« September 2018 | Main | January 2019 »

October 2018

Saturday, 20 October 2018

APWG and M3AAWG Survey Finds ICANN WHOIS Changes Impede Cyber Investigations

The Anti-Phishing Working Group (APWG) and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) have collaborated to conduct a survey of cyber investigators and anti-abuse service providers to understand how ICANN’s Temporary Specification for gTLD Registration Data has affected their access and usage of domain name registration information and their ability to mitigate abuse. I served as Principal Investigator for APWG and M3AAWG for this project. I received strong subject matter expertise support from both working groups.
 
From our analysis of 327 survey responses we find that the changes to WHOIS access following ICANN’s implementation of the Temp Spec is significantly impeding cyber applications and forensic investigations and allowing more harm to victims.
 
The "Temp Spec" has introduced delays to investigations and the reduced utility of public WHOIS data is a dire problem. The loss of timely and repeatable access to complete WHOIS data is impeding investigations of all kinds, from cybercrime activities such as phishing and ransomware, to the distribution of fake news and subversive political influence campaigns.
 
The report contains a detailed analysis of the sets of questions asked to an targeted audience of cyber security practitioners, anti-abuse service providers and law enforcement officers, who were contacted by primary using APWG and M3AAWG mailing lists, augmented with trust collaboration mailing lists used by operational security and law enforcement to share threat intelligence data. The analyses are complemented with comments submitted by survey respondents. Many of these are quite insightful.
 
From the analyses, the APWG and M3AAWG make the following findings:
  1. Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
  2. The mitigation or triage of cyber incidents cannot be accomplished in a timely manner.
  3. WHOIS has become an unreliable or less meaningful source of threat intelligence.
  4. Requests to access non-public WHOIS by legitimate investigators for legitimate. purposes are routinely refused.
  5. Those who protect Internet resources are also making more coarse blocking or mitigation decisions in the absence of what was formerly reliable data. 
  6. The utility of WHOIS has been severely damaged.
  7. The redaction of WHOIS data is excessive.

APWG and M3AAWG make a number of recommendations as well:

  1. There must be an accredited access mechanism, providing tiered or gated access to qualified security actors.
  2. ICANN should not allow redaction of the contact data of legal entities.
  3. ICANN should adopt a contact data access request specification that will ensure consistency across all accredited registrars and gTLD registries.
  4. ICANN should ensure that the accredited access to redacted WHOIS data does not introduce delays in collecting or processing WHOIS data, and further, that the access not be encumbered by per request authorizations.
  5. ICANN should reconsider the current redaction policy.
  6. We ask that ICANN publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.

In their final comments, the Working Groups encourage ICANN to improve the current, difficult condition, stating:

"We recognize that ICANN is likely aware of several of these issues. We also realize that ICANN organization and Board of Directors are awaiting the Expedited Policy Development Process for answers to many issues; however, we believe that the ICANN Board of Directors and ICANN organization have the ability to update the Temp Spec to fix the problems that this survey and others have identified as most pressing or egregious while the EPDP work continues."

It's essential that ICANN  implement recommendations 2, 4, and 6 and quickly. From a public safety perspective, these are necessary adjustments. These fall within ICANN's remit to ensure security and stability of the Internet's Identifier systems. ICANN organization should further ensure that the parties involved in consensus policy development for the remaining recommendations consider the findings and analyses in this survey. This would be consistent with the organization's expressed desire to apply data to ensure informed policy deliberation. 

 

Download FINAL ICANN GDPR and WHOIS Users Survey 20181018.pdf (1683.6K)

Posted at 08:03 AM in All matters security, Anti-Malware and Anti-phishing, Domain names and DNS | | Comments (0)

Find me on Mastodon and Facebook

Spotlight Posts

  • Cybercrime Reported in April 2025
    In today's Interisle Insights, Colin Strutt looks at cybercrime activity collected at the Cybercrime Information Center for the month of April 2025.We point out anything that strikes us as particularly interesting in overall numbers as well as significant changes in ranking for Top Level Domains (TLDs), Registrars, and Hosting Networks. Read Cybercrime Reported in April 2025. Interisle Insights is a reader-supported publication. To receive new posts and support our work, consider becoming a free or paid subscriber. Join now!
  • Malware Trends: January - March 2025
    Malware activity reports for the quarter are now posted at the Cybercrime Information Center. Our key statistics show small quarter-over-quarter increases in malicious IP address malware records (Traffic Injectors and Attackware) and unique IPv4 addresses reported as serving or distributing malware, and but meaningful decreases in both endpoint and IoT malware reported. Read Malware Trends: January - March 2025
  • The World's Phishiest Neighborhoods
    In this Interisle Insights article, we take a closer look at our data to better understand what’s hosted at three autonomous systems which have appeared at or near the top in recent quarters. We’ll also review who’s being targeted by these attacks and what corresponding name and address resources are most frequently exploited. Autonomous systems are blocks of Internet addresses, which you can compare to "neighborhoods" in a city. And like any city, some neighborhoods are safe and some are not. The full article, The World's Phishiest Neighborhoods, is hosted here.
  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...

Search

My Photo

Categories