dns be

  • British government will close an enormous number of their websites

    The labour government had already announced their plans to reduce heavily the number of seperate websites that government website had set up and continued to pay for, but untill now untill a very small number of them were effectively closed.

    The new government has announced to close down at least 2/3 of all the governmental website and to oblige the seperate website to integrate the content with a few portal websites. THe economies could be enormous on that scale.

    If the governmental agencies were smart they had chosen to use only .gov.uk domains, which would make it easier to close them down because only governmental agencies could register them. THe situation is much more complicated when one buys an enormous list of different domainnames.

    It can be that those domainnames will be continued and parked somewhere so that people can be redirected to the specific pages they were looking for.

    The impact on the ITmarket will be that the portalbusiness will be more important and that hosters of small websites will have to compensate their loss with other income.

    The implications for Belgium are that

    * a strictly controlled Domain.gov.be would make it easier to review the internetpresence from time to time and reorganise it without having to fear hijackers.

    * dns.be makes for the moment a lot of money out of temporary domainnames that are only used during one year. THey find it normal that a creative idea should have its own creative websitename. This is the most stupid thing to do and wastes a a lot of money.

    So the clock seems to be going back to the general portal thing with a lot of subdomains. Because the portal was becoming too big according to some communication specialists they said that each campaign needed their own personal campaignwebsite (and confused this with placing the content on a seperate site instead of integrating it in the portal and using the new domainname as a redirect service). But even than the enormous quantity of domainnames is also just confusing.

    Also it costs a lot of money and is quite a problem for security to give each of these individual websites the same interactive and communication service while they would have them automatically at the portal.

    So how many websites are our governments going to close down this year ?

  • dns.be in 2009 : don't talk about problems please

    DNS.Be has published its yearly review of its numbers with some pseudo research to fill the pages. For the rest it is just a jubilation of itself and a publicity product and for these reasons it is NOT a yearly review.

    It did not mention - for starters - that .be was the victim of a fastflux attack in the beginning of the year (discovered here) and that it took some time to solve that problem.

    It also is a bit easy to say that DNS.Be will lower the price (from 20 Euro's to 2.5 for the registrars-resellers) each time it can and that that won't impact quality and security - which are being mentioned here and there as publicity. It just doesn't add up. You can't say that you don't have the people for monitoring and fastresponse to fastflux and other attacks and at the same time lower the price of your prime product time and time again.

    DNS.Be is NOT an organisation for resellers. If they want to lower the price again and again, than they should form a lobby group. Dns.Be is responsable for the whole .be domain which for most part is owned by Belgians. They are responsable for the economic and other impact .be can have if something goes wrong.

    Like being mentioned as one of the top 5/top3 of the phishing domeinextensions. (also not mentioned there).

    They have a strategic committee that doesn't write their own part of the report and that is more concerned about their looks than their ideas.

    So yes, I think that the .be domain will have to become more expensive if it is to better protect its domainzone and follow up on the incidents that are bound to happen if you have more than 1 million domainnames to look after. And even if the registrars are protesting, they are only part of the community, they are only one of the stakeholders.

    But in dns.be they seem to be the only one sitting at the table and influencing the decisions.

  • the pseudo science of the WHOIS study by NROC for ICANN

    Since several years there are complaints and studies that the WHOIS system (who is responsable for a certain domain) is totally inaccurate and even false and that this has certain dangers.

    So the NRO did a sample study for ICANN but that is so limited in scope that it is not worth the paper it is written on

    * it is concentrated on the .com domain in general (75%)

    * more than 75% of the registrants are according to their WHOIS in the US

    * the number of domains tested is about 1400 (for the same money you could try to test automatically thousands of emailadresses as this one is always used if all the rest is false or incorrect).

    So statistically this is so limited in scope that it doesn't mean a thing. If you want to proof that of the whole general gtld internet the WHOIS has a high percentage of mistakes or false addresses, your sample will have to be much greater.

    The problem is that nobody is saying this.

    The three biggest problems with the present whois are

    * that you have to have the correct name and address - even email of the people responsable for the technical side of the matter if the site gets hacked or attacked

    * that business domains need to have a real business addresses just as in the offline world

    * that criminal online businesses are hiding their addresses or aren't contactable which makes any judicial procedure more difficult

    Off course if you make a study about such a big zone (and even than have a high percentage of faults and noncontactable domains) than you can't give practical solutions because the impact will be too great. And thus the investment - even if there if there is no logical or business reason for them.

