Why is .US Being Used to Phish So Many of Us? (1 September 2023)
Brian Krebs, reporting at KrebsOnSecurity, citing
Interisle's Phishing Landscape 2023 report,
noted that "domain names
ending in .US […] are among the most prevalent in phishing scams".
Krebs notes that .US is overseen by the National Telecommunications and Information Administration (NTIA), an executive branch agency of the U.S. Department of Commerce
and NTIA contracts out management of .US to GoDaddy. However, "In response to questions from KrebsOnSecurity, GoDaddy said all .US registrants must certify that they meet
the NTIA's nexus requirements. But this appears to be little more than an affirmative response that is already pre-selected for all new registrants."
Data from the Cybercrime Information Center show many examples of common brand names being
used in .US domain names that have been registered and subsequently identified in phishing attacks.
Collateral Damage from Freenom Phishing Attacks (12 April 2023)
Brian Krebs, reporting at KrebsOnSecurity, recently
reported that registry operator Freenom, after being sued by Meta,
halted domain registrations.
According to Krebs, Meta alleges the company ignores abuse complaints about phishing websites while monetizing traffic to those abusive domains.
Meta's actions come as no surprise to us. The Cybercrime Information Center has collected
phishing data since May 2020. Freenom's commercialized ccTLDs have repeatedly appeared among the TLDs with the most phishing domains and highest phishing scores.
In a post on the Cybercrime Information Center
we show that while the brands and individuals targeted by phishing attacks are the most obvious harmed parties, other parties such as hosting operators suffer collateral
damage from phishing attacks as well.
New TLDs are coming ... Eventually (16 March 2022)
In a recent blog post, New TLDs are coming #Dangerclose,
Dave Piscitello reacts to the impending next round of new Top-level Domains by explaining
how DNS abuse — or more correctly, cybercrimes that employ domain names — has flourished in the new TLD era. In the blog, Dave cites concerns by the DNS security community, including ICANN's own
security advisory committee, and abuse statistics reported by Interisle and ICANN. He then describes how ICANN has done little to address this problem.
Interisle weighs in on proposed rulemaking to address cybercrime (25 October 2021)
Interisle has submitted a comment in response to the US Department of Commerce's Advance notice of proposed rulemaking (ANPRM).
The ANPRM responds to Executive Order 13984 of January 19, 2021,
‘Taking Additional Steps to Address the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities’. The EO directs the US Commerce Secretary to implement measures to
“deter foreign malicious cyber actors' use of United States Infrastructure as a Service (IaaS) products and assist in the investigation of transactions involving foreign malicious cyber actors.”
Interisle has recommended that DNS hosting and registration services should be classified as IaaS. We explain how criminals use the DNS and how they register and weaponize thousands of domains
to perpetrate online crimes. We argue that the DNS is as much a critical infrastructure as the mobile and “hard-wired” networks that comprise the Internet.
In Fight Against COVID-19 Scam Sites, Lawmakers Push for Domain Name Ownership Records-and Some Pro-Privacy Advocates Agree (2 June 2020)
In this Morning Consult article, reporter Sam Sabin writes that
“lawmakers have begun taking the first steps to either provide relief for law enforcement and reopen the WHOIS database or hold domain name operators accountable to verifying the identities
of those who purchase web addresses themselves.” Her interviews with politicians, registrars, consumer advocates, and security experts—including Interisle's Dave Piscitello—reveal
broad support for better registration data access and stronger accountability for domain name registrants. “Too many domain name registrars and other internet companies are putting their
heads in the sand as cybercriminals and scammers try to exploit this pandemic by luring people to fraudulent coronavirus-related websites.”
Weaponizing Domain Names via Bulk Registration (31 March 2020)
In this guest blog post at The Spamhaus Project,
Dave Piscitello explains how criminals misuse domain names much in the same manner as terrorists misuse fertilizers to construct improvised explosive devices or as criminals divert pseudoephedrine
to the manufacture of methamphetamine. In all of these cases, a commodity serves as a tool in the pursuit of some malignant (criminal) activity. Domain industry parties will no doubt object to
such an extreme characterization, but cyber investigators can demonstrate on an almost daily basis that hundreds or thousands of domain names are registered specifically for cyber attacks.
Dave offers insights from Interisle's Criminal Abuse of Domain Names report and Spamhaus Project editor Sarah Miller
notes that the findings from that October 2019 report “emphasized the need for more stringent measures to be put in place within the domain name industry, something that the current COVID-19
pandemic is further highlighting.”
It's Not About the Internet (22 October 2019)
In the policy realm what we call “Internet issues” are not actually “Internet” issues—they are well-pedigreed social, political, cultural,
and economic issues, for which we clever technologists have provided a rich new environment in which to grow and multiply. It follows that the people best prepared
to tackle “Internet” issues may be thoughtful professionals in fields such as behavioral psychology, linguistics, sociology, education, history, ethnology,
and political science—not (exclusively) “Internet experts.” Interisle principal Lyman Chapin suggests a broadly interdisciplinary approach to what have
traditionally been considered “Internet” issues in an article that appears in the
50th Anniversary issue of the
ACM SIGCOMM Computer Communication Review.
Worth reading: "Moving the Encryption Policy Conversation Forward" (20 September 2019)
On September 10, the Encryption Working Group—convened under the auspices of the Carnegie Endowment for International Peace and Princeton University—issued a constructive
and wise report titled "Moving the Encryption Policy Conversation Forward".
This report directly addresses the increasingly heated debate over use of encryption technologies to protect privacy contrasted against the needs expressed by law enforcement
to be able to conduct criminal investigations and protect public safety. Instead of adding further heat to this on-going debate, the Encryption Working Group has wisely recommended
toning down the rhetoric, and instead focusing on problems where feasible solutions can be developed that resolve not just technical issues, but also conform to rational
policies and core principles. This offers a hopeful way forward where polarized debate can be replaced with constructive cooperation toward concrete results that would benefit
individuals and society at large. We hope this report is read by all players concerned with issues of privacy and legitimate access by law enforcement.
Exposing and Documenting Abusive Internet Behavior (29 April 2019)
Today's Internet is increasingly polluted by malware, phishing, scams, and other forms of abuse that degrade the online environment on which so much of our economic,
social, and political lives rely. These abuses erode user confidence and inflict serious harm on individuals and organizations in every part of the world. Countering
them is at the top of everyone's list. But accurate information about abusive behavior on the Internet is surprisingly hard to obtain. This frustrates efforts to protect
Internet users from abuse, and to change the environment in positive, lasting ways.
ICANN's Domain Abuse Activity Reporting (DAAR) project is a system for studying and reporting on abusive
behavior across top-level domain (TLD) registries and registrars. But DAAR reports only aggregated data on gTLD registries; it does not associate any metrics directly
with specific registries, does not include information about registrars, and omits ccTLDs entirely. As such it does not give organizations or individuals the information
they need to make decisions about how to safely and efficiently interact on the Internet. Achieving a safer Internet requires a trusted, neutral, public clearinghouse
to collect, publish, and persistently store information that categorizes and quantifies Internet identifier system behavior, which can be used to deploy security measures,
demonstrate the effectiveness of security or other administrative controls, inform policy makers, and conduct research.
Conservative abuse reporting throws new TLD program under the bus (19 February 2019)
ICANN has released a January 2019 domain abuse report
generated from the Domain Abuse Activity Reporting system (DAAR). DAAR is a system for studying
and reporting on domain name registration and security threat (domain abuse) behavior across top-level domain (TLD) registries and registrars.
It provides a distribution of domains identified as security threats and a breakdown of security threats by class for all new and legacy registries for which the
DAAR project can collect TLD zone data. But the report provides only aggregated summary statistics for TLDs, in pie-chart format; these “findings” are
misleading and do not represent actionable intelligence. The report also omits registrar information. By failing to be open and transparent about the high levels
of abuse in specific new TLDs and registrar portfolios, ICANN actively frustrates efforts to promote Universal Acceptance
of domain names and email addresses and calls future new TLD delegations into question.
Read Dave Piscitello's Security Skeptic blog post:
Conservative abuse reporting throws new TLD program under the bus.
APWG and M3AAWG Survey Finds ICANN WHOIS Changes Impede Cyber Investigations (20 October 2018)
Dave Piscitello's The Security Skeptic blog has a column focusing on how ICANN's "Temporary Specification for gTLD Registration Data" has affected access
to, and use of, domain name registration data by cyber investigators and anti-abuse service providers.
Read Dave's column
and follow Dave's Security Skeptic blog.
Regulating Internet Service As a Utility: The Devil, As Always, Is in the Details (4 February 2015)
On the heels of President Obama's call last November for the FCC to take a stronger regulatory position with respect to "net neutrality,"
FCC Chairman Tom Wheeler is expected to share a proposal with the other Commissioners tomorrow that will set up a vote 3 weeks later on
new rules for Title II regulation of "Internet service." What this means, however, is not clear from the way in which terms like
"net neutrality" and "Internet service" are used by reports in the popular press, such as this recent article in the New York Times:
In Net Neutrality Push, F.C.C. Is Expected to Propose Regulating Internet Service as a Utility (NYT 2/2/15)
"It is expected that the proposal will reclassify high-speed Internet service as a telecommunications service, instead of an information
service, under Title II of the Communications Act..."
The details are even more important than usual in this context, as Interisle's comments to the FCC
("Protecting and Promoting the Open Internet")
describe — in detail. Our conclusion is that "[s]ervice providers should be required to make the telecommunications layer
of their networks available to any requesting party on a common carrier basis, subject to Title II regulation, especially Sections
201, 202, 208, and 254." Read the full paper for a clear explanation of the issues.
The Internet Assigned Numbers Authority in Transition (15 December 2014)
The Internet Assigned Numbers Authority (IANA) has been responsible
for making and publishing the assignments of Internet names and numbers, including DNS domain names and Internet Protocol (IP)
addresses, for more than 40 years. The IANA functions are currently performed by the
Internet Corporation for Assigned Names and Numbers (ICANN) under a set
of agreements that includes a
contract
with the National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce.
On 14 March 2014, NTIA
announced
that it intended to end its oversight of the IANA functions, and asked ICANN
to launch a multistakeholder effort to propose a non-governmental alternative. As part of that effort,
ICANN's Security and Stability Advisory Committee (SSAC) has prepared and published a set of three Advisories:
SAC067, "Overview and History of the IANA Functions";
SAC068, "Report on the IANA Functions Contract";
and SAC069, "Maintaining the Security and Stability
of the IANA Functions Through the Stewardship Transition." Interisle partner and SSAC member Lyman Chapin co-authored all three Advisories.
Interisle Files Comments in FCC's Network Neutrality Docket (15 July 2014)
Read Interisle's Filing to the FCC
The Federal Communications Commission has been struggling to find a framework for, in its words, "Protecting and Promoting the Open Internet."
Most people simply refer to the topic by the tag line "network neutrality." But it's a much more complicated topic than most people realize,
and can't be solved by simple slogans. Nor, it seems, did the FCC itself have a good understanding of the problem when it framed its own questions.
Consequently, Interisle recommends a simple approach where the FCC treats all major subscriber access providers as common carriers that must
provide neutral transport for ISPs or others, and leave the Internet unregulated so that competition can flourish. This approach is consistent
with long-standing US telecommunications policy and existing laws.
The public Internet evolved out of private networks that had little need for security, were not open to the public, and relied more on policies
than technology to limit what they could be used for. The public Internet's business model and policies evolved in a competitive market that had
open entry into the ISP business. Customer-centric policies gave the illusion of neutrality, enforced by the customer's ability to change ISPs.
However, policy choices made by the FCC in the 2000-2005 time frame dramatically reduced ISP access to essential facilities, with the consequent
result that most independent ISPs have gone out of business. American consumers thus have a limited choice of one or two ISPs. This makes
discriminatory behavior by these dominant ISPs a more realistic threat, prompting public outcry.
While the FCC's proposed approach is to leave the cable/telephone duopoly in place and regulate all ISPs so that non-neutral behavior would have to be
"commercially reasonable," we propose an alternative approach. Interisle's Comment
calls for a layered approach where the underlying access networks between subscribers and ISPs, including DSL, cable, fiber, and cellular, should be
opened up as neutral common carrier transport services available to ISPs or others, while the Internet itself, including all activities from IP to
the application, should remain outside of common carrier regulation. This is essentially the model that worked prior to 2000 and which many other
parts of the world successfully adopted from the US, before the US changed course.
Ten years later—Why so little progress? (7 September 2011)
As the world marks the ten-year anniversary of the 9/11 tragedy, it seems that our nation has made scant progress in correcting
the serious problems with public safety communications that hampered the efforts of first responders that terrible day, and that
were subsequently highlighted in the 2004 9/11 Commission Report.
It is not that money hasn't been spent, but there doesn't seem to be much to show in the way of tangible progress.
Furthermore, some of the new radio technologies seem to be falling short, as is highlighted in the article
Firefighters balk
at new digital radios, as failures risk lives authored by Lydia Mulvaney and Greg Gordon. The BiPartisan Policy Center's
Tenth Anniversary Report Card on the Status of the 9/11 Commission Recommendations
also documents the disappointing progress (ref. page 14) made during the past decade towards improving public safety
communications, and highlights the lack of effective political leadership.
As communications systems technologists, we have to wonder how our industry has failed to deliver on promises of reliable,
interoperable communications. Are we rushing to implement standards that were outdated by the mid 1990s? Have the unique
requirements of first responders been adequately factored into the standards and designs? Is there effective third-party
testing and evaluation of communications systems that address real-world operating environments? There is much our industry
has to answer to.
As the smartphones and tablets in the market today clearly demonstrate, we have made enormous progress in communications
technologies over the past decade, but neither the smartphone, nor the traditional brick public safety radio, seems
capable of meeting the essential requirements of first responders. Clearly there is a vital need to achieve more, without
necessarily having to spend more. The right solutions are often the most cost-effective, while inappropriate solutions cost
more than they should in both dollars and lives.
ICANN sets 12 January 2012 start date for new gTLD program (25 June 2011)
On 20 June the ICANN Board approved a resolution
calling for the long-awaited program to add new generic top-level domains
(gTLDs) to the Domain Name System (DNS) to begin accepting applications on 12 January 2012. The first round of applications,
which will be governed by the Applicant Guidebook
published on 30 May 2011, will remain open until 12 April 2012, and new gTLDs could be operational as early as November 2013.
One Board member (George Sadowsky) voted against
the resolution, and two members (Bruce Tonkin and
Mike Silber) abstained. Early reactions to the Board's
decision have ranged from outrage to
cautious
optimism. Many governments, including the
EU,
strongly oppose the program. The companies that hope to profit by providing advice and services to new gTLD applicants, however, have
been lining up for years; their reactions focus primarily
on business opportunity rather than public policy.
Most were ready for IPv6 (13 June 2011)
8 June 2011 was World IPv6 Day
(see the item below). Reports seem to indicate it went well with few disruptions. Two articles from Network World sum it up: No news is good news on World IPv6 Day and World IPv6 Day Results: New Internet Protocol Proves It's Ready. Many saw Y2K as a non-event (having expected the worst), though once it had passed there was no going back. With World IPv6 Day over, we can still continue to use IPv4 — but now we can see that IPv6 is real. Of course, now everyone is going to have to figure out what moving to IPv6 will really cost them, and if it is worth it.
Are you ready for IPv6? (1 June 2011)
As the available pool of new IPv4 addresses is rapidly diminishing, there is a heightened awareness to ensure that IPv6 connectivity can be accomplished. To that end, 8 June 2011 has been designated as World IPv6 Day when many sites (including Google, Facebook, Yahoo!, and Bing among many others) will make their main pages reachable via IPv6. You can test your own system’s ability to use IPv6 (exclusively or in conjunction with IPv4) using the test site http://test-ipv6.com — even after World IPv6 Day is over.
On a related topic, a new RFC has been released by the IETF which might be of interest: RFC 6127 IPv4 Run-Out and IPv4-IPv6 Co-Existence Scenarios.
And there is a related article in Network World: "What if IPv6 Simply Fails to Catch On?"
No one knows exactly what an Internationalized Domain Name "variant" is... but that doesn't deter patent applicants (16 May 2011)
The Internet's Domain Name System (DNS) was designed to work
exclusively with labels composed from a limited set of ASCII
characters (the "letter digit hyphen" (LDH) set specified by
RFC 1035). Internationalized Domain
Names (IDNs) permit labels to be composed from (almost) any character
in the vast Unicode repertoire, freeing
non-Latin linguistic communities from the constraints of LDH — but not
without problems. LDH is simple; Unicode is not. One of the thorniest
problems is how to deal with characters or character sequences that
can be represented in more than one way using a particular script but
"mean the same thing" — so-called "variants." Before anyone can figure
out how to handle "variant" IDNs, we have to figure out precisely what
they are, and what they should mean in the context of the DNS. But at
least one patent applicant isn't waiting.
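The variant problem can be seen directly in how the DNS encodes IDN labels. The following Python is an added illustration for this item; it is not code from the article, from Interisle, or from the patent application. It checks a label against the RFC 1035 LDH rule, converts Unicode labels to their ASCII-compatible "xn--" form with Python's built-in idna codec (which implements the older IDNA2003 rules: nameprep, then Punycode), and shows that the simplified and traditional forms of the same name become two different DNS names, while two Unicode encodings of the same accented letter (precomposed é versus e plus a combining acute accent) collapse into one. The labels used are sample inputs chosen for the demonstration; the A-labels shown for 中国 and 中國 are the ones delegated in the root zone.

```python
import re
import unicodedata

# RFC 1035 "letter digit hyphen" label: 1 to 63 octets of letters, digits and
# hyphen, and (per the RFC 952/1123 hostname rule) no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_ldh_label(label: str) -> bool:
    """True if the label is a plain LDH label the classic DNS understands."""
    return bool(LDH_LABEL.match(label))


def to_a_label(u_label: str) -> str:
    """Unicode label -> ASCII-compatible "xn--" label.

    Python's idna codec applies nameprep (case folding, NFKC normalization,
    prohibited-character checks) and then Punycode. Pure-ASCII input is
    passed through unchanged, so callers compare A-labels case-insensitively.
    """
    return u_label.encode("idna").decode("ascii")


def to_u_label(a_label: str) -> str:
    """Inverse of to_a_label; the codec also verifies the round trip."""
    return a_label.encode("ascii").decode("idna")


def same_dns_name(a: str, b: str) -> bool:
    """True iff the DNS would treat the two labels as the same name.

    Normalization differences disappear here; script-level "variants" such as
    simplified versus traditional Chinese do not, which is the whole problem.
    """
    return to_a_label(a).lower() == to_a_label(b).lower()


def compare_variants(pairs):
    """Return [(label_a, label_b, a_label_a, a_label_b, same)] for each pair."""
    rows = []
    for a, b in pairs:
        rows.append((a, b, to_a_label(a), to_a_label(b), same_dns_name(a, b)))
    return rows


# Constructed sample pairs for the demonstration (assumption: these are the
# kinds of strings a registry would have to decide a variant policy for).
SAMPLE_PAIRS = [
    ("中国", "中國"),                  # simplified vs traditional: two DNS names
    ("\u00e9", "e\u0301"),            # precomposed é vs e + combining acute: one name
    ("EXAMPLE", "example"),           # ASCII case: one name (DNS is case-insensitive)
]

if __name__ == "__main__":
    for a, b, aa, ab, same in compare_variants(SAMPLE_PAIRS):
        nfc_a = unicodedata.normalize("NFC", a)
        nfc_b = unicodedata.normalize("NFC", b)
        print(f"{a!r:>14} -> {aa:<12} {b!r:>14} -> {ab:<12} "
              f"same DNS name: {same}  NFC-equal: {nfc_a == nfc_b}")
```

Run it and the first row shows the two Chinese labels mapping to xn--fiqs8s and xn--fiqz9s: as far as the DNS is concerned they are unrelated names, and only a registry policy can bundle or block one when the other is registered. The second row shows that NFKC inside nameprep already absorbs the purely encoding-level differences, so those are not what the "variant" debate is about.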
What is an IP address worth? (9 May 2011)
Perhaps the real question is, what should an IPv4 address be worth? Traditionally, IPv4 addresses have been treated as free to anyone who could justify a need. However, IPv4 addresses represent a finite resource where demand now exceeds supply. For some time, the presumed solution to this dilemma has been the introduction of IPv6, where there is such an overabundance of addresses that they can be treated as essentially free for all time. The problem is that transitioning to IPv6 is anything but free. In fact, aside from economic collapses, there are no historical precedents for a technological transition that offers so much pain for absolutely no gain.
The inescapable conclusion is that a market will emerge for IPv4 addresses, and some would argue already has, as was reported recently in Network World. However, what sort of legitimacy will markets in IPv4 addresses have, and who has authority to establish or regulate such markets? There are also vital policy objectives that should be defined, and ideally markets should be structured to achieve at least some of these policy objectives. Benjamin Edelman's 2009 Harvard Business School Working Paper (pdf) provides a thorough summary of the issues and challenges inherent in establishing any sort of market for IPv4 address redistribution.
At this point, possession probably represents nine tenths of the law, and those who currently have IP address allocations are likely sitting on assets that will assume tangible value in the coming years. Sadly, all the current incentives promote hoarding of IPv4 addresses, which may be the strongest argument for allowing markets in IPv4 addresses to emerge.
Preserving the Free and Open Internet - and not just in the U.S. (2 May 2011)
The debate over "network neutrality" did not end with the publication
of the U.S. Federal Communications Commission's
Open Internet Rules (pdf)
last December - far from it, as the FCC's rules have been widely
criticized for failing to adequately protect Internet users' interest
in a "free and open Internet." Now the European Commission has
followed the FCC's lead with the equally timid
announcement
on 19 April of new EU telecoms rules (pdf)
concerning "the open internet and net neutrality in Europe" that
will take effect on 25 May 2011. Europe and the U.S. still lead the
world in protecting Internet freedom - the recent study
Freedom on
the Net 2011: A Global Assessment of Internet and Digital Media (pdf) released on 18 April by
Freedom House
ranks Estonia first and the U.S. second among the 37 countries
surveyed with respect to "barriers to access, limitations on content,
and violations of users’ rights" - but the FCC and EC regulations
still rely heavily on optimistic expectations for market competition
in telecom services. In a 21 April Federal Register notice the FCC
announced the formation of an
Open Internet Advisory Committee (pdf)
to "track and evaluate the effects of the FCC's Open Internet
rules." No details concerning membership or mandate have been provided
by the FCC, so it is not clear what role it will play in the debate
over how and to what extent the FCC (and similar regulatory agencies
in other jurisdictions) should act to preserve a free and open Internet.
IPv6 is still all push and no pull - but push is coming to shove (23 April 2011)
Watching the Regional Internet Registries
(RIRs) manage the dwindling pool of available IPv4 address blocks
has so far done little to inspire businesses, much less individual
users, to finally get serious about embracing IPv6 as the alternative.
Hoping to change this, the Internet Society (ISOC) - with support from
some of the largest Internet companies, including Facebook, Yahoo!,
and Google - is promoting World IPv6 Day
on 8 June 2011. The idea is for mainstream Internet sites to
demonstrate how easy it is to use IPv6 to reach them and their popular
content. They won't shut off IPv4 on 8 June, of course; unlike the
Internet Engineering Task Force (IETF), which ran an IPv6 experiment
in 2008 during which it did just that, no Internet company could
survive without IPv4 for even a few hours, much less an entire day.
The National Telecommunications and Information Administration of the U.S.
Department of Commerce has developed and published an IPv6 Readiness Tool for Businesses,
a "comprehensive checklist" (in the form of a Microsoft
Excel spreadsheet) for "businesses preparing to deploy and adopt
IPv6." Because nothing is pulling businesses to IPv6, few are likely
to make the effort until they are pushed hard enough by their Internet
service provider(s). That day will surely come - but not on 8 June (2011).
ICANN publishes updated Guidebook for new gTLD applicants (16 April 2011)
ICANN posted the latest Draft Applicant Guidebook
on 15 April. The Guidebook specifies the rules and procedures for new
generic top-level domain (gTLD) applicants. This discussion draft is
scheduled for a "final" vote
by the ICANN Board on 20 June in Singapore, after a
public comment period that will close on 15 May.
Among the most important changes in this draft is a much stronger role for governments, including a new "early warning system" for
ICANN's Governmental Advisory Committee (GAC) and special provisions for governments to object to individual TLD applications.
Despite these new provisions, the GAC
remains opposed
to significant elements of the new gTLD application process.
New .XXX domain is up and running (16 April 2011)
At its meeting in San Francisco in March, the ICANN Board approved
the application from ICM Registry to operate the top-level domain "XXX". That domain has now been
delegated and
icmregistry.xxx is up and running. Pending agreements with registrars, the XXX domain
contains only a few placeholders, such as porn.xxx and sex.xxx.
Among other things, the approval of XXX has revived debate about blocking and filtering in the domain name system (DNS); India was the
first country to
announce
that it will block resolution of domain names that end in .XXX, and others are expected to follow suit. In his
dissent
from the Board's vote to approve .XXX, Director George Sadowsky expressed concern that "the approval of the application for dot xxx
could encourage moves to break the cohesiveness and uniqueness of the DNS."
Other observers
note that "widespread blocking of the Internet exists today" and downplay the significance of governmental efforts to block or filter new top-level domains.