Hacked - News Update - The Corp.com Conundrum
Episode Date: April 14, 2020
Jordan & Scott discuss the very nerdy story of the website that lets you read secrets and the man who kept it safe.
Transcript
It's 1994, and Mike O'Connor has just scooped up some choice web domains, one of which comes with a very strange responsibility. Back in '94, buying domains, and really the internet in general, was a chaotic place. ICANN, the Internet Corporation for Assigned Names and Numbers, the big organization that oversees domain registries, didn't even exist until 1998. So way before what O'Connor calls the domain name land rush, before cybersquatters, before websites and domains were worth something, Mike buys up a few. Mike buys them because they reminded him of radio station names. They seemed like they might be useful. Mike O'Connor buys up a bunch of one-word domains in 1994, and he gets some good ones. And if you know anything about cybersquatting and domain investing, brace yourself.
Mike bought, amongst others, television.com, place.com, bar.com, cafe.com, have.com, shelter.com, and company.com. For context, if we go over to Estibot, a service that creates quick estimates of how much domains are worth, we see that all by itself, television.com, one little domain, is worth at least $1,083,000 U.S., and that is just one. So good for Mike.
But in all that time, there's been this one domain that Mike has refused to sell. He's held on to it for 26 years because this domain is dangerous. Corp, C-O-R-P, dot com is a Pandora's box. And for reasons that we will explain, whoever owns that domain possesses a very uneasy power. Because of an issue affecting networked Windows PCs called namespace collision, whoever owns corp.com gains access to a never-ending flood of passwords, emails, and proprietary data from hundreds of thousands of major companies around the world. All day, every day, for 26 years. Whoever owns that domain owns a floodgate of secrets that, if it were to fall into the hands of either cybercriminals or state actors, would expose a bottomless well of private information you could never claw back. This year, Mike turned 70, and he decided it was time to sell. And this week, this story, 26 years in the making, finally reached its conclusion. We don't know how much Mike sold corp.com for, but we know his starting price was $1.7 million. This is a quick explanation of how corp.com worked on this Hacked update.
I think we're getting in the weeds in this episode. This sounds like it's going to be pretty esoteric.
I think we're living in the domain name service headspace for a while here. It seems like this is one of many updates that revolve around DNS configurations and how they make us vulnerable.
Before we get to corp.com.
I've been saying corp.com.
Corp.
Corp.
Like short for corporation.
That's what I thought.
Before we get to that, remind people what DNS is.
DNS is the system that allows us to type google.com into our web browser, and it knows the IP address of the server it's trying to reach. That's what DNS does.
So it's like a big index?
Yeah.
It's like a big phone book.
Cool.
Now that we've gone past...
Wait, people don't know what phone books are anymore.
So that having been said, what is corp.com?
Corp.com is just a DNS name like anything else. Same as google.com. Same as hackedpodcast.com. Same as patreon.com slash hackedpodcast.
And what makes it special?
A configuration vulnerability by default in early Active Directory servers from Microsoft. Is that a good answer?
I feel like I should let people know that next week's episode is going to be poppy. It's going to be, like, extortion scams. It's going to be real provocative stuff. So if the in-the-weeds stuff isn't for you, we totally get that. But while we're here, can you explain this?
Let me just explain this for you. Major corporations that run the Microsoft stack, stack being all the Microsoft major products, use something called Active Directory to control user logins, sign-ins, and a bunch of other things. It's kind of like the keychain for the corporation.
So Active Directory servers, when they came out, like, you know, Microsoft Small Business Server and stuff like this, dating way back to when this problem probably originated, used to kind of come with a default example setup for a corporation called Corp. But in the world of Microsoft, and in the world of these new Active Directory-controlled PCs that connected to this directory, Corp would become corp.com, except that the internal DNS would overwrite it to whatever it needed to be internal to the corporation. So then when you take these PCs out of the corporation, out of the network where they have direct access to their stuff, pre the kind of massive rollouts of VPNs, any time that these computers try to access a local resource, it would think it was looking for something-something-something.corp.com. So all of that traffic, logins, email server requests, all of this stuff was getting spilled out to this random DNS that this guy owned called corp.com.
