Many businesses forget to maintain subdomains, with disastrous consequences

Failing to properly maintain subdomains can leave organizations at risk as they often contain overlooked vulnerabilities according to a new report from security researchers at the Vienna University of Technology and the Ca’ Foscari University of Venice.

While cybercriminals often try to hijack organizations' subdomains, the researchers' “Can I take your subdomain?” report, which will be presented at the USENIX Security Symposium in August, highlights how even large businesses with well-funded IT teams can fall victim to an attack by abandoning or ignoring unused subdomains.

As reported by The Register, once a subdomain has been neglected by an organization, it can become vulnerable to cookie-based attacks. In such an attack, a cybercriminal will set up their own site hosted on a different server which they will use to replace a company's subdomain.

As websites usually consider their subdomains to be “safe”, cookies from the main website can be overwritten and accessed by the subdomain. This allows an attacker to impersonate other users on a company's corporate network to launch additional attacks or steal sensitive data.
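The cookie-scoping behaviour described above, as an added example that is not part of the original article or of the researchers' paper: a small Python model of a browser cookie jar (host names are constructed) in which a cookie set from a neglected subdomain with `Domain=example.com` overwrites the main site's cookie of the same name, while a cookie carrying the `__Host-` prefix cannot be set that way.

```python
"""Model of browser cookie scoping across subdomains (added example, not the
article's or the paper's code). It shows a cookie set by a subdomain with
Domain=example.com overwriting the parent site's cookie of the same name, and
the __Host- prefix refusing such cookies. All host names are constructed."""
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # scope, without leading dot
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    secure: bool
    path: str

def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host equals domain or ends with '.' + domain."""
    return host == domain or host.endswith("." + domain)

def parse_set_cookie(header: str, setting_host: str):
    """Parse Set-Cookie as a browser receiving it from setting_host; None = rejected."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
    domain = attrs.get("domain", "").lstrip(".").lower()
    secure, path = "secure" in attrs, attrs.get("path", "/")
    if domain and not domain_matches(setting_host, domain):
        return None  # a site may only scope cookies to itself or a parent domain
    host_only = not domain
    if name.startswith("__Host-") and not (secure and path == "/" and host_only):
        return None  # __Host- cookies must be Secure, Path=/ and carry no Domain
    return Cookie(name, value, domain or setting_host, host_only, secure, path)

class CookieJar:
    def __init__(self):
        self.store = {}  # (name, domain, path) -> Cookie; the same key overwrites

    def set(self, header: str, setting_host: str) -> bool:
        c = parse_set_cookie(header, setting_host)
        if c is not None:
            self.store[(c.name, c.domain, c.path)] = c
        return c is not None

    def cookie_header(self, host: str) -> str:
        """Cookie header an HTTPS request to host would carry."""
        sent = [c for c in self.store.values()
                if (host == c.domain if c.host_only else domain_matches(host, c.domain))]
        return "; ".join(f"{c.name}={c.value}" for c in sent)
```

Running the jar with a `session` cookie set by `www.example.com` and then by a subdomain shows the overwrite; the same attempt against `__Host-session` is rejected, which is why `__Host-` cookies limit what a taken-over subdomain can do.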

Vulnerable subdomains

In addition to looking into cookie-based attacks, the researchers also investigated other methods used by cybercriminals to take over subdomains, including dangling records, cross-origin resource sharing, postMessage JavaScript attacks and domain relaxation exploits that make it possible for scripts to run across related domains.

To show just how disastrous not properly maintaining one's subdomains can be, they also scanned 50,000 of the world's top websites from the Tranco list to discover 1,520 vulnerable subdomains across 887 sites. Cisco, CNN, Harvard and the US National Institutes of Health were just several of the organizations whose subdomains were susceptible to potential attacks.

After the researchers informed IT admins of their findings, only 31 percent of the vulnerable subdomains had been secured six months later. Another reason to maintain subdomains properly is that organizations with more of them have a much larger attack surface.

In order to avoid falling victim to any potential attacks, organizations should decommission unused subdomains and keep their certificates up to date.

Via The Register

Date

01 Jul 2021
