Slashdot Mirror
Dell Lost Control of Key Customer Support Domain for a Month in 2017 (krebsonsecurity.com)
Brian Krebs reports: A web site set up by PC maker Dell to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned. There is a program installed on virtually all Dell computers called "Dell Backup and Recovery Application." It's designed to help customers restore their data and computers to their pristine, factory default state should a problem occur with the device. That backup and recovery program periodically checks a rather catchy domain name -- DellBackupandRecoveryCloudStorage.com -- which until recently was central to PC maker Dell's customer data backup, recovery and cloud storage solutions. Sometime this summer, DellBackupandRecoveryCloudStorage.com was suddenly snatched away from a longtime Dell contractor for a month and exposed to some questionable content. More worryingly, there are signs the domain may have been pushing malware before Dell's contractor regained control over it.
I've got to wonder if the Internet has caused a *lot* more problems than it's solved.
"I don't know, therefore Aliens" Wafflebox1
Why not just have everything off of dell.com? Wouldn't that make more sense AND be easier to manage?
At Dell they don't know anything about subdomain delegation. Do they?
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
A good setup would verify the authenticity of the service before installing any software.
Any WiFi hotspot these days can pretend to be âoeyour websiteâ.
The thing is that these schemes are even built-in to most webservers these days, you need to be truly incompetent not to know about and implement them.
Custom electronics and digital signage for your business: www.evcircuits.com
A clean install of Windows is the better approach. The only thing you need to re-install from Dell is the driver package.
This annoys me.
Why not "backupandrecoverywhateveryouwant.dell.com" as the business-critical bit of it (hard-coded into software, etc.) and then if you REALLY need to, make
www.ridiculousdomainnamehere.com just resolve to that subdomain.
Then nobody is going to let dell.com expire (you would hope), if they do, the service will still work as expected and not be subject to compromise, and worse that happens if you have to tell customers to update their bookmarks if there was some user-focused web element on that domain (but, hey, without the secured login to the dell.com subdomain, it wouldn't matter right?).
Dell users a lot of cheap contractors or ones that just sub out stuff to others.
Dell is (still) a massive H1B shop. I'm surprised they even got the domain registered at all. Perhaps Tata, Wipro, or Cognizant can help the poor beset millionaire C-level pukes figure it out.
I've got to wonder if the Internet has caused a *lot* more problems than it's solved.
Let me put your mind at ease. The internet has caused new problems to be sure but it has resolved even more old ones. I'm old enough that I pre-date the internet in anything remotely resembling its current form and I pre-date the world wide web by multiple decades. I can assure you that the Good Old Days weren't all that good and that the the internet has solved substantially more problems than it has caused. Nothing is perfect and people are still just as incompetent as they ever were but that doesn't mean the technology is a bad thing.
The caller knows my name, address, phone number, and which Dell system I purchased. Dell's corporate security is non-existent.
The big reason a company wouldn't want to allow contractors and other miscellaneous sites under a subdomain of the main domain is how browsers treat domains. Cookie access, cross-site scripting, etc. could all be problems, unless you change the main website to also act under a subdomain, and make sure everything is restricted properly.
The issue is that the tech makes is easier to affect more people's lives. It's a double-edged sword and will get sharper.
That is better than the converse which is an inability to affect lives. Seriously, you do NOT want to go back to the days of the Pony Express if you catch my meaning.
Yes there will be new issues to resolve but that's no different than it has ever been. Every new non-trivial technology has new issues to deal with and it takes society some time to come to grips with them. The industrial revolution has been one long series of new technologies affecting people's lives in ways they need to come to grips with. The so called information age will be no different in that regard.
At this point in time, is it just easier to list the assets on the Internet that haven't been compromised?
Seriously, I'm beginning to think that the Internet died years ago, and this is just Zombie Internet, and the corpse has just been running on inertia this whole time and will sooner or later grind to a halt and become DEAD-dead instead of UNdead.
People aren't incompetent. Corporations are incompetent. Procedures and strict controls lead to incompetence.
I used to criticise "people" until I myself let a critical license go overdue (not a domain name, but a government license). I knew the renewal was coming. After I didn't receive the renewal notice (it was routed to the wrong department in our company and bounced around for 6 weeks) I with plenty of time to spare paid it anyway based on a web invoice. But since there was no paper to track the payment, accounting didn't release the funds despite procurement approving them. Me (the only person who was tracking the license) only saw that procurement had done their job since I have no connection to accounting which is outsourced to a specialist.
