<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Helvetica Neue";
panose-1:2 0 5 3 0 0 0 2 0 4;}
@font-face
{font-family:HelveticaNeue;
panose-1:2 0 5 3 0 0 0 2 0 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Jeff,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Was the JAS Controlled Interruption run on corp.com to address the security concerns? What kind of feedback was received?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Matt Thomas<o:p></o:p></p>
<p class="MsoNormal">Verisign<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">NCAP-Discuss <ncap-discuss-bounces@icann.org> on behalf of Matt Larson <matt.larson@icann.org><br>
<b>Date: </b>Wednesday, February 5, 2020 at 2:01 AM<br>
<b>To: </b>Rubens Kuhl <rubensk@nic.br>, NCAP Discussion Group <ncap-discuss@icann.org><br>
<b>Subject: </b>[EXTERNAL] Re: [NCAP-Discuss] [Ext] Revised draft of NCAP Study 1 report<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Jan 29, 2020, at 3:48 PM, Rubens Kuhl <<a href="mailto:rubensk@nic.br">rubensk@nic.br</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"HelveticaNeue",serif">I was under the impression that<span class="apple-converted-space"> </span><a href="http://corp.com/">corp.com</a> was now part of ORDINAL, but the fact that it's for sale
for USD 1.7 Mi goes against that assumption<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:10.5pt;font-family:"HelveticaNeue",serif">Perhaps Jeff (JAS) could clarify it. <o:p></o:p></span></p>
</div>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Jeff Schmidt sent the text below to clarify the situation with
<a href="http://corp.com">corp.com</a>. Please also see the attached PowerPoint presentation.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Matt<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">Begin forwarded message:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica Neue"">From: </span></b><span style="font-family:"Helvetica Neue"">Jeff Schmidt <<a href="mailto:jschmidt@jasadvisors.com">jschmidt@jasadvisors.com</a>></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica Neue"">Subject: [Ext] For posting to the NACP list</span></b><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica Neue"">Date: </span></b><span style="font-family:"Helvetica Neue"">February 4, 2020 at 12:29:18 PM EST</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span style="font-family:"Helvetica Neue"">To: </span></b><span style="font-family:"Helvetica Neue"">David Conrad <<a href="mailto:david.conrad@icann.org">david.conrad@icann.org</a>>, Matt Larson <<a href="mailto:matt.larson@icann.org">matt.larson@icann.org</a>></span><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hia gents:<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">I hear that there was an inquiry about <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> by the NCAP; please feel free to publish the below response _in its entirety_. It is good to have this history a part of
“the record.” You may post/share this as you see fit. Thanks!<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><a href="http://corp.com/"><span style="color:#0563C1">Corp.com</span></a> has been owned by Mike O’Connor for just under forever. Mike recognizes that <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> is unique
and he has graciously made data available to a number of researchers – including JAS – over the years in the best interest of the Internet. The <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> data – and the understanding of the
underlying phenomena driving the traffic – contributed materially to the JAS collisions work/reports and to our discovery of MS15-011 thru 014 (CVE-2015-0008) as well as vulnerabilities JAS discovered and privately reported to PeopleSoft/Oracle, Symantec,
Trend Micro, and IBM. <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">Through Mike’s quiet generosity, the Internet is a safer place today.<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">My interest, as a security professional, is that <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> remain in “responsible hands.” There remains significant danger if <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> becomes
controlled by an “irresponsible” party. I have tried for years to get “responsible parties” interested in acquiring <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> – including several firms on this list – however none have expressed
interest. Fortunately, the US Department of Homeland Security (DHS) stepped-up – the *<b>only</b>* party to do so I might add – and provided a small grant for JAS to lease <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> from Mike,
collect data, and make it available to qualified researchers. During the years <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> was delegated to JAS, we spent far more money hosting, collecting, and storing data than we ever got
from grants. No one except the US DHS expressed any willingness to help. My understanding is that ICANN wrote letters to Microsoft, Verisign, and other relevant parties informing them of these issues, but they did not engage. I tried to engage Microsoft
at a number of levels, but they were not interested.[1] JAS got poor and Mike sat on a valuable asset for years in the altruistic interest of global Internet SSR.<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">A few months back, Mike and I concluded that we have done everything we can do; with Mike not getting any younger, he would sell the domain with a clear conscience. JAS has no further business relationship with Mike or <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> and