    * when one says that it would cost more if the registrar would have to check each address on the whois with the creditcard than this would be totally normal for a business site. And for a higher price this site could have a certified WHOIS logo.

    And if one says that the WHOIS of the different registrars are different and that one need one central database and WHOIS and that this would cost enormous sums, than one has to be assured that this would be totally logic for business sites that are certified.

    Another reason for this is that online business is built upon reputation. Everything you can do online can be spoofed. The only things you can trust a bit are the certification services (if they are secure enough). The WHOIS system needs a certification service. It can even be used as a privacy service for certain details of the contact information.

    * when one says that it will ask a lot of effort to track down most of the users with mistakes in their WHois, one can respond that this effort will only be necessary when there is a real problem with the site that asks such an urgency.

    For the moment the internet is still in the landgrab mentality and just as in the wild wild west there are no clear laws and bounderies. It is time to start setting up a system that will determine clear and distinct legal ownership of the virtual legal estates one has. It is not sure that this registration will be as cheap as it is - and maybe a general certification tax on all new domains would help fund the certification services - but there is no business reason why virtual domains should be that cheap. They are not coca cola for immediate consumption, but investments in virtual real estate and property. The cost shouldn't be times 100 but a 10% increase would already make a big difference.

    This is only possible if a system is set up that would protect global brands across the domainname system from being hijacked.

  • brandmanagers will go to court instead of alternative dispute mechanisms

    In the beginning there was the saying that the internet was not made for the geographical judicial system and that it was too complicated to make an international internet courtsystem.

    So with the community thinking and the new world ideology several kinds of alternative dispute mechanisms were set up. (UDR). Also in Belgium.

    For brand managers it is clear that they have failed and are doomed in their present form. For several reasons.

    They also cost a lot of time and money, even if many of their decisons can - based upon precedents - be automated. If you have decided that any domainname with the name disney in it is a brandname and should have the approval of disney before than any other dispute about the same brandname should take several minutes.

    Secondly contrary to the judicial system the UDR dispute mechanism doesn't take their individual decisions to a higher level. If you have taken tens of decisons, than that should be the basis to make new rules that should be integrated in the contracts. As long as it are totally individual decisions you can use an UDR, but after some time you should prevent the same from happening all over again.

    Otherwise you are in the stupid situation that the registrar is inserting new domainnames that are totally illegal if one should abide by the decisions of the UDR. And you can't expect brandmanagers to go to the UDR for each repetitive cheap domainname that is nearly exactly the thing they got out of the air the month or even the day before.

    This looks a bit like the oil spill....

    Thirdly there is no effective punishment that scares the other parties (if their WHOIS is correct and if they are even contactable) and makes the risk more important.

    So yes, you should go to court and sue them for everything they have and sue those that have helped them to register, host and make the services and getting paid. They should also know there is a risk.

    And yes, this costs money. And yes this will take some time. But after all, it will be LAW. Real LAW.

    And as the online world is becoming less the Wild West and every year even more a normal business environment, businesses and people are turning to something they can really trust and that is REAL LAW.

    Why am I saying this ? Because I believe that after the trial that Verizon, Yahoo and others won against enom it is clear that the UDR process was flawed from the beginning because it didn't make 'community' law that was used as such and that if the internet is to be trusted one day it will need laws. And as the community model didn't work and didn't produce such laws, the centuries old way of making law will have to start doing so. For better and for worse, but there is no alternative.

  • when is a domainregistrar too big too fail even if courts decide as such

    Some big domainregistrars are playing with fire and are - just as the banks and the investors before the crisis - only looking at the short term and the easy criminal money. The are helping online illicit pharmacies to hide from prosecution and are being payed for the whole backoffce (payment) processing that is necessary for those services to function.

    When smaller ISP's and hosters or registrars are being dismantled or disconnected because they are infiltrated or used by the online and offline criminal businesses, the rest of  the internet can take care of the domaintransfers and the hosting of the legitimate businesses.

    THe implication of one of the biggest domainregistrars of the internet in helping and supporting illicit pharmacies can have big implications if one judge in the US decides to condemn for it and call the operation to be criminal. It is not possible to transfer that many domainnames at the present time. Even Knujon.com says that the involvement of enom firms and services in this (by US law) online criminal activity has enormous risks for the whole internet as we know it.

    If we stay with the comparaison with the banking sector we will have to make as a community the following decision

    Or we are accepting that the 5 biggest registrarservices are changing the domainbusiness in a collective monopoly and we need to regulate them more strictly than others because of that systemic risk.