3 weeks later the invoice arrived on my desk along with, a late warning, along with a notice of license cancellation.
Not a single person was incompetent. Everyone did their job exactly like they were supposed to. What we were was limited and encumbered.
In large corporations itâ(TM)s often easier to register a new domain than go through the hoops of getting a subdomain approved.
So what? That doesn't make registering a new domain a good idea. I could register a new domain with your company name in it. So could anyone else. It's FAR more difficult for anyone to spoof the subdomain of dell, especially for something as important as system updates and tech support. Seriously, doing what you suggest in a large company is a really really bad idea.
Where I work, it takes me $8 and a half hour work to get a domain but it can easily take me 6 work hours across 2-4 weeks to get a subdomain.
Again, so what? I'm sure there are all kinds of idiotic things you can do that are less hassle than going through official channels. While nobody is a fan of bureaucracy it often exists for EXACTLY the reason of keeping people from doing stupid things like your suggestion. If you worked for me and you did that I'd fire you in a heartbeat for doing something so dangerously stupid. You're potentially exposing the company to huge financial risk because you're too lazy to go through proper channels for something that actually matters.
The big reason a company wouldn't want to allow contractors and other miscellaneous sites under a subdomain of the main domain is how browsers treat domains. Cookie access, cross-site scripting, etc. could all be problems, unless you change the main website to also act under a subdomain, and make sure everything is restricted properly.
So your argument is that one of the largest tech companies in the world can't handle cookies properly? Ummm, if that is actually true then nobody should ever buy their products again. Dell is a huge company and they have more than enough heft to force vendors to conform to reasonable security standards and work with their network properly. Vendors who can't handle this probably shouldn't be utilized.
When a large, ongoing corporation in tech has part of its infrastructure for customer support compromised in this way, it reinforces my conviction to never do any home automation that requires an external server to work.
Microsoft/Walmart had the music service based on "Plays for Sure" go dark. Nest disabled its hub. My kids used to play a game with a usb device (similar to Skylanders) that connected to a game server. Phillips stopped working with 3rd party equipment. When the company controlling the home it connected to, the devices and content you owned stop working.
I think we'll see more products that rely on a set of servers after the sale. It will be a long time until consumers force companies to design differently. I don't think government will ever regulate these things to the point where telco was: you buy the phone, they have to keep the service going.
We're surrounded by forest preserves and farmland, so most of the directions involve turn right, but get in the left lane to make an immediate left turn, which isn't conveyed well with garmen, apple maps, nor google maps.
Some brands (e.g.: Tomtom, even the older device as long as you've updated to a recent enough software version) can litteraly say that "Turn right, then keep left lane and prepare to turn left", with the logo on the screen showing that too (Big "Right turn" arrow, thin right arrow for "next", then Big "Left Turn" arrow).
Other brand (I've seen it on Volvo in-vehicle infotainment) don't have a special vocal message, but will open a split-screen pop-up next to the usual 3d over-the-shoulder view, with a bird's-eye view illustrating a complicated sequence of such turns.
(Which in theory is a nice idea, but in practice sucks, because you need to take your eyes of the road and look inside the car - as opposed to dedicated satnavs that you can stick on windshield just at the edge of your usual field of view.
On the other hand, that specific Volvo is equipped with forward collision avoidance systems and could autonomously slam the break to avoid rear-ending the car in front while you're looking away. So never had an accident due to taking the eyes that far away from the road).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Explain why is it so 'dangerously stupid'. DNS is no part of any security model, if yours is, then I would fire you in a heartbeat.
It's about preventing easy opportunities for scams and reducing the attack surface. You are very incorrect that DNS isn't a part of the threat model. Misleading domain names are routinely used in various forms of cyber attacks, particularly phishing attacks.
It's dangerously stupid because if you don't go through the primary domain that is well understood to be the company in question (Dell in this case) then it becomes ridiculously easy for people with less than honorable intentions mislead customers. If I register the domain mydellupdates.com, how do you know if it is or is not actually owned and operated by Dell Corporation? Sounds vaguely official so there would be some percentage of people that probably would be fooled. Sure you can do a research into who owns the domain but you ought to know that won't happen in most cases. Lots of people don't know how and more simply cannot be bothered or it doesn't occur to them to try.