(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Cert.org this week again warned that internal top level domain names can be used against you if one of them happens to be registered as a new generic top level domain (gTLD). Currently, there are about 1200 approved gTLDs, and the number will only increase, even though the initial gold rush seems to have leveled off somewhat [1].

US-CERT just sent out another reminder regarding the use of internal domain names for automatic proxy configuration via WPAD [2]. If this internal, but not officially assigned, TLD is all of a sudden used on the public internet, then requests may go to a host within that official TLD instead of your internal TLD. This is in particular a problem for mobile devices that leave your network.

US-CERT points out a couple of options, most importantly the use of an actually assigned domain, which should be the preferred solution to this problem. On the other hand, this can be difficult to roll out in a larger network where the internal TLD is used for various purposes. In this case, make sure that at least internally, all queries for this internal TLD are directed to your internal name server.

Regarding gTLDs in general, you may also want to consider blocking some from resolving anyway:

- .zip : This gTLD appears to be assigned to Google, and is currently not used. It could lead to the leaking of .zip file names if mail software and the like interprets the file name as a URL and adds a hyperlink to it.
- .top : From my own experience, this TLD is exclusively used for spam. Let me know if you find legitimate use of this gTLD.
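
The two checks above (is my internal TLD now a public gTLD, and does my resolver pin it and block the gTLDs I do not want) as an added example; this is not code from the diary or from US-CERT. It flags internal TLDs that appear in the public root zone, lists the wpad.<tld> names that would then resolve on the public internet, and renders unbound.conf fragments that send the internal TLD to the internal name server and return NXDOMAIN for .zip and .top. The delegated-TLD snapshot, the internal TLD names "corp" and "acme", the resolver address 10.0.0.53 and the choice of unbound are assumptions for illustration; the IANA TLD list URL is the real published one and is what you would feed in for a real check.

```python
"""Internal-TLD collision check plus resolver config to pin internal TLDs
and block unwanted gTLDs.

Added example, not part of the ISC diary.  The delegated-TLD snapshot below
is CONSTRUCTED for the demo; for a real check, save IANA's current list
(https://data.iana.org/TLD/tlds-alpha-by-domain.txt) and pass it through
load_iana_tld_list().  The internal TLD names, the resolver address and the
use of unbound are assumptions for illustration only.
"""
from __future__ import annotations

# Constructed stand-in for the IANA root-zone TLD list.  "acme" is included
# on purpose so that the collision check below has something to find.
DELEGATED_TLDS_SNAPSHOT = {"com", "net", "org", "top", "zip", "acme"}

# gTLDs the diary suggests blocking from resolving.
BLOCKED_GTLDS = ("zip", "top")


def normalize_tld(name: str) -> str:
    """Accept 'corp', '.corp', 'CORP.' and return 'corp'."""
    return name.strip().strip(".").lower()


def parse_iana_tld_list(lines) -> set[str]:
    """Parse the tlds-alpha-by-domain.txt format: one upper-case TLD per line,
    comment lines start with '#'.  Returns a lower-case set."""
    tlds = set()
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            tlds.add(normalize_tld(line))
    return tlds


def load_iana_tld_list(path: str) -> set[str]:
    """Load a saved copy of the IANA TLD list from disk."""
    with open(path, encoding="ascii") as fh:
        return parse_iana_tld_list(fh)


def find_collisions(internal_tlds, delegated_tlds) -> list[str]:
    """Return the internal TLDs that exist in the public root zone.  For these,
    any client that leaves the internal resolver (e.g. a laptop on hotel WiFi)
    will get public answers for internal names."""
    return sorted(t for t in map(normalize_tld, internal_tlds) if t in delegated_tlds)


def wpad_names_at_risk(internal_tlds, delegated_tlds) -> list[str]:
    """The WPAD hostnames that would resolve externally after a collision."""
    return [f"wpad.{t}" for t in find_collisions(internal_tlds, delegated_tlds)]


def unbound_config(internal_tlds, internal_ns: str, blocked=BLOCKED_GTLDS) -> str:
    """Render unbound.conf fragments (assumed layout, not the diary's):
    - domain-insecure for each internal TLD, so DNSSEC validation does not
      reject the stub zone (the signed root proves the TLD is absent, or is
      delegated to someone else);
    - always_nxdomain local-zones for the gTLDs to be blocked;
    - a stub-zone per internal TLD that sends every query under it to the
      internal authoritative server, whatever the root zone says."""
    lines = ["server:"]
    for t in map(normalize_tld, internal_tlds):
        lines.append(f'    domain-insecure: "{t}."')
    for t in blocked:
        lines.append(f'    local-zone: "{normalize_tld(t)}." always_nxdomain')
    for t in map(normalize_tld, internal_tlds):
        lines += ["", "stub-zone:", f'    name: "{t}."', f"    stub-addr: {internal_ns}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    internal = ["corp", ".acme"]  # constructed internal TLDs
    print("collisions:", find_collisions(internal, DELEGATED_TLDS_SNAPSHOT))
    print("WPAD names at risk:", wpad_names_at_risk(internal, DELEGATED_TLDS_SNAPSHOT))
    print(unbound_config(internal, "10.0.0.53"))
```

Run it periodically against a fresh copy of the IANA list rather than once: the point of the diary is that the root zone keeps changing under you. The domain-insecure line is the caveat most people hit when they first add a stub zone for an unassigned TLD on a validating resolver, since the root's signed denial of existence otherwise wins and the stub zone is never consulted.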

[1] https://newgtlds.icann.org/en/applicants/agb/base-agreement-contracting#stats
[2] https://www.us-cert.gov/ncas/alerts/TA16-144A

---
Johannes B. Ullrich, Ph.D.


WhatsApp Gold version, an information stealing malware targeting users
Techworm
If you are one of the billions using the hugely popular cross-platform messaging App, WhatsApp, you may have received this message – Download WhatsApp Gold Exclusive Version for you. Unfortunately, if you have fallen prey to the lure, you may have ...

OPM Breach Fallout Grows as Imperatis Bails on the Clean-Up
PR Newswire (press release)
... build their professional reputations. With an audience of more than half a million and more than 10,000 posts by security experts, Peerlyst is the preeminent platform for spreading InfoSec news, asking a question, finding an expert, or offering ...

MSA-2016-01: PowerFolder Remote Code Execution Vulnerability

[SECURITY] [DSA 3586-1] atheme-services security update

AfterLogic WebMail Pro ASP.NET < 6.2.7 Administrator Account Takeover via XXE Injection

Shuttered Instagram holes opened 20 million accounts to hijack
The Register
Security consultant Arne Swinnen says Instagram has shuttered brute force authentication holes that allowed hijacking of some 20 million accounts. The NVISO infosec man says an absent authentication control coupled with an insecure direct object ...