    Or we have to take steps to break them up or liberate the market even more - maybe by limiting the number of domainextensions one may sell or the number of affliates one may have just as we have done in several other industries.

    I think that if this choice is put before them that in the end their choice will be the first.

  • 28 million domains in the top 5 domainextensions with uncontactable WHOIS data

    According to the research for ICANN itself by an university this report estimates that around 28 million domainnames on 100 million don't have WHOIS data that makes it possible to contact effectively the owner of the domain.

    You should wonder why security officials at ICANN yesterday were having closed meetings with registrars at ICANN Brussels and asked publicly - with no immediate success but it will become part of the process - if so many domainnames have to be closed down at the root of the domainservers instead of through the right judicial process against the owner itself.

    It is strange that using someone's elses identity of even faking an identity is a crime in most countries but shouldn't be when you are buying a piece of land on the internet (which is the internet in fact, a virtual country). When we buy things offline we have to know exactly who is the owner and even if the owner doesn't want to be contacted directly - as is sometimes the case in businesses - than who is the contactable representative who will be accountable if they don't react on questions form the service providers or law enforcement. If you take the money to represent someone you should also do the work and responsability that comes with it.

    Than there is the question of cost. But let's talk cost and total cost. It would cost according to some comments around half a dollar more to control the WHOIS data automatically for each domainregistration. Well that doesn't seem much for quality and less crime and more trust online. ANd in the end it will make it easier for the registrars to follow up on the questions and affidavits from law enforcement.

    Offcourse this will cost more for smaller companies because they don't have the necessary resources but maybe there is a new industry that may pop up here - permanent address data checking - that could deliver this service to these online services but also to a bunch of others. If there are problems with the address - or it is blakclisted for one reason or another - than it maybe a serious indication that something maybe wrong with your sale and that more information is needed. 

    ANd yes I can't forget to mention that in the .be domain you can lose your registration when your WHOIS data doesn't have a nonresponding emailaddress but it is totally unclear if they check this before or when changes are made or during the lifetime of the domain. Off course testing one million domainnames is not something you can do manually, but with some filters you can check the emailadresses that were non-responsive. If the emailaddress has been deleted or is non-existant than maybe there could be another problem.

    You will see this question popping up again and again in the coming months and you will see probably that the professional registrars with try to make a difference by offering WHOIS services that are trusted and correct and may turn out to be the preferred partners of the bigger domainnameportfolio holders who know that trust and reputation have no price on the internet.

  • dns.be in the storm : agents start reacting

    I can understand that when you have built a good succesfull business on the more or less succesfull .be domainname that you are at the least angry when your business is endangered because some people somewhere don't take the necessary steps to clean up the business from fraudulent agents.

    The articles in the Belgian press that the .be domainname has been presented worldwide at the conference of ICANN as one of the main distributors (in percentage) of phishing domains (not hacked sites that are used as such) and one that doesn't react fast enough if such acts are brought to their attention have started to collect some interesting reactions.

    One is the question why DNS.Be has dismantled its Ethical Commission that had the power to sanction agents that are responsable for the main part of these registrations. Those agents are known to DNS.Be but are still legitimate resellers.

    The new CEO of dns.be has said that he has the intention to work on security and quality, but he will now need to act fast and restore confidence worldwide after this damaging publication. This can't be done by soleley words but have to be done with acts and sanctions and controls and new procedures and obligations.

    A crisis is an opportunity to do things you normally wouldn't be able to push through. Dns.be is now in such a situation (even if they don't think so). Everything will depend on the fact if by the end of 2010 they have re-invented themselves as a maybe somewhat slower registration-activation domainextension but one that one can trust. And that if something goes wrong, there will be a team 24h every day to take all the necessary steps to undertake the necessary actions.

  • ICANN Brussels live : hundreds of new gtld's being prepared but

    One of the most interesting discussions on ICANN today is about brand management in the age of new gtld's and you had a panel of top brand managers from organisations and big lawyer office talking about the prospects and problems of these big gtld's sitting on the panel or in the room.

    Afterwards it was clear that this professional informed public thinks that a few hundred applications for new gtld (domeinextensions like .be, .com and others) will be filled even if the process is very flawed for the moment - from a legal point of view.

    What does this mean for you ?

