This is The Security Skeptic's Typepad Profile.
The Security Skeptic
Hilton Head Island, South Carolina, USA
Dave Piscitello is a 40-year networking and Internet veteran who now focuses on Internet security. The opinions expressed here are my own and do not necessarily represent the opinions of Interisle Consulting Group.
Interests: Fitness & free weights, historical fiction, cooking, gardening, inclusive society, unintended consequences of commoditizing technology without consideration of privacy or security.
Recent Activity
My Interisle colleagues, together with Greg Aaron, have completed an in-depth analysis of the effects of ICANN policy for WHOIS, a public lookup service that has until recently made it possible to identify who registered and controls a domain name. The European Union’s General Data Protection Regulation (GDPR), which took effect in May 2018, restricted the publication of personally identifiable data in WHOIS. In response, the Internet Corporation for Assigned Names and Numbers (ICANN) established a new policy allowing registrars and registry operators to redact (withhold) personally identifiable data from publication in WHOIS. The implementation of this policy has been widely criticized,...
Posted Jan 25, 2021 at The Security Skeptic
My colleagues Greg Aaron, Dr. Colin Strutt, Lyman Chapin and I have published a new research report, Phishing Landscape 2020: A Study of the Scope and Distribution of Phishing. The report can be found at Our goal in this study was to capture and analyze a large set of information about phishing attacks, to better understand how much phishing is taking place and where it is taking place, and to see if the data suggests better ways to fight phishing. We studied where phishers are getting the resources they need to perpetrate their crimes: where they obtain domain...
Posted Oct 13, 2020 at The Security Skeptic
I attended (remotely) a Council of Europe cybercrime webinar on the impact of COVID on cybercrime last week. One of the most disturbing criminal activities discussed was the rise in reports of online predation. The National Center for Missing and Exploited Children (NCMEC) received 4.2 million reports in April 2020. That’s up 2 million from March 2020 and nearly 3 million from April 2019 (Forbes, 9 May 2020). This is not surprising, since nearly everyone who is connected is spending more time on the Internet, but it's still terrifying. Look to the many government agencies that have parental guidelines to...
Posted May 26, 2020 at The Security Skeptic
My Interisle partners and colleague Greg Aaron have published a detailed study that measures the effectiveness and impact of ICANN's registration data access policies and procedures. This study reveals widespread problems with access to, and the reliability of, domain name registration data systems (WHOIS). These failures have real-life security implications, which are being seen in the current wave of cybercrime accompanying the COVID-19 pandemic. In our Press Release I make the comment that, “The COVID-19 pandemic has led to a recent explosion of cybercrime, with thousands of new domain names using terms like ‘covid’ or ‘corona’ being used to perpetrate...
Posted Mar 31, 2020 at The Security Skeptic
Microsoft and partners from 35 countries recently took action to dismantle the Necurs spam infrastructure. Microsoft's post calls Necurs a botnet but provides details that illustrate how much more than a botnet Necurs is: the Necurs infrastructure served as a delivery platform for spam, cryptomining and DDoS attacks. The spam campaigns carried stock scams, fake pharma, Russian dating scams, malware and ransomware. The Necurs operators leased services to other criminal actors to perpetrate these attacks. These are characteristics that the Council of Europe's Convention on Cybercrime identifies as criminal activities in its Guidance Notes on Spam. Many of...
Posted Mar 17, 2020 at The Security Skeptic
My Interisle Consulting Group colleague Dr. Colin Strutt and I have published a report, Criminal Abuse of Domain Names: Bulk Registration and Contact Information Access. In this report, we study "bulk registration misuse" by criminal actors. Bulk registration refers to the practice of rapidly acquiring domain names, using them in an attack, and abandoning them as if they were throw-away ("burner") phones. These domains are a critical resource for cyber criminals. We use reputation block list (RBL) data to reveal how the use of bulk registrations, coupled with the crippling of registration data access by the ICANN Temp Spec...
Posted Oct 18, 2019 at The Security Skeptic
The ICANN organization has published a memorandum that describes its Readiness to Support Future Rounds of New gTLDs. The last time I looked, new TLD registrations from the 2012 round constituted around 12 percent of the total gTLD registrations. Despite the justifications most commonly cited for expansion (for example, "all the good names are taken"), COM, NET, and many country code TLDs continue to prosper and grow. We should ask, "What benefits other than brand- and geo-TLDs does ICANN use to justify this new round?" More importantly, what's the hurry, and has enough been done to study and rectify the...
Posted Sep 13, 2019 at The Security Skeptic
by John Adams. Regardless of the type of business, it is virtually inevitable that your business will be targeted by cyber-attackers. However, while nearly 81% of cyber-attacks occur to small and medium-sized businesses, 97% of these attacks are preventable with the help of outsourced cybersecurity services or by implementing recommended security practices and raising security awareness among employees. Businesses across the globe are ready to spend more on the security of their business against cybercriminals. According to research conducted by the research firm Cybersecurity Ventures, by 2021 the cost of cyber-crime will cross $6 trillion annually, worldwide. Most...
Posted Sep 5, 2019 at The Security Skeptic
After reading yet another round of complaints regarding the approvals process for ICANN's Centralize...
Posted Aug 13, 2019 at The Security Skeptic
In the aftermath of the adoption of the EU GDPR, ICANN’s policies for access to domain registration data (Whois) have created adverse consequences for investigations into terrorist activities, political influence campaigns and cybercrimes, creating serious threats to public safety. In this APWG monograph, I explain how Whois data is employed during preventative and forensic cyber investigations, and how ICANN’s interpretation of GDPR in particular delays development of programmatic, machine-driven responses that are widely used to maintain public safety and are vital to the long-term viability of the Internet as a governable domain.
Posted Jun 6, 2019 at The Security Skeptic
by Peter Cassidy, on behalf of APWG and APWG.EU. APWG.EU is holding its fourth annual Symposium on Global Cybersecurity Awareness in partnership with the European Commission and the Council of Europe (Convention on Cybercrime) on June 26 - 27, at the European Commission Representation Office in Bucharest, with the theme Considering Behavioral Interventions at Global Scale. The objectives of the Symposium, inaugurated by APWG.EU in 2016, are the establishment of global strategies for cybersecurity awareness development, and the cultivation of research, measurement tools and awareness assets deployed as instruments of cybercrime prevention regimens subject to...
Posted Apr 10, 2019 at The Security Skeptic
I recently had the opportunity to preview a documentary, Pioneers in Skirts, by Ashley and Lea-Ann Berst. The film is a character-driven documentary addressing how women and girls with pioneering ambitions combat bias and sexism in our culture. Through candid conversations with women who've encountered that bias and, most importantly, women who have overcome bias to succeed when circumstances conspire against them, the movie seeks to encourage cultures worldwide to adopt gender parity. I watched the documentary in a male-dominated ballroom during a recent security conference. It's real. I've raised a daughter to be a dreamer, to believe she can...
Posted Apr 8, 2019 at The Security Skeptic
Two independently conducted studies demonstrate that the onset of masking Whois contact data has had the direct, corresponding, and ongoing effect of reducing the number of blocklisted domains, dramatically undermining the efficiency of this and other security countermeasures.
Posted Mar 8, 2019 at The Security Skeptic
ICANN has released a January 2019 domain abuse report generated from the Domain Abuse Activity Repor...
Posted Feb 18, 2019 at The Security Skeptic
My friends at Spamhaus published a fine summary of several types of network hijacking attacks; see Network hijacking: the low down. In 2011 I wrote a series of posts, Internet address hijacking, spoofing and squatting attacks. That series explores attacks that exploit the Internet’s routing system in this manner. It also describes the motives for such attacks, classifies the attacks based on certain distinguishing characteristics, and suggests measures that can be taken to mitigate attacks of these kinds. Mine is a good complement to Spamhaus' assessment of the current hijacking landscape if you're interested in digging deeper....
Posted Jan 9, 2019 at The Security Skeptic
The Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) have collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s Temporary Specification for gTLD Registration Data has affected their access to and use of domain name registration information and their ability to mitigate abuse. I served as Principal Investigator for APWG and M3AAWG for this project, and received strong subject matter expertise support from both working groups. From our analysis of 327 survey responses we find that the changes to WHOIS access following ICANN’s implementation of the Temp Spec...
Posted Oct 20, 2018 at The Security Skeptic
I remain skeptical of all the Whois studies that I’ve reviewed (FTC, SSAC, ICANN), including studies where I was a party to the research. I’ll apologize for failing to contribute to a satisfactory Whois study. I’ll also admit that my understanding of how to study a problem scientifically has greatly expanded over the past ten years. A truly scientific Whois study must meet certain common criteria. The purpose should be clearly defined; in particular, the researchers or parties who commission the research should make certain that they are asking the right question. Before I raise anyone’s brows...
Posted Sep 12, 2018 at The Security Skeptic
One of the most memorable lyrics of For What It’s Worth (Buffalo Springfield, 1967) aptly describes the current condition of the post-GDPR debate over domain registration data access: "There’s battle lines being drawn… nobody’s right if everybody’s wrong." Cybersecurity and policy pundits are heatedly engaged over the impact of the EU General Data Protection Regulation (GDPR). Both sides have done a poor job of articulating the problem space, overlooking key aspects of the regulation and ICANN’s attempt to comply with GDPR in a Temporary Specification for Whois. As difficult as it is to engage in this discussion dispassionately, it’s both...
Posted Sep 6, 2018 at The Security Skeptic
Domain Incite reports that Famous Four Media’s portfolio of top-level domains is now under the control of Global Registry Services Ltd. The new company has promised to "abandon its failed penny-domain strategy and crack down on spam". Time will tell whether new ownership cleans up arguably the spammiest neighborhoods in the DNS. Famous Four's portfolio includes .loan, .win, .men, .bid, .stream, .review, .trade, .date, .party, .download, .science, .racing, .accountant, .faith, .webcam and .cricket. Historically, nearly all of these have at some point been egregiously spammy. How spammy? Check SURBL's Most Abused TLD list: .date, .loan, .men, .review, .stream and .trade currently...
Posted Aug 20, 2018 at The Security Skeptic
ICANN publishes the Domain Abuse Activity Reporting System (DAAR) methodology white paper and reviews. Reviews of the Domain Abuse Activity Reporting system (#DAAR) by Marcus Ranum and John Bambenek are now available, along with the initial draft of the DAAR Methodology white paper. Spoiler alert! Some excerpts from the reviews: "the DAAR system is a straightforward implementation of a good idea"; "The way DAAR is described is good; it is very neutral, informative, and non-threatening"; "having such a system to analyze abuse data at a per-capita level for TLDs and Registrars is exciting"; "The description is thorough and complete, so...
Posted Jul 26, 2018 at The Security Skeptic
Ransomware is malware used to extort money. Originally, criminals used ransomware to extract payments from individuals for the recovery of personal information. Today, cyberattackers extort payments from businesses for the recovery of sensitive information. No one is immune to ransomware. Criminals have extorted payments for the recovery of medical or personal data from healthcare providers and have locked guests out of their hotel rooms. Even industrial systems may prove to be vulnerable to ransomware. Early ransomware, called locker ransomware, prevented a victim from accessing a desktop or browser. Cyberattackers quickly evolved to a more sophisticated...
Posted Feb 21, 2018 at The Security Skeptic
Security administrators use firewalls, web proxies, or antispam gateways to block traffic sources that exhibit suspicious or known attack-pattern behaviors. Blocking individual IP addresses has been a staple defensive measure for years. Security system administrators have also blocked entire IP network allocations to mitigate attacks and, on rare occasions, they have blocked all of the addresses allocated to an ISP. Are enterprise and ISP email operators poised to apply similarly sweeping security measures to protect their organizations against perceived or reported domain name abuse by blocking TLDs to manage spam? Image by Waxy Dan. The Roles...
Posted Nov 15, 2017 at The Security Skeptic
About this time last year, I spoke at a cybersecurity conference in Krakow. I was asked during a video interview to identify the security threats that I believed were most pressing. (Ignore the suit...) Yes, I said spam. Not DDoS? Not ransomware? Not breach of personal data? Not IoT? Are you daft, Dave? No. My thinking has not changed a full year later. Spam is a criminal infrastructure enabler. Spam may have been merely annoying, unsolicited messages in your inbox at one time, but that was a millennium ago. The average spam volume reported to the Cisco Talos Email and Web...
Posted Nov 6, 2017 at The Security Skeptic
In my last post, What is Authorization and Access Control, I explained that we use authentication to verify identity, to prove you are who you claim to be, and also to enable an authorization policy, i.e., to define what your identity is allowed to "see and do". We then implement these authorization policies using security measures that grant or deny access to the resources we want to control or protect. The measures we use to implement authorization policies are called user access controls, but are also known as user permissions or user privileges. User access control is commonly used...
Posted Jun 12, 2017 at The Security Skeptic
You are probably familiar with the concept of authentication, the way that security systems challenge you to prove you are the customer, user, or employee who you claim to be, using a password, token, or other form of credential. You may be less familiar with the concept of authorization and the related term, access control. Authorization is a critical but often overlooked aspect of managing access to information and is no less important than authentication. Image by Martin Lewison. Authorization: Authentication verifies your identity, and authentication enables authorization. An authorization policy dictates what your identity is allowed to do. For example,...
Posted May 19, 2017 at The Security Skeptic
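The two posts above (What is Authorization and Access Control, and its follow-up on user access controls) draw the line between authentication (verifying who you are) and authorization (deciding what that verified identity may do). The following is an added example, not code from the original posts, that keeps the two steps separate in working Python: a password check with a salted PBKDF2 hash and a constant-time comparison, followed by a role-based policy plus an object-level ownership rule. The user store, the documents, the roles and the fixed salt are all constructed for the demo (a real system uses a random per-user salt); the point it makes is that a successfully authenticated user can still be refused, and that "authenticated" alone never means "authorized".

```python
"""Authentication and authorization as two distinct decisions (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Constructed demo salt. Real deployments store a random salt per user.
SALT = b"fixed-salt-for-demo-only"


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: a slow, salted hash so stolen stores resist offline guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: FrozenSet[str]


# Constructed user store: only salted hashes are kept, never the passwords.
USERS = {
    "alice": User("alice", SALT, _hash_password("correct horse", SALT), frozenset({"editor"})),
    "bob": User("bob", SALT, _hash_password("battery staple", SALT), frozenset({"viewer"})),
}

# Authorization policy: which actions each role may perform (constructed).
POLICY = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete"},
}

# Constructed resources with an owner, used for the object-level check.
DOCUMENTS = {
    "doc-1": {"owner": "alice"},
    "doc-2": {"owner": "bob"},
}


def authenticate(username: str, password: str) -> Optional[User]:
    """Step 1: verify identity. Returns the User on success, None otherwise."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so an unknown username costs about the same as a wrong password.
        _hash_password(password, SALT)
        return None
    candidate = _hash_password(password, user.salt)
    # compare_digest avoids leaking where the first mismatching byte is.
    return user if hmac.compare_digest(candidate, user.pw_hash) else None


def authorize(user: User, action: str, doc_id: str) -> bool:
    """Step 2: identity is already verified; decide what it may do to this object."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return False
    # Role check: union of the actions every held role permits.
    allowed = set().union(*(POLICY.get(role, set()) for role in user.roles))
    if action not in allowed:
        return False
    # Object-level check: mutating actions are limited to the owner or an admin,
    # so an editor cannot rewrite someone else's document just by guessing its id.
    if action in {"write", "delete"} and doc["owner"] != user.name and "admin" not in user.roles:
        return False
    return True


def request(username: str, password: str, action: str, doc_id: str) -> str:
    """Gate a request: authentication failure and authorization failure are reported differently."""
    user = authenticate(username, password)
    if user is None:
        return "401 unauthenticated"
    if not authorize(user, action, doc_id):
        return "403 forbidden"
    return "200 ok"


if __name__ == "__main__":
    for args in [("alice", "correct horse", "write", "doc-1"),
                 ("alice", "correct horse", "write", "doc-2"),
                 ("bob", "battery staple", "write", "doc-2"),
                 ("bob", "wrong", "read", "doc-2")]:
        print(args, "->", request(*args))
```

Alice authenticates and may write her own document, but her editor role does not let her write Bob's; Bob authenticates and may read, but his viewer role never grants write, even on his own document; a bad password stops at step 1 regardless of what was asked for.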