« Offline phishing: nasty attacks that phish with a fax | Main | Conficker Summary and Review »

Tuesday, 13 April 2010

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Excellent points all, Richard, and it will no doubt be some small consolation that yesterday's ARIN meeting XXV in Toronto had two positive developments related to WHOIS privacy and accuracy of data.

1. 2010-3: Customer Confidentiality https://www.arin.net/policy/proposals/2010_3.html to which both CAUCE and MAAWG were opposed, was withdrawn by the proposer after some discussions with representatives of the LEA community, and when put to a vote, nonetheless, defeated roundly. 133 attendees, 5 in favour.

2. Leslie Nobile, ARIN Director of Registration
Services noted that they would commence a process of confirming all email points of contact, beginning in June.

I received an email from Richard Cox, CIO, SpamHaus in response to my article on Domain Privacy Misuse. I've copied it here, with his permission:


The Spamhaus Project, as a leading Investigator of net-based Cybercrime, sees serious problems with many aspects of ICANN's WHOIS requirements.

When the only issue was spam, some people were mildly tolerant of abuse and "poor record-keeping"; but what is being perpetrated over the 'net today means that a very different approach is needed.

The feedback we're getting suggests that Internet users and stakeholders are at last coming to recognise the inevitability of this, but are not sure how best to make it happen on a fair and equitable basis.

Of course there is very little difference in terms of the end result, between Domain Privacy and deliberately falsified WHOIS information. The latter can usually be addressed by peer review and the resulting reports to ICANN's WDPRS service. But currently, ICANN's registrars' compliance with the WDPRS rules is monitored only by statistical processes, which can be very slow to detect a trend - and even then compliance processes are long and drawn-out.

A pattern that has become very clear is that while many registrars will enforce the 14-day rule for Bad WHOIS data, far fewer will implement the immediate suspension required for wilfully-inaccurate WHOIS submissions.

A more serious problem occurs with several ICANN-accredited registrars who meet the RIAA requirements for a port-43 based WHOIS server but who then rate-limit users to (say) ten lookups per day. That is wholly unreasonable, but is very helpful to their criminal clientele as it makes Investigators' jobs close to impossible. ICANN needs to modify the RIAA to correct this behaviour, preferably by setting a significantly-higher number of look-ups that those registrars must allow per requesting IP address.

Nominet, the .UK registry, set out two very sound policies some time ago, both of which - if effectively implemented - would have gone a long way towards solving the present problems. But Nominet's initial implementation of those policies was disappointing.

Nominet's approach was that (a) the registrant must be a genuine entity and always visible in the WHOIS and (b) redaction of other details (i.e. personal data) was available to individuals ("real persons") only provided that the domain was only used for ncommercial purposes. But Nominet expected their registrars ("tagholders") to police these rules, while the Tagholders were not quite so enthusiastic about that. When domains are sold by means of e-commerce, there can be no human visibility at any stage of the transaction: nor is there any "sanity-checking" of WHOIS data or the non-trading status of domains whose owners had invoked the privacy feature.

Another Nominet initiative - which has sadly since been abandoned - was to send all registrants a letter in the postal mail containing a code that had to then be entered at a URL on Nominet's website. Not an insuperable barrier, but it made the assertion of bogus WHOIS data much more difficult to do, and therefore something that had to be a deliberate act, rather than one that could be, or could be passed off as, either an "unfortunate mistake" or a "misunderstanding". Such a distinction makes more robust responses generally acceptable.

So let's take a look at the situation today, and the points of the report in the light of our experiences in investigating the Cybercrime we get to see every day.

The report shows "Privacy Protect" as having 52% of the "private" domains. This is hardly surprising given that the registrars involved appear to offer the service without additional cost, which tends to make it the default for registration of all new domains unless the registrant specifically decides otherwise.

The value of Domain Privacy is greatly reduced if it becomes the standard. It needs to be the exception, available where genuinely justifiable, and it does require additional checks and balances to be put in place.

The intention has always been that a domain registrant must be contactable even if through their "Whois Agent": and where there is criminal activity or an actionable issue, it must be possible for Law Enforcement to locate the registrant, and to have the domain taken down if there is ongoing harm. In civil cases, there must be an ability to serve Due Process and to show that it has been properly served in accordance with the requirements of justice.

