Microsoft calls blockchain domains ‘the next big threat’

“The next big threat” is how Microsoft’s latest annual security report characterizes domain names written in a distributed ledger maintained on a constellation of computers instead of being stored in a traditional centralized registry.

Storing domain names on a blockchain can make them difficult to shut down or even to trace their owners. It also makes them inaccessible without software or special settings.

“In recent years, we have observed blockchain domains embedded in cybercrime infrastructure and operations,” the report says, nodding to Microsoft’s experience last spring disrupting a botnet called Necurs.

This botnet used a domain generation algorithm to create new hosts in bulk, including under the top level domain of the .bit blockchain, leaving them unable to be controlled as a .com domain or other compliant domain. standards.

The potential for abuse has led a group called OpenNIC, which promotes alternatives to the traditional domain name system, to vote in 2019 to block the .bit domain for fear that the organization will be “directly responsible for creating the. a whole new class of malware “.

The Microsoft report adds, “This trend of threats using blockchain domains as an infrastructure with the means to create an indisputable criminal network needs to be taken seriously.

I can’t stop them

Among supporters of a decentralized internet, you’ll see a common response to the criticism that blockchain domains cannot be deleted: Yes, that’s correct.

As the sales pitch on the homepage of a blockchain domain registrar, Unstoppable Domains, reads: “Unlike traditional domains, Unstoppable domains are fully owned and controlled by the user with no cost of ownership. renewal (you buy it once, you own it for life)!). “

He cites one-time registration fees ranging from $ 20 to $ 100 under top-level domains such as .crypto, .wallet, .coin, .888, and .x, although costs can increase significantly for shorter domains. and more memorable. For example, potomacriver.x would cost $ 100 compared to $ 7,500 for potomac.x.

By email, Unstoppable Domains CEO Matthew Gould dismissed the idea that his San Francisco-based company was an irresponsible player. He noted the company’s brand compliance policies (his site would not allow me to start registering fastcompany.x, showing this domain as “protected”) and its measures to screen applicants.

“We have also prevented the registration of domains associated with known pirating software or other types of IP theft and fraud,” he wrote, adding that Unstoppable can even take back a domain if the registrants place it with their custodian instead of transferring it to their own cryptocurrency wallet – the first option being an easier route that around 75% of registrants take today.

Gould also dismissed the idea that blockchain domains were optimized for malware, laughing that they would instead increase confidence in cryptocurrency transactions.

“Anonymous users want to generate new addresses every time because that’s the best practice,” he wrote. “Domains create a unique and memorable endpoint that makes crypto payments less anonymous.”

Microsoft declined to expand on the report’s findings.

Special browser required

Sean Gallagher, senior threat researcher for research firm Sophos, wrote in an email that although blockchain domains have been used for malware, their need for custom routing made them an ineffective option for such attacks. , because malware cannot spread through a variety of garden. web browsers that do not support domains. He also noted that blockchain domains offer less privacy than Tor, the masked routing system used to evade many censorship regimes: “They don’t offer anonymity of the destination.”

The easiest way to direct you to a blockchain domain, such as brad.crypto, the web space of Unstoppable Domains co-founder Bradley Kam, is to use one of the few browsers that already support that namespace. , such as Chrome, optimized for privacy. Courageous. Type brad.crypto into Brave’s address bar, click to accept blockchain routing, and you should see Kam’s NFT (non-fungible token) artwork gallery.

Kevin Werbach, a professor at the Wharton School at the University of Pennsylvania, who noted that he had just registered kwerb.eth (this suffix refers to another blockchain domain system, the Ethereum Name Service), said that he doubted browser support for blockchain domains would expand at any time. soon.

“Google, Apple and Microsoft will not provide native support without being comfortable with addressing these concerns,” he wrote. This will leave adoption dependent on people’s willingness to switch browsers, install browser extensions, or configure custom DNS settings, the latter two practices being the kind of tinkering sometimes overused for malware.

“DNS has security vulnerabilities that are in part due to its centralized structure, but putting domain names on a blockchain creates a new set of security risks,” Werbach added. “I don’t think we know enough to make categorical statements about the magnitude of the relative risks.”

The foam that prevails in the cryptocurrency and blockchain hype is giving rise to skepticism.

Mike Masnick, editor of Techdirt tech-policy blog and advocate for a more decentralized social internet, praised the potential of blockchain domains “to create both a different kind of incentive structure and one in which users can retain more control over their own information “.

But he then added that today the blockchain space is “almost entirely filled with profit-seeking mercenaries, which has some useful elements – in terms of funding and inducing certain behaviors, but has also the real potential to prioritize pure profit over society ”. benefit to. “

Masnick didn’t point out the parallels with today’s commercial social media. But why should he do it?

Previous ETL Systems to Showcase Genus 1U Modular Chassis at CABSAT 2021
Next Alec Baldwin Filming News: Breaking news as Rust's film crew expressed safety fears ahead of Halyna Hutchins death, report says

No Comment

Leave a reply

Your email address will not be published.