.zip and .mov TLDs
-
@julian what if someone has a zipper company? https://zipper.zip/ looks good... no?
-
@crazycells It's a massive security risk along with .mov
We've actually straight up blocked .zip and .mov TLDs where I work. And I know a lot of other companies have/are doing the same because of the risks it poses.
-
@tankerkiller125 #metoo
-
@tankerkiller125 Thank you for sharing this info, I found out about .zip .mov domains just now.
-
@tankerkiller125 said in Who is using NodeBB?:
@crazycells It's a massive security risk along with .mov
We've actually straight up blocked .zip and .mov TLDs where I work. And I know a lot of other companies have/are doing the same because of the risks it poses.
Risk? How does it pose a risk? It's a URL, how does it pose any different risk than any other three letter extension? I have a feeling you are citing a risk of Windows, or a perceived risk of people who use Windows. If the use of three letter extensions to denote file types is a risk, blocking the use of Windows would be the thing to do. Not blocking random Internet domains because they overlap with a third party naming convention on Windows.
If that's not it, I can't even guess what risk three letters have when it is z i and p rather than o r and g or c o and m.
-
@scottalanmiller I am paraphrasing, but iirc the concern is that it short-circuits common wisdom to "check the url before clicking". For example, I could craft an anchor to this attachment which on cursory glance looks to be a file, but is in fact a website.
A lot of it relies on people being dumb. Most competent tech people can see that URL and know it's a domain, not an attachment... however "people" are often the weakest link, security-wise.
Edit: Originally, the URL I chose was malicious.zip, but when I tested it, it downloaded a zip file to my computer; suffice to say I deleted it immediately.
-
@brazzerstop said in Who is using NodeBB?:
@tankerkiller125 Thank you for sharing this info, I found out about .zip .mov domains just now.
There is a domain for essentially everything at this point.
-
@scottalanmiller I'll just leave this here.
https://blog.talosintelligence.com/zip-tld-information-leak
Plus, the fact that they are used to register legitimate domain names for nefarious purposes as likely few have actually thought of registering it themselves.
In the Information Security arena I am in, the frequency of these domains being used in attacks is increasing daily.
-
@julian said in Who is using NodeBB?:
@scottalanmiller I am paraphrasing, but iirc the concern is that it short-circuits common wisdom to "check the url before clicking". For example, I could craft an anchor to this attachment which on cursory glance looks to be a file, but is in fact a website.
A lot of it relies on people being dumb. Most competent tech people can see that URL and know it's a domain, not an attachment... however "people" are often the weakest link, security-wise.
Edit: Originally, the URL I chose was malicious.zip, but when I tested it, it downloaded a zip file to my computer; suffice to say I deleted it immediately.
But that's what I was saying... the risk isn't the URL; using an operating system that uses three-letter name extensions to denote behavior is inherently risky, and if people were ACTUALLY concerned with security at all, they would react rationally instead of emotionally, and would have long ago moved away from Windows and actually fixed this risk. Avoiding legit domains because their users are too dumb and their security allowed Windows through seems more like an admission of failure and a tacit disregard for actual security. As we say in IT, "politics over profits"... looking to clueless managers like we are doing something, rather than actually doing what we are supposed to do.
In most settings, users shouldn't be working with files at all in modern workflows. But that's another level beyond just moving to more secure operating system platforms and processes.
-
@julian said in Who is using NodeBB?:
@phenomlab Perhaps one can drive home the point by registering quarterlyreports.zip and having it serve a zip bomb
But you could do that with a .com and make the opposite point, too. The only real answers are... good users, good secure processes/procedures/platforms. Band-aids are the most dangerous things because they make people feel that they can act recklessly and blame IT, when in reality nothing was done to protect them.
-
@phenomlab said in Who is using NodeBB?:
@scottalanmiller I'll just leave this here.
https://blog.talosintelligence.com/zip-tld-information-leak
Plus, the fact that they are used to register legitimate domain names for nefarious purposes as likely few have actually thought of registering it themselves.
In the Information Security arena I am in, the frequency of these domains being used in attacks is increasing daily.
So this article is a perfect example of what I mean. Let me quote some:
"How URLs based on filenames can leak information
Talos assesses that domains employing “.zip” and similar TLDs increase the likelihood of sensitive information disclosures through unintended DNS queries or web requests. With the availability of the new “.zip” TLDs, messaging applications like Telegram or internet browsers began reading strings ending in “.zip” as URLs and automatically hyperlinking them. This is especially problematic in chat applications, which sometimes trigger a DNS or web request to show a thumbnail of the linked page. For example, the following chat application changed what was meant to be the name of a file “update[.]exe[.]zip” to a hyperlink pointing to the URL “https[://]update.exe[.]zip”:"
So instead of highlighting the ACTUAL security issue of automatically choosing any string as a URL and hyperlinking it and fetching it and sending DNS to public space (wow, that's a lot of mistakes to make this happen) and blaming the use of insecure products, they point to the benign .zip URL. Because they are trying to cover up the actual security holes.
This is the same Cisco who ten years ago told me I needed a terabyte fiber link to my desktop or YouTube wouldn't work. I'd never put Cisco and security together in a sentence. That's a company whose claim to fame is selling smoke and mirrors to upper management and bypassing IT decision making. Their articles aren't for IT people, they are just selling FUD to management so that they can sell their useless products.
-
If I'm leaking all that data, I'm leaking that data regardless of the .zip domain. What Cisco is proposing is hiding the security risk rather than addressing it. If someone on my security team said this to me, I'd be pretty upset. If I said this when working on Wall St. I'd expect to probably be in big trouble if not lose my position. This isn't a little mistake but a fundamental misunderstanding of security (and IT basics.) Whoever wrote this article isn't even a casual, junior security person. Nor a casual IT one. If this person was hired to work in security and claimed to have security experience, I'd be worried about professional negligence lawsuits if something bad happened.
This is like finding out that your team is taking private company data and putting it outside on the lawn for anyone to grab. And instead of telling them to not do that anymore, asking them to write "Private, don't look" on the envelope.
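Added example for this thread (not code from any poster, NodeBB, Talos or Cisco). It puts julian's "looks like an attachment, is actually a website" anchor and the Talos auto-linkification leak side by side: a naive linkifier that turns the bare filename update.exe.zip into a link, the stricter linkifier that leaves it alone, the TLD check a site that blocks .zip/.mov would run on outbound targets, and a check for anchor text that reads as a file while the href points at a host. The TLD table and every input string are constructed for illustration and are not from the page.

```python
"""Added example for this thread (not code from any poster, NodeBB, Talos or
Cisco). Shows why a bare "update.exe.zip" becomes a link, the stricter
linkifier that avoids it, and the TLD check a site that blocks .zip/.mov
would apply. The TLD table and every input are constructed for illustration."""
import re
from urllib.parse import urlsplit

# Constructed, deliberately tiny TLD table. Real linkifiers use the full IANA
# list, which is how ".zip" and ".mov" became link-worthy overnight.
KNOWN_TLDS = {"com", "org", "net", "io", "zip", "mov"}

# TLDs that double as file extensions: the ones the thread says some sites block.
FILE_LIKE_TLDS = {"zip", "mov"}

# A bare dotted token (update.exe.zip, example.com) not already inside a URL.
# Group 1 is the last label, i.e. the would-be TLD.
BARE_HOST_RE = re.compile(r"(?<![\w@/.-])(?:[A-Za-z0-9-]+\.)+([A-Za-z]{2,})(?!\.?[\w-])")

# An explicit http(s) URL, which is the only thing the strict linkifier touches.
SCHEME_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def naive_linkify(text):
    """The behaviour Talos describes: any dotted token whose last label is a
    registered TLD is turned into a hyperlink. A filename like update.exe.zip
    becomes https://update.exe.zip, and a client that fetches link previews
    will then emit a DNS query and an HTTP request for the filename."""
    def repl(m):
        token, tld = m.group(0), m.group(1).lower()
        if tld in KNOWN_TLDS:
            return f'<a href="https://{token}">{token}</a>'
        return token
    return BARE_HOST_RE.sub(repl, text)


def strict_linkify(text):
    """Only linkify what the author wrote as a URL. Bare update.exe.zip stays
    plain text, so nothing is resolved or fetched on the reader's behalf."""
    return SCHEME_URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def tld_of(target):
    """Last DNS label of a URL or bare hostname, lowercased by urlsplit."""
    host = urlsplit(target if "://" in target else "//" + target).hostname or ""
    return host.rsplit(".", 1)[-1]


def flag_file_like_hosts(targets):
    """Egress-policy view: which of these URLs/hosts land on a .zip/.mov domain
    and would be dropped by a proxy or resolver that blocks those TLDs."""
    return [t for t in targets if tld_of(t) in FILE_LIKE_TLDS]


def looks_like_attachment_but_is_site(text, href):
    """julian's anchor trick: visible text reads as an attachment
    (quarterlyreports.zip) while the href points at a host, with no such file
    in the URL path. True means the link text is misleading."""
    ext = text.strip().rsplit(".", 1)[-1].lower()
    parts = urlsplit(href)
    if ext not in FILE_LIKE_TLDS or parts.scheme not in ("http", "https"):
        return False
    last_segment = parts.path.rsplit("/", 1)[-1]
    path_ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    return path_ext != ext


if __name__ == "__main__":
    chat = "the file is update.exe.zip, see also report.exe"   # constructed message
    print(naive_linkify(chat))    # update.exe.zip becomes a link, report.exe does not
    print(strict_linkify(chat))   # unchanged: no explicit scheme anywhere
    print(flag_file_like_hosts(["https://update.exe.zip",
                                "https://example.com/report.zip",
                                "cdn.example.mov"]))
    print(looks_like_attachment_but_is_site("quarterlyreports.zip",
                                            "https://quarterlyreports.zip/"))
```

The point of the two linkifiers is the one scottalanmiller and the Talos quote disagree about: the DNS and HTTP leak happens in `naive_linkify` plus a preview fetch, regardless of which TLD is involved, while `flag_file_like_hosts` is the blunt TLD block tankerkiller125 describes. Note that `https://example.com/report.zip` is not flagged by the TLD check, because the .zip there is a path, not the domain.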
-
@julian said in Who is using NodeBB?:
@phenomlab Perhaps one can drive home the point by registering quarterlyreports.zip and having it serve a zip bomb
There was 42.zip that hosted the obvious (the 42.zip fork bomb), but Google suspended it for phishing so now it just redirects to a tweet about the suspension.
Tbh. the most absurd part of .mov/.zip is that Google dropped them and then, just a month later, let Squarespace announce that they're killing (selling) Google Domains (they now at least have a support article I guess, but the lack of communication from their side was rather absurd here too). So now it'll not even be their problem (when it comes to policy enforcement) soon.
-
@phenomlab said in Who is using NodeBB?:
@julian I have a load of domains hosted there. They are very cheap as a registrar and they have arguably the fastest DNS on the planet.
Fast like CloudFlare?