we are no longer technically hosting the domain.<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">I have attached a technical presentation I gave to IMPACT researchers in 2018. It contains more technical information about the traffic observed at <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> and some cool
“DITL” statistics. <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">A few high level observations during the 8-month period 2019-01-24 - 2019-09-18:<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">* 384,001 unique client IPs sent queries to <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a>. These clients are almost all recursives ranging from gigantic public recursives (Google, OpenDNS) to private recursives
run by companies ranging from SMBs to large multi-nationals.<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">* 37,046,965 unique qnames were sent to <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a>. A plurality of these qnames are related to Microsoft technologies, particularly Active Directory. A subset of these are
exploitable by techniques similar to MS15-011 thru 014 and trivially exploitable using well-known tools like Responder/SMB-Relay[2]. <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">* For additional perspective, in one month, the HTTP/S website JAS ran at <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a> received requests from 379,403 unique clients for WPAD configuration files. Note these
are IP addresses of specific end machines received over HTTP/S, not DNS recursive servers as above. Therefore, this is one of several long- lived target lists of almost certainly vulnerable Microsoft Windows machines. Another party made a big deal about purely
theoretical WPAD vulnerabilities in the new gTLD space a few years back; colliding WPAD queries are much more common and much more dangerous in .com than in any other namespace just given the size and gravitas of .com. Want an instant foothold into about
30 of the world’s largest companies according to the Forbes Global 2000? Control <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a>. Anyone claiming namespace collisions in .com, country code, and other legacy TLD space aren’t dangerous
just doesn’t understand – or doesn’t want to understand.<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">* JAS temporarily created MX records and accepted email destined to <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a>. After about an hour we received in excess of 12 million emails and discontinued the experiment.
While the vast majority of the emails were of an automated nature, we found some of the emails to be sensitive and thus destroyed the entire corpus without further analysis.<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">* JAS temporarily accepted protocol level connections to SMB/CIFS and WebDAV over HTTP/S (!!) and found a large number of dangerous connections requesting <a href="file:///SYSVOL"><span style="color:#0563C1">\\SYSVOL</span></a>, <a href="file:///NETLOGON"><span style="color:#0563C1">\\NETLOGON</span></a>, <a href="file:///USER"><span style="color:#0563C1">\\USER</span></a>,
and other dangerous Microsoft mount points directly exploitable by the techniques described in MS15-011 thru 014. We discontinued the experiment after 15 minutes and destroyed the data. It was terrifying. A well-known offensive tester that consulted with
JAS on this experiment remarked that during the experiment it was “raining credentials” and that “he’d never seen anything like it.”<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">* Microsoft incorrectly claims these issues are resolved. Unless administrators overtly enable SMB Signing (via a new feature called “UNC Path Hardening” which they added as a response to our bugs), most modern, fully-patched Windows machines
remain vulnerable.[3]<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">Someone will eventually purchase <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a>. I sincerely hope the acquiring party is “responsible.” Once it’s lost, it’s gone forever.<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">Jeff Schmidt<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">[1] Microsoft Windows product groups acted honorably upon our reporting of the vulnerabilities and responded appropriately; however, other parts of the company were not interested in discussing <a href="http://corp.com/"><span style="color:#0563C1">corp.com</span></a>.<span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">[2] <a href="https://github.com/lgandx/Responder"><span style="color:#0563C1">https://github.com/lgandx/Responder</span></a><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal">[3] <a href="https://security.stackexchange.com/questions/134388/how-does-unc-path-hardening-and-smb-signing-work-under-the-hood"><span style="color:#0563C1">https://security.stackexchange.com/questions/134388/how-does-unc-path-hardening-and-smb-signing-work-under-the-hood</span></a><span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"> <span style="font-size:12.0pt"><o:p></o:p></span></p>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>