But recently we find that in the case of some providers of "Whois Privacy" the address given for the privacy agent is itself bogus: "No postal mail accepted" is becoming a common statement - and given the remoteness of some cited street addresses, there is no expectation of finding anyone there who could accept a legal document and ensure its delivery to the registrant. And the corresponding telephone numbers just play out a recording that tells callers they need to "send an email" or "read the Privacy Agent's webpage". Although industry specialists have been able to identify the Privacy Agents involved there, most end users would not be able to do that for themselves.

Therefore - whatever the approach taken on other issues relating to WHOIS Privacy - we recommend as a first priority that: "Any party purporting to offer WHOIS privacy services must be readily identifiable and contactable (at a physical address) based on information in the public WHOIS record".

The key issue with Domain Privacy is that the WHOIS data is hidden from peer review - preventing anyone from finding and notifying inaccuracies in the underlying information to the ICANN WDPRS service or an equivalent. So even when the WHOIS cloaking is removed by the provider/registrar (as they'd need to do in some cases to comply with #3.7.7.3 of the RIAA) we may find that we are still no further forward towards making contact with the registrant. And the Privacy Agent involved may be unable to be of assistance if the registrant bought the privacy services through one of their resellers, because in those cases there would be no direct commercial relationship between the provider and the end user.

The following three principles merit consideration:

{i} Only ICANN-accredited registrars should be allowed to provide Domain WHOIS Privacy services, and only then when they are also the registrar for the domain in question. Such registrars need to be obligated to accept responsibility for the accuracy of the data. The cost of that obligation is part of the "higher cost" of proving Domain Privacy and should be recharged out in full to the customer(s) using the service.

While Resellers can be allowed to resell the WHOIS Privacy product, they should do so at arms-length and should not provide the service themselves. That is to ensure there will always be a direct business relationship between the registrant and the registrar, and all payments would be have to be made directly from the registrant to the registrar. The registered address for the payment card so used could reasonably be required to match the claimed address of the registrant.

{ii} We have seen a number of cases where unsuspecting US citizens have had their payment credentials stolen and used to buy domains which were then set up with the card-billing name and address utilised for the domain WHOIS data. That works fine in the short-term as the criminals then control the domain through the separate email address. To make such Identity theft more difficult, no domain using WHOIS Privacy should be allowed to become active in DNS until the registrar has sent a transaction notice - containing a security code - by post to the registrant at their claimed address, and the registrant has then entered that security code onto a page at the registrar's website.

There is no justifiable case for urgency in activation of a domain that qualifies for WHOIS privacy by virtue of being non-commercial.

{iii} ICANN should publish rules for limitations on use of domains with WHOIS Privacy. Any registrar offering Privacy Services would need to agree to HOLD the related domains within N hours of evidence being sent to them of the breach of such rules. If it was shown to ICANN that a registrar was failing to meet that requirement, the domains should be immediately taken out of the DNS under ICANN's authority, and the registrar then re-charged the cost of that work being done.

No enforcement, in this context, can be meaningful unless registrars are readily contactable (i.e. 24/7/365) and act immediately on notifications. Otherwise an abuser simply registers a batch of domains and wheels each out as soon as their previous domain is deactivated. So, if a registrar takes (say) two weeks to process a complaint, the criminals only need to register 26 domains to keep themselves operational for a complete year. All that would then have been achieved is for the resources of the various investigative agencies to be tied up excessively - and an excellent example of that occurring, is the running of the "Zeus" trojan, which is currently a major problem for government agencies such as the IRS.

It follows that registrars must never allow themselves to be prevented from deactivating infringing domains. Laws of some countries (most signficantly, the Russian Federation) appear to prohibit the takedown of domains without a (local) court order: and it is difficult to understand how any registrar in such a country can be in simultaeneous compliance with both the RIAA and the local legislation.

Equally, there would be a dangerous situation if ever a registrar allowed a high-volume reseller to insist on a contractual stipulation that the registrar will not disable or suspend a domain without the reseller's prior agreement. There is therefore a need for all ICANN-accredited registrars to give ongoing guarantees that their ability to HOLD a domain is not - and will not be - fettered by either contractual or legislative constraints.

The comments to this entry are closed.

My Photo