So in the weeds, it all revolves around Microsoft trying to set up a comprehensive enterprise solution, showing people how to set up their first installation of this Active Directory and a bunch of other assets inside of the Microsoft stack, and doing it under the pretense of a kind of example corporation colloquially known as Corp. So all of those IT admins who just kind of adopted the example setup inherited this problem. So again, these are probably, and this is a big assumption, but I'd say a lot of these were smaller to medium businesses where they didn't have huge IT infrastructures. Maybe there's one IT manager taking care of the whole 400-person company. And there's just some misconfiguration issues in setup that led to long-term vulnerabilities.
Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late. An alert buried, a signal missed, a SOC that just couldn't keep up.
Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora superintelligence platform, a fully agentic system powered by a swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything trustworthy, and all of this is running off their secure operations graph, a constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade of real-world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora Agent SOC. It's the first SOC that is agent-led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model. They rebuilt the model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher-value strategy and proactive risk reduction while the agents handle the grind. If you want to see what trustworthy, production-ready AI in security operations actually looks like, go to arcticwolf.com slash hacked.
Ever feel like cyber threats are evolving faster than anyone can keep up? Last year, 2025, was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turned defenses on their head. Organizations around the world saw headlines they never expected, and cybersecurity teams were tested like never before. But here's the thing. These incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February 5th diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded, and most importantly, what businesses can do to fortify their defenses before it's too late. You're going to walk away with real insights into how threat actors are evolving, how defenders are responding, and what strategies can help you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked.
This is kind of the equivalent of something's default password being set to "password", the person not changing it, and introducing a vulnerability.
Yeah. A little bit, yeah. It's a lot more crazy and complicated, and requires a lot more stuff to manipulate and take advantage of it. But yeah. Instead of a password, it's this destination. It's like teaching a bunch of, you know, teaching a bunch of computers that when they need to do things, look up DNS entries, send emails, you know, the list goes on, log into the network, that they need to go to this place to do it, and then changing that place.
What if Mike had sold it? For 30 years, this guy's been holding on to the destination of all of this rogue traffic. What if he had decided, "I'm just going to sell this thing to the highest bidder"?
Oh, I think Microsoft would have had something to say about it.
Yeah.
I can't imagine, I don't know, that's a great question. I can't imagine they would have let it go rogue. I actually am surprised it took them this long to close it down. And it's probably only because Mike was so innocent in this and so, like, altruistic that they didn't have to deal with it earlier.
Well, the story of its availability was, I think, quite public. It was pretty widely covered that this domain was kind of up in the air all of a sudden, that Mike had decided to, you know, liquidate his estate, and that this was going to be purchasable, and that he wanted Microsoft to buy it.
Yeah.
Yeah.
I think when you talk about the biggest bidders, I think Microsoft is the obvious one. I'm sure you could have convinced a Russian state organization to buy it. But, you know, at the end of the day, he might go to jail for that one.
Yeah.
I think it's good. I'm glad Microsoft bought it. They can, you know, button it up, lock it down, make sure nothing happens with it. And good for Mike for being so altruistic all of those years, or seeming to be so altruistic after all those years. So, yeah, I'm glad it's resolved.
There's going to be millions more instances of this. When you teach a computer how to look for DNS short handles, like, you know, immediately any time somebody types something into the file explorer bar, when it does a network search, it attaches something-something.com onto the end of it, you're creating a perpetual vulnerability.
Thanks for listening, everybody. I think this is our record for the shortest news update yet. We're going to be back next week. Got an interesting update lined up. I think you're all going to like it. You can follow us on Twitter at hacked podcast or support the show at patreon.com slash hackedpodcast. Thank you for listening. And thanks to Mike O'Connor for keeping it real.
