Home Archives Profile Subscribe

ICANN prepares for more gTLDs... has enough been done to mitigate threats?

Friday, 13 September 2019

2384711319_b75212d9cd_mICANN organization has published a memorandum that describes its Readiness to Support Future Rounds of New gTLDs. The last time I looked, new TLD registrations from the 2012 round constituted around 12 percent of the total gTLD registrations. Despite justifications most commonly cited for expansion - for example, "all the good names are taken" - COM, NET, and many country code TLDs continue to prosper and grow. We should ask, "What benefits other than brand- and geo-TLDs does ICANN use to justify this new round?"  More importantly,

What's the hurry, and has enough been done to study and rectify the concentration of security threats in the new TLD space? 

In an earlier post, I commented on a January 2019 domain abuse report generated from the Domain Abuse Activity Reporting system (DAAR). DAAR is a system for studying and reporting on domain name registration and security threat (domain abuse) behavior across top-level domain (TLD) registries and registrars. From the limited data that ICANN shared, I observed that

"Over one-half of the domains identified as security threats are
registered in one-eighth of the generic TLD name space."

From the reputation data that I study nearly daily, I can say with confidence that little has changed statistically, and that no meaningful progress has emerged from ICANN concensus policy to course correct this readily observable concentration of security threat activity in the new TLDs. 

ICANN organization has asked its Advisory Committees to comment on its readiness plan. The Security Stability and Resiliency Advisory Committee, SSAC, recently published its correspondence to ICANN's Senior Vice President of Global Domains Division, where it mentioned in its closing remarks"

"it remains a significant concern for the SSAC that the last round of new gTLDs appears to have introduced the phenomenon of TLDs with exceptionally high rates of abusive registrations. It is also not clear if the ICANN Community is effectively addressing these potential threats and risks or what kind of deliberation will occur on how to mitigate them through consensus policy or contractual negotiation. The SSAC continues to be concerned that a further round of new gTLDs could be delegated prior to comprehensive metrics and mitigations being put in place to prevent such a recurrence."

Someone may have a good argument for hurrying the next round along, but if you use the same individual or composite reputation data that ICANN uses for DAAR, it's obvious that the answer to "has enough been done to study and rectify the concentration of security threats in the new TLD space?" is a resounding "NO!" 

Posted at 10:06 AM in Domain names and DNS | | Comments (0)

Spotlight Posts

  • Facts & Figures: Whois Policy Changes Impair Blocklisting Defenses
    Two independently conducted studies demonstrate that the onset of masking Whois contact data has had the direct, corresponding, and ongoing effect of reducing the number of blocklisted domains, dramatically undermining the efficiency of this and other security countermeasures.
  • Conservative abuse reporting throws new TLD program under the bus
    ICANN has released a January 2019 domain abuse report generated from the Domain Abuse Activity Repor...
  • APWG and M3AAWG Survey Finds ICANN WHOIS Changes Impede Cyber Investigations
    The Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) have collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s Temporary Specification for gTLD Registration Data has affected their access and usage of domain name registration information and their ability to mitigate abuse. I served as Principal Investigator for APWG and M3AAWG for this project. I received strong subject matter expertise support from both working groups. From our analysis of 327 survey responses we find that the changes to WHOIS access following ICANN’s implementation of the Temp Spec...
  • What is Ransomware
    Ransomware is a cyberattack (a virus) that is used to extort money. Originally, criminals used ransomware to extract payments from individuals for the recovery of personal information. Today, cyberattackers extort payments from businesses for the recovery of sensitive information. No one is immune to ransomware. Criminals have extorted payments for the recovery of medical or personal data from healthcare providers and have locked guests out of their hotel rooms. Even industrial systems may prove to be vulnerable to ransomware. Early ransomware, called locker ransomware, prevented a victim from accessing a desktop or browser. Cyberattackers quickly evolved to a more sophisticated...
  • Spam: The Security Threat You Easily Forget
    About this time last year, I spoke at a Cybersecurity conference in Krakow. I was asked during a video interview to identify security threats that I believed were most pressing. (Ignore the suit...) Yes, I said spam. Not DDoS? Not ransomware? Not breach of personal data? Not IoT? Are you daft, Dave? No. My thinking has not changed a full year later. Spam is a criminal infrastructure enabler Spam may have been merely annoying, unsolicited messages in your inbox at one time, but that was a millennia ago. The average spam volume reported to the Cisco Talos Email and Web...
Next