Posted April 1st, 2011
As we are gearing up for major innovation in the domain space, questions of Internet security loom large.
Whois, DNSSEC and New gTLD issues were on the front burner at ICANN 40, so we sat down with Garth Bruen, Internet security expert and creator of Knujon, to discuss these topics and more.
NameSmash: What are the most pressing security issues facing the domain community?
Garth Bruen: A lack of consensus on how to pursue criminal and abusive elements. There is no shortage of tools or skilled investigators to find illicit players on the Internet. The really murky part is what happens after they are discovered. Sites are terminated and show up elsewhere, Registrars for a fee allow suspended domains to be transferred to another Registrar outside the United States, botnets move to new networks. Providers who repeatedly service criminal enterprises are rarely sanctioned. A snake will always be a snake, criminals will continue to exploit the Internet and this cannot really be controlled. It can only be managed at the provider level and right now it is fairly trivial to become an illicit service provider as an ISP, Registrar, reseller, web host, etc. Domain customers who are hijacked or ripped off have little recourse as ICANN “does not handle issues” of transactions with Registrars.
NameSmash: ICANN 40 had several security meetings. What were the top security concerns of the conference?
Garth Bruen: I was present at the DNS Abuse Session and arrived early. As the previous session wrapped up, a ceremony marking the assignment of the last IPv4 block, the front row was full of Registrars who vanished as the DNS Abuse session got started. With the exception of Go Daddy, the Registrars refused to participate in this session. Michael Moran of Interpol bluntly said WHOIS accuracy is a joke and that ICANN and the Registrars are not talking to him or helping, and he investigates the worst child exploitation on the planet. Here’s the world’s top child abuse cop calling out the Registrars for help and they just left the room (full transcript: http://svsf40.icann.org/meetings/siliconvalley2011/transcript-dns-abuse-14mar11-en.txt). If he can’t get help for the worst of the worst how are private abuse handlers like Knujon supposed to get Registrars to talk? And why won’t they talk or cooperate? Because there is a large amount of money at stake.
Spammers and illicit pharmacies buy thousands, even tens of thousands, of domain names; for some Registrars illicit traffic makes up a significant percentage of their portfolio, and a portion of all these domain sales fund ICANN. The Registrars with the largest number of illicit domains also pass the biggest chunks of money to ICANN in the form of accreditation fees. Demand Media for example has over 130 redundant accreditations for which they hand a Half-Million Dollars to ICANN each year for no obvious reason. This money is in addition to the normal domain and accreditation fees paid by Demand Media. In all, 5 Registrars give ICANN Two Million Dollars per year in voluntary, redundant fees. I asked about this during a policy session in Brussels and the Registrars and ICANN staff in the room declined to answer (full transcript: http://brussels38.icann.org/meetings/brussels2010/transcript-atlarge-registrars-23jun10-en.pdf). Anyone will tell you that the Registrars are in the driver’s seat at ICANN. As long as the Registrars are providing ICANN with this income, ICANN won’t lift a hand against them. I am hard pressed to find another industry where the regulatory body is funded by the parties it regulates. It’s a basic conflict of interest.
NameSmash: In your opinion, how effective is DNSSEC? What, if any, changes would you make to it?
Garth Bruen: It’s very important, but it is only one small piece of the problem. Even Steve Crocker, who has been a major driving force behind DNSSEC and involved in every detail, has stated that DNSSEC is only a small percentage of an entire package of measures that need to be installed.
NameSmash: What issues do you anticipate with New gTLDs and how will they be dealt with?
Garth Bruen: There are many predictions and anti-predictions on how successful they will be. ICANN seems to think it will open up the market and increase revenues but the extended set of current gTLDs have not produced the expected interest. DOTjobs is struggling and could be de-accredited, DOTcoop has captured only 6400 of the millions of Co-op associations in the world, DOTpro only recently passed 100,000 registrations, and there are plenty of people in the porn industry who do not want to use DOTxxx. The domain market in general is slowing. One ICANN staffer told me in confidence they think the domain market will collapse in the near future since most people turn to search engines and centralized portals to find information rather than go to specific domain names.
Intellectual property folks are concerned about brand names being hijacked as new gTLDs and governments are concerned about the dilution of the value of their ccTLDs. My concern is that new gTLDs can be used to create a completely unaccountable structure with policies that favor criminality and secrecy. This is not as far-fetched as it sounds as criminals have already hijacked some ccTLDs, become Registrars, and bought their own ISPs. A new gTLD operator could in theory block all WHOIS access, create illegal strings (strings with certain characters that trick browsers or divert traffic), and fail to respond to abuse reports or legal inquiry. In essence a new gTLD could become its own virtual “sovereign” nation.
The main problem is that ICANN has failed to handle compliance for the existing structure and has no plans to scale up to deal with a massively expanded Internet. ICANN does not properly vet its contracted parties so there is little expectation that a new gTLD operator will be thoroughly investigated before starting up. Once entrenched, getting rid of them is nearly impossible.
