Privacy Security

Dell Lost Control of Key Customer Support Domain for a Month in 2017 (krebsonsecurity.com) 73

Brian Krebs reports: A web site set up by PC maker Dell to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned. There is a program installed on virtually all Dell computers called "Dell Backup and Recovery Application." It's designed to help customers restore their data and computers to their pristine, factory default state should a problem occur with the device. That backup and recovery program periodically checks a rather catchy domain name -- DellBackupandRecoveryCloudStorage.com -- which until recently was central to PC maker Dell's customer data backup, recovery and cloud storage solutions. Sometime this summer, DellBackupandRecoveryCloudStorage.com was suddenly snatched away from a longtime Dell contractor for a month and exposed to some questionable content. More worryingly, there are signs the domain may have been pushing malware before Dell's contractor regained control over it.
This discussion has been archived. No new comments can be posted.

  • by Nutria ( 679911 ) on Wednesday October 25, 2017 @09:43AM (#55429791)

    I've got to wonder if the Internet has caused a *lot* more problems than it's solved.

    • by Anonymous Coward

      I've wondered the same. The Internet was supposed to bring a period of human enlightenment and help people become more educated (thus better people). Instead we now have a huge mass of falsely educated people, more than ever before, which is worse than not being educated at all.

      • by Sloppy ( 14984 )

        we now have a huge mass of falsely educated people, more than ever before, which is worse than not being educated at all.

        Wait.. is it worse for them or is it worse for you? I think these people are happier than they used to be. The Internet has removed a lot of tedium and difficulty from my life. How about yours?

    • by sjbe ( 173966 ) on Wednesday October 25, 2017 @10:19AM (#55429981)

      I've got to wonder if the Internet has caused a *lot* more problems than it's solved.

      Let me put your mind at ease. The internet has caused new problems to be sure but it has resolved even more old ones. I'm old enough that I pre-date the internet in anything remotely resembling its current form and I pre-date the world wide web by multiple decades. I can assure you that the Good Old Days weren't all that good and that the internet has solved substantially more problems than it has caused. Nothing is perfect and people are still just as incompetent as they ever were but that doesn't mean the technology is a bad thing.

      • by Nutria ( 679911 )

        I also predate the Internet by multiple decades (the TRS-80 Model 1 Level 1 was the computer I learned to program on, and was entranced by them back when Radio Shack was still mostly radios and electronic parts).

    • People aren't incompetent. Corporations are incompetent. Procedures and strict controls lead to incompetence.

      I used to criticise "people" until I myself let a critical license go overdue (not a domain name, but a government license). I knew the renewal was coming. After I didn't receive the renewal notice (it was routed to the wrong department in our company and bounced around for 6 weeks) I with plenty of time to spare paid it anyway based on a web invoice. But since there was no paper to track the payment

      • Your company needs to find a way to cut through the silos. Too many compartments all unaware of each other.
        • We're all aware, we just don't interlink.
          And yes we do. I think every country in the Fortune 500 needs to. These problems have existed in every multinational I've worked for, and when joking about it I've heard the same stories from people at others too.

          Mind you the fact I also find a relevant Dilbert cartoon to describe pretty much every single one of my workplace interactions isn't a good sign either :-)

    • by jep77 ( 1357465 )

      It sure has created a lot of jobs though. I wonder where we'd all be working if the internet hadn't cocked things up so badly.

      • by Nutria ( 679911 )

        It sure has created a lot of jobs though.

        Or has it just created different jobs?

        I wonder where we'd all be working if the internet hadn't cocked things up so badly.

        Being disabled and working from home, things would definitely be more inconvenient for me.

  • by XanC ( 644172 ) on Wednesday October 25, 2017 @09:46AM (#55429811)

    Why not just have everything off of dell.com? Wouldn't that make more sense AND be easier to manage?

    • by guruevi ( 827432 ) on Wednesday October 25, 2017 @09:56AM (#55429873)

      In large corporations it's often easier to register a new domain than go through the hoops of getting a subdomain approved.

      Where I work, it takes me $8 and a half hour work to get a domain but it can easily take me 6 work hours across 2-4 weeks to get a subdomain.

      • by ledow ( 319597 ) on Wednesday October 25, 2017 @10:14AM (#55429961) Homepage

        Precisely because any idiot can register a domain with dell in the title, but to get an authorised subdomain.dell.com goes through a verification process and is immediately and obviously representative of Dell as a corporation.

        This is the exact point, I think, and what you WANT to be doing.

        I've gone to great lengths to remove all the old crappy domains that my workplaces insisted on buying up, or using for one-off events, and pushing everything under subdomains. To the point that "drive.domain.com" is actually our Google Drive link (so it automatically knows to sign you in with that domain account rather than your personal GMail, etc.).

        Literally any idiot on the planet can register a domain with your name in. Chasing and pre-registering such - unless you hold a trademark that you need to enforce - is almost impossible, and an endless game of new TLDs and tricks (e.g. "fordsucks.com") make it a no-win game.

        Buy one domain. Put everything on it. Hell, buy two so you have a backup (e.g. companyname.com, companyname.countrycode) and can quickly tell people "don't use the .com, use the local domain for now until we're back up, as it points to our secondary systems and always has."

        But myriad pseudo-related domain names that you forget about while they're running business-critical systems with live user data and the expectation that you'll own them forever is a really stupid idea. And... technically... who owns those domains? Did you register the correct contacts, could you take it over if you wanted? What about the DNS, does it actually go to your company's DNS or does it bounce via yours thus leaving the company in a fragile position should you leave or want to snoop data (e.g. SSL is reliant on DNS being authoritative)? Do those domains have the company SPF fields? Are they included in the main mail domain's SPF record? DKIM? SSL certificate? There are no end of reasons to actively block such ad hoc registration in preference to FORCING YOU to jump through the hoops.

        "An easy life" and "security" are often polar opposites.
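
The questions ledow's comment asks of every extra domain (is it a separate registration, when does it lapse, who is the registrant, whose DNS serves it, does it publish SPF) can be run as a check over a domain inventory. This is an added example, not part of the original thread; the inventory rows, field names, dates and the example.com / contractor.test names are constructed assumptions.

```python
from datetime import date

PRIMARY = "example.com"             # assumed corporate apex domain
CORP_NS_SUFFIX = ".ns.example.com"  # assumed suffix of company-run nameservers

# Constructed inventory rows, as might be merged from registrar and DNS exports.
INVENTORY = [
    {"domain": "backup.example.com", "expires": None, "registrant": None,
     "nameservers": ["a.ns.example.com", "b.ns.example.com"],
     "spf": "v=spf1 include:_spf.example.com -all"},
    {"domain": "examplebackupcloud.com", "expires": date(2017, 6, 20),
     "registrant": "admin@contractor.test",
     "nameservers": ["ns1.contractor.test"], "spf": None},
]

def audit(rec, today, warn_days=60):
    """Return the hygiene findings for one inventory row."""
    findings = []
    name = rec["domain"]
    under_primary = name == PRIMARY or name.endswith("." + PRIMARY)
    if not under_primary:
        # Registration, expiry and contact checks only apply to separate domains.
        findings.append("separately registered, not under " + PRIMARY)
        if rec["expires"] is None:
            findings.append("expiry date unknown")
        else:
            left = (rec["expires"] - today).days
            if left < 0:
                findings.append("registration lapsed %d days ago" % -left)
            elif left <= warn_days:
                findings.append("registration expires in %d days" % left)
        if not (rec["registrant"] or "").endswith("@" + PRIMARY):
            findings.append("registrant contact is not a company address")
    if not all(ns.endswith(CORP_NS_SUFFIX) for ns in rec["nameservers"]):
        findings.append("DNS served by nameservers the company does not run")
    if not (rec["spf"] or "").startswith("v=spf1"):
        findings.append("no SPF record published")
    return findings

def audit_all(inventory, today):
    """Map each domain to its findings (empty list means nothing to fix)."""
    return {rec["domain"]: audit(rec, today) for rec in inventory}

if __name__ == "__main__":
    for domain, findings in audit_all(INVENTORY, date(2017, 6, 1)).items():
        print(domain, findings or "ok")
```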

        • Comment removed based on user account deletion
        • by guruevi ( 827432 )

          Anyone suggesting "security" as a reason to use an official domain/subdomain should not be in security and you end up with cases exactly like this. You can't even guarantee that people WITHIN the organization have company.com resolve to the "authentic" addresses, let alone those outside.

          Whether or not you use live customer data on any particular domain is inconsequential, the data does not move ownership if the domain registration changes.

      • In large corporations it's often easier to register a new domain than go through the hoops of getting a subdomain approved.

        So what? That doesn't make registering a new domain a good idea. I could register a new domain with your company name in it. So could anyone else. It's FAR more difficult for anyone to spoof the subdomain of dell, especially for something as important as system updates and tech support. Seriously, doing what you suggest in a large company is a really really bad idea.

        Where I work, it takes me $8 and a half hour work to get a domain but it can easily take me 6 work hours across 2-4 weeks to get a subdomain.

        Again, so what? I'm sure there are all kinds of idiotic things you can do that are less hassle than going through official channels. Whi

        • by guruevi ( 827432 )

          Explain why is it so 'dangerously stupid'. DNS is no part of any security model, if yours is, then I would fire you in a heartbeat.

          • Explain why is it so 'dangerously stupid'. DNS is no part of any security model, if yours is, then I would fire you in a heartbeat.

            It's about preventing easy opportunities for scams and reducing the attack surface [wikipedia.org]. You are very incorrect that DNS isn't a part of the threat model. Misleading domain names are routinely used in various forms of cyber attacks, particularly phishing attacks.

            It's dangerously stupid because if you don't go through the primary domain that is well understood to be the company in question (Dell in this case) then it becomes ridiculously easy for people with less than honorable intentions to mislead customers. If

            • by guruevi ( 827432 )

              This is about software update service, not about a website, if you are designing the system to work over the Internet, you should never trust that in any particular environment any particular domain is legitimate.

              It's not even guaranteed that all subdomains or even all pages on Dell.com are owned by Dell Corp, through JavaScript injection or simply taking over a web server, you could host malware on the main domain. You could also have a hostile DNS resolver in your network redirect Dell.com anywhere the at

    • by crow ( 16139 ) on Wednesday October 25, 2017 @09:58AM (#55429887) Homepage Journal

      As a Dell employee, I couldn't agree more. We're heading into open enrollment right now for next year's benefits, and there are a bunch of web sites that we use for various parts of it, and while they all have "dell" in the domain name, none of them are subdomains off of dell.com. It's crazy.

      And this after the security training where we were told to watch out for suspicious domain names.

      I suspect the reason is that they keep everything under dell.com controlled by Dell directly, so anything contracted to an outside vendor needs its own domain. But at the very least, they should set up for all the valid domains a redirect from subdomain.dell.com to subdomaindell.com so they could still advertise a professional-looking domain.

      • Re: (Score:3, Insightful)

        by ctilsie242 ( 4841247 )

        I know this isn't possible, but maybe businesses should have a separate domain that they can federate out to contractors. For example, keep dell.com for core stuff, then have a second domain, dellstuff.com that Dell could hand contractors foo.dellstuff.com, bar.dellstuff.com, etc. This way, if bar.dellstuff.com has issues, it is obvious who the contractor is, and there isn't a need to keep adding new domains. This way, if it doesn't come from dell.com or dellstuff.com, it is almost certainly a fake.

      • by antdude ( 79039 )

        I saw this with big named security companies too in the past. People brought this issue up too! I bet they still do that. :(

    • by robmv ( 855035 )

      When you hire awful subcontractors (like the evidence points in this case), you don't want those people putting files (JavaScript for example) on your own domain and later be a victim of some kind of XSS (or related) vulnerability on your site. It is like using another domain for user generated content, in this case the user generated content is the subcontractor output.

  • At Dell they don't know anything about subdomain delegation. Do they?

  • A good setup would verify the authenticity of the service before installing any software.

    Any WiFi hotspot these days can pretend to be "your website".

    The thing is that these schemes are even built-in to most webservers these days, you need to be truly incompetent not to know about and implement them.

  • by ledow ( 319597 ) on Wednesday October 25, 2017 @10:05AM (#55429913) Homepage

    This annoys me.

    Why not "backupandrecoverywhateveryouwant.dell.com" as the business-critical bit of it (hard-coded into software, etc.) and then if you REALLY need to, make www.ridiculousdomainnamehere.com just resolve to that subdomain.

    Then nobody is going to let dell.com expire (you would hope), if they do, the service will still work as expected and not be subject to compromise, and worse that happens if you have to tell customers to update their bookmarks if there was some user-focused web element on that domain (but, hey, without the secured login to the dell.com subdomain, it wouldn't matter right?).

  • Dell uses a lot of cheap contractors or ones that just sub out stuff to others.

  • Dell is (still) a massive H1B shop. I'm surprised they even got the domain registered at all. Perhaps Tata, Wipro, or Cognizant can help the poor beset millionaire C-level pukes figure it out.
  • by JoeyRox ( 2711699 ) on Wednesday October 25, 2017 @10:21AM (#55429999)
    The caller knows my name, address, phone number, and which Dell system I purchased. Dell's corporate security is non-existent.
    • Did you buy direct from Dell? TFA mentions such scams, including that the scammers know the service tags of the systems they're calling about. I ask because I suppose it's possible that a re-seller may have been breached, though it makes a lot more sense that it would be Dell itself.

      When did you buy the system and when did you start receiving the calls? If you bought the system recently, that suggests a recent or ongoing breach. If you bought the system a year ago and received the first call six months ago
  • by Burdell ( 228580 ) on Wednesday October 25, 2017 @10:23AM (#55430007)

    The big reason a company wouldn't want to allow contractors and other miscellaneous sites under a subdomain of the main domain is how browsers treat domains. Cookie access, cross-site scripting, etc. could all be problems, unless you change the main website to also act under a subdomain, and make sure everything is restricted properly.
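
How browsers scope cookies, which is the concern Burdell's comment raises, modelled on RFC 6265 domain matching. This is an added example, not part of the original thread; the function names and the example.com hosts are assumptions, and the model assumes the Domain value is not a public suffix.

```python
def domain_match(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching (hostnames only, no IP literals)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def accept_set_cookie(setting_host, name, domain_attr=None):
    """Model the browser's storage decision; return the stored cookie or None.
    Secure/Path handling is left out; only the Domain rules are modelled."""
    if domain_attr is None:
        # No Domain attribute: host-only cookie, bound to the exact setting host.
        return {"name": name, "domain": setting_host.lower(), "host_only": True}
    if name.startswith("__Host-"):
        return None  # __Host- cookies may not carry a Domain attribute
    if not domain_match(setting_host, domain_attr):
        return None  # a host cannot set cookies for a domain it is not under
    return {"name": name, "domain": domain_attr.lower().lstrip("."),
            "host_only": False}

def sent_to(cookie, request_host):
    """Would the browser attach this stored cookie to a request for request_host?"""
    if cookie["host_only"]:
        return request_host.lower() == cookie["domain"]
    return domain_match(request_host, cookie["domain"])

def demo():
    """Constructed hosts: main site on www, contractor on a sibling subdomain."""
    wide = accept_set_cookie("www.example.com", "session", "example.com")
    narrow = accept_set_cookie("www.example.com", "session")
    planted = accept_set_cookie("contractor.example.com", "session", "example.com")
    return {
        # Domain=example.com session cookie is visible to the contractor's host.
        "wide_cookie_reaches_contractor": sent_to(wide, "contractor.example.com"),
        # Host-only cookie stays on www.example.com.
        "host_only_reaches_contractor": sent_to(narrow, "contractor.example.com"),
        # The contractor's host can set a cookie the main site will receive.
        "contractor_cookie_reaches_main": sent_to(planted, "www.example.com"),
        # A __Host- name blocks that, and a separate domain cannot do it at all.
        "host_prefix_with_domain_stored": accept_set_cookie(
            "contractor.example.com", "__Host-session", "example.com") is not None,
        "separate_domain_can_set": accept_set_cookie(
            "www.examplevendor.com", "session", "example.com") is not None,
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```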

    • The big reason a company wouldn't want to allow contractors and other miscellaneous sites under a subdomain of the main domain is how browsers treat domains. Cookie access, cross-site scripting, etc. could all be problems, unless you change the main website to also act under a subdomain, and make sure everything is restricted properly.

      So your argument is that one of the largest tech companies in the world can't handle cookies properly? Ummm, if that is actually true then nobody should ever buy their products again. Dell is a huge company and they have more than enough heft to force vendors to conform to reasonable security standards and work with their network properly. Vendors who can't handle this probably shouldn't be utilized.

  • At this point in time, is it just easier to list the assets on the Internet that haven't been compromised?
    Seriously, I'm beginning to think that the Internet died years ago, and this is just Zombie Internet, and the corpse has just been running on inertia this whole time and will sooner or later grind to a halt and become DEAD-dead instead of UNdead.
  • When a large, ongoing corporation in tech has part of its infrastructure for customer support compromised in this way, it reinforces my conviction to never do any home automation that requires an external server to work.

    Microsoft/Walmart had the music service based on "Plays for Sure" go dark. Nest disabled its hub. My kids used to play a game with a usb device (similar to Skylanders) that connected to a game server. Philips stopped working with 3rd party equipment. When the company controlling the hom