    If you think that you may need such an extension and that you could use it internally (for your internal secured network or extranet) or internationally as brandmarketing than it is time to start thinking, budgeting and planning it because there is not so much time left and all the laywers and specialists in the panel agreed that it takes a lot of time internally to get everybody around the executive board room to agree. It is about much money, estimates to upto 500.000 dollars operational costs included and marketing costs could go in the millions for big enterprises who will want to change all their online marketing and the offline references to their online presence.

    The other problem is about who is going to operate them ? Who has the experience now and in the future to operate such networks, dns services and administrative background checks. You can say that this may be the registrar companies that already exist (dns.be for Belgium for example) but this is maybe not so evident because some of them may be direct competitors - except if in Belgium one decides that the operational infrastructure has to be seperated from the different gtld's that maybe operational in this country. THis could be .be, .vl, .wal and maybe some others.

    Imagine that a .bank or a .travel gets hacked on their root dns servers and all traffic gets diverted or sniffed ? Imagine the brand reputation damage that would give. THis would be like an atomic explosion on the internet as big as the DDOS on yahoo and Microsoft in the years 2000.

    The main problem the lawyers were having - and which could become a real headache for the process and for the people who are filing for such a new gtld may be that the dispute process will have to be adapted because it now takes too long before it is concluded.

    Nobody was really showing its cards but the feeling was there that it is a really complicated but very important process. You can say that the cost maybe high, but that is relative. THe real question for marketing people is how the public will react, but that is a question for afterwards. THe public will follow whatever major happens on the internet that gives them new interesting or secure services.

  • analysis 2H2009 : .be and .eu domainextensions were the hardest hit by phishers among the big domainzones

    This is what one can conclude from this published report. Curious what the response will be.

    First I also want to make clear that more methodological data should be published together with each report (as it can change) to be fully professional. and scientific clear definitions and comparaisons between different datasets are a necessity for a good understanding. None the less, the report gives us some clear indications. And these indications can be coupled with other information.

    APWG  (Anti phishing workgroup) is the international organisation that coordinates and analyzes the fight against phishing (the stealing of logins of customers from for example banks by setting up fake login pages and sending links with so called security alerts). Their yearly reports about the state of phishing in the world is based on one of the most complete databases global databases around, thanks to the collaboration with many local and other initiatives.

    The researchers make a distinction between a phishing host and a phishing attack because a phishing host can host many attacks against the same or different institutions. It is for this reason important to bring down phishing hosts as quickly as possible. Not only to limit the number of victims but also to limit the number of attacks. As the phishing hosts may be part of a fastflux botnet it is more difficult for the botnetmaster to coordinate new more sophisticated attacks if his phishing hosts are brought down and cleaned up.

    The main conclusion of the research is that more than half of all the phishing attacks around the world in 2009 could be attributed to one group, called the Avalanche gang. They professionalized the tactics of the Storm gang by using fast flux hosting domainnames bought with registries and registrars that don't mind about security on individual infected computers around the world. In the second half of 2009 the gang had to change tactics and diminished its numbers of attacks (it was responsible for about 2/3 of all phishing attacks because each of their phishing domains hosted around 40 phishing attacks) after one of its main control centers was brought down because the criminal ISP was cut off the internet by its peers (other ISP's refused to accept traffic from that ISP or to send traffic). The effect of that action was dramatic but limited in time.

    Fastflux attacks don't use one domain one server architecture, but use domains are somthing that can be used on tens or hunderds of infected PC's or hacked servers around the world. This means that it is no use to bring down a physical server because the domainname will pop up somewhere else around the world. The only way to take down these domains is by blocking the domainname in the central DNS of the organisations responsable for the domainzone.

    In global numbers there were nearly 60.000 domains used for phishing active per year since 2008 which are bought with at  more than 300 different TLD's (but mainly with 5). They are used for about 180.000 attacks against 40 financial institutes in the second half of 2009 (or one site is used for 3 attacks in general).

    IDN attacks (in which numbers and letters are interchanged to confuse the user) are seldom used while only about 5000 to 6000 phishing domains are located on an IP address.

    The 'Avalanche gang' tested and selected several domain registrars to see how long it would take them to suspend their fastflux phishing domainnames. These domainnames were often just a series of letters and numbers that varied a little bit and were often registered in several domain extensions. We saw it here quite often with the .be and .eu domain extension. It seems that a crosscheck between domain extensions would have prevented them from doing this (if one domain is a clear phisher in one domain extension a cross check with the whois data and a screenshot could have shown up the other phishing hosts on other domain extensions - the checks could all be automated).

