Two independently conducted studies demonstrate that the onset of masking Whois contact data has had the direct, corresponding, and ongoing effect of reducing the number of blocklisted domains, dramatically undermining the efficiency of this and other security countermeasures. Continue reading

ICANN has released a January 2019 domain abuse report generated from the Domain Abuse Activity Repor... Continue reading

My friends at Spamhaus published a fine summary of several types of network hijacking attacks, see Network hijacking: the low down. I wrote a series of posts, Internet address hijacking, spoofing and squatting attacks in 2011. This series of articles explores attacks that exploit the Internet’s routing system in this manner. The series also describes the motives for such attacks, classifies the attacks based on certain distinguishing characteristics, and suggests measures that can be taken to mitigate attacks of these kinds. Mine is a good complement to Spamhaus' assessment of the current hijacking landscape if you're interested in digging deeper.... Continue reading

The Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) have collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s Temporary Specification for gTLD Registration Data has affected their access and usage of domain name registration information and their ability to mitigate abuse. I served as Principal Investigator for APWG and M3AAWG for this project. I received strong subject matter expertise support from both working groups. From our analysis of 327 survey responses we find that the changes to WHOIS access following ICANN’s implementation of the Temp Spec... Continue reading

I remain skeptical of all the Whois studies that I’ve reviewed (FTC, SSAC, ICANN), including studies where I was a party to the research. I’ll apologize for failing to contribute to a satisfactory Whois study. I’ll also admit that my understanding of how to study a problem scientifically has greatly expanded over the past ten years. A truly scientific Whois study should meet scientific must meet certain common criteria. The purpose should be clearly defined; in particular, the researchers or parties who commission the research should make certain that they are asking the right question. Before I raise anyone’s brows... Continue reading

One of the most memorable lyrics of For What It’s Worth (Buffalo Springfield, 1967) aptly describes the current condition of the post-GDPR debate over domain registration data access: There’s battle lines being drawn… nobody’s right if everybody’s wrong. Cybersecurity and policy pundits are heatedly engaged over the impact of the EU General Data Protection Regulation (GDPR). Both sides have done a poor job of articulating the problem space, overlooking key aspects of the regulation and ICANN’s attempt to comply to GDPR in a Temporary Specification For Whois. As difficult as it is to engage in this discussion dispassionately, it’s both... Continue reading

Domain Incite reports that Famous Four Media’s portfolio of top-level domains is now under the control of Global Registry Services Ltd. The new company has promised to "abandon its failed penny-domain strategy and crack down on spam". Time will tell whether new ownership cleans up arguably the spammiest neighborhoods in the DNS. Famous Four's portfolio includes .loan, .win, .men, .bid, .stream, .review, .trade, .date, .party, .download, .science, .racing, .accountant, .faith, .webcam and .cricket. Historically, nearly all of these have at some point been egregiously spammy. How spammy? Check SURBL's Most Abused TLD list: .date, .loan, .men, .review, .stream, .trade currently... Continue reading

ICANN publishes the Domain Abuse Activity Reporting System (DAAR) methodology white paper and reviews... Reviews of the Domain Abuse Activity Reporting #DAAR by Marcus Ranum and John Bambenek are now available, along with the initial draft of the DAAR Methodology white paper. Spoiler Alert! Some excerpts from the reviews: "the DAAR system is a straightforward implementation of a good idea" " The way DAAR is described is good; it is very neutral, informative, and non-threatening." "having such a system to analyze abuse data at a per-capita level for TLDs and Registrars is exciting" "The description is thorough and complete, so... Continue reading

Ransomware is a cyberattack (a virus) that is used to extort money. Originally, criminals used ransomware to extract payments from individuals for the recovery of personal information. Today, cyberattackers extort payments from businesses for the recovery of sensitive information. No one is immune to ransomware. Criminals have extorted payments for the recovery of medical or personal data from healthcare providers and have locked guests out of their hotel rooms. Even industrial systems may prove to be vulnerable to ransomware. Early ransomware, called locker ransomware, prevented a victim from accessing a desktop or browser. Cyberattackers quickly evolved to a more sophisticated... Continue reading

Security administrators use firewalls, web proxies, or antispam gateways to block traffic sources that exhibit suspicious or known attack pattern behaviors. Blocking individual IP addresses has been a staple defensive measure for years. Security system administrators have also blocked entire IP network allocations to mitigate attacks and on rare occasions, they have blocked all of the addresses that have been allocated to an ISP. Are enterprise and ISP email operators poised to apply similarly sweeping security measures to protect their organizations against perceived or reported domain name abuse by blocking TLDs to manage spam? Image by Waxy Dan The Roles... Continue reading

About this time last year, I spoke at a Cybersecurity conference in Krakow. I was asked during a video interview to identify security threats that I believed were most pressing. (Ignore the suit...) Yes, I said spam. Not DDoS? Not ransomware? Not breach of personal data? Not IoT? Are you daft, Dave? No. My thinking has not changed a full year later. Spam is a criminal infrastructure enabler Spam may have been merely annoying, unsolicited messages in your inbox at one time, but that was a millennia ago. The average spam volume reported to the Cisco Talos Email and Web... Continue reading

In my last post, What is Authorization and Access Control, I explained that we use authentication to verify identity – to prove you are whom you claim to be – and also to enable an authorization policy, i.e., to define what your identity is allowed to "see and do". We then implement these authorization policies using security measures to grant or deny access to resources we want to control or protect. The measures we use to implement authorization policies are called user access controls, but are also known as user permissions or user privileges. User access control is commonly used... Continue reading

