Before we begin, it is important to understand how websites work, as it pertains to the nature of the threat.
How a Web Browser Actually Works
On the surface, navigating to a website is a somewhat straightforward process: type in the URL, hit Enter, and you’re off to the races, right?
Maybe so. However, this simple interaction hides a much more involved process taking place behind the scenes.
When we think of a website, as users, we think of a certain name, like Google or Facebook or what have you. That’s known as the domain name, and it isn’t what your Internet browser uses to find the website you want. Your browser operates via something known as an Internet Protocol (IP) address. IP addresses are too deep a topic to cover in full here; all we need to keep in mind is that they work like coordinates for the web server your browser is trying to reach.
IP addresses are made up of a series of numbers, which are more challenging to remember than a name. That is why nameservers exist: they connect the domain name we know to the IP address your browser actually uses.
Each time you type in a URL, your browser references a nameserver to match the domain name to the IP address of the correct web server. Once it does so, it can request the content you want. In this way, the nameserver is effectively your browser’s translator—taking your input and converting it into something the network understands.
That’s what makes the nameserver so important to the function of the Internet, and why nameservers are so important to keep secure. This matters even more when the nameserver controls a top-level domain—the “.com”, “.net”, “.org” or whatever the case may be.
So, if an attacker were to gain control of a top-level domain’s nameserver, redirecting web traffic to malicious websites through man-in-the-middle attacks would become far too easy.
The Situation in the Democratic Republic of Congo
A security researcher named Fredrik Almroth noticed that the domain hosting one of the nameservers for a top-level domain of the Democratic Republic of Congo—specifically, the .cd country code—was due to expire. With the expiration date set in mid-October, the government would have only a limited time after that to reclaim the nameserver’s domain, scpt-network.com. Almroth took it upon himself to monitor the domain.
As December drew to a close, Almroth registered the domain himself to keep it out of attackers’ hands. Since the zone’s other nameserver was still operational, all Almroth had to do was let requests to the expired nameserver time out so that they fell back to the operational one.
The Risks Involved
If Almroth had not claimed the nameserver’s domain, an attacker might have. That attacker could then have intercepted all traffic directed toward any .cd domain, even if it were encrypted. An attacker in this position would have a truly frightening level of power over thousands of websites.
The Congolese government wound up cutting its losses and setting up a new domain, so fortunately there was never a time when the .cd domain was at risk.
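The exposure described here is a zone whose delegation depends on a nameserver domain that someone else must keep registered. That dependency can be audited, and the following is an added example (not from the article, and not Almroth’s own tooling): the zone, nameserver hostnames and expiry dates are constructed, a real audit would pull expiry dates from WHOIS/RDAP, and the registrable-domain helper assumes a one-label public suffix rather than using the Public Suffix List.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article): the NS records delegated for a
# hypothetical zone, plus the registrar expiry dates of the domains those
# nameservers live under, as an audit script might collect them from WHOIS/RDAP.
ZONE = "example.test"
NS_RECORDS = [
    "ns1.example.test",                 # in-bailiwick: lives under the zone itself
    "ns-a.hypothetical-operator.test",  # out-of-bailiwick: depends on another registration
    "ns.other-provider.test",
    "ns.unlisted-host.test",            # no expiry data collected for this one
]
EXPIRY = {
    "hypothetical-operator.test": date(2021, 10, 15),
    "other-provider.test": date(2022, 2, 1),
}
AUDIT_DATE = date(2021, 12, 20)  # the day the audit is run (constructed)


def registrable_domain(hostname):
    """Registrable (second-level) domain of a nameserver hostname. Assumes a one-label
    public suffix; a real audit should consult the Public Suffix List instead."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_nameservers(zone, ns_records, expiry, today, warn_days=90):
    """Return (nameserver, registrable_domain, status) tuples, where status is one of
    'in-bailiwick', 'ok', 'expiring', 'lapsed' or 'unknown-expiry'."""
    findings = []
    for ns in ns_records:
        host = ns.rstrip(".").lower()
        dom = registrable_domain(host)
        if host == zone or host.endswith("." + zone):
            status = "in-bailiwick"    # keeping the zone registered covers this one
        elif dom not in expiry:
            status = "unknown-expiry"  # cannot show the dependency is safe
        elif expiry[dom] < today:
            status = "lapsed"          # anyone could register it and answer for the zone
        elif expiry[dom] - today <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        findings.append((ns, dom, status))
    return findings


def run_audit():
    """Run the audit over the constructed data, mapping each nameserver to its status."""
    return {ns: s for ns, _, s in audit_nameservers(ZONE, NS_RECORDS, EXPIRY, AUDIT_DATE)}
```

Anything reported as lapsed or unknown-expiry is a nameserver the zone relies on but whose registration the zone operator does not control or cannot confirm.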
What Your Business Can Take Away from This
Simply put, technology is complicated, and that complexity opens a lot of opportunities for cybercriminals to exploit.
This incredibly resourceful class of criminal isn’t above using cheap tricks to infiltrate its targets, and most attackers aren’t particular about the size of a given target. Some focus on small businesses while others aim higher, at government infrastructure. This is what makes it so important that every organization has a resource to turn to that can see to its efficiency and cybersecurity alike.
TAP Tech is here to be that resource for you. Our team focuses on the IT used by our clients to help resolve issues, whether operational or security-based, to ensure that nothing goes by unnoticed. To learn more about what we can do for you, reach out to us at 203-744-9760.