Administrators’ mistakes are the main reason for vulnerabilities

16.01.2019

Netoscope has published on its website (https://netoscope.ru/ru/research/) the results of research projects carried out in 2018 as part of its scientific and technical cooperation. Last year there were two projects, dedicated to a wide range of problems related to traffic interception and domain name spoofing.

The authors of the first study, An Analysis of Ways to Spoof DNS Zones by Intercepting Authoritative NS Names, analyzed ways to take over address management of second-level domains in the .RU and .РФ ccTLDs, as well as .SU, by exploiting mistakes in delegation. They note that very few second-level domain names in the Russian domains are open to such interception: only one percent in each domain. The main cause of these vulnerabilities is administrators setting incorrect DNS parameters. The authors believe that the best way to prevent such threats is to make administrators aware of how important it is to keep their DNS settings correct and up to date.

The second study, An Analysis of Ways to Intercept Email Traffic by Spoofing MX Servers, covers ways to intercept email traffic by registering the incorrect names that appear in MX records of domains in TLDs such as .RU, .РФ, .SU, .MOSCOW, .TATAR, .ДЕТИ, and .МОСКВА. The researchers found 232 second-level domains that can be intercepted this way. This is a small number: less than 0.01 percent of all domain names with email in the TLDs studied. In addition, these vulnerable domain names are spread across many different MX records, with approximately 1 domain per MX on average, which makes an attack on several domains at once even harder. The research therefore shows that the threat of email interception by registering incorrect MX server names is low.
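Both studies come down to the same delegation mistake: an NS or MX record pointing at a hostname whose parent domain no longer exists and could be registered by someone else. The check below, added here as an example and not code from Netoscope or the Coordination Center, classifies each NS or MX target of a zone as ok, broken (host missing but parent registered) or dangling (parent itself absent from DNS). The DNS answers come from a constructed table so it runs offline; the hostnames and the second-level-registration rule are assumptions, and a real audit would plug in a live resolver.

```python
from typing import Callable, Dict, List, Optional, Tuple
# Constructed stand-in for DNS: name -> A records, or None for NXDOMAIN.
# Added example: a real audit would query a resolver (e.g. via dnspython).
SAMPLE_DNS: Dict[str, Optional[List[str]]] = {
    "good-hoster.ru.": ["192.0.2.1"],
    "ns1.good-hoster.ru.": ["192.0.2.10"],
    "example-mail.ru.": ["192.0.2.2"],
    "mx1.example-mail.ru.": ["192.0.2.25"],
    "mx2.example-mail.ru.": None,  # host gone, parent still registered
    "old-hoster.ru.": None,        # parent itself unregistered (NXDOMAIN)
    "ns2.old-hoster.ru.": None,
}

Resolver = Callable[[str], Optional[List[str]]]

def sample_resolver(name: str) -> Optional[List[str]]:
    """Return A records for a name; None means the name does not exist."""
    return SAMPLE_DNS.get(name.lower())

def registrable_parent(fqdn: str) -> str:
    """Assumes second-level registration, as for most names in .ru/.рф/.su;
    public-suffix exceptions such as com.ru are not handled here."""
    labels = fqdn.rstrip(".").split(".")
    return ".".join(labels[-2:]) + "."

def classify_target(target: str, resolve: Resolver) -> str:
    """'ok': target resolves. 'broken': host missing but its registrable parent
    exists. 'dangling': the parent is NXDOMAIN, so a third party could register
    it and answer for the NS/MX name (the delegation mistake in the studies)."""
    if resolve(target):
        return "ok"
    if resolve(registrable_parent(target)) is None:
        return "dangling"
    return "broken"

def audit_delegation(records: List[Tuple[str, str]],
                     resolve: Resolver = sample_resolver) -> List[Tuple[str, str, str]]:
    """records: (rrtype, target) pairs taken from the zone's NS and MX RRsets.
    Returns only problematic targets as (rrtype, target, status), worst first."""
    rank = {"dangling": 0, "broken": 1}
    findings = [(rt, tgt, classify_target(tgt, resolve)) for rt, tgt in records]
    return sorted((f for f in findings if f[2] != "ok"), key=lambda f: rank[f[2]])

if __name__ == "__main__":
    ZONE = [("NS", "ns1.good-hoster.ru."), ("NS", "ns2.old-hoster.ru."),
            ("MX", "mx1.example-mail.ru."), ("MX", "mx2.example-mail.ru.")]
    for rtype, tgt, status in audit_delegation(ZONE):
        print(f"{status:8} {rtype:2} {tgt}")
```

Run against a real zone by replacing sample_resolver with a function that returns the A records from a live lookup, or None on NXDOMAIN; only the dangling findings indicate the takeover risk the studies describe.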

“The 2018 research showed that the efforts taken by the Coordination Center for TLD .RU/.РФ and the Technical Center for Internet to ensure the secure functioning of the Russian ccTLDs are quite effective and improve the general level of security in the Russian domain space. We will continue our research in this area to keep on top of it and share interesting and useful information with Russian internet users,” said Andrei Vorobyov, director of the Coordination Center for TLD .RU/.РФ.

The Coordination Center for TLD .RU/.РФ created a research platform to collect information about malicious websites in Russia’s ccTLDs in 2012. A year later, the Netoscope information and analytical resource was founded. It publishes the latest data on cyberthreats and ways to counter malware. As of today, 14 companies and organizations participate in the Netoscope project: the MasterCard Members' Association, BIZon, Group-IB, iThreat Cyber Group Inc., Kaspersky Lab, Mail.ru, the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor), Rostelecom, RU-CERT, SURFnet, SkyDNS, the Technical Center of Internet, FIFA, and Yandex.