You are probably familiar with the concept of authentication, the way that security systems challenge you to prove you are the customer, user, or employee whom you claim to be, using a password, token, or other form of credential. You may be less familiar with the concept of authorization, and the related term, access control. Authorization is a critical but often overlooked aspect of managing access to information and no less important than authentication. Image by Martin Lewison Authorization Authentication verifies your identity and authentication enables authorization. An authorization policy dictates what your identity is allowed to do. For example,... Continue reading

By guest author Cristina Ion Improving cybersecurity is an expressed priority for virtually every cyber-enabled country. Actual investments in the IT security industry, however, remain greatly unequal from one region to another, from one country to another, or even from one industry sector to another. By comparison, the hacker community has shaped a burgeoning global industry of its own. While the infosec industry seems fragmented still, hackers have transformed their communities from guild-like organizations into a formidable, global industry with dedicated market places, a long-term vision and fixed objectives. Ironically, the modern day hacker resembles more resembles a cyber-businessman today... Continue reading

An earlier version of this post originally appeared at ICANN blog on 2 October 2015. Many years ago, your local telephone service offered you options. You could subscribe to a private line or you could subscribe to a more economical service that you would share with some of your neighbors. This shared service was called a party line. The shared configuration had two characteristics. If you wanted to place a call, you had to wait until the circuit was idle, i.e., you had to wait until all the other parties on the shared circuit weren’t also trying to place calls.... Continue reading

By guest author Cristina Ion Today, even the smallest company can generate huge sets of data. Fortunately, technology has kept pace with storage needs. With the dawn of Big Data, we are now able to store and analyze huge sets of digital information. What we must remember here is that, whereas this may appear to be a “Big Answer”, there is an even Bigger Question at stake. Big Data is not about exploring and finding new sources of information: it's more like modern day archaeology: it is about using newly found methods to collect and unveil information that is already... Continue reading

An earlier version of this post originally appeared at ICANN blog on 15 Sep 2015. Nearly every day, we see news stories or tweets that reveal another "cyber attack" against a well-known brand, bank or government agency are commonplace today. These are almost always characterized as sophisticated hacking schemes. Some are described as acts of hacktivism. In an effort to characterize certain attacks as the most sophisticated ever, one enthusiastic Wikipedia contributor uses the phrase advanced targeted computer hacking attack. However, the reality is that a cyber attack doesn't necessarily involve hacking, and a great many hacks have nothing to... Continue reading

Matthew Bryant's recent post, Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target, describes attacks against authoritative name servers. These are the name servers that host DNS records for your domain name (A, NS, MX, CNAME, TXT...) and thus the definitive or authoritative sources for resolution, i.e., they host the database that applications use to resolve host names such as your web site name to an Internet address. Name server hijack example Bryant's post describes scenarios where domain name resolution for an organization's domain name can be hijacked by an attacker. In one scenario, (a) an organization has... Continue reading

Andra Zaharia invited me to share my thoughts in her recent Heimdal Security blog, Is Internet Security A Losing Battle? Please read the other 30+ experts thoughts at Andra's blog. Here, I've complemented what I shared with Andra with some additional thoughts. To answer Andra's question directly, any battle that you engage on your enemy’s terms, with indefensible assets or limited offensive capabilities, and where your enemy’s risk and cost of attack is small is arguably a losing battle. However, I’m not certain that warfare remains the right analog for Internet security today. I'm convinced that it's wrong. I say... Continue reading

Image by Henrik Berggren This post originally appeared at ICANN blog on 15 Sep 2015. Nearly every day, we see news stories or tweets that reveal another "cyber attack" against a well-known brand, bank or government agency are commonplace today. These are almost always characterized as sophisticated hacking schemes. Some are described as acts of hacktivism. In an effort to characterize certain attacks as the most sophisticated ever, one enthusiastic Wikipedia contributor uses the phrase advanced targeted computer hacking attack. However, the reality is that a cyber attack doesn't necessarily involve hacking, and a great many hacks have nothing to... Continue reading

I was invited to speak at the Eastern European DNS Forum/UADOM on 1 December 2016 in a session on the Internet of Things (IoT). I followed A. Baranov's fine presentation about the promises and benefits of IoT with a presentation on IoT characteristics, challenges and threat landscape. I concluded the presentation asking, "is the past a prelude to the future?", explaining that if we don't learn from our past mistakes and haste to market decisions, the IoT cannot deliver all that we aspire it to be but instead may pose an Internet of Threats. I want to thank my ICANN... Continue reading

I was invited to speak at the Eastern European DNS Form/UADOM on 1 December 2016 in a session entitled Tackling cybercrime: challenges and roles. I described the many activities I and my fellow Identifier Systems Security Stability and Resiliency team engage in as part of our $dayjob, from threat awareness and preparedness, to subject matter expertise outreach and capability building (training). Great audience. Excellent question and answer session. Thank you to those who attended and participated so attentively and enthusiastically! To those who could not, view the presentation here. If you have questions, please ask! Continue reading

This post originally appeared at ICANN blog on 10 Aug 2015. Some of the most commonly used security terms are misunderstood or used as if they were synonymous. Certain of these security terms are so closely related that it's worth examining these together. Today, we'll look at several related terms – threat, vulnerability, and exploit – and learn how security professionals use these to assess or determine risk. Remember the Objective: Protect Assets The reason we put security measures in place is to protect assets. Assets are anything that we determine to have value. An asset's value can be tangible;... Continue reading

This post originally appeared at ICANN blog on 13 July 2015 Today, I'll explain two-factor authentication, how this improves the security of your online accounts or logins, and examples of where you'll find two-factor authentication in use today. Begin at the beginning: What is authentication? Authentication is a security term for demonstrating that you are who you claim to be. The formal language used to describe this activity is "verifying your identity". Throughout military history, sentries posted at a military encampment would challenge anyone who approached to say the password or watchword before admitting them to the camp. Today, we... Continue reading