locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Fri, 22 May 2009 00:00:00 00, 731
I can't read this WHOIS output!

Many Internet applications today support characters from local languages, alphabets or scripts. Visit pages in the dot JP top level domain and you'll eventually find one that uses Kanji characters. Visit domains in the dot AE top level domain (United Arab Emirates) and you'll find pages displayed in Arabic script. Support for characters from local languages, alphabets or scripts is growing. This has a positive effect for millions of users for whom the Latin character set is just as unfamiliar as the Chinese, Arabic and other character sets are to English-reading individuals.

WHOIS is an Internet application. Today, most WHOIS services display contact and DNS configuration information using US-ASCII7 characters, and users (unless they are bad actors) commonly submit contact and DNS configuration information to WHOIS applications using primarily US-ASCII7 as well. The current condition is convenient for English-reading WHOIS users, but it is slowly changing, and the potential for a WHOIS Babel effect exists. In fact, it exists in a small way today: the SSAC report illustrates this through examples of what users may encounter now (hint: the registration data you see, and the data you can submit, are strongly influenced by the registrar or third-party WHOIS service you use).

ICANN's SSAC has just released a document that explores how the use of characters from local scripts affects WHOIS users who want to identify and contact a party who has registered a domain name. This is a common practice for folks who investigate phishing, spam, identity theft, and web defacements. It's also common for people who deal in domain names, who might be interested in acquiring the domain or marketing services to the domain registrant.

The issue is simply stated as "no standards or conventions exist" for how anyone who offers WHOIS services is to support local languages and scripts. The Internationalized Domain Name standards and guidelines only apply to domain names. All the other information that is collected when a user registers a domain name is "in play" for both user submission and display. This is unsettling at best. Imagine a law enforcement agent (LEA) who is gathering information regarding an alleged kiddie porn or phishing site. He does a WHOIS lookup on a domain name that appears to be associated with the site. He can't read it, nor can any of his colleagues. This certainly occurs today among non-English-reading LEAs, but the problem will worsen, especially if the bad actors determine that creating registrations in Klingon helps sustain their attacks.
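As an added illustration (not from this post, from SAC037, or from any registrar's code) of why the Babel effect is also a client-side problem: the WHOIS protocol (RFC 3912) carries no charset declaration, so a client reading a server that emits local-script contact data must first guess the encoding and only then can it tell which fields an investigator cannot read. The records below are constructed samples, the field names merely mimic common registrar output, and the script classifier (first word of each character's Unicode name) is a rough heuristic assumed here for illustration, not a registrar or SSAC convention.

```python
from __future__ import annotations

import unicodedata

# Constructed sample WHOIS responses (no real registration is shown). The same
# registrant record is given three ways a server might emit it: transliterated
# to US-ASCII, as UTF-8 with no charset declared, and as Shift_JIS with no
# charset declared. RFC 3912 gives the client no way to know which it got.
_JA = "Registrant Name: \u5c71\u7530\u592a\u90ce\nRegistrant City: \u6771\u4eac\n"
SAMPLES = {
    "ascii-only": b"Registrant Name: Taro Yamada\nRegistrant City: Tokyo\n",
    "utf8-undeclared": _JA.encode("utf-8"),
    "shift_jis-undeclared": _JA.encode("shift_jis"),
}


def decode_whois(raw: bytes, encodings=("ascii", "utf-8", "shift_jis", "iso-8859-1")) -> tuple[str, str]:
    """Return (text, encoding_used). Strict decoders are tried in order and the
    first that accepts every byte wins. Order matters: UTF-8 must precede legacy
    multibyte encodings, because UTF-8 bytes often decode as Shift_JIS mojibake
    without error. iso-8859-1 accepts any byte string, so it is the last resort."""
    for enc in encodings:
        try:
            return raw.decode(enc), enc
        except UnicodeDecodeError:
            continue
    raise ValueError("no candidate encoding accepted the response")


def parse_fields(text: str) -> dict[str, str]:
    """Split 'Key: value' lines into a dict; keys in WHOIS output are ASCII."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def scripts_in(text: str) -> set[str]:
    """Name the scripts of the letters in text using the first word of each
    character's Unicode name (LATIN, CJK, HIRAGANA, ARABIC, CYRILLIC, ...).
    Digits and punctuation are ignored since they are readable in any script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def unreadable_fields(raw: bytes, readable_scripts: frozenset[str] = frozenset({"LATIN"})) -> dict[str, set[str]]:
    """Decode a raw WHOIS response and map each field whose value uses letters
    outside readable_scripts to the scripts it does use. An investigator who
    reads only Latin-script text gets an empty dict when nothing is lost."""
    text, _ = decode_whois(raw)
    report: dict[str, set[str]] = {}
    for key, value in parse_fields(text).items():
        foreign = scripts_in(value) - readable_scripts
        if foreign:
            report[key] = foreign
    return report


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        text, enc = decode_whois(raw)
        print(f"{label}: decoded as {enc}; unreadable fields: {unreadable_fields(raw)}")
```

Both undeclared encodings decode to the same Japanese record, so the report is identical for them; the point is that the client had to guess correctly first, and a WHOIS client that assumes Latin-1 (the common default) would silently show mojibake rather than fail.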

I've only touched upon a few aspects of a complex issue here. For a more thorough consideration, read SAC037: Display and usage of Internationalized Registration Data: Support for characters from local languages or scripts.

Archived at http://www.securityskeptic.com/arc20090501.htm#BlogID731 by Dave Piscitello  


Thu, 21 May 2009 00:00:00 00, 730
Global Phishing Survey: Domain Name Use and Trends in 2H2008

Colleagues Greg Aaron and Rod Rasmussen hit another home run with the latest edition of the twice-yearly APWG study on global phishing trends. The report, Global Phishing Survey: Domain Name Use and Trends in 2H2008, uses data from various phish reporting and monitoring sources. Combined, these sources provide a more accurate assessment of phishing and e-criminal activity than the reports that anti-malware companies are able to generate from monitoring of customer PCs and user behavior.

Major findings include (from the report):

  • Phishers are increasingly using subdomain services to host and manage their phishing sites. Phishers use such services almost as often as they register domain names. And such attacks even account for the majority of phishing attacks in certain large TLDs. This trend shows phishers migrating to services that cannot be taken down by registrars or registry operators, thereby frustrating some takedowns and extending the uptimes of attacks.
  • Phishers continue to target specific Top-Level Domains (TLDs) and specific domain name registrars, and shift their preferences over time. 2H2008 demonstrated what can happen to registries and registrars who are not prepared to combat phishing with effective policies and procedures.
  • The amount of Internet names and numbers used for phishing has remained fairly steady over the past two years.
  • Anti-phishing programs implemented by domain name registries can have a remarkable effect on the up-times (durations) of phishing attacks.
  • There are decreases in phishing on IP addresses and the use of brand names in domain names to fool users. Phishers are not using IDNs (Internationalized Domain Names).

I recommend this report to anyone in the ICANN and domainer community who doesn't believe that dealing with phishing is within the remit of ICANN or the ICANN community. Greg and Rod identify the most frequently phished top level domains and rank the TLDs using a metric that fairly assesses phishing per 10,000 domains rather than purely by total phishing domains reported.

Another statistic from this report that I think merits consideration as a major finding is that phishing most often takes place on compromised Web servers. Greg and Rod found that "up to 81% of the domains used for phishing were compromised or hacked domains", explaining that "Phishing on a compromised Web site typically takes place on a subdomain or in a subdirectory, where the phish is not easily noticed by the site’s operator or visitors." Such sites are also *sticky* in the sense that there is legitimate content and purpose hosted at this domain and suspending the domain name would affect the domain owner.

This is an extraordinarily bad figure. For the victims of the over 24,000 phishing attacks involving compromised servers, Suzie Clarke and I recommend an APWG report we published several months ago entitled What to do if your web site has been hacked. It appears we need to write a report on how to secure web sites against hacks as well.

Archived at http://www.securityskeptic.com/arc20090501.htm#BlogID730 by Dave Piscitello  


Wed, 20 May 2009 00:00:00 00, 729
APWG 2H2008 Phishing Activity Trends Report

If you are looking for credible phishing statistics, try the APWG 2H2008 Phishing Activity Trends Report. Examples of the type of information you can glean from these reports follow:

  • The number of unique keyloggers and crimeware oriented malicious applications rose to an all time high in July.
  • Unique phishing websites detected by APWG during the second half of 2008 saw a constant increase from July through October.
  • The number of phishing attacks against payment services increased more than 34 percent between Q3 and Q4.
  • Financial Services continues to be the most targeted industry sector, and attacks against payment services are increasing.
  • The United States continues to be the country hosting the most phishing sites, but Sweden occupied the top spot for one month.
  • The United States also leads in hosting malicious code in the form of either phishing-based trojans or downloaders that install keyloggers, but Spain occupied the top spot for one month.

The combined effect of the McColo takedown and the coordinated operational response to the Conficker worm may have contributed to a drop-off in the number of phishing sites detected at the end of the quarter, to the lowest number detected since August 2006.

Archived at http://www.securityskeptic.com/arc20090501.htm#BlogID729 by Dave Piscitello  


Tue, 05 May 2009 00:00:00 00, 728
Hiring bad actors with exceptional intellectual qualities?

The Register reported in March that Gabriel Bogdan Ionescu, incarcerated at a Penitentiary in Como, Italy, was admitted to the Polytechnic University of Milano and that a security? company was offering him a part-time job. In another article, Romania's general consul in Italy is quoted as saying, "the media here are presenting the exceptional intellectual qualities of this boy".

Will people never learn? It's not the intellectual qualities but the moral fiber that forms the core of a security professional and practitioner. I have the privilege of working with people whose skills would humble this e-fraudster (remember, if he was that good, he would probably be spending time in some of the nicer corners of Como). What distinguishes them from Ionescu beyond the intellectual qualities is the marked commitment to ethics. For any security endeavor, you want a hard core white hat, someone who won't compromise his integrity, your country's sensitive information, or your company's product for notoriety or money. If you start out with employees whose ethics are at best provably questionable, you're essentially building a home on a floodplain. You can deny all you want, and your home may avoid the inundation, but you're gambling when you don't have to.

Archived at http://www.securityskeptic.com/arc20090501.htm#BlogID728 by Dave Piscitello  


Electronic crime: facts, figures, frustrations, and fixes

The US DOJ successfully closed its case against the LaCour father-son team when a jury returned guilty verdicts against Jude LaCour on fifty-two counts of money laundering and drug-trafficking offenses involving the sale of controlled substances over the Internet. Previously, son Jeffery pleaded guilty to drug-trafficking offenses. Also found guilty or pleading out were a "dirty dozen" doctors and pharmacists who facilitated the crimes. The doctors "reviewed" patient histories that visitors to the Jive Network online pharmacy completed through web forms, and prescribed Schedule III and IV controlled substances without seeing the patients or verifying patient identities; in many cases, the physicians wrote prescriptions for individuals who resided in states where they were not licensed to practice medicine. The pharmacists dispensed and shipped the drugs using Federal Express.

Jude and Jeffery were also convicted of money laundering. How much money are we talking about here? According to the DOJ press release, "During the three-year conspiracy, the organization distributed approximately 4.8 million dosage units of Schedule III controlled substances and approximately 39.2 million dosage units of Schedule IV controlled substances to Internet customers who had no valid prescriptions. Jive Network received well over 500,000 customer orders for controlled substances and illegally generated revenue in excess of $77 million."

If you are thinking, "A half-million orders? Thirty-nine million pills? Seventy-seven million dollars?" Wow...

What sort of controlled substances were these dirtbags prescribing and dispensing? Schedule III controlled substances include anabolic steroids, barbiturates, and hydrocodone/codeine. Schedule IV controlled substances include narcotics, depressants and stimulants. The LaCours and their dirty dozen healthcare professionals were arm's-length drug dealers, and the Internet was their street corner.

Some members of the ICANN community have commented that I get overly passionate when I argue in favor of stronger measures to prevent domain name registration and DNS abuse. It's criminal activities and figures like these that get me so exercised. Today, the lack of any meaningful form of domain registration verification makes it trivial for criminals not only to deal controlled substances from street corners, but to hang neon lights advertising "get your fix here" above them.

I'm also not as naive as some ICANN community members suggest about the costs to businesses built around domain registrations; I don't imagine that stricter registration measures come for free. If stricter registration measures cost more, charge a higher fee for new domain name registrations. The higher fees themselves won't stop Conficker-like behavior, but registrars can use the additional revenue to reduce abusive registrations without penalizing folks who are renewing domains. They can also use the additional fees to add protective measures against the kinds of domain registration account attacks repeatedly performed against Comcast, ICANN, Panix, Photobucket, DomainZ, et al.

The "domains should be cheap" argument is a tired segue to arguing "we can't slow down automated registration processing by introducing verification measures, it will be too expensive". Prove it. Ask current and would-be domain name registrants whether they will stop registering domain names if the annual fee would cost more than a double chocolaty chip frappucino blended creme with whipped cream. Ask if they'd stop registering domain names if the domain name they registered were placed on hold while registrars verify the customer's contact information. But be certain to ask "Are you OK with these measures if they will reduce spam, phishing, scams and the illegal sale of controlled substances on the Internet?" when you do. TLDs in countries that enforce stricter registration verification measures have (in some cases, markedly) lower incidence of malicious and criminal activity. Raising the bar among gTLDs is long overdue.

Archived at http://www.securityskeptic.com/arc20090501.htm#BlogID727 by Dave Piscitello