Microsoft Buys Corp.com

A few months ago, Brian Krebs told the story of the domain corp.com, and how it is basically a security nightmare:

At issue is a problem known as “namespace collision,” a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.

Windows computers on an internal corporate network validate other things on that network using a Microsoft innovation called Active Directory, which is the umbrella term for a broad range of identity-related services in Windows environments. A core part of the way these things find each other involves a Windows feature called “DNS name devolution,” which is a kind of network shorthand that makes it easier to find other computers or servers without having to specify a full, legitimate domain name for those resources.

For instance, if a company runs an internal network with the name internalnetwork.example.com, and an employee on that network wishes to access a shared drive called “drive1,” there’s no need to type “drive1.internalnetwork.example.com” into Windows Explorer; typing “\\drive1\” alone will suffice, and Windows takes care of the rest.

But things can get far trickier with an internal Windows domain that does not map back to a second-level domain the organization actually owns and controls. And unfortunately, in early versions of Windows that supported Active Directory—Windows 2000 Server, for example—the default or example Active Directory path was given as “corp,” and many companies apparently adopted this setting without modifying it to include a domain they controlled.

Compounding things further, some companies then went on to build (and/or assimilate) vast networks of networks on top of this erroneous setting.

Now, none of this was much of a security concern back in the day when it was impractical for employees to lug their bulky desktop computers and monitors outside of the corporate network. But what happens when an employee working at a company with an Active Directory network path called “corp” takes a company laptop to the local Starbucks?

Chances are good that at least some resources on the employee’s laptop will still try to access that internal “corp” domain. And because of the way DNS name devolution works on Windows, that company laptop online via the Starbucks wireless connection is likely to then seek those same resources at “corp.com.”

In practical terms, this means that whoever controls corp.com can passively intercept private communications from hundreds of thousands of computers that end up being taken outside of a corporate environment which uses this “corp” designation for its Active Directory domain.

Microsoft just bought it, so it wouldn’t fall into the hands of any bad actors:

In a written statement, Microsoft said it acquired the domain to protect its customers.

“To help in keeping systems protected we encourage customers to practice safe security habits when planning for internal domain and network names,” the statement reads. “We released a security advisory in June of 2009 and a security update that helps keep customers safe. In our ongoing commitment to customer security, we also acquired the Corp.com domain.”
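The devolution behaviour Krebs describes above can be simulated offline to see which names a domain-joined client will query, and which of them fall into zones the organisation does not own. This is an added example, not code from the post or from Krebs's article; the zone names are constructed, and the forest_root parameter models the June 2009 devolution update referred to in Microsoft's statement, which moved the devolution floor from two labels to the forest root domain.

```python
"""Simulate Windows DNS name devolution and flag namespace collisions.

Added example (not from the post or from Krebs's article). The DNS client
appends the primary DNS suffix to a single-label name, then strips leading
labels one at a time. It never devolves below two labels; after the June
2009 devolution update the floor is the forest root domain's label count
instead of two. All zone names used below are constructed sample values.
"""
from typing import List, Optional, Set


def devolved_suffixes(primary_suffix: str, forest_root: Optional[str] = None) -> List[str]:
    """Return the suffixes the client tries, most to least specific."""
    labels = primary_suffix.strip(".").lower().split(".")
    floor = len(forest_root.strip(".").split(".")) if forest_root else 2
    floor = max(floor, 2)  # Windows never devolves to a single label
    out = []
    while len(labels) >= floor:
        out.append(".".join(labels))
        labels = labels[1:]
    # A single-label domain such as "corp" has nothing to devolve; it is tried as-is.
    return out or [primary_suffix.strip(".").lower()]


def candidate_fqdns(short_name: str, primary_suffix: str,
                    forest_root: Optional[str] = None) -> List[str]:
    """Names queried for a short name like drive1: drive1.<each devolved suffix>."""
    return [f"{short_name.lower()}.{s}"
            for s in devolved_suffixes(primary_suffix, forest_root)]


def registrable_zone(name: str) -> str:
    """Last two labels: the part of the name an organisation can actually register."""
    return ".".join(name.split(".")[-2:])


def collision_report(primary_suffix: str, owned_zones: Set[str],
                     forest_root: Optional[str] = None) -> List[str]:
    """One finding per devolved suffix whose zone the organisation does not own."""
    owned = {z.lower() for z in owned_zones}
    findings = []
    for suffix in devolved_suffixes(primary_suffix, forest_root):
        if "." not in suffix:
            findings.append(f"{suffix}: single-label AD domain, not anchored to an owned zone")
        elif registrable_zone(suffix) not in owned:
            findings.append(f"{suffix}: queries for this suffix leave the organisation "
                            f"({registrable_zone(suffix)} is not an owned zone)")
    return findings


if __name__ == "__main__":
    for suffix in ("internalnetwork.example.com", "corp", "ad.corp.com"):
        print(suffix, candidate_fqdns("drive1", suffix), collision_report(suffix, {"example.com"}))
```

Passing the forest root as forest_root shows how the 2009 update shortens the list of suffixes a client walks through, while a single-label domain still produces a finding because no owned zone anchors it.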

Posted on April 9, 2020 at 6:45 AM
16 Comments

Comments

John April 9, 2020 7:09 AM

Financial fraud in Germany aimed at the financial aid for companies
(also see here; both articles are written in German)

Fraudsters managed to forge a website pretending to be an application form for companies trying to apply for financial aid from the German government.
The collected information was used to make false claims to get payments directed to small companies which are struggling with the ongoing corona crisis.
Interestingly, the attackers managed to manipulate the Google search algorithm to make their website show up even above the official website.
Following this, further payments in the federal state NRW are deferred; the financial damage could be immense, because the authorities received well over 100.000 claims since last Friday.

David Leppik April 9, 2020 7:49 AM

The article says that the asking price was $1.7 million. That’s a lot for a hobbyist who’s held onto it since the early WWW days, but not a lot for a huge corporation to fix such a large security hole.

grumbles April 9, 2020 9:36 AM

It is nice to see a HugeCo acting responsibly about a negative externality they created for once.

TimH April 9, 2020 9:47 AM

@grumbles: Nice? A major, exploited, well known security hole with a very easy fix? More like obliged before the lawsuits.

wiredog April 9, 2020 10:20 AM

Spammers out in force here already today…

Why the heck didn’t MS use “example.com” like approximately everyone else? Oy.

stormtrooper masks required, citizens! April 9, 2020 11:41 AM

https://en.wikipedia.org/wiki/Microsoft_vs._MikeRoweSoft

“Microsoft v. MikeRoweSoft was a legal dispute between Microsoft and a Canadian Belmont High School student named Mike Rowe over the domain name “MikeRoweSoft.com”. Microsoft argued that their trademark had been infringed because of the phonetic resemblance between “Microsoft” and “MikeRoweSoft”.

The case received international press attention following Microsoft’s perceived heavy-handed approach to a 12th grade student’s part-time web design business and the subsequent support that Rowe received from the online community. A settlement was eventually reached, with Rowe granting ownership of the domain to Microsoft in exchange for an Xbox and additional compensation.” […]

https://en.wikipedia.org/wiki/Microsoft_Corp._v._Lindows.com,_Inc.

“Microsoft v. Lindows.com, Inc. was a court case brought by Microsoft against Lindows, Inc. in December 2001, claiming that the name “Lindows” was a violation of its trademark “Windows.”

After two and a half years of court battles, Microsoft paid US$20 million for the Lindows trademark, and Lindows Inc. became Linspire Inc.”

yoshi April 9, 2020 2:18 PM

That’s a lot for a hobbyist who’s held onto it since the early WWW days, but not a lot for a huge corporation to fix such a large security hole.

O’Conner is not a hobbyist. He has a degree in Economics and he started one of the first high speed ISPs in Minnesota and eventually retired. He didn’t need the money. I believe he owned tv.com at one point. It’s good that Microsoft did the right thing and acquired the domain. They should have done it years ago.

(and I see the anti-Microsoft trolls are out in force today)

Norris April 11, 2020 5:05 PM

The article doesn’t explain whether or why .com is special. Would MS also need to buy corp in every other top-level domain to ensure security, such as corp.eu and corp.tv?

bmoz April 11, 2020 8:25 PM

@zomb:

“I smell the strong odor of freedom in your car, open up or doggie gets to sniff => badspam.”

Actually, it was awareness, not spam. But you’re a good little creature aren’t you? Yes you are! Yes you are! Here’s a bone and some meat! You’re so cute! Yes you are! Yes you are!

People NEED to know about ID2020 and “the mark” which is coming. Or is this not a tech related blog? Why don’t you be a good little serf and report all of the political posts which jam up the works like a fist full of wet wipes.

Microsoft Mafia April 11, 2020 8:26 PM

In other news, M$ buys publicity.

Maybe they can buy the whole internet like they did with Skype/Skype nodes so they can $ECURE US ALL!

howler monkey butler April 11, 2020 8:31 PM

(and I see the anti-Microsoft trolls are out in force today)

And the M$ ass kissers.

RealFakeNews April 12, 2020 9:30 AM

@Norris:

When setting up Active Directory (AD) in an organization, one of the basic requirements is a DNS system.

As part of naming the AD, you give it a domain in the same way as you would a website.

example.com

could be the domain you choose, however… AD assumes (we know where ASSumptions get us…) that this domain is actually real, as it is used as part of the DNS integration that takes place when AD is set up.

In an Active Directory domain, every client that joins the Domain is automatically added to DNS every time it connects to AD, allowing it to be easily looked up by what MS call a “fully qualified name”.

Let’s say a computer is called Sam. Its FQN will be sam.example.com and inside the AD network this will work to access resources.

When a system is outside of the LAN, it doesn’t care. It tries to find the AD server through the FQN. It starts by looking up example.com, only it doesn’t know it is now searching internet DNS and not the local LAN AD-based DNS.

This is where the security headache begins for AD systems outside the AD network.

Paul Kosinski April 15, 2020 4:24 PM

Unfortunately, IANA did not define any generally useful reserved TLDs as was done with IP ranges that aren’t supposed to appear on the public Internet (i.e., 10.x.y.z, 192.168.x.y etc.).

The TLDs set aside either have special behavior (“local” and “localhost”) or have everyday meanings that would be confusing or misleading for normal use on most organizations’ LANs: “example”, “onion”, “test” and worst of all, “invalid”.

If IANA had set aside TLDs like “corp”, “lan”, “private” etc., this class of problems wouldn’t have arisen.

bob April 20, 2020 2:37 PM

Reminds me of the E. H. Ferree company, which made wallets, back when SSAN first came out. They put a simulated SS Card in the wallet in a special pocket just for that purpose. The boss of the company used his secretary’s actual card (078-05-1120) as the model. Good marketing gimmick to have the pocket, bad move to put a quasi-realistic looking card in it (should have watermarked “SAMPLE” across it or something).

A lot of people (40,000 at peak according to SSA) when they opened the wallet thought “OK, here’s my SS card, that was fast, thanks Woolworth.” and they used that number for years/decades. SSA had to retire the number.

Chris April 21, 2020 1:30 PM

What will happen if a free wifi site catches DNS queries and points corp.com to a system they control? And how large a scale could this be done on?
