Previous month:
May 2014
Next month:
July 2014

June 2014

Suspended domains: An unprecedented data sharing opportunity

A recent Domain Incite article quotes an ICANN Registrar Stakeholder Group (RrSG) claim that over “800,000 domain names have been suspended since the beginning of the year as a result of Whois email verification rules in the new ICANN Registrar Accreditation Agreement (RAA 2013)”. The cause for these suspensions is that registrants did not respond to a validation request sent to the email addresses that they submitted in their domain registration and thus failed to satisfy the validation criteria in the new agreement.

According to DI, the RrSG claim that the suspension figure represents suspension data collected by registrars representing approximately 75% of registered gTLD domains (com, net, org, biz, …). To put that 800,000 figure into context - and assuming a ballpark estimate of the total count of registered domains in the gTLDs is north of 150 million – that’s less than 1 per cent. Given the numerous reported and alleged estimates of Whois inaccuracy over the years 1, 2, 3, I find it hard to understand why anyone would be surprised or alarmed over this figure. However, this figure represents new registrations over a measured period, and thus the percentage would seem more disturbing if not for arguments by experts like Paul Vixie, whose analyses of the DNS cause him to say most new domains are malicious

Let me temper this seeming insensitivity to possible registrant or Internet user harm or inconvenience by suggesting that, rather than looking at this single data point as alarming or indicative of any pattern or unintended consequence, consider the unprecedented opportunity the data set that corroborates this claim offers.

I applaud the registrars who took the time to collect these data.

 I encourage the registrars to share the data.


With respected members of the security, operations, research and public safety communities.

With ICANN’s Identifier Systems SSR team.

These data – the domain names and the associated registration records (Whois) – can be studied to answer important questions related to registrations (legitimate and malicious) and registrant Whois submission practices; for example:

  • Are the registrant data other than email addresses evidently inaccurate?
  • When did registrants first apply for the domain name?
  • Have the registration data – in particular, email address or point of contact information – been modified by the registrant at any time since the original registration?
  • Are the domain names on domain or URL block lists?
  • Are the email addresses evidently inaccurate, one-time use (throwaway) email addresses, or validly composed email addresses that bounced?
  • Are the email addresses associated with other domains outside the data set?
  • Who operates the name servers of these domains?
  • Do the name servers of these domains have a positive or negative reputation (e.g., are the name servers known to host malicious domains)?
  • What services do these domains offer publicly (and uniquely identify in their zone data using A, CNAME, MX, or SRV resource records)?
  • What can be deduced from passive DNS data associated with this domain?
  • Where are these services hosted?
  • Do the hosting providers of these domains have a positive or negative reputation?
  • Where do the prevalence of these domains reside on SEO or site popularity rankings?
  • Do hosted services or content (e.g., web site) provide evidence that the domain is active, dormant or malicious?
  • What is the characteristic use of the domain name (e.g., online presence, merchant, social medium, pay per click, mail exchange, streaming content…)?

This list is not exhaustive but it does illustrate how valuable such data could be if shared with researchers. Such data could continue to be valuable if registrars are willing to repeat periodic collection and provide additional data points of this kind.

Single data points, especially when presented as an unqualified statistic, rarely provide sufficient insight to characterize the entire set of affected registrants. Concluding such without sharing or subjecting the data to deeper analysis is premature. Rather than invite others to produce similar data without commensurate access to registration data, I encourage the RrSG to work in cooperation with security, operations and public safety communities to better understand the data already collected.

As always... the opinions I express here are my own.

Top 5 #InfoSec Reads June 16-23

by Matt Piscitello

Extortion, a level security playing field for iOS and Android, a new RAT, and untenable surveillance policy are on this week's Top 5 InfoSec Reads.

Domino's won't pay ransome on 600,000 record hack

 Cyber criminals were out in force on Monday trying to extort Domino over into paying a considerable ransom for their private records they grabbed in a daring data breach. The hackers demanded five figures for the six figure breach, but Domino's refused to pay up, assuring their customers that no financial information was breached while also suggesting they change their log-in credentials. While businesses should remain resolute in the face of threats like this, they should also take better care that it doesn't occur in the first place.

iOS and Android carry similar security risks

While one of the key selling points for the iOS was its relative safety, new research suggests that iOS is open to various threats that level the playing field between it and Android in terms of security. Whether you agree with the research or not, always keep in mind that no operating system is completely bulletproof, and that your first line of defense should never be a manufacturer's reassurance that it is.

Totally new RAT bites bank users

A variant of the ZeuS malware family is hitting banks using browser hooking. Dyreza (a.k.a. Dyre) is reportedly a never-before-seen malware that circumvents commonly practiced bank security measures. No numbers on the infection yet, but the cleverness of this attack demonstrates how personal security does as much to protect (or in this case, expose) you as it does others.

CryptoLocker takedown unlikely to deter growing ransomware 

Operation Tovar may not prove to be the deciding victory against ransomware that we all wish it was. The Tovar takedown successfully disrupted CryptoLocker and Gameover Zeus but the peer-to-peer capabilities of thes botnets may allow cybercriminals to rebuild, other ransomware families and networks are thriving, and ransomware are likely to target mobile devices next.

Government policy reveals UK snooping on Facebook, Google users

A 50-page document reveals how the UK can conduct surveillance on US-based social media platforms so long as their search doesn't specifically involve a British citizen. Due to the particular wording in the policy, intelligence agencies can freely tap private communications without having to answer to Parliament. This is one in a series of snooping law red flags that should tell you we need to seriously amend our approach to internet privacy.