The exploitation of vulnerabilities specific to country-code top-level domain (ccTLD) registries has become an increasingly common problem, especially in relatively small markets around the world. A ccTLD is an internet domain registry generally used or reserved for a country, a sovereign state, or a dependent territory, such as .co.uk (for United Kingdom) or .fr (for France). This allows web sites to be associated with their specific country, territory or geographic location and it provides the foundation for internet experiences by ensuring people using the internet reach the services they expect. Today, over 300 country-code top-level domain name registries are responsible for servicing hundreds of millions of domain names worldwide.
Attacks on ccTLDs have far-reaching effects on private individuals, large and small companies, non-profits, and government organizations. Individuals attempting to reach certain web services may be redirected to inappropriate content where their computers can become infected by malware, putting their personal information at risk. Additionally, it is difficult for people to determine whether the problem is with the ccTLD or the organization that runs the service they are trying to reach. This often results in an erosion of confidence in online service providers when, in fact, they had nothing to do with the incident.
Today, at the information security RSA Conference in San Francisco, Scott Charney, Microsoft’s corporate vice president for Trustworthy Computing, announced during his keynote the availability of our new Microsoft Country-Code Top-Level Domain (ccTLD) Registry Security Assessment Service to help registry operators find and fix security vulnerabilities before they are exploited. The service is available now and is being made available at no charge to registry operators.
The Online Services Security and Compliance team (OSSC) that I lead is responsible for securing Microsoft’s cloud infrastructure and data centers that host over 200 cloud services for more than one billion customers, over 20 million businesses and 76 markets worldwide. We are pleased to be able to provide this service to the greater online community and share many of the lessons we have experienced in our own environment.
Microsoft’s History of Support for Country-Code Top-Level Domain Registries
The OSSC team works closely with industry groups such as the Internet Corporation for Assigned Names and Numbers (ICANN) that manages market domain name registries. Many of the companies that manage ccTLD registries are small organizations that may lack the resources to protect themselves from the constant onslaught of attacks. In the past three months, we observed several domain registry attacks that have occurred worldwide. Like the rest of the online community, Microsoft has also had to defend our web services against these types of attacks.
Microsoft has been working with industry peers to support and urge ccTLD operators to adopt important security practices. We have also participated in efforts to work with the ICANN community to provide more oversight in ensuring members adopt these practices. While both of these steps are positive for the industry, our new service is an effort to provide more support.
Microsoft’s Country-Code Top-Level Domain (ccTLD) Registry Security Assessment Service
Microsoft’s ccTLD Registry Security Assessment service is based on an existing internal program that we use to better protect our own web and online services. It provides scanning and reporting of security vulnerabilities of a ccTLD’s externally-facing web applications and servers. After requesting the security assessment service, ccTLDs will receive a vulnerability assessment report. If vulnerabilities are discovered, Microsoft will provide a consultation with guidance on how to remediate the problems. We will also provide periodic re-scanning to help ccTLDs continue to protect their domain registry services on an ongoing basis. Microsoft will also offer free secure development guidance and operations best practices that we employ in Microsoft’s own cloud environment.
The service is available to any top-level domain registries, including country-code top-level domain (ccTLD), generic top-level domain (gTLD) and sponsored top-level domain (sTLD).
How ccTLD Operators Can Receive the Service
If you own a domain registry and are seeking a solution to help identify vulnerabilities and receive guidance that may help to improve the security of your service, please visit: www.microsoft.com/cctldregsec to schedule an assessment.
Through programs and initiatives like these, we hope to help create a safer, more trusted online experience for everyone and support a dynamic environment for increasing the dialogue and sharing of best practices within our industry.