A security researcher commandeered a country’s expired top-level domain to save it from hackers – TechCrunch

In mid-October, a little-known but critically important domain name in a country's corner of the internet began to expire.

The domain, scpt-network.com, was one of two nameservers for .cd, the country code top-level domain assigned to the Democratic Republic of the Congo. In the wrong hands, it would let an attacker redirect millions of unsuspecting internet users to websites of the attacker's choosing.

Clearly a domain of such importance was never meant to lapse; someone in the Congolese government probably forgot to pay for its renewal. Fortunately, expired domains do not disappear immediately. Instead, the clock started on a grace period during which its government owners could buy the domain back before it was released for anyone else to register.
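The dependency described above, a zone whose delegation points at a nameserver hosted on a separately registered domain, is something an operator can audit. The following is an added example, not code from the article: given a zone's NS set and the expiry dates of the registrable domains those hostnames live under, it flags nameservers whose registration is out of the zone's own control and close to lapsing. The hostnames and expiry dates are constructed stand-ins; in practice the NS set would come from `dig NS <zone>` and the dates from the relevant registry's WHOIS or RDAP service.

```python
"""Audit a DNS zone's delegation for nameservers whose host domain is a separate
registration that can lapse, the way scpt-network.com did for .cd.

Added example, not code from the article. NS set and expiry dates are
constructed stand-ins, not a claim about any real zone's current delegation."""
from datetime import date

ZONE = "cd"

# Constructed delegation data (hypothetical hostnames): one nameserver inside
# the zone itself, two hosted under other top-level domains.
NS_SET = [
    "ns-a.example-registry.cd",
    "ns.scpt-network.com",
    "ns2.example-dns.net",
]

# Constructed WHOIS/RDAP expiry dates keyed by registrable domain.
WHOIS_EXPIRY = {
    "scpt-network.com": date(2020, 12, 31),
    "example-dns.net": date(2026, 6, 1),
}


def registrable_domain(hostname: str) -> str:
    """Last two labels, e.g. ns.scpt-network.com -> scpt-network.com.
    Sufficient for single-label public suffixes such as .com/.net; production
    code should consult the Public Suffix List (e.g. the publicsuffix2 package)
    so that a host like ns.example.co.uk maps to example.co.uk."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def in_bailiwick(hostname: str, zone: str) -> bool:
    """True if the nameserver's name lives under the zone it serves, so its
    registration is controlled by the same registry rather than a third party."""
    return hostname.rstrip(".").lower().endswith("." + zone.strip(".").lower())


def audit_delegation(zone, ns_set, expiry_by_domain, today, warn_days=60):
    """One finding per nameserver: status is in_bailiwick, ok, expires_soon,
    expired or unknown_expiry, with days_left filled in where the date is known."""
    findings = []
    for host in ns_set:
        finding = {"host": host, "domain": None, "days_left": None}
        if in_bailiwick(host, zone):
            finding["status"] = "in_bailiwick"
        else:
            domain = registrable_domain(host)
            finding["domain"] = domain
            exp = expiry_by_domain.get(domain)
            if exp is None:
                finding["status"] = "unknown_expiry"
            else:
                days = (exp - today).days
                finding["days_left"] = days
                if days < 0:
                    finding["status"] = "expired"
                elif days <= warn_days:
                    finding["status"] = "expires_soon"
                else:
                    finding["status"] = "ok"
        findings.append(finding)
    return findings


def needs_attention(findings):
    """The subset an operator must act on: lapsed, about to lapse, or unknown."""
    return [f for f in findings
            if f["status"] in ("expired", "expires_soon", "unknown_expiry")]


def run_audit(today_iso="2020-12-01"):
    """Run the audit over the constructed data as of the given date."""
    return audit_delegation(ZONE, NS_SET, WHOIS_EXPIRY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in run_audit("2020-12-01"):
        print(f"{f['host']:28} {f['status']:15} days_left={f['days_left']}")
```

The in-bailiwick check matters because a nameserver hosted under the zone it serves cannot be lost to a third party through an ordinary expiry at another registry; the out-of-bailiwick ones are where a missed renewal turns into a takeover.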

Coincidentally, Fredrik Almroth, a security researcher and co-founder of a cybersecurity startup, was already looking at country code top-level domains (or ccTLDs), the two-letter suffix at the end of a region's web addresses, like .fr for France or .uk for the United Kingdom. When he noticed that this important domain name was about to expire, Almroth began monitoring it, expecting that someone in the Congolese government would pay to reclaim it.

But nobody ever did.

By the end of December the clock had all but run out, and the domain dropped off the internet. Within minutes of the domain becoming available, Almroth registered it himself to keep anyone else from taking it, because, as he told TechCrunch, “the implications are huge.”

It is rare, but not unheard of, for a domain this close to the top of the DNS hierarchy to expire.

In 2017, security researcher Matthew Bryant took over nameservers of .io, the top-level domain assigned to the British Indian Ocean Territory. But malicious hackers have also shown interest in targeting top-level domains as a way to reach the companies and governments that use the same country-based domain suffix.

Taking over nameservers is no small matter, as they are a fundamental part of how the internet works.

Every time you visit a website, your device relies on a nameserver to convert the web address into a machine-readable address that tells your device where on the internet to find the site you are looking for. Some liken nameservers to the internet's phone directory. Sometimes your browser need look no further than its own cache for the answer, and sometimes it has to ask a nearby nameserver (a recursive resolver), which in turn asks up the chain. But the nameservers that serve top-level domains are authoritative: they hold the answer for their zone and do not need to ask another nameserver.

With control of an authoritative nameserver, malicious hackers can silently intercept and redirect internet users visiting legitimate sites to malicious webpages, a form of DNS hijacking.

These kinds of attacks have been used in sophisticated espionage campaigns to clone websites so that victims hand over their passwords, which the hackers then use to get into company networks and steal information.

Worse, Almroth said, with control of the nameservers it was possible to obtain valid SSL (HTTPS) certificates, because certificate authorities verify control of a domain through DNS. That would let an attacker intercept encrypted web traffic or email for any .cd domain. To the untrained eye nothing would look wrong: a successful attacker could redirect victims to a malicious website and they would be none the wiser.

“If you can misuse the verification schemes used to issue certificates, you can issue SSL for any .cd domain as well,” said Almroth. “The ability to be in such a privileged position is frightening.”
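The verification scheme Almroth is pointing at is, in the common case, ACME's DNS-01 challenge (RFC 8555, section 8.4): the CA hands the applicant a token and then looks for a digest of it in a TXT record under the domain, resolved through the zone's authoritative nameservers. The block below is an added example, not code from the article, from Almroth, or from any CA. It computes the record value the way the RFC specifies and then runs the CA's check against two stand-in authoritative servers: the rightful operator's, which has no such record, and one run by whoever now answers for the .cd delegation. The account key (`ATTACKER_ACCOUNT_JWK`), the token and the domain `example.cd` are constructed placeholders.

```python
"""ACME DNS-01 validation (RFC 8555 section 8.4) seen from the DNS side, to show
why a party who answers authoritatively for a zone can obtain certificates for
names in it. Added example; not from the article, Almroth, or any CA."""
import base64
import hashlib
import json

# Constructed placeholder ACME account key (JWK). The coordinates are not a
# real key pair; they only need the right shape for a thumbprint.
ATTACKER_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# Constructed challenge token of the shape an ACME server hands out.
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members of the key,
    serialized in lexicographic order with no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.1 key authorization = token '.' thumbprint; the DNS-01
    TXT record holds base64url(SHA-256(keyAuthorization))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


class AuthoritativeServer:
    """Minimal stand-in for an authoritative nameserver: owner name -> TXT
    records. Whoever runs the server the CA's resolver is sent to decides
    what it answers."""

    def __init__(self):
        self._txt = {}

    @staticmethod
    def _norm(name: str) -> str:
        return name.rstrip(".").lower()

    def add_txt(self, name: str, value: str) -> None:
        self._txt.setdefault(self._norm(name), []).append(value)

    def query_txt(self, name: str) -> list:
        return list(self._txt.get(self._norm(name), []))


def ca_validate_dns01(server: AuthoritativeServer, domain: str,
                      token: str, account_jwk: dict) -> bool:
    """The CA's side: derive the expected digest from the token and the account
    key thumbprint, then look for it in _acme-challenge.<domain> TXT as served
    by the zone's authoritative nameserver."""
    expected = dns01_txt_value(token, jwk_thumbprint(account_jwk))
    return expected in server.query_txt(f"_acme-challenge.{domain}")


def demo(domain: str = "example.cd") -> dict:
    """Compare the legitimate operator's zone with one served by whoever now
    controls the nameserver that the .cd delegation points at."""
    legit = AuthoritativeServer()  # knows nothing about the attacker's account
    hijacked = AuthoritativeServer()
    hijacked.add_txt(f"_acme-challenge.{domain}",
                     dns01_txt_value(TOKEN, jwk_thumbprint(ATTACKER_ACCOUNT_JWK)))
    return {
        "legitimate_server_passes": ca_validate_dns01(legit, domain, TOKEN, ATTACKER_ACCOUNT_JWK),
        "hijacked_server_passes": ca_validate_dns01(hijacked, domain, TOKEN, ATTACKER_ACCOUNT_JWK),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in the check ties the answer to the domain's real owner; it ties it to whoever the CA's resolver reaches when it follows the delegation from the root through the .cd nameservers. Multi-vantage-point validation and CAA records do not change that, since they are resolved through the same path. DNSSEC validation on the CA's resolver does, but only for zones that are signed.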

Almroth sat on the domain for about a week while he tried to figure out how to hand it back. By this point the domain had already been inactive for two months and nothing had broken disastrously. At most, a website with a .cd domain might take a little longer to load.

Since the other nameserver was running normally, Almroth kept the domain offline, so that whenever an internet user's resolver tried to look up a .cd domain through the nameserver under his control, the query would time out and the resolver would fall back to the remaining nameserver.

In the end, the Congolese government never asked for the domain back. Instead, an entirely new but similarly named domain, scpt-network.net, now replaces the one in Almroth's possession.

We reached out to Congolese officials for comment, but did not hear back.

A spokesperson for ICANN, the international non-profit responsible for coordinating the internet's naming system, said that country code top-level domains are operated by their respective countries and that ICANN's own role is “very limited.”

For its part, ICANN encouraged countries to follow best practices and to use DNSSEC, a set of cryptographic extensions to DNS that let resolvers verify that answers have not been tampered with, making it far harder to spoof a website's records. It only protects zones that are signed, and only for resolvers that validate the signatures. A network security engineer, who asked not to be named because they were not authorized to speak to the media, questioned whether DNSSEC would be effective at all against a top-level domain hijacking.

At least in this case, it was nothing a calendar reminder could not have fixed.