adding it in their account under a web hosting package, they need to prove who they are usually by removing nameservers or adding a DNS record where necessary. I am surprised that more companies don't have such policies.
RE: the response to the "sitting duck attack", those companies may have a point that you shouldn't just leave a domain pointing somewhere you don't control, but at the same time they have a responsibility to make sure that their services aren't being used to distribute malware or conduct phishing scams.
@@orc001 Absolutely they have a point. It's web hosts that are ignoring the security concerns in their domain management feature. And it would be very simple for them to solve, by requiring some change to DNS records whenever the users add a domain, such as a unique id, which needs to be added as TXT record.
@@megaTiagoNunes1 if a domain is not delegated (or delegated incorrectly, to nowhere), there is no way to add any records (TXT included). Any workflow that would require a TXT record would be a mess. Best that could be done is to require a random security code added to whois info (I think there are comment fields or something), but it's a question whether domain registrars support that. And that's inconvenient too. It seems that asking to keep track of your domains and delegations is a sane approach.
@@voidsp If there is an issue with the DNS management delegation, you can remove the NS record on the domain registrar platform, in which case you can add the TXT records all you want. If you check the GitHub issues, the solutions implemented involve requiring verification via TXT record (e.g. MediaTemple) or a new NS record be added every time (e.g. Cloudflare).
@@MoreBollocks-ui2zs haha No, not at all. But I do believe there are ‘levels’ of corruption. Like, pocketing a few hundred thousand, or million bucks, is less severe than say, willingly sacrificing lives, which is less severe than intentionally weakening and selling out the country to adversaries.
Theories that something like this could've happened with FurAffinity are going around right now. It's a very popular furry website (one of the only of its kind) that got hacked and compromised. They've copied the FA web interface to grab users' personal info, a lot of whom are artists and thus often have their bank and other very close info tied to their accounts through email or name. It's still an ongoing issue but it's genuinely baffling how stuff like this isn't caught when first discovered. So many people are gonna be impacted by this. I only hope that it's only trolls trying to be mean to furries (even tho that's already bad) rather than some larger and more malicious act :(
Trust white hats to come up with the cutest nicknames possible in stark contrast to the total edgelords black hats are. Black hats discover an exploit, they name it "SkvllCr4ck3r1337". White hats discover an exploit, they go, "Duck! Duck! Quack! Quack! Perfect name!" It's very clear which community has a larger intersection with the weeb community.
Well, a bit of a mix tho... If we talked about Russia or edgy script kiddie TAs, sure their usernames are edgy... But for "possible" non-American enemy-originated TAs, many of their names or their associations are either weebs or furries...
So no one thinks it's because they have to explain the exploit and work with non-IT folks to fix it? It's easier to use simpler plain English terms there.
DNS. Imagine you are a domain owner and you don't have full control over your registrar and DNS configuration 😱 Imagine being a hosting provider, knowingly supplying DNS results to hosts in your network that are potentially different from the same queries out on the public internet 😱
I’ve never understood how services that have you point your domain to their name-servers aren’t required by law to have some sort of verification process. I’ve considered this kind of attack before - but I figured there had to be some sort of safeguard I hadn’t considered, apparently not.
Why would you bother? In my opinion it's fully the responsibility of the domain owner. They manage which nameservers it points to. The same could happen if they forget to renew it and someone takes it over or if they point to a nameserver domain that got into other hands.
Really bro. They released Sereznov, you've got to be kidding. What the fuck are they thinking? That he's not going to turn around and start being active again?
I think you misunderstand the situation. Nobody is claiming he won't get up to nefarious activities again. US govt. must've simply deemed the upside of received prisoners worth it based on their own criteria, which is going to be rather complex to evaluate with so many prisoners involved. They likely would have gone back and forth with other names who weren't ultimately exchanged before arriving at this particular deal.
You need to think about it this way, this is warm war/cold war 2, and it's impressive negotiation to get, from the US perspective, 16 innocent people freed from torture camps, in exchange for Russia being given jurisdiction over some white collar _nonviolent_ criminals who were Russian nationals so from the perspective of Russian government, they should have been extradited to Russia and not the US
I read up on the 16 people Russia freed and they were almost all convicted of espionage in Russia for things like taking photos of tanks and sending them to NATO authorities. This makes them traitors/spies from the perspective of Russian loyalists but innocent from the USA perspective. You just have to understand that is how the world is and has been for about 80 years.
And said issues being some of the most basic easily avoidable things possible. It's amazing how sloppy enormous security tech firms are. They should be held liable.
You might think that as it costs nothing to keep it till it expires, you might as well keep it in case you want to use it again after all, or in case you get a juicy offer to buy the rights to the name. The flaw in that thinking is that there is a cost involved in leaving it insecure: a relationship cost if it's actually repurposed by a third party...
@@trueriver1950 What? No, I'm saying you SHOULD remove the nameservers or delete the domain when you are done using it as it CAN be at risk. If you wanna keep the domain, just remove the nameservers. Read my comment again bro.. I'm agreeing with you.
Sitting Duck Attack 😂😂😂 LMAO Originally called a domain or subdomain takeover. This has been a known issue in the Cyber Space for quite a while now 😂😂😂
Not really, subdomain takeovers usually happen because of a forgotten-about CNAME record (which is essentially a domain alias). A sitting duck attack is a total domain takeover which allows you to send emails from the domain, etc. (not possible with a subdomain takeover).
@@Seytonic From your explanation, the vulnerability stems from dangling DNS records that point to an instance that no longer exists, allowing an attacker to register an instance with the same domain or subdomain. Other providers such as Google and AWS fixed this issue by requiring domain or subdomain verification, i.e. you now have to add a TXT DNS record with certain metadata to your domain hosting provider to prove that you own the domain.
That sitting duck attack is interesting. 🤔 I guess you'd have to win the luck of the draw and get assigned the same two name servers when adding the domain. But you probably add and remove it a few times to get there. Yeah, then even if you didn't register the domain you could have full control over it. It's kind of a problem for domain owners. But I can see why hosts might want to work in some sort of auth system before allowing people to add domains hrmmm…
Assuming you're talking about how Cloudflare assigns a random 2 nameservers from a pool? Those are actually assigned to the account, not the domain (so multiple new domains will get the same nameservers). However, if the domain is already using your account's assigned nameservers when you go to add it to your Cloudflare account, it generates a new pair just for that domain. You can't just reroll until you get the ones already in use, because that pair will specifically not be chosen.
Both the Sitting Duck attack and the phishing campaign have one thing in common: They rely on lots of people using centralized services (like Digital Ocean for DNS or Microsoft for email) so that bad actors can also use those services. People are no longer running their own DNS and email infrastructure, and here we see one of the downsides. (I run both my own DNS and email servers, FWIW.)
@@boreal3255 would like for that to be the case however one of my email addresses, and one of my friends’ has appeared in a breach labelled this on HIBP, unsure of how big it is
@@ggsapyes but why would they? As domain owner you have a responsibility. If you can't even take care of your own domain for something as simple as that, then better stay away from it.
@@alexandrebaux4042 But you're adding the domain as DNS on DO, which means the bad actor just adds the TXT record as the NS is already pointing to DO for the domain.
@@clar1016 No, this way you would need to add the TXT record on the DNS service provider before you could even add the domain on your DO project. This would work, and it was the solution applied on MediaTemple.
All 3rd party NS providers are not vulnerable. There are already techniques in use to make sure you don't enable domain hijacking. One way you can make sure that a person claiming a domain name actually owns it is to ask them to make changes at the registrar level. For example, here is what Google asks you to do if you want to set up your domain name for Google Workspace: "Verify your domain: [...] 1: You'll copy a verification code from the Google Workspace setup tool. 2: You'll sign in to your domain registrar and paste the verification code into the DNS [TXT] records for your domain. After your domain registrar publishes your verification code, we'll know you are the owner of your domain." Digital Ocean could implement something similar. Alternatively, some 3rd party NS service providers ask you to assign a random set of specific subdomains as name servers, and they make sure that these don't match the ones you've already set up on the registrar side. This way, they can force you to make changes at the registrar level, which proves you own the domain.
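The two provider-side defences described in this comment and in the earlier Cloudflare comment (a registrar-published TXT token, and assigning nameservers that do not overlap the domain's current delegation) as an added Python example; this is illustrative code written for this thread, not any provider's implementation, and the `host.example` nameserver pool, the `_hostverify` label and the injected resolver callbacks are constructed assumptions.

```python
import hmac
import hashlib

# Hypothetical provider nameserver pool, constructed for this example (not any real provider's).
PROVIDER_NS_POOL = {"ns1.host.example", "ns2.host.example", "ns3.host.example", "ns4.host.example"}

def _norm(name):
    return name.lower().rstrip(".")

def issue_token(account_id, domain, secret):
    """Per-account, per-domain code the customer must publish in a TXT record on the registrar side.
    Binding it to the account means a token copied from one account proves nothing for another."""
    msg = f"{account_id}:{_norm(domain)}".encode()
    return "host-verify=" + hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]

def txt_proves_ownership(txt_records, expected):
    """True only if one TXT record carries exactly the expected token.
    Long TXT data may arrive as several character-strings; join them before comparing."""
    for rr in txt_records:
        value = "".join(rr) if isinstance(rr, (list, tuple)) else rr
        if hmac.compare_digest(value.strip().encode(), expected.encode()):
            return True
    return False

def assign_nameservers(current_ns, pool=PROVIDER_NS_POOL):
    """Pick two provider nameservers that are NOT in the domain's current delegation, so the
    customer has to change records at the registrar before the domain resolves through us.
    A domain already parked on the pool therefore cannot be claimed by simply adding it."""
    candidates = sorted(pool - {_norm(ns) for ns in current_ns})
    if len(candidates) < 2:
        raise RuntimeError("nameserver pool exhausted for this domain")
    return candidates[:2]

def can_add_domain(domain, account_id, secret, resolve_txt, resolve_ns):
    """Onboarding decision: the domain may be added only after a registrar-side proof of control.
    resolve_txt(name) and resolve_ns(domain) are injected so the logic can be exercised offline."""
    token = issue_token(account_id, domain, secret)
    if txt_proves_ownership(resolve_txt(f"_hostverify.{_norm(domain)}"), token):
        return True, "verified by TXT token"
    pair = assign_nameservers(resolve_ns(domain))
    return False, f"publish TXT {token!r} at the registrar or delegate to {pair}"
```

Either branch forces a change that only the registrar account holder can make, which is exactly what an attacker who merely found the domain already delegated to the provider cannot do.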
As you could see in the video a lot of companies don't have the vulnerability, so it is possible. I think Cloudflare generates a random string that you need to add to your TXT records that you need to re-do whenever you re-add it to another account
Exactly, no real clue. In email, only the domain name really matters because you cannot possibly know all of the local-parts the company uses. "Local-part" being the text before the @. Thus, if the domain is legitimate, you have no way to validate whether the local-part is too.
Stop talking to people anyhow. In the beginning of your video, what do you mean "idea sucks"? Y'all need to put some respect in your copy and stop talking to people like everyone is a loser.