    Several registries have augmented their security and take-down procedures because of this attack. This was the case in general for several big registries (.biz, .info, .org, .UK) and some small ones after they were attacked (like .hn and .im).

    In April 2010 the 'Avalanche gang' seemed to have diminished its operation quite dramatically. From 12.793 attacks on 498 domains in July 2009 the 'Avalanche gang' was only responsible for 59 attacks on 59 phishing hosts in april 2010.  The real question remains the same as when the Storm spamgang disappeared. What or who next ?  There is a lot of talk about the Canadian Pharmacy spamgang nowadays.

    The report prouds itself that the lifecycle of the 'Avalanche' fastflux phishing hosts was shorter than the other phishing hosts because of the interest everyone was giving to this gang, but in other professional antiphishing literature you read that a phishing host has to be taken down in 4 hours time because most of the victims are made within 4 hours of the launch of the spam for the phishing domain.

    This is far from being the case but it is difficult to interpret the numbers because they may be influenced by some domains or ISP's or hosts that don't react very quickly, if at all. The numbers would be even more interesting if they would be cleaned from phishing hosts with criminal ISP's who advertise the fact that they don't take down any criminal website (bullet-proof hosting). Nevertheless the median time needed to bring down a phishing host is still nearly 12 hours. This is still 8 hours too long to make online phishing ineffective.  If you want to discourage online phishers, you should invest your main resources in a fast response and take-down.

    Becauise the difference between the fastflux Phishing domains from the Avalanche group and the others  is a too big difference you can't have a meaningful general inication for all the phishing domains.

    The median uptime for phishing .be domains from the 'Avalanche group' is still 10 hours which is the 6th  of the 9 domain extensions that hosted the most Avalanche phishing domains in the second half of 2009. You could also note that 3 big domain extensions (.cn, .info and .org) kept this uptime under or just above 4 hours.

    This is totally not the case for the other phishing attacks where NOT one domain extension can bring down the phishing host in the same timeframe. The best is .info with 10 hours which is 8 hours longer (a working day) to bring down a non-Avalanche gang phishing host. The .be domain needs more than 20 hours (median time) to bring down a phishing host which is the 9th slowest (out of the 10 main domain extensions with phishing hosts). The .eu is the LAST. It needs 22 hours to bring down a phishing host that is not from the Avalanche gang (and those were very few which means that it took a lot of time for most of these phishing hosts). The .eu is also the LAST one in bringing down Avalanche gang phishing domains which shows that even when it was heavily abused it didn't set up the necessary fast tracks to fend off the attackers and discourage them. As the internet is the Wild Wild West the best defence for now is to try to fend off the attacker in the hope that he will concentrate on another victim that hasn't put so much time and money in security.

    One should remember that taking down the domain name of the host is the ONLY way to deactivate a phishing host if the phishers use a botnet with fast flux botnet. With fastlux hosting the domain name is hosted on another server in another country every so many visits or minutes. THis is done by an infrastructure of DNS servers or procedures set up by the botnet and the infection software on the individual hosts or zombies. This makes it more or less impossible for law officers to bring down phishing domains by bringing down one server or infected PC. They have to take down the core to bring down the phishing domains and these are or the botnet infrastructure (or its criminal ISP) or the domainnames themselves at the root dns of the domain extension.

    This blog was active in pushing the FCCU and dns.be in bringing down a number of fast flux domains in the .be and in trying to convince them to use a fast track between them. But it is clear that a more permanent and automated system is necessary. At the time this blog said that the reputation of the domain extension .be an sich was at stake if no drastic actions were taken. What was surprising was that most of the information in the Whois (identification of the owner) seemed false or needed verification before activation.  This process can also be automated. Checking telephone numbers with countries and checking the emailadresses can be automated for example. At the time a process was put in place by which the Cyberpolice FCCU contacted the justice department based upon a standardized demand to take down a fastflux phishing domain based upon the Belgian Cybercrime law (I suppose) which was sent to DNS.BE after signature by a judge for the effective take-down (or should we say blocking) of the respective domainnames in the rootserver of the .be domainextension.

    When we look now at the numbers and the time necessary for a take-down it is clear that those efforts may have been gigantic and effective at the time but have been bypassed by those from a whole series of other domainextensions. The net effect of this is that as the other domainextensions became less interesting the .eu and .be domainextensions became increasingly more interesting. It didn’t help the .be domainextension that it is often sold together with the .eu domainextension and that the main crimegangs online had already some experience with the .be domainextension from the period in which they could try it totally free for a year. As this blogger at the time discovered, this campaign was abused by international crimegangs to infiltrate the Belgian webspace. If such a campaign were to be relaunched today the effects would be even more disastrous because the online crimeworld is much better organized and experienced than ever before, thanks to all the money they have amazed during the last years.

