Last February the domain ‘corp.com’ was put up for sale. Aside from how attractive a domain like that could be for many companies (it refers to the term ‘corporation’ and is easy to remember), nothing suggested that it was unlike any other domain. And yet, corp.com was the key to controlling a potentially devastating security hole for many companies.
Its story begins in 1990, when Mike O’Connor created Go-fast.net, one of the first Internet providers, and registered a good handful of .com domains that would acquire great value in the following years: place.com, bar.com, pub.com, etc.
The security hole called “corp.com”
One of them was, as you may have guessed, corp.com. But something made O’Connor hold on to that particular domain for years without auctioning it off. And that ‘something’ was a design flaw in Active Directory, the Microsoft tool that provides directory services on a LAN.
The point is that, in the first versions of Windows compatible with Active Directory, the default route for validation services within the same corporate LAN was the internal domain “corp.com”.
You may be wondering to what extent that can represent a security hole. Let’s see: if an employee of any of those companies tried to access the company’s data from outside the LAN (say, for example, from the Wi-Fi of the airport), they would actually be connecting to the internet domain “corp.com”.
Yes, the same one O’Connor put up for sale in February. And the same one that, in malicious hands, could take advantage of these involuntary connections to intercept communications from affected companies and extract all kinds of data (emails, passwords, etc).
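A defender-side check for the exposure described above, as an added example that is not part of the original article: it audits the DNS suffixes configured on company machines and flags any that the company does not control, such as corp.com. The owned domain `example-widgets.com`, the host names and the inventory format are all hypothetical, constructed sample data.

```python
# Added example: audit configured DNS suffixes for namespace collisions.
# The inventory and the owned-domain set below are constructed sample data.

OWNED_DOMAINS = {"example-widgets.com"}  # hypothetical: domains the company has registered

# (host, DNS suffixes configured on it) -- constructed sample inventory
INVENTORY = [
    ("LAPTOP-01", ["corp.com"]),
    ("LAPTOP-02", ["ad.example-widgets.com", "example-widgets.com"]),
    ("SRV-03", ["corp", "hq.corp.com"]),
    ("LAPTOP-04", ["EXAMPLE-WIDGETS.COM."]),
]


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_owned(suffix, owned):
    """True if suffix equals an owned domain or is a subdomain of one."""
    labels = normalize(suffix).split(".")
    # Walk every parent name: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in owned for i in range(len(labels)))


def audit(inventory, owned):
    """Return (host, suffix, reason) for every suffix the company does not control."""
    owned = {normalize(d) for d in owned}
    findings = []
    for host, suffixes in inventory:
        for raw in suffixes:
            suffix = normalize(raw)
            if "." not in suffix:
                findings.append((host, suffix, "single-label name, not anchored to a registered domain"))
            elif not is_owned(suffix, owned):
                findings.append((host, suffix, "not under a domain the company owns"))
    return findings


if __name__ == "__main__":
    for host, suffix, reason in audit(INVENTORY, OWNED_DOMAINS):
        print(f"{host}: {suffix}: {reason}")
```

Any host it reports would, once off the corporate LAN, look up names under a domain that someone else could register or already owns.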
No one does anything, and O’Connor gets rid of the problem
But did no one take action? Well, Microsoft released several software updates that partially alleviated the problem, but few companies took advantage of the solutions that these updates enabled.
And they did not do so mainly because they considered it unaffordable to take down their entire Active Directory network for as long as it would take to implement the necessary changes, because doing so would slow down or freeze applications necessary for their daily operations.
O’Connor explained in February that he viewed the domain as a “dumping ground for chemical waste” and that he did not want to “bequeath it to his children and have them carry it.” He also expressed his frustration that “the good guys” didn’t seem to care, which could cause “corp.com” to fall into the hands of cybercriminals.
The “good guys” were, of course, the heads of Microsoft, who O’Connor hoped would be willing to bid on the domain, whose starting price was $1.7 million.
Microsoft takes action on the matter
But Microsoft did care about the problem: A year earlier, a study by cybersecurity expert Jeff Schmidt with funding from the US Department of Homeland Security had revealed that over 375,000 Windows computers had attempted to send sensitive information to the corp.com domain, including login details.
So, two months later, O’Connor has disposed of his particular “garbage dump” … after Microsoft acquired it. According to a company statement (which has not disclosed the acquisition price):
“To help keep systems protected, we encourage our customers to adopt certain security best practices when planning internal domain and network names.
We already launched a security notice about it in June 2009 and, based on this ongoing commitment to customer safety, we have also now acquired the Corp.com domain.”