DNS Weekly update 27/04/24
Another week, another meme, another breakdown, and there's a lot here; it takes me literally ten minutes to counterpoint an entire week of misinformation.
This one is going up a day early because I have actual IRL stuff going on, starting with the freezer dying sometime during the week and me only finding out last night when I realised my sock was wet in the kitchen (I assumed it was run-off from the tumble dryer... spoiler, it wasn't). We had to throw away so much good food, and my lad's ice creams, and I'm actually at work tomorrow... it's been a hot second since I worked a Sunday, so this will be fun.
Anyway we're starting with:
Does he support or hate PDNS?
PDNS (Protective DNS) is a great idea, and a quick breakdown of it from the NCSC is here;
But...
I can't tell if Andy is for or against on this one, because he's saying;
So it's a good thing (agreed by cybersecurity professionals, BTW) BUT he doesn't like it because it doesn't provide controls management? Or something?
I don't know, but he can't help likening it to something, a 'soft target', so let's drop in the Post Office scandal: people know that one, so they'll be mad at it...
If you take something stupid and make a point of saying it's 'affecting the children' or similar (a soft target), people will let that emotion coerce them into believing the stupid thing.
It's called an amygdala hijack.
I can't wait to see what post Andy makes next week that mentions this.
To be clear, the PDNS thing is a good idea, and Andy thinks that too, so maybe we just call that one a win overall and go from there?
It's SSL certs again, isn't it?
Ok so this post;
'Exposed' here means 'internet accessible' to normal people; this login portal, for example.
The issue is that it shows as 'Not secure', so obviously the response is HOLY SH*T IT'S INSECURE OH NO THEY FOUND ME I MADE THEM A FAKE NUCLEAR BOMB FROM USED PINBALL MACHINE PARTS, RUN MARTY RUN IT'S THE LIBYANS, RUN FOR IT MARTY!
Sorry had a Back to the Future flashback there.
As you can see, Andy's browser says it's not secure, meaning... it's hacked, obviously.
Well, actually, no.
It's Andy's first love, a missing SSL cert. Long before that fiery hot redhead with the DNS came along, Andy was all about missing SSL certs.
You see, this site has multiple domains that point to the same location:
And this one:
Seems Andy still forgets that you can have different login pages (some behind an SSL/TLS cert and some not) and there are reasons for this: something may not be able to communicate using secure sockets (the SS in SSL), some old OT kit for example, that should never, ever touch the internet in the first place. What the browser's 'Not secure' badge actually tells you is that this hostname is served over plain HTTP (or with a cert the browser can't validate); that is a transport finding on one hostname, not evidence that anything has been compromised. A login page over plain HTTP is still worth reporting, since credentials would cross the wire in the clear, but it's a finding, not a breach.
Who knows, I am not an expert in OT cybersecurity or how the Highways Agency does things, but the responsible thing to do would be to reach out to them and make them aware of it.
This would be done via the proper channels, not by hunting for employees or ex-employees on LinkedIn and sending them a DM. Also, don't expect a response, and don't post about it in six months' time pointing out to everyone that they didn't get back to you.
Speaking and DNS:
Seems Andy gets into more conferences than people sneaking into football grounds;
It's a chunk of words, but basically Andy was invited to chair a conference, other C-levels were in attendance/speaking, when asked about DNS only 10% of the audience raised their hands, the rest didn't know, and because of that 90% of the industry is hacked.
Not a surprise really, as I wouldn't expect certain C-level execs to know the ins and outs of a particular aspect of something; that's why they have teams of people they pay to understand and action things for them... IT IS NOT THAT THEY ARE OPEN TO DNS TAMPERING, ABUSE AND ATTACKS!
Andy's pattern of making a statement about something and then tying DNS to it really stands out when he builds up a post about conference speaking, mentions Paul by name again and then his favourite bedtime story, read every night, M-19-01, and just poops out a summary of 'there you have it, DNS is used extensively for attacks and DNS servers are exposed and insecure'... because these official sources said so.
It's the equivalent of writing some code, having it work on your machine first time, standing up with your arms in the air triumphant and expecting praise from everyone else in the room.
It just isn't the case, dude. Again you are jumping to conclusions (90% don't know) and trying to dumb things down so you can cast a wider net in an attempt to capture more wallets from unknowing and unsuspecting victims.
Honestly, I wouldn't take Andy's training on anything, even being a salesman; you would have more success watching a few episodes of 'Only Fools and Horses'... that's not to insult the show BTW, the show is hilarious and still an amazing example of Sir David Jason's work.
*sigh* GuptiMiner Malware;
Ohh ok, so Andy has made a post about GuptiMiner, and because DNS is mentioned obviously he has to jump on it, but let's actually break that down… what Andy says:
So because it uses 'sophisticated DNS' and Andy is under the impression that 'Security Professionals DO NOT have a great understanding of the critical area of DNS', he is the only one who can actually speak with any 'authority' on it.
Actually, dude, YOU don't have authority, because it isn't using DNS in the way YOU think it is, and a professional who would be an authority would learn to 'git gud' at that first.
Besides, what was the last malware you ran into and played with? I used WannaCry in a recent malware course, made some beacons for Cobalt Strike and some other C2 frameworks, hell, I even started some work on injecting Chrome plugins so unsuspecting victims would start appearing in my C2 server.... You should remember beacons and stuff though, Andy, as you never did explain how one made it onto a machine via DNS only.... Do you ever get your hands dirty and play in the sand and dirt like everyone else does, Andy?
GuptiMiner was actually spread via a weakness in the update mechanism of the Indian antivirus product eScan (the updater pulled packages over plain HTTP, so a man in the middle could swap them), which has been resolved now, actually last year;
So it wasn't using DNS to spread itself in the first place. You could argue that DNS was used to misdirect requests to an attacker-owned DNS server (which it was), with the man in the middle doing the rest, so that's the argument and the only leg to stand on, and it's not 'sophisticated' in that sense of the word; it's actually expected for the most part...
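The point above, that the malware's DNS traffic goes to a server the attacker owns rather than to the resolver the organisation runs, is also the thing a defender can actually look for. Here is an added example of that check (my own illustration, not code from the original post and not from Avast's write-up): a pass over DNS-flow logs that flags any host sending port-53 traffic somewhere other than the sanctioned resolvers. The log format, the resolver addresses and every hostname and IP in it are constructed for the example.

```python
# Added example: flag DNS flows that bypass the organisation's sanctioned resolvers.
# Log format, resolver addresses, hostnames and IPs are all constructed (assumptions).
import ipaddress
from collections import defaultdict

# Assumption: these are the corporate resolvers every endpoint should be using.
SANCTIONED_RESOLVERS = {"10.1.0.53", "10.1.0.54"}

# Constructed sample log lines (key=value, one DNS flow per line).
SAMPLE_LOG = """\
ts=2024-04-20T10:01:02Z src=10.1.2.3 dst=10.1.0.53 dport=53 proto=udp qname=update.example.test qtype=A
ts=2024-04-20T10:01:05Z src=10.1.2.3 dst=10.1.0.53 dport=53 proto=udp qname=www.example.test qtype=AAAA
ts=2024-04-20T10:02:11Z src=10.1.2.9 dst=198.51.100.7 dport=53 proto=udp qname=cfg.attacker-c2.test qtype=TXT
ts=2024-04-20T10:02:12Z src=10.1.2.9 dst=198.51.100.7 dport=53 proto=udp qname=stage2.attacker-c2.test qtype=TXT
ts=2024-04-20T10:03:00Z src=10.1.2.9 dst=10.1.0.54 dport=53 proto=udp qname=mail.example.test qtype=MX
ts=2024-04-20T10:04:30Z src=10.1.2.3 dst=8.8.8.8 dport=53 proto=tcp qname=www.example.test qtype=A
"""


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict; an empty or junk line yields {}."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def find_rogue_resolver_use(log_text: str, sanctioned=SANCTIONED_RESOLVERS) -> dict:
    """Return {src_host: [(dst, qname, qtype), ...]} for every port-53 flow whose
    destination is not a sanctioned resolver.

    Endpoints should only ever talk DNS to the corporate resolvers; DNS going
    directly to some other server is what a hijacked or attacker-run DNS stage
    looks like on the wire, whatever names it happens to ask for.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dport") != "53":
            continue
        dst = rec.get("dst", "")
        try:
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole pass
        if dst not in sanctioned:
            hits[rec.get("src", "?")].append((dst, rec.get("qname", ""), rec.get("qtype", "")))
    return dict(hits)


if __name__ == "__main__":
    for src, flows in find_rogue_resolver_use(SAMPLE_LOG).items():
        print(f"{src}: {len(flows)} DNS flow(s) to non-sanctioned resolvers")
        for dst, qname, qtype in flows:
            print(f"    -> {dst}  {qtype:<5} {qname}")
```

On the constructed sample this flags 10.1.2.9 (two TXT lookups straight to 198.51.100.7) and 10.1.2.3 (one lookup to 8.8.8.8); the flows that went to 10.1.0.53/54 are ignored no matter what they asked for. Pair the destination check with a resolver-egress rule on the firewall and the finding becomes a block rather than a log line.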
Additionally, the article from Avast explains the situation more clearly than I can, but the major highlights are below:
It's almost as if there are bigger teams than just one person (like Andy and myself) who actually look into things on a much deeper level; hell, even I peel back the layers and look a little deeper like an actual security professional would do in their day to day, Andy, and all without stepping on anyone's toes.
Because....
Another thing Andy never mentions is that ANY activity on the internet, or using the internet, uses DNS, not just the shady stuff but also the normal stuff, like using your outdated browser to enter false search queries into DNSViz[.]net and screenshot it as an example… logging into your email, looking at cute cat pictures... ALL OF IT USES DNS IN ONE WAY OR ANOTHER(!!!)
I think the only thing correct in Andy's post is that it 'may be linked to Kimsuky', but the rest falls a little flat TBH.
Finally on this though, Andy runs an uncalled-for DNSViz test on escanav[.]com, unapproved by the company in any way, shape or form….
Which actually shows as SECURE;
The 'INSECURE' Andy tries to sell things on is DNSSEC language: it means the zone isn't signed (no DS record at the parent, no RRSIGs), so there is no chain of trust for a validating resolver to check. It says nothing about the domain being compromised, and the 'translation' from name to the web server hosting the site you want to visit has already been done…. Magic, that…
Sure, signing the zone is nice to have, but in some cases it isn't necessary, and 'not signed' is not 'hacked'.
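To make the three DNSSEC words concrete, here is an added example (mine, not the original post's and not DNSViz's code) of the one link in the chain that DNSViz draws between a parent and a child zone: does a DS record published by the parent match a DNSKEY in the child, and what state does a validator end up in depending on the answer. The zone name and the key bytes are constructed; signature checking over the zone's RRsets is represented by a boolean the caller supplies rather than implemented, so this shows the DS/DNSKEY link, not a full validator.

```python
# Added example: DS <-> DNSKEY matching and the RFC 4035 validator states.
# Zone name and key material are constructed; 'rrsigs_verify' stands in for
# real RRSIG verification, which is out of scope here.
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag, RFC 4034 Appendix B (every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def ds_matches_key(owner: str, ds: tuple, rdata: bytes) -> bool:
    """ds is (key_tag, algorithm, digest_type, hex_digest) as published by the parent."""
    tag, alg, dtype, digest = ds
    return (tag == key_tag(rdata) and alg == rdata[3] and dtype in DIGESTS
            and digest.upper() == ds_digest(owner, rdata, dtype))


def dnssec_status(owner: str, ds_set: list, dnskey_set: list, rrsigs_verify: bool) -> str:
    """Validator outcome for one delegation (RFC 4035 section 4.3 vocabulary).

    INSECURE: the parent publishes no DS, so there is no chain of trust to check.
              Resolution works as normal; the zone simply isn't signed. This is
              what DNSViz labels 'insecure'.
    SECURE:   a DS matches a DNSKEY and the zone's signatures verify under it.
    BOGUS:    the parent says the child is signed, but nothing checks out. This is
              the state a validating resolver treats as a failure.
    """
    if not ds_set:
        return "INSECURE"
    for ds in ds_set:
        for rdata in dnskey_set:
            if ds_matches_key(owner, ds, rdata) and rrsigs_verify:
                return "SECURE"
    return "BOGUS"


# Constructed zone with a 64-byte dummy 'public key' (the size of an algorithm-13 key).
ZONE = "example.test."
KSK = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())
DS_OK = (key_tag(KSK), 13, 2, ds_digest(ZONE, KSK))
DS_WRONG = (key_tag(KSK), 13, 2, "00" * 32)

if __name__ == "__main__":
    print("no DS at parent   :", dnssec_status(ZONE, [], [KSK], True))          # INSECURE
    print("DS matches the KSK:", dnssec_status(ZONE, [DS_OK], [KSK], True))     # SECURE
    print("DS does not match :", dnssec_status(ZONE, [DS_WRONG], [KSK], True))  # BOGUS
```

The useful distinction is the one between the first and third lines: "insecure" is the default state of every unsigned zone on the internet and costs nothing, while "bogus" means somebody published a DS and then broke the chain under it, which is the one that actually makes lookups fail in validating resolvers.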
The ONLY way Andy could, I guess you could say 'legally', do any testing 'without asking' is if he were part of a bug bounty platform that the vendor works with and were either invited or added to their researcher list via that platform (and all communication should be via that platform, not posts on LinkedIn, so he's already shafted himself on the bug bounty programme's terms and conditions, which he 'probably' wouldn't have read anyway).
Whenever Andy runs these tests fresh, you could argue that he is technically performing an illegal test against a company's systems and as such could be fined/imprisoned for violating the CFAA (Computer Fraud and Abuse Act), or the CMA (Computer Misuse Act) for us Brits.
The difference for me is that I am checking for the existence of a DNSViz result that has already been run, not running the test myself.
Speaking of which, we are still waiting for Andy to drop that CVSS 10 CVE and million-dollar write-up on how having no SSL cert means your entire company is hacked and exposed to internet appendages swinging in the distance.
*crickets*
It's funny really. If I didn't know something on the internet, I would ask for help from someone more knowledgeable; the beauty of the internet is that everyone is 'connected'… which is something I have done when reaching out to a certain 'inventor of DNS who used to be ok with Andy but now doesn't like his name being mentioned by him' (one wonders why?). I've also had other professionals reach out to me who do more 'in-depth' work than I do, and they aren't impressed either.....
When this happens to Andy and he doesn't know something on the internet, he just doubles down on it.
Feeds back into that whole 'who would you believe: someone who does the work, or someone who misspells 'Microsoft' on their own company-headed paper?'
Cisco & Splunk:
This one warranted its own post on my feed;
My 'open letter' to the top tier Cisco heads and whomever shared it;
Yeh, it needed to be called out, though I'm sure in some companies' cases the message was received loud and clear from Andy:
The Psychology of Security Professionals and Executives.
Seems as though Andy has taken 100mg of professionalism and started posting much wordier posts, not specifically regarding security but more 'psychological' and 'thought' experiments, though, however different the approach may be, there is always something of the 'other(?)' Andy coming through. Case in point, his comment on this post:
Look, it's the other tool Andy likes to use wrong, the Qualys SSL checker;
So he ignored this warning, which explains there is a certificate name mismatch, and proceeded with the full check;
Did you know there might be a reason for this?
I know, weird right? Try going to www.volkswagon.com, or better yet directly to https://152.195.12.243/
You get this screen:
Ooft, might have been worth checking what happens before running a scan... at least that explains why the result says it's mismatched (because the main cert is for vw.com and others, and the name that was scanned isn't among the names the cert lists). It still chains up to the Entrust Root Certification Authority, mind, so the cert itself is fine for the names it does cover; it just isn't the name that was asked for. But it's not like that result is ever going to change, it's 404'd.
Also, if anyone wanted to use DNS to exploit this particular site for their own naughty activities,,, well, according to 19-01, which Andy loves so much, they had better compromise a user account that can make changes to DNS before touching anything...
Oh that's right, DNS isn't the first port of call, but why can't Andy remember that???
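Since the 'certificate name mismatch' warning is doing all the work in that scan, here is an added example (my own, not from the original post and not the Qualys checker's code) of the name-matching rule a browser applies, in the RFC 6125 style: exact match on the names in the certificate's subject alternative names, a leading wildcard that covers exactly one label, and IP literals that only ever match an IP-address entry. The SAN list below is constructed to look like a cert issued for vw.com and friends; it is not the real certificate, and the hostnames and IP are the ones from the post, used as inputs only.

```python
# Added example: the hostname-vs-SAN check behind a 'certificate name mismatch'.
# The SAN list is constructed (an assumption), not read from any real certificate.
import ipaddress

# Constructed subjectAltName entries as (type, value), the way a cert carries them.
SAN_VW_LIKE = [
    ("DNS", "vw.com"),
    ("DNS", "www.vw.com"),
    ("DNS", "*.vw.com"),
]


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive dNSName match. A '*' is honoured only as the whole leftmost
    label, covers exactly one label, and never matches a bare TLD ('*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san: list, requested: str) -> bool:
    """True if the requested host (DNS name or IP literal) is covered by the SANs.

    An IP literal is only compared against iPAddress entries, never against
    dNSName entries, which is why https://<ip>/ against a names-only cert
    always produces the mismatch warning no matter how good the cert is.
    """
    try:
        ip = ipaddress.ip_address(requested.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: ignore it
        elif ip is None and kind == "DNS" and _dns_name_matches(value, requested):
            return True
    return False


def explain(san: list, requested: str) -> str:
    """One-line verdict in the shape a scanner would print."""
    ok = cert_matches_host(san, requested)
    return f"{requested}: {'name matches' if ok else 'certificate name mismatch'}"


if __name__ == "__main__":
    for host in ["www.vw.com", "shop.vw.com", "a.b.vw.com",
                 "www.volkswagen.com", "152.195.12.243"]:
        print(explain(SAN_VW_LIKE, host))
```

Against the constructed SAN list, www.vw.com and shop.vw.com match, a.b.vw.com does not (the wildcard is one label, not two), www.volkswagen.com does not (different name entirely), and the bare IP does not because nothing in the list is an iPAddress entry. None of those mismatches says anything about the certificate being bad; they say you asked for a name it was never issued for.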
================ HONK HONK EDITING POLICE ====================
Whoops, I made a slight error on this one, well, sort of.
Microsoft Owned DNS Server 31337 has pointed out that the correct address for 'volkswagon' is actually 'volkswagen'.
'e' not 'o', I apologise for this.
To err is human though, so at least I can show I am actually human and I do make mistakes BUT, unlike Andy, I learn from them and work to improve.
I thanked Microsoft DNS Server 31337 for its diligent work 'hacking all the things' and wanted to get this article updated to note my error.
Something to point out though, as I wanted to check (with the correct address now): look at the spelling and date on this:
There's only one person who searches specifically in this way..... Hi Andy, when can we expect your next wordy post on this one?
================ HONK HONK EDITING POLICE ====================
Balls, Black Balls;
Again, a more philosophical 'higher learning' post.
I mean, Wikipedia is great and all, but have you ever tried just getting on with work and not farming numbers on social media?
My head-canon guess for why this post exists is that Andy got rejected for some big project and is mad about it, so he wants to make a post and rant but isn't quite sure how.
Bear in mind this is the same head canon that is trying to figure out ways for Chris Hemsworth to come back for the long-rumoured Star Trek 4. I reckon that moment when he is shot forward in the captain's chair, where we think he is being crushed/killed under the weight of the Kelvin colliding with the Narada, he is actually being jettisoned through the view screen and into the black hole the Narada came from before it closes, to somehow flap out into space in the future but somehow alive, or, ya know... Q.
Hey, I watched a lot of TNG with my Dad growing up and I've seen far crazier sh*t. Beverly having 'relations' with a ghost? Lt. Van Mayter embedded in the floor??? Anyone? Scary crazy stuff.
So yeah, another week, another Gordian knot untied.
Towards the end it seems Andy might be winding down the misuse of tools online, though if his pattern is anything to go by, give it a week and I'm sure the DNSViz screenshots will be back in force.
As above, I have work tomorrow and now a hole in my kitchen where a freezer used to be... at least I can technically use it for storage, but I know the pennies will need to be lined up again soonish for a new one and all new nom noms.
Be safe all, and check if your refrigerator is running!
...
as you may need to go catch it!
<I JOKE AND LAUGH TO HIDE THE PAIN>
See you all next week or something
Peace
I can't believe NCSC's PDNS solution didn't prevent your SOC getting wet Dan…. I'll give them a call to let them know they are failing in their mission ;) For now maybe I should just be content that AJ didn't confuse PDNS with pDNS, although that would be comical