The Security box, podcast 30: Domain discussion, a talk segment, news, notes and more

Hello everyone! Welcome to the tech podcast as part of 986 the mix entitled The Security Box.

For those who don’t know, this is a weekly show on the Independent channel of the Mix’s suite of servers, and there are several ways to listen. Please go to the Magnatune and Independent channel page to learn about it and the ways to listen.

The technology blog has had the program up since shortly after it aired, but I neglected to get the show notes up on the blog, which this post covers.

Don’t like RSS, or would rather have the file on your computer? No problem! Download the 162.57 MB file, and I hope you enjoy the show as much as I have enjoyed bringing it together for you!


Now, without any further ado, let us give you the extensive show notes for this episode and we’ll see you on another edition of the program!


Welcome to podcast 30 of the Security Box. On this Security Box podcast, the goal is to talk about domains. We’ll talk about what a domain is, how they work, a little bit about the IP system, and some recent news in regards to domains, registration companies, look-alike domains and more. We’ll have news, notes, questions, comments and Michael in Tennessee with a segment to boot.

Domains discussion:

Domain names are used instead of IP addresses so people can reach web sites without memorizing numbers. Instead of going to 198.x.x.x to get to my web site, you go to my domain name, and the Domain Name System (DNS) translates that name into the address. You can easily find the IP where my domain is hosted by pinging or tracerouting the domain.

In the following example, I pinged my domain, and the next line shows my current IP.
Pinging jaredrimer.net [198.37.123.246] with 32 bytes of data:

Since the site is up, I got 4 replies (not shown here) and it returned me to the prompt. Since multiple domains can live on one IP, just typing the IP into your browser will not give you the web site you want, and I’ve not been able to figure out how to do this without typing the domain name I want, such as jaredrimer.net.
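The reason is the Host header: on shared hosting the web server picks the site from the name the browser asked for, not from the IP the packet arrived on. The following Python script is an added example, not code from the podcast or from the blog’s author. It runs a tiny HTTP server on your own machine (127.0.0.1 only) with two constructed site names that share one IP and port, then requests that same IP three times with different Host headers. The site names and page bodies are made up for the demo.

```python
"""Added example: name-based virtual hosting on one IP address.

One local HTTP server answers on a single loopback address and chooses the
"site" from the Host header, which is how shared hosting serves many domains
from one IP.  Everything here is constructed for the demo.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed virtual-host table: two hypothetical sites on one IP and port.
VHOSTS = {
    "jaredrimer.net": b"Welcome to jaredrimer.net (constructed page)",
    "other-site.test": b"Welcome to other-site.test (constructed page)",
}
DEFAULT_BODY = b"No site is configured for that host name"


class VHostHandler(BaseHTTPRequestHandler):
    """Route each request by its Host header, not by the IP it arrived on."""

    def do_GET(self):
        # Drop an optional ":port" suffix and fold case; DNS names are
        # case-insensitive, so Other-Site.test and other-site.test match.
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_BODY)
        self.send_response(200 if host in VHOSTS else 404)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # keep the demo quiet


def start_server():
    """Bind an ephemeral loopback port and serve from a background thread."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port, host_header):
    """GET / from 127.0.0.1:port while presenting an arbitrary Host header.

    This is what a browser does after DNS has resolved the name, and what
    `curl -H 'Host: ...' http://<ip>/` lets you do by hand.
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host_header)
    conn.endheaders()
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def demo():
    """Hit the same IP three times: two vhost names and the bare IP."""
    server = start_server()
    port = server.server_address[1]
    try:
        return {
            name: fetch(port, name)
            for name in ("jaredrimer.net", "Other-Site.test", "127.0.0.1")
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"Host: {name:16} -> {status} {body.decode()}")
```

Run it and the bare IP gets the server’s default page while each real name gets its own site. Against a live server you can do the same by hand with `curl -H 'Host: jaredrimer.net' http://<ip>/`; for HTTPS the name also travels in the TLS handshake (SNI), which `curl --resolve jaredrimer.net:443:<ip>` takes care of.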

According to the Wikipedia page on the Domain Name System, it goes back to the ARPANET days in the 1970s. The Stanford Research Institute (SRI International, as it is now known) maintained a hosts text file, HOSTS.TXT, that mapped every host name on the network to its numeric address; that single file was the naming system before DNS existed. Elizabeth Feinler’s group at SRI ran the directory for ARPANET: she had to be called during business hours and would update the file by hand. Jon Postel, then at USC’s Information Sciences Institute, worked with her on it. Feinler’s team also ran the WHOIS directory and suggested that domains be grouped by the location of the computer; the DNS itself, which replaced the central file with a distributed hierarchy in 1983, was designed by Paul Mockapetris. There’s more to this, so read the Wikipedia article on DNS for the complete story.

Now the fun part. DNS and the domain system were not built with security in mind. Phishing for passwords started in the late 80s and early 90s, as we discussed in earlier podcasts. Today domains can be hijacked outright, phishers and scammers can take domains over by social engineering the registrar, look-alike subdomains can be created anywhere in the world on cheap or free hosting, whole web sites can be taken over, and more.

Domains must be registered through companies (registrars) that provide the services for pointing a domain wherever the owner wishes. Rules are in place to make sure that certain domains go in certain locations, that material suited for adults is labelled as such by the content creator, and that valid, accurate registration information is given, whether or not it is published. ICANN, through the IANA function, coordinates IP allocation as well as the rules governing domains outlined above. Registrars must be accredited by ICANN and follow the rules it sets. Large, small and medium-sized companies all sell domains through their services. One such registrar is Net 4 India. They’re looking to get in trouble for some pretty serious stuff, and you can read more through ICANN. I found this when making sure I had the right URL to ICANN for the show notes. They may lose their accreditation as a registrar if they do not comply with what is asked of them.

One large registrar is GoDaddy. They’re based in Arizona, and while they’ve had their issues, they seem to be very credible and honest. People can choose who to have as a registrar, and that is all well and good. Recently, they helped out with the SolarWinds fiasco that has plagued us since early December, but in November an article came out saying that they were tricked into letting attackers take over domains, including the big-name site escrow.com. In one case, control of liquid.com, a cryptocurrency exchange, was incorrectly handed to an attacker, who then got access to the company’s document storage. This isn’t the first time GoDaddy has been in the news, and the article entitled GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services should be read for the entire story of this ordeal. I’m sure this can happen to anyone, even if you have two-factor and proper security measures in place. There are settings within your account to prohibit transfers without your knowledge, but customer service can bypass them, whether for legitimate reasons such as law-enforcement takedowns or because an employee has been tricked, as happened here. Besides liquid.com, other sites are mentioned in the article which I’m not going to cover in these notes. The article is from Krebs on Security and is a great read in its own right.
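Whether a domain actually has its transfer, update and delete locks switched on is visible to anyone in its public RDAP record, so this is a check you can run on your own domains after reading about incidents like the one above. The script below is an added example, not the podcast’s or GoDaddy’s code; the two RDAP records it audits are constructed to follow the RFC 9083 field names (status, secureDNS.delegationSigned) and are not real registry data.

```python
"""Added example: audit the registrar-side protections in an RDAP record.

RDAP (RFC 9083) is the JSON successor to WHOIS.  The EPP lock statuses appear
in its "status" array spelled in lower case with spaces.  Sample records
below are constructed for the demo, not fetched from any registry.
"""
import json

# Locks that stop a domain being transferred, altered or deleted until the
# account holder (or a persuaded registrar support agent) clears them.
CLIENT_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}
# Registry-level equivalents, set at the registry rather than by the registrar.
SERVER_LOCKS = {
    "server transfer prohibited",
    "server update prohibited",
    "server delete prohibited",
}


def audit_rdap(record):
    """Return a list of findings for one RDAP domain object; [] means all checks pass."""
    status = set(record.get("status", []))
    findings = [f"missing {lock}" for lock in sorted(CLIENT_LOCKS - status)]
    if not status & SERVER_LOCKS:
        findings.append("no registry lock (server ... prohibited) set")
    if not record.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("DNSSEC not enabled (secureDNS.delegationSigned is false)")
    return findings


# Constructed RDAP responses, trimmed to the fields this audit uses.
LOCKED_RECORD = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.com",
  "status": ["client transfer prohibited", "client update prohibited",
             "client delete prohibited", "server transfer prohibited"],
  "secureDNS": {"delegationSigned": true}
}
""")

UNLOCKED_RECORD = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.net",
  "status": ["active"],
  "secureDNS": {"delegationSigned": false}
}
""")

if __name__ == "__main__":
    for rec in (LOCKED_RECORD, UNLOCKED_RECORD):
        findings = audit_rdap(rec)
        print(rec["ldhName"], "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

For a real .com you can fetch the record with `curl https://rdap.verisign.com/com/v1/domain/<name>` and feed the JSON to audit_rdap(); the lock names appear in the same form. The registry lock (the server-side statuses) is the one control that normally needs an out-of-band confirmation with the registry rather than a support ticket to remove, so it is the finding to care about most after an incident like the one above.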

One of the things we continue to see is phishing of all kinds, including what are known as look-alike domains. What is a Look-alike Domain? is the title of a PhishLabs article. Under “Anatomy of a Look-alike Domain”, one of several headings in that article, it says:

Domain names act as a map to tell browsers and other applications how to find what we’re looking for. Explaining the full structure of domain names and their hierarchy is more complex than this, yet here are the basics:

There are three bullet points within the article I want to discuss.

  • The top-level domain portion on the far right can identify the location where the domain registrant resides, their organizational purpose, or even the industry of the business that registered it.
  • The second-level domain section is the address name and unique identifier often manipulated to impersonate domains used for legitimate purposes. They enable our computers to find the server where a website or email is hosted.
  • A subdomain is a part of the domain that helps registrants organize a website into different sections or categories. Subdomains can also be used to create look-alike domains. Example: phishlabs.000webhost.com.

According to the article:

The process is inexpensive, and threat actors will see a large return on their investment if they know what they’re doing and move quickly to evade detection.

As discussed earlier, domains are cheap to buy, and now we have a bigger problem with domains that look similar to ones you have seen elsewhere. Take the Apple emails, for example. Please check out the article for complete details, because there is a lot to it.
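As an added example (mine, not from the PhishLabs article or from the blog), here is a small Python classifier that splits a host name into the three parts the article lists and then flags the common look-alike tricks against a short list of protected brands: the brand used as a subdomain label on someone else’s hosting (the phishlabs.000webhost.com case), the brand on a different TLD, digit-for-letter homoglyphs, the brand embedded with extra words, and one-keystroke typos. The suffix list and homoglyph table are deliberately tiny and constructed; real tooling would load the Public Suffix List.

```python
"""Added example: classify look-alike domains by TLD, second-level and subdomain.

The suffix list, homoglyph table and brand list are constructed for the demo.
"""

# Constructed, abbreviated public-suffix list (assumption: enough for the demo;
# production code would load https://publicsuffix.org/list/).
KNOWN_SUFFIXES = {"com", "net", "org", "co.uk", "org.uk", "com.au"}

# Visual substitutions seen in look-alike labels; two-character keys first so
# "rn" -> "m" is folded before its letters are looked at individually.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def split_domain(fqdn):
    """Return (subdomain, second_level, tld) for a host name.

    Tries a two-label suffix (co.uk) before a one-label one (com).  If neither
    is known, the last label is treated as the TLD so 'paypal.co' still splits.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified name: {fqdn!r}")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            break
    else:
        n = 1
    tld = ".".join(labels[-n:])
    sld = labels[-n - 1]
    sub = ".".join(labels[: -n - 1])
    return sub, sld, tld


def normalize(label):
    """Fold homoglyphs and hyphens so 'paypa1-secure' compares as 'paypalsecure'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label.replace("-", "")


def levenshtein(a, b):
    """Edit distance, used to catch one-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(fqdn, brands):
    """brands: set of legitimate registrable domains, e.g. {'paypal.com'}."""
    sub, sld, tld = split_domain(fqdn)
    if f"{sld}.{tld}" in brands:
        return "legitimate"
    names = {b.split(".")[0] for b in brands}

    # Brand used as a subdomain label on someone else's domain, the article's
    # own example: phishlabs.000webhost.com.
    for label in (sub.split(".") if sub else []):
        if normalize(label) in names:
            return "brand-in-subdomain"

    folded = normalize(sld)
    for name in names:
        if folded == name:
            # Same letters on the wrong TLD (paypal.co) or with homoglyphs (paypa1.com).
            return "other-tld" if sld == name else "homoglyph"
        if name in folded:
            return "brand-embedded"  # paypal-secure.com
        if len(name) >= 5 and levenshtein(sld, name) == 1:
            return "typosquat"  # paypol.com
    return "unrelated"


if __name__ == "__main__":
    brands = {"paypal.com", "apple.com", "phishlabs.com"}  # constructed list
    for host in ("paypal.com", "phishlabs.000webhost.com", "paypa1.com",
                 "paypal.co", "paypal-secure.com", "paypol.com",
                 "appleid.co.uk", "example.org"):
        print(f"{host:28} {classify(host, brands)}")
```

The order of the checks matters: the subdomain test runs first because on free hosting the registrable name (000webhost.com) is perfectly legitimate and only the label in front of it carries the brand. The homoglyph table is folded before comparing, so paypa1-secure.com is reported as brand-embedded rather than slipping past the exact-match test.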

Next week, we’ll talk about the APWG Q3 report on phishing and what criminals are looking for. We’ll also talk about more look-alike domain material coming from PhishLabs. For now, if you want to take a peek at the APWG report, read APWG Q3 Report: Four Out of Five Criminals Prefer HTTPS and leave your thoughts on it. That article came out in December 2020.

Segments:

Michael in Tennessee is on to talk about Facebook, apps, updating phones and other odds and ends. The segment is roughly 50 minutes long.

News, Notes and more

  • Security Now, podcast 803, talks about a railway in China. I remember hearing something about this, but they were running on Flash. I guess the Chinese railway did not know that there was a time bomb in Flash, which halted the railroad for half a day. Good thing I didn’t write or learn Flash; it seemed like more of an inaccessibility problem for the disabled with screen readers until elements were made accessible. Time to be rid of it; it isn’t useful in today’s environment. Security Now goes into other agencies that might be affected by Flash’s demise. Goodbye, Flash.
  • In the same episode, Steve and Leo talk about ransomware attacks becoming a big problem. We already know that, but according to the episode, actors may deploy a prolonged Distributed Denial of Service (DDoS) attack if you don’t pay. This has been employed by two ransomware gangs, SunCrypt and Ragnar Locker. Think this is a huge problem now? If I weren’t to pay because I couldn’t afford it, would they keep my website offline by attacking it until I decided to pay? What else is next?
  • Also in this episode, Steve goes into great detail, from about 47 minutes in until about 70 minutes in, on the SolarWinds breach and the fact that the actors may have started as early as February 2020. They turned off logs when they wanted to do something, turned them back on when they were done, and carefully, painstakingly made sure they covered their tracks. Teardrop and Raindrop are just two of the malware families that were used. Also disclosed was the fact that they removed the malicious DLLs from SolarWinds in June 2020 after they got their targets. The segment is worth listening to, and the episode itself is full of items you might find of interest.
  • Emotet and other gangs have had their operations disrupted, with some loss of members. Emotet, NetWalker and TrickBot have taken big blows, but will it be enough? from CyberScoop and International Action Targets Emotet Crimeware are two articles. A third, Sharp Increase in Emotet, Ransomware Droppers, belongs here too, because while the gangs are being depleted, this stuff is being used as a backbone for other malware. Researchers are still checking out what is happening, and we’ll see how things go. Read the articles, and continue to check out the blog for more.
  • ValidCC is one of many sites shuttered, according to an article by Krebs on Security titled ‘ValidCC,’ a Major Payment Card Bazaar and Looter of E-Commerce Sites, Shuttered.

    ValidCC, a dark web bazaar run by a cybercrime group that for more than six years hacked online merchants and sold stolen payment card data, abruptly closed up shop last week. The proprietors of the popular store said their servers were seized as part of a coordinated law enforcement operation designed to disconnect and confiscate its infrastructure.

    There are many types of shops out there that sell card-not-present data, but most source the data from other criminals in the business. The article is pretty detailed, so check it out.

  • This is some great news: U.K. Arrest in ‘SMS Bandits’ Phishing Service is the article.

    Authorities in the United Kingdom have arrested a 20-year-old man for allegedly operating an online service for sending high-volume phishing campaigns via mobile text messages. The service, marketed in the underground under the name “SMS Bandits,” has been responsible for blasting out huge volumes of phishing lures spoofing everything from COVID-19 pandemic relief efforts to PayPal, telecommunications providers and tax revenue agencies.

    If we can slow these guys down, that’s great. Keep up the great work! I just got a message saying that a package with a tracking number beginning with 1Z, supposedly a FedEx package, was delayed. I already know the link is not what it claims to be; I have no packages out for delivery at this time. Want to try again?

  • The tax man will be coming around to collect his payments for this past year, but a Krebs on Security article talks about ID theft alongside the tax man. The Taxman Cometh for ID Theft Victims is the article, and it’s time to repeat this again. There are a lot of links within the article, so quoting anything here is impossible. Check out the article; it’s worth the read.
  • If SolarWinds hasn’t been talked about enough, an article entitled After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case should be read. The first paragraph says:

    As the U.S. investigation into the SolarWinds hacking campaign grinds on, lawmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago.

    I’m surprised we’re still interested in that one, but I don’t believe we got any answers on it either.

  • This Week in Security News – Jan. 29, 2021 has tons of stuff, including parents saying yes to more screen time during these times, Sodinokibi being examined, another article on Emotet, fake Office 365 pages used for phishing attacks, CEOs being the most valuable phishing targets, three actively exploited zero-days, Linux not being out of the woods as threats are around for it too, and cybercriminals using SMS to send sweepstakes, credit card and delivery scams. I mention this as part of Michael in Tennessee’s segment.
  • Going back to January of this year, shell scripts are being used to steal cloud credentials. Malicious Shell Script Steals Cloud Credentials is the article, and maybe it’s time to bring this up as part of news notes. The subhead says: “In past cryptocurrency mining attacks, malicious shell scripts were typically used as downloaders. However, recent cases show that they now serve other purposes such as stealing sensitive data.” This is definitely worth the read.
  • Parler was shut down some time ago, and a denial-of-service protection company is giving up IP space used by them. In the article DDoS-Guard To Forfeit Internet Space Occupied by Parler we learn why. One paragraph by Brian Krebs says:

    The pending disruption for DDoS-Guard and Parler comes compliments of Ron Guilmette, a researcher who has made it something of a personal mission to de-platform conspiracy theorist and far-right groups.

    This was definitely a very interesting read.

We hope you enjoyed the program as much as we enjoyed bringing it together for you. We know there were a few tech problems; they’ll be worked on. Not sure what is up, but it’s just strange sometimes. See you on another edition of the box next time.


Article information

The Security box, podcast 30: Domain discussion, a talk segment, news, notes and more was released on February 5, 2021 at 1:00 pm by tech in podcast announcements.
Last modified: February 5, 2021.

