
posted by CoolHand on Sunday August 23 2015, @11:05PM
from the so-glad-we-run-free-software dept.

Let's assume the information about the Windows 10 key logging is true.
Access to this key logger data is the holy grail in computer hacking.
A dream of every "commercial" hacker. This means you can generate Fullz fully automatically, each worth $35 USD at the moment.
45 million (of 1.5 billion; data from 11-Aug-2015, growing strongly) Windows 10 systems at the moment.
The average DNS bit-flip error rate is 1 in 100,000 requests. See Bitsquatting: DNS Hijacking without exploitation.

Here is one thought-provoking quote from that dinaburg.org article:

Some machines control considerably more traffic than others. While a bit-error in the memory of a PC or phone will only affect one user, a bit-error in a proxy, recursive DNS server, or a database cache may affect thousands of users. Bit-errors in web application caches, DNS resolvers, and a proxy server were all observed in my experiment. For instance, a bit error changing fbcdn.net to fbbdn.net led more than a thousand Farmville players to make requests to my server.

And these are only single bit-flips. As it turned out, multiple bit-flips are even more common than single bit-flips.
This means at least 450 wrong DNS requests from these 45 million Windows 10 users. Per domain.
3 domains (nsatc.net, footprintpredict.com, microsoft.com). Wrong requests every day (A record TTL):
nsatc.net=3 h, footprintpredict.com=0.5 h, microsoft.com=2 h == (24/3*450)+(24/0.5*450)+(24/3*450)==30,600

Not all DNS bitsquatting domains have equal value. The order of bit-flipping probability is 0,6,(1+2),8,(3+13),14,12,15,(4+5),(7+9+11),10.
The bit in position #0 is 100 times more likely to be flipped than one in position #10.
If someone would like to calculate exactly which single- and multi-bit-flip bitsquatting names are the most likely, here: Observations on checksum errors in DNS queries has all the data you need to do this.

Which single bit-flip bitsquatting names are free and which are taken?
(the taken and connected ones are listed with the IP and country)
[Editor's note: I am just listing a few of the more concerning Microsoft bit-flips in the interest of brevity. Please see the original submission for the very large full list.]

I'm totally surprised that not all of them are already taken.
Does Microsoft care ? Of course not.


Original Submission
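An added example (not from the submission or the articles it links) that enumerates the single-bit-flip names of a domain's first label, keeps only those that are still valid DNS labels, and renders them as hosts-file lines for a dnsmasq addn-hosts= file, so a domain owner can see which variants to register defensively and an admin can sinkhole them locally (the MSBitFlipHost idea a commenter below mentions); the function names and the 0.0.0.0 sink are my own choices.

```python
import re
from typing import Dict, Tuple

# A DNS label may only contain letters, digits and hyphens and may not
# start or end with a hyphen. The label is lower-cased first, so a flip
# of bit 5 (the ASCII case bit) yields an upper-case letter, which names
# the same domain and is therefore rejected by this lower-case-only regex.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def bitflip_variants(domain: str) -> Dict[str, Tuple[int, int]]:
    """Map each single-bit-flip variant of the first label of `domain`
    (the part before the first dot) that is still a syntactically valid
    DNS name to the (character position, bit index) that produces it."""
    label, dot, rest = domain.lower().partition(".")
    variants: Dict[str, Tuple[int, int]] = {}
    for pos, ch in enumerate(label):
        for bit in range(8):  # bits 0..7 of the ASCII byte
            flipped = chr(ord(ch) ^ (1 << bit))
            cand = label[:pos] + flipped + label[pos + 1:]
            if cand == label or not LABEL_RE.match(cand):
                continue
            variants[cand + dot + rest] = (pos, bit)
    return variants


def hosts_blocklist(domain: str, sink: str = "0.0.0.0") -> str:
    """Render the variants as hosts-file lines for a dnsmasq addn-hosts=
    file, so a bit-flipped lookup resolves to `sink` instead of leaving
    the network."""
    names = sorted(bitflip_variants(domain))
    return "".join(f"{sink} {name}\n" for name in names)


if __name__ == "__main__":
    found = bitflip_variants("microsoft.com")
    print(f"{len(found)} valid single-bit-flip names for microsoft.com")
    print(hosts_blocklist("microsoft.com"), end="")
```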

  • (Score: 0) by Anonymous Coward on Monday August 24 2015, @03:12AM (#226802)

    There is an MShost.txt file available over at the other site. It blocks about 5900 MS sites.
    I am creating this list in a host table as you read this.
    I am adding it to my IPCop firewall, with the MVPS "ad" blocking list - it also includes stats sites to help stop tracking.
    YES, it does not stop it all, say a hard-coded IP in the code, or MS running their own DNS that is hardcoded in the code. Those will have to be blocked by a rule in iptables. Nice to have a firewall that is not part of my wireless router or cable modem, so I can block anything, once I know about it. I have Win10 in a VM, with another VM being a firewall too. This way I can see exactly what is crossing the network.

    Now, in the end, I will have the local hosts file for some blocking, but mainly for site overrides so a local server is used in place of a foreign one, or simulating ooma's need to be between modem and router/firewall and its built-in site: setup.ooma.com is mapped to the internal address of the ooma. Three extra host files will be added to the dnsmasq.conf for AD blocking, MShost blocking, & MSBitFlipHost blocking.

    The change for AD blocking has really helped improve web performance, but the cost has been some click-throughs, like Google's sponsored items in the list, or slickdeals.net click-throughs.

    #
    # mods to IPCop
    # change: /etc/dnsmasq.conf
    # added line in global: addn-hosts=/etc/hosts.ext
    #
    # Download the HOSTS file from MVPS and place it on the desktop:
    # http://www.mvps.org/winhelp2002/hosts.htm
    #
    # run to copy HOSTS to IPCop (sshd on IPCop listens on port 8022).
    #
    scp -P 8022 HOSTS root@ipcop:/etc/hosts.ext
    #
    # gain access to IPCop
    #
    ssh root@ipcop -p 8022
    #
    # run on IPCop to restart dnsmasq so it re-reads the hosts file
    #
    /etc/rc.d/rc.dnsmasq restart
    #
    # then to leave type
    #
    exit

  • (Score: 1) by blackhawk (5275) on Monday August 24 2015, @05:14AM (#226867)

    If your router doesn't let you change the hosts file and you don't trust the Windows handling of hosts, then you can just do what I did a while back. I set up a Raspberry Pi on my network and installed dnsmasq. It's configured to provide both DHCP and DNS services and makes use of the hosts blocking file in the parent as an additional DNS source. Upstream it defaults to running queries on 8.8.8.8 (Google's DNS). I then switched off my router's DHCP and let the new Raspberry Pi take over. You can do the whole thing in an hour or so including reading the docs / configuring dnsmasq.

    Once that's done, you can block what you like and add in what you like e.g. aliases for DNS entries your ISP / country is blocking.

    • (Score: 0) by Anonymous Coward on Monday August 24 2015, @12:51PM (#227003)

      Yes, you can. IPFire (a branch off of IPCop) is great and the work is done. Since IPFire is based on IPCop, the same instructions and methods will work.

      I use RPi/IPFire as a network backup device paired with my cell phone (the rest of the time, it is a print server). So if the main network is down, unplug from the main network modem and plug in IPFire; nothing else changes. I do like the software and would like to use the lower-power setup for the main firewall, but with only 1 ethernet port (via USB) it is lacking in throughput for me.

    • (Score: 2) by Kromagv0 (1825) on Monday August 24 2015, @03:03PM (#227041)

      If you have a router that is that bad to begin with, I might suggest one of these first [google.com], then go and get a router that has good firmware from the factory or can have OpenWRT or DD-WRT put on it.

      --
      T-Shirts and bumper stickers [zazzle.com] to offend someone
      • (Score: 1) by blackhawk (5275) on Wednesday August 26 2015, @05:03PM (#228161)

        That's definitely easier to do in the US than in, say, Australia. I've looked quite a few times at the list of routers that support Tomato, OpenWRT or DD-WRT and never seen a match with one that I can actually buy here. A lot of Aus is on ADSL, and since most of those don't even support ADSL / routers, it's a no-show.

  • (Score: 2) by captain normal (2205) on Monday August 24 2015, @05:22AM (#226874)

    APK! Where have you been? And why AC?

    --
    "Everyone is entitled to his own opinion, but not to his own facts" --Daniel Patrick Moynihan--