Today's story is mostly about how not to do security response.
-
"The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals."
-
ah, the "shoot the messenger" school of vulnerability remediation. classic...
-
@briankrebs huh. I've worked with Philippe in the past as a client. Weird (but cool) seeing someone I know featured in a story!
-
@briankrebs “Hey guys I spent $300 and a decent chunk of time fixing a massive potential issue for your business.”
“lol no u didn’t nerd. You’re just being mean”
-
@briankrebs
Platform Behavior Standards Team -
@briankrebs Is this message from BugCrowd? If so, seems like they're pretty disconnected from actual Security Researchers.
-
Buying domain: $300
Preventing criminals from hijacking your DNS: $4,418,102
Watching a company blame you for saving their bacon: Priceless
There are some things credit can't buy.
Accountability is one of them. – Mastercard
-
NewsGoth Condensed (if you know you know) replied to BrianKrebs
@briankrebs Looks like someone got embarrassed and decided to make it worse. Cybersecurity education needs to start teaching about the Streisand Syndrome.
-
@briankrebs
Oh my, but not really surprising.
When developing a system they don't start with security issues, but with profit.
Security eventually gets dropped, when the customers decide they want just this one feature in a last minute demand.
But we all play along and pay for the shit. -
"Had he enabled an email server on his new domain akam.ne, Caturegli likely would have received wayward emails directed toward mastercard.com or other affected domains."
Why would enabling a mail server on an NS let you get email intended for dependent domains!
-
BrianKrebs replied to Gharbeia
@gharbeia depending on how those systems are set up for internal domains, those systems may seek out the typo'd domain if they can't readily reach the other name servers when they are on the public internet.
I linked to a story I wrote a while back about this, which involves a slightly different domain issue, but could become an issue here.
edit: just realized you were asking about emails. Email is weird, and a rogue, trusted DNS server probably is going to get found by a lot of email clients and services looking for somewhere to deliver undeliverable mail. So at minimum, the typo domain will probably get some bounced emails.
-
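The exchange above turns on one detail: a zone's NS set contained a nameserver hostname whose parent domain (akam.ne instead of akam.net) was unregistered, so whoever registered it would be handed a share of the resolver traffic for that zone, MX lookups included. The check a defender wants is a delegation audit that compares every nameserver hostname against the nameserver domains the organization actually uses and surfaces near-misses. The script below is an added example, not code from the story, Krebs, or Mastercard; the NS records, zone names and the EXPECTED_NS_DOMAINS allow-list are constructed, and `registrable_domain` uses a last-two-labels heuristic (a real audit should use the public suffix list).

```python
import difflib

# Constructed sample: NS record sets for two zones, as a resolver would return
# them. The "akam.ne." entry is the kind of one-character typo the story
# describes: a trusted nameserver domain becomes an unregistered one.
SAMPLE_NS_RECORDS = {
    "example-bank.test": [
        "a22-67.akam.net.",
        "a1-12.akam.net.",
        "a22-67.akam.ne.",        # typo'd nameserver domain (constructed)
        "ns1.example-bank.test.",
    ],
    "example-corp.test": [
        "ns-101.awsdns-12.com.",
        "ns-102.awsdns-12.org.",
    ],
}

# Assumed allow-list: the nameserver domains the operator knowingly uses.
EXPECTED_NS_DOMAINS = {"akam.net", "example-bank.test", "awsdns-12.com", "awsdns-12.org"}


def registrable_domain(hostname: str) -> str:
    """Return the last two labels of an FQDN (simplified heuristic; use the
    public suffix list in production so ns1.foo.co.uk maps to foo.co.uk)."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    return ".".join(labels[-2:])


def audit_ns_records(ns_records, expected_domains):
    """Flag nameservers whose registrable domain is not on the allow-list.

    Returns a list of tuples:
      (zone, nameserver, ns_domain, closest_expected_or_None, traffic_share)
    traffic_share is 1/len(NS set): resolvers spread queries across the set,
    so that is roughly the fraction of lookups a rogue entry would attract.
    """
    findings = []
    for zone, servers in ns_records.items():
        share = round(1 / len(servers), 4)
        for ns in servers:
            dom = registrable_domain(ns)
            if dom in expected_domains:
                continue
            # A close match to an allow-listed domain is the typo signature.
            close = difflib.get_close_matches(dom, sorted(expected_domains), n=1, cutoff=0.8)
            findings.append((zone, ns, dom, close[0] if close else None, share))
    return findings


if __name__ == "__main__":
    for zone, ns, dom, close, share in audit_ns_records(SAMPLE_NS_RECORDS, EXPECTED_NS_DOMAINS):
        hint = f" (likely typo of {close})" if close else ""
        print(f"{zone}: NS {ns} uses unexpected domain {dom}{hint}; ~{share:.0%} of queries")
```

Run against live data by replacing SAMPLE_NS_RECORDS with the NS sets your resolver returns for each zone you own; a finding with a near-match is the case to verify first, and the domain named in it should be checked for registration before anyone else does.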