A security researcher commandeered a country’s expired top-level domain to save it from hackers

In mid-October, a little-known but critically important domain name for one country’s internet space began to expire.

The domain — scpt-network.com — was one of two nameservers for the .cd country code top-level domain, assigned to the Democratic Republic of Congo. If it fell into the wrong hands, an attacker could redirect millions of unknowing internet users to rogue websites of their choosing.

Clearly, a domain of such importance wasn’t supposed to expire; someone in the Congolese government probably forgot to pay for its renewal. Luckily, expired domains don’t disappear immediately. Instead, the clock started on a grace period for its government owners to buy back the domain before it was sold to someone else.

By chance, Fredrik Almroth, a security researcher and co-founder of cybersecurity startup Detectify, was already looking at nameservers of country code top-level domains (or ccTLDs), the two-letter suffixes at the end of regional web addresses, like .fr for France or .uk for the United Kingdom. When he found this critical domain name was about to expire, Almroth began to monitor it, assuming someone in the Congolese government would pay to reclaim the domain.

But nobody ever did.

By the end of December, the clock was almost up and the domain was about to fall off the internet. Within minutes of the domain becoming available, Almroth quickly snapped it up to prevent anyone else from taking it over — because, as he told TechCrunch, “the implications are kind of huge.”

It’s rare but not unheard of for a top-level domain to expire.

In 2017, security researcher Matthew Bryant took over the nameservers of the .io top-level domain, assigned to the British Indian Ocean Territory. But malicious hackers have also shown interest in targeting top-level domains to hack into companies and governments that use the same country-based domain suffix.

Taking over a nameserver is not supposed to be an easy task because they are a vital part of how the internet works.

Every time you visit a website your device relies on a nameserver to convert a web address in your browser to the machine-readable address that tells your device where on the internet to find the site you’re looking for. Some liken nameservers to the phone directory of the internet. Sometimes your browser looks no further than its own cache for the answer, and sometimes it has to ask the nearest nameserver for the answer. But the nameservers that control top-level domains are considered authoritative and know where to look without having to ask another nameserver.

With control of an authoritative nameserver, malicious hackers could run man-in-the-middle attacks to silently intercept and redirect internet users going to legitimate sites to malicious webpages.

These kinds of attacks have been used in sophisticated espionage campaigns aimed at cloning websites to trick victims into handing over their passwords, which hackers use to get access to company networks to steal information.

Worse, with control of the nameserver it was possible to obtain valid SSL (HTTPS) certificates, allowing an attacker to intercept encrypted web traffic or any email mailbox for any .cd domain, Almroth said. To the untrained eye, a successful attacker could redirect victims to a spoofed website and they would be none the wiser.

“If you can abuse the validation schemes used to issue certificates, you can undermine the SSL of any domain under .cd as well,” Almroth said. “The capabilities of being in such a privileged position is scary.”

Almroth ended up sitting on the domain for about a week as he tried to figure out a way to hand it back. By this point the domain had been inactive for two months already and nothing had catastrophically broken. At most, websites with a .cd domain might have taken slightly longer to load.

Since the remaining nameserver was running normally, Almroth kept the domain offline so that whenever an internet user tried to access a domain that relied on the nameserver under his control, the request would automatically time out and pass to the remaining nameserver.

In the end, the Congolese government didn’t bother asking for the domain back. It spun up an entirely new but similarly named domain — scpt-network.net — to replace the one now in Almroth’s possession.

We reached out to the Congolese authorities for comment but did not hear back.

ICANN, the international non-profit organization responsible for internet address allocation, said country code top-level domains are operated by their respective countries and its role is “very limited,” a spokesperson said.

For its part, ICANN encouraged countries to follow best practices and to use DNSSEC, a cryptographically more secure technology that makes it nearly impossible to serve up spoofed websites. One network security engineer, who asked not to be named as they were not authorized to speak to the media, questioned whether DNSSEC would be effective at all against a top-level domain hijack.

At least in this case, it’s nothing a calendar reminder can’t solve.
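
The "calendar reminder" can be automated. The sketch below is an added example, not code from the article or from Detectify: it takes a zone's NS records, maps each nameserver to its parent domain, and flags any whose registration has lapsed or is about to, using the `events` and `status` fields of RDAP domain objects. The hostnames, dates and RDAP objects are constructed sample data, and taking the last two labels as the registrable domain is a simplifying assumption.

```python
from datetime import datetime, timezone

# Constructed sample input (not real registry data): a zone's NS set and
# RDAP-style domain objects for the nameservers' parent domains.
NS_RECORDS = ["ns1.example.com.", "ns2.example.net.", "ns3.example.org."]
RDAP = {
    "example.com": {"status": ["active"], "events": [
        {"eventAction": "expiration", "eventDate": "2021-12-01T00:00:00Z"}]},
    "example.net": {"status": ["redemption period"], "events": [
        {"eventAction": "expiration", "eventDate": "2020-10-15T00:00:00Z"}]},
}
# RDAP status values that mean the registration has already lapsed.
GRACE_STATES = {"redemption period", "pending delete"}

def registrable_domain(host):
    """Assumption: last two labels; a real tool would use the public suffix list."""
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def expiration(rdap_obj):
    """Return the RDAP 'expiration' event as an aware datetime, or None."""
    for ev in rdap_obj.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def audit(ns_records, rdap, now, warn_days=60):
    """Return (nameserver, parent domain, state, days left) for each NS record."""
    findings = []
    for ns in ns_records:
        dom = registrable_domain(ns)
        obj = rdap.get(dom)
        exp = expiration(obj) if obj else None
        if exp is None:
            # No registration data at all is itself worth a manual look.
            findings.append((ns, dom, "UNKNOWN", None))
            continue
        days = (exp - now).days
        if days < 0 or GRACE_STATES & set(obj.get("status", [])):
            state = "EXPIRED"
        elif days <= warn_days:
            state = "EXPIRING"
        else:
            state = "OK"
        findings.append((ns, dom, state, days))
    return findings

if __name__ == "__main__":
    for row in audit(NS_RECORDS, RDAP, datetime(2020, 12, 20, tzinfo=timezone.utc)):
        print(row)
```

In production the `RDAP` dictionary would be filled from the registry's RDAP service for each parent domain, and the audit would run on a schedule against every zone the organization depends on.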


What China’s Big Tech CEOs propose at the annual parliament meeting

The annual meetings of the Chinese parliament and its advisory body are underway in Beijing this week. Top executives from some of China’s largest tech firms are among the thousands of delegates who attend and put forward their opinions. Here is a look at what the tech bosses are proposing for China’s digital economy.

Pony Ma

More regulatory scrutiny is needed for the country’s budding internet economy, Tencent’s founder and CEO Pony Ma says in one of his proposals, according to a report from the state-backed People’s Posts and Telecommunications News. As a delegate of the National People’s Congress, Ma has submitted over 50 proposals during the parliament meetings over nine consecutive years, said the report.

Specifically, Ma calls for strict governance on peer-to-peer finance, bike-sharing, long-term apartment rental and online grocery group-buying, fledgling areas that have also seen businesses go bust amid cash-hemorrhaging competition.

Ma’s comment comes at a time when regulators are tightening their grips on the country’s tech giants. In recent months, the government has launched probes into Alibaba and other tech firms over anti-competitive practices and proposed a sweeping data law that will limit how platforms collect user information.

Lei Jun

In China’s grand plan to move up the manufacturing value chain, Xiaomi, which makes smartphones and a slew of other hardware devices, has been keen to help factories upgrade.

Xiaomi CEO Lei Jun, a delegate of the NPC, recognizes China is late to smart manufacturing, lacks home-grown innovation and is overreliant on foreign technologies, he says in his proposal. Research and development efforts should be directed to key components such as cutting-edge sensors and precision reducers for factory robots, he says.

China also lacks the talent for advancing factory innovation, Lei points out, thus government policies should support corporations in attracting foreign talent and cultivating collaboration between industries and academia.

Robin Li

As part of its artificial intelligence pivot, Baidu, China’s biggest search engine service, has invested heavily in smart driving tech. Regulation is a major hurdle for autonomous driving firms like Baidu that need large volumes of data to train algorithms, and the rate at which testing permits are issued varies greatly across regions.

Robin Li, CEO of Baidu and a member of the Chinese People’s Political Consultative Conference, urges regulators to be more innovative and pave the way for legal and at-scale commercialization of autonomous driving. A mechanism should be created for various government agencies, industry players and academia to collectively promote the commercial deployment of autonomous driving.

In addition, Li calls for more senior-friendly technologies, greater public access to government data, and better online protection for underage users in China.

Indonesian logistics startup SiCepat raises $170 million Series B

SiCepat, an end-to-end logistics startup in Indonesia, announced today it has raised a $170 million Series B funding round. Founded in 2014 to provide last-mile deliveries for small merchants, the company has since expanded to serve large e-commerce platforms, too. Its services now also cover warehousing and fulfillment, middle-mile logistics and online distribution.

Investors in SiCepat’s Series B include Falcon House Partners; Kejora Capital; DEG (the German Development Finance Institution); Telkom Indonesia’s investment arm MDI Ventures; Indies Capital; Temasek Holdings subsidiary Pavilion Capital; Tri Hill; and Daiwa Securities. The company’s last funding announcement was a $50 million Series A in April 2019.

In a press statement, The Kim Hai, founder and chief executive officer of SiCepat’s parent company Onstar Express, said the funding will be used to “further fortify SiCepat’s position as the leading end-to-end logistics service provider in the Indonesian market and potentially to explore expansion to other markets in Southeast Asia.” SiCepat claims to be profitable already and that it was able to fulfill more than 1.4 million packages per day in 2020.

The logistics industry in Indonesia is highly fragmented, which means higher costs for businesses. At the same time, demand for deliveries is increasing thanks to the growth of e-commerce, especially during the COVID-19 pandemic.

SiCepat is one of several Indonesian startups that have raised funding recently to make the supply chain and logistics infrastructure more efficient. For example, earlier this week, supply chain SaaS provider Advotics announced a $2.75 million round. Other notable startups in the space include Kargo, founded by a former Uber Asia executive, and Waresix.

SiCepat focuses in particular on e-commerce and social commerce, or people who sell goods through their social media networks. In a statement, Kejora Capital managing partner Sebastian Togelang said the Indonesian e-commerce market is expected to grow at a five-year compounded annual growth rate of 21%, reaching $82 billion by 2025.

“We believe SiCepat is ideally positioned to serve customers from e-commerce giants to uprising social commerce players which contribute an estimated 25% to the total digital commerce economy,” he added.

InsurGrid raises pre-seed financing to help modernize legacy insurance agents

Insurance agents spend hours handling paperwork and grabbing client information over the phone. A new seed-stage startup, InsurGrid, has developed a software solution to help ease the process, and make it easier for agents to serve existing clients — and secure new ones.

InsurGrid gives agents a personalized platform to collect information from clients, such as date of birth, driver’s license information and policy declaration. This platform helps agents avoid sitting on long calls or managing back-to-back emails, and instead gives them one spot to understand how all their different clients function. It is starting with property and casualty management.

The startup integrates with 85 insurance carriers, serving as the software layer instead of the provider. Using the InsurGrid platform, insurers can ask clients to upload information and within seconds be registered as a policyholder. This essentially turns into a living Rolodex that insurers can use to access information on the account, and offer quotes at a faster rate.

There’s a monetary benefit in providing better service. Eden Insurance, a customer of InsurGrid, said that people who submit information through the platform converted at an 82% higher rate than those who don’t. Jeremy Eden, the agency owner of Eden Insurance, said they were able to show consumers that its plan was $300 cheaper than its existing rate.

At the heart of InsurGrid is a bet from the founding team that legacy insurance agents aren’t going anywhere. Co-founder/CEO Chase Beach pointed out that the majority of the $684 billion of annual property and casualty insurance premiums in the United States is distributed by approximately 800,000 agents working in 16,000 brokerages. So far, InsurGrid works with more than 150 of those agencies.

When asked if InsurGrid ever had plans to offer its own insurance, similar to insurtech giants Hippo, Lemonade and Root, Beach said that it is solely working on innovating around the sales process for now. He said that these big companies, which have either recently gone public or are planning to, still rely on agents to be successful.

“Instead of us replacing the insurance agent, what if we gave them that same level of technology of a Hippo or large carrier,” Beach said. “And provide them with the digital experiences so they can compete in 2021.”

As time goes on, he sees insurance agents taking the same role that financial advisors or real estate agents take: “very much involved in the process because they are that expert.”

Other startups that have popped up in this space include Gabi, Trellis and Canopy Connect. The differentiator, the team sees, is that Beach comes from a 144-year-old insurance legacy, giving him key insights on how to sell to agents in a successful and effective way. It is starting with sales, but expect InsurGrid to expand to other parts of the insurance process as well.

To help them compete with new and old startups, InsurGrid recently raised $1.3 million in pre-seed financing to help it fulfill its goal to be the “underdog for the underdogs,” Beach said. Investors include Engineering Capital, Hustle Fund, Vess Capital, Sahil Lavingia and Trevor Kienzle.