NameSmash: Can you tell us about Illicit Privacy Proxy WHOIS?
Garth Bruen: We are all concerned about privacy on the Internet and private persons should have an expectation of privacy. However, there has never been a privacy expectation for commercial entities, and there is a difference between privacy and secrecy. Many critics of a public WHOIS use the word “privacy” but are really talking about secrecy. A letter in the real world is a good example: while I expect the contents of a letter I send to remain private, the sender and receiver are on the “public” side of the envelope. If I send a threatening or fraudulent letter to someone the postal police should be able to track me down, which is why the post office generally will not accept letters without a return address. And to be sure, whenever I get a letter without a return address it is usually for a shady mortgage operation or some fake contest award.
Some will vaguely refer to “European Privacy” laws that prevent WHOIS access (usually not citing the actual law) and fail to recognize one cannot have secret ownership of a pharmacy or bank in Europe. People running completely illegal online businesses frequently cite “privacy laws” and it’s pure nonsense.
Privacy services exist for good reasons to protect individual domain owners or Girl Scout troop websites. Political dissident organizations, victim crisis and counseling centers, and the like have legitimate reasons to request privacy WHOIS, but these are the minority of domains using these services and are not found in our abuse or spam reports. The privacy protected WHOIS domains we see are mostly fake pharmacies or attack sites spreading malware. Phishing, money mule, money laundering, prostitution, child exploitation, and other illicit operations all rely on these services.
In a perfect world a Registrar should lift privacy services when there are clearly illicit transactions occurring, a legal dispute, or a violation of service terms, but frequently they do not. If you peruse the cases at WIPO.INT concerning cybersquatting you will find Registrars unilaterally refusing to cooperate on privacy registrations. The outcome of these proceedings is always the same: WIPO awards the domain transfer to the plaintiff brand owner because the non-responsive registrant defaults and the identity of the cybersquatter is never revealed and the Registrar is never sanctioned. It’s a farce. What has been found in some lawsuits against Registrars, as in the cases of OnlineNIC and DirectNIC, is that the “registrants” concealed by the privacy service are actually the Registrar or persons associated with the Registrar.
As we explained in our report (which supports other research), illicit use of privacy-proxy services far surpasses the general use. Secrecy is part and parcel to an illegal business, and this adds another layer investigators must break through, often only to discover the “real” WHOIS underneath is also obfuscated.
Registrars advertise privacy services as a way of avoiding spam and this is a myth. Spammers do not get addresses from WHOIS records; they scrape them off websites, hack into address books, randomly generate and/or buy them online. Spammers would have to know that WHOIS records would be a poor source of useful email addresses because they know: 1. WHOIS records are mostly forged, 2. domains are held by other spammers, 3. tech savvy domainers would not respond, and 4. corporate and bulk registrations would have redundant information.
NameSmash: What does the short-term future of domain security look like?
Garth Bruen: It will only improve if the community demands it. Registrars won’t spend a penny unless it is in their interest. Domain customers have to push them for better customer service which is a starting point for improved security. Right out of the gate so many Registrars have no contact information or bad contact information. This is a problem KnujOn has reported on multiple times and it continues to be an issue; registrants simply can’t locate or contact their Registrar when there is a problem.
One of ICANN’s biggest problems is malicious or unauthorized domain transfers. Domains are frequently moved without the owner’s knowledge and ICANN does not have a system for streamlining the complaints. Their staff spends hours manually handling these issues and Registrars who drop the ball are rarely punished. The system has failed the domain customer here. An initiative at ICANN to improve transfer problem handling would be a good step.
NameSmash: What advice would you give to readers on maintaining the security of their domains?
Garth Bruen: You cannot rely on your provider for monitoring and helping you. A domain owner needs to be proactive and check their site regularly, keep backups of all content. Last summer I found nearly 8 million web pages at university domains infected with pharmacy-related malware redirects. I’ve routinely found infections at Harvard and MIT that force browsers to fake pharmacies. These infections/intrusions are silent and rarely announce themselves. Domain owners need to test their own sites, proactively monitor the WHOIS record for changes, use strong passwords for access and KNOW their Registrar and ISP. Keep the provider contact information around like you would your credit card information so you’re not running around looking for it when something goes wrong. Brand owners need to proactively monitor cybersquatting. By the time someone reports a fake website or counterfeit sale to a brand owner it is usually way too late. Domain owners, business and personal, should join an ICANN constituency to represent them and get information.
About KnujOn: KnujOn is a “multi-tiered response to Internet threats, specifically email-based threats. The success of this project is based on the cooperative efforts of business, government, law enforcement, security professionals, consumers, and average citizens. Knujon is a meeting point for all parties who wish to make the Internet a safer place. This multi-purpose e-fraud tool has significantly reduced junk mail traffic to various users and on the Internet in general. As more networks begin using KnujOn, spam, phishing, and other threats will become issues of the past.”
To learn more about Knujon, please visit www.knujon.com