16 February 2018 (Zurich, Switzerland) – Brian Krebs published a post this week on the General Data Protection Regulation (GDPR) which takes effect May 25, 2018. He states that many security experts are worried that the new GDPR changes being ushered in by the rush to adhere to the law may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats.
Yes. Compounding matters, the scope and complexity of GDPR extends beyond cybersecurity, requiring equal involvement from legal and IT teams. So Kreb’s focus in this post is specifically on how plans to redact WHOIS domain name records may hamper anti-abuse efforts.
In brief:
- the Internet Corporation for Assigned Names and Numbers (ICANN) – the nonprofit entity that manages the global domain name system – is poised to propose changes to the rules governing how much personal information Web site name registrars can collect and who should have access to the data
- ICANN has been seeking feedback on a range of proposals to redact information provided in WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges (IP addresses)
- Under current ICANN rules, domain name registrars should collect and display a variety of data points when someone performs a WHOIS lookup on a given domain, such as the registrant’s name, address, email address and phone number. As Krebs notes “most registrars offer a privacy protection service that shields this information from public WHOIS lookups; some registrars charge a nominal fee for this service, while others offer it for free”.
- But the GDPR seems to impose more privacy restrictions that the WHOIS now violates, so in a bid to help domain registrars comply with the GDPR regulations, ICANN is looking for feedback from its members on what form that compliance should take.
His post is a bit of a long read but he simplifies what he says is the debate between two sides:
- those in the privacy camp say WHOIS records are being routinely plundered and abused by all manner of ne’er-do-wells, including spammers, scammers, phishers and stalkers. In short, their view seems to be that the availability of registrant data in the WHOIS records causes more problems than it is designed to solve.
- Meanwhile, security experts are arguing that the data in WHOIS records has been indispensable in tracking down and bringing to justice those who seek to perpetrate said scams, spams, phishes and….er….stalkers.
You probably should read his post before reading my following points, although my position is simply that getting a handle on the new GDPR is a difficult task and there is a lot of wrong information out there. I have been in Zurich for a series of workshops discussing these very issues — the GDPR, cybersecurity, privacy issues plus a series of red team exercises on how to handle the GDPR plus other unrelated cybersecurity issues — and it has been enlightening.
- I am certainly with Krebs on one issue. It is not WHOIS data that is the problem. It is the Googles and Facebooks of this world abusing users that is the problem. The addiction to “free” services by those most vociferous about privacy makes their argument laughable.
- I also agree with him on another point. Being a data journalist, I have found many a clue about the identities of those who perpetrate cybercrime or generate “fake news” just by following a trail of information in WHOIS records that predates cybercriminal careers or entity associations.
- One thing he is wrong about. He says: “Either way, it’s IP addresses belonging to people with vulnerable/infected devices and sharing them may be perceived as bad practice on our end. We consider the list of IPs with infected victims to be private information at this point”.
Wrong. The exchange of information is not forbidden by GDPR. Even looking at the new Privacy Shield, transfers are still valid. The treatment of personal information can be justified by the legal basis of legitimate interest of the processors and controllers to detect fraud or harmful attacks and to protects the persons concerned by the theft. You need to read GDPR Art 6-f. It is all in there.
- Another peeve: “… requires technology companies to get affirmative consent for any information they collect ….”. No. That is inaccurate and misleading. Consent is a last resort if there are no other legitimate bases for processing.
- I tried to research this but came up blank. It would be interesting to know how often WHOIS is used to effectively counter abuse, but I imagine it is a very low percentage. This as compared to the amount of unsolicited sales, spam, etc. as a result of a public WHOIS. I think the industry needs to focus on another mechanism for tackling abuse. It needs to find a way to have the Registrar’s payment gateway providers force a “know-your-customer” process or have greater fraud detection/mapping at that point. I learned here in Zurich that there is AI out there that can help.
- Here in Zurich, many security professionals find themselves on both sides of the fence on this issue. As a security professional, they rely on WHOIS extensively. But as a domain owner, they keep their privacy settings enabled. Certificate issuance to security professionals for either manual or automated implementation of lookups can probably address this issue to some degree, but it will inevitably come with associated costs.
- Interesting comment from a Zurich attendee:
“look, Registrars have been looking for ways of getting rid of WHOIS for years. As Brian notes in his post, it’s a massive pain in their rears when ‘we’ find fraudulent registrations or just plain criminality, highlighting the fact that they do little to no checks regarding who uses their services, since this hits the profits. Having sat through many ICANN meetings when solutions were offered only to be shot down by the Registrars (not all, some are very helpful) it was always clear which way it was going to go. Add to this their [ICANN] constant rhetoric regarding transparency, yet their abuse team can turn a complex complaint around in hours stating nothing is wrong, but refusing to release how and where they checked the information. I could go on about a non-profit making massive profits, but you get the idea. I don’t normally walk from a fight, but when it’s so obviously loaded against, you have to find a new way”
a new game – cyber threat hunting!
As the world of computing has extended its reach over the last decade, high demand has risen for more sophisticated information systems, big data analytics tools, cloud computing, and mobile applications. The past decade has seen drastic growth in new security vulnerabilities and malware alone has evolved, becoming more sophisticated, unexpected, diverse, and powerful than ever before.
Ah, the old days – when early forms of malware sought to generate high-profile nuisance attacks. But now? Its aims are increasingly pernicious, focusing on ransom, theft and other malicious and hostile activities. Thus malware has become much more of a concern for organisations.
What has been most interesting this week has been a session on using AI intelligently … get it? … in cyber security. During the last decade most companies have managed to change their tactics and have moved from alert chasing to threat hunting. These activities started to gain momentum and while most security activities are still defined as detection, analysis, and response but this is simply not sufficient.
So the analyst’s role has been converted from a chaser to hunter and now they must take a proactive approach to protect their company assets by looking for active threats, vulnerabilities, breached systems, and leaked data. Threat hunting focuses on proactively finding threats. Threat hunting requires deep inspection of potentially breached systems and looking across wide ranges of historical data to find malicious activity not identified by traditional alerting mechanisms. Said David Femm of FireEye:
In the past decade there were many changes in the evolution of the security solutions. These changes evolved around the attacks prominent at a particular time. One of the first solutions in the market concentrated on the widespread DDOS attacks, which spurred the development in protection of third layer interaction that innovated the Firewall. In the later years as cyber crimes became more sophisticated, the security response had to step up.