In February, KrebsOnSecurity told the story of a private citizen auctioning off the dangerous domain corp.com for the starting price of $1.7 million. Domain experts called corp.com dangerous because years of testing showed whoever wields it would have access to an unending stream of passwords, email and other sensitive data from hundreds of thousands of Microsoft Windows PCs at major companies around the globe. This week, Microsoft Corp. agreed to buy the domain in a bid to keep it out of the hands of those who might abuse its awesome power.
I had no idea that a seemingly innocuous default chosen decades ago had this much of an impact.
(Edited for updates.)
The more correct version of the headline is:
“Microsoft Buys Corp.com So Other Bad Guys Can’t”
The technical stuff is ancillary; Microsoft now has a new way to snoop on their users’ stuff. The only way to prove me wrong on that would be to null-route (to 0.0.0.0) everything referring to corp.com.
You are technically entirely correct. “Other bad guys can’t” and “Microsoft now has a new way”
Too bad that Microsoft already put out patches and advisories and best practices and patterns and guidelines to block their own evil plan. They were even silly enough to change their own code to not make the most of this acquisition. I highly recommend everyone to monitor changes to undo all of that work in the near future /s
Microsoft offered the following statement in response to the acquisition of Corp.com domain.
“To help in keeping systems protected we encourage customers to practice safe security habits when planning for internal domain and network names. We released a security advisory in June of 2009 and a security update that helps keep customers safe. In our ongoing commitment to customer security, we also acquired the Corp.com domain.”
I love these kinds of dumb problems, because the world is built on them.
CaptainN-,
Haha, yeah.
A common mistake still being made is setting up your intranet using a valid top-level domain (e.g. .com, .co.uk or many of the other ones that have been set up in recent years), creating a load of host entries in your intranet DNS under that domain and then *not* registering the actual domain with a domain registrar (even if it’s just as a protective measure and you don’t ever put anything in your public DNS for it)!
Better to try and pick a TLD for your intranet that isn’t in existence publicly and is unlikely to exist publicly in the future either, IMHO.
The most current best practices suggest picking a name like this: ad.domainyouown.com (org, net, etc.)
Putting ad. or whatever you prefer also avoids a lot of split brain DNS nightmares.
Using a name ending with .local or something like that, or picking an absurd random name, is not recommended.
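The naming advice in the comments above can be turned into a quick audit of internal namespaces. This is an added example, not part of the original post or comments; the `OWNED` set, the sample names and the verdict labels are constructed for illustration.

```python
# Added example: classify an internal AD/DNS namespace per the naming advice above.
# OWNED and SAMPLES are constructed placeholders, not a real inventory.
OWNED = {"domainyouown.com"}
SAMPLES = ["ad.domainyouown.com", "corp.com", "corp", "office.local",
           "domainyouown.com", "notdomainyouown.com", "AD.DomainYouOwn.com."]

NOTES = {
    "owned-subdomain": "matches the ad.domainyouown.com pattern",
    "owned-apex": "owned, but lacks the ad. prefix said to avoid split-brain DNS",
    "dot-local": "ends in .local, which the thread advises against",
    "single-label": "no parent domain that could be registered or owned",
    "not-owned": "public namespace the org never registered (the corp.com case)",
}

def labels(name):
    """Lowercase label list for a DNS name, ignoring a trailing dot."""
    return [p for p in name.strip().lower().rstrip(".").split(".") if p]

def is_under(name, parent):
    """True if name is a strict subdomain of parent, compared label by label."""
    n, p = labels(name), labels(parent)
    return bool(p) and len(n) > len(p) and n[-len(p):] == p

def classify(ad_domain, owned):
    n = labels(ad_domain)
    if not n:
        raise ValueError("empty domain name")
    if len(n) == 1:
        return "single-label"
    if n[-1] == "local":
        return "dot-local"
    if any(n == labels(o) for o in owned):
        return "owned-apex"
    if any(is_under(ad_domain, o) for o in owned):
        return "owned-subdomain"
    return "not-owned"

def audit(names, owned):
    """Return {name: (verdict, note)} for every namespace in names."""
    return {name: (v, NOTES[v]) for name in names
            for v in [classify(name, owned)]}

if __name__ == "__main__":
    for name, (verdict, note) in audit(SAMPLES, OWNED).items():
        print(f"{name:24} {verdict:16} {note}")
```

Matching is done on whole labels, so `notdomainyouown.com` is not mistaken for a name under `domainyouown.com`.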