    If you look at the numbers of the phishing domains for each of the main domain extensions that were used by phishers worldwide in the second half of 2009 you will see clearly that the .be and .eu domain extension were at that time the favourites from criminals. There are practical reasons for that. You don't need to live in Belgium to be a .be domain name and the registration is quasi automated without many controls. Your domain name can be immediately activated which leaves you - in a weekend for example easily the opportunity to launch a phishing campaign (without being downed in 4 hours). And even during working days it would take more or less 10 hours to take them down.

    When we analyze the numbers we can conclude the following for the .be domain (the numbers are even worse for the .eu domain extension).

    For all the domain extensions of the world the .be domainextion was in the second half of 2009 with 297 unique .be phishing domains the 6th domainextension in the world based upon the total number of unique registered domainnames used solely for phishing and of these 287 were registered by the Avalanche gang which makes the .be domainextension the 4th of all domainextensions worldwide that were used by that gang.

    These .be domains were used by the Avalanche gang for 915 attacks against the users of 40 financial institutions. This means that the .be Belgium domainspace was the 9th worldwide in the number of such attacks by the Avalanche gang. I am not sure that we should be proud about that.

    I know dns.be will say that even these numbers are very limited as a percentage (we had nearly 1 million .be domainnames at that time) but APWG states clearly that independently of the number of domains a domain extention has, they should be very alarmed if more than 2.9% of those are used for phishing. For the .be domain it is about 3.1%  Icann has also issued several alarms in 2009 and has tried to help several registrars to stop the infiltration. Several domainextensions have taken drastic actions in 2009 and 2010 (.ru, .hk and .cn) to stop the flood of registrering domainnames for malicious use. It is time for .be to take appropriate actions in their marketplace if it doesn’t want to be seen as a dangerous domain by firewalls (blocking now on domainextension and geography) and malware reputationtools.

    In that respect one can say that .be has passed the 1 million domains but that makes the problem only worse. If we exclude all the smaller domains and only take the  domain extensions into account with more than nearly a million domains than the .EU and .be domainextensions were the most used as a percentage by the phishers. It means that if you want to play in the garden of the big boys that you will have to change the way you are doing things and you will have take on new responsabilities and will have to invest enough to keep the domain extension safe.

    When you have that many users and investors you are morally obliged to invest much more in security and make it an obligation throughout your organisation and operation, even if some people and vested interests didn’t make the mental switch yet. It is not possible anymore to block a domain extension with one million domains but the loss would be enourmous if that would become more and more the case, if more and more enterprises and networks all over the world start asking, do we need websites from Belgium if all that malware and phishing starts spreading over its domains ?  For 95% of the internet the .be domains are not necessary and most of the important .be domains have also bought other domainextensions and can switch their main focus easily.

    And what would it take. Look at the numbers. We are looking at a total of nearly 300 domains in 6 months, which means generally bout 50 each month or nearly two take-downs from the central dns server a day. And this even ain’t true because those domains are registered in small packages that are even not so difficult to spot in the registrationdatabase (for insiders).  With backup and so on, you would in fact need two to three take-down officers who follow up all the incoming demands and forward the complaints to the CERT for control if not enough proof is added or the FCCU if it comes from certificed security sources. It is not that these securityresearchers wouldn’t be willing to work together with official resources to take down these sites immediately as long as they see an immediate effect.

    So you have the 1 million domains, you have a new direction and now it is time to show that you are ready to make from the .be domain extension a domain extension where it is “safe to .be”(copyright)


  • how can this .be domainregistration be accepted

    If you read it, you can see immediately that it is a fake one

    Secondly, it is being used in fastflux phishing botnets according to Arbor Networks

    It is in Quarantaine but avaible, what does that mean (and if I don't understand, how will somebody else from another country understand this). It is quarantained or blocked (and not available) or it is avaible. Maybe it is in quarantaine because they are awaiting payment - that never comes and it is being used. I think some clarification and controls are in order here.



  • dns.be will de-block conficker domainnames

    really, you can read it here

    "Since April 2009, DNS BE has blocked almost 200,000 .be-domain names upon the advice of ICANN (http://www.icann.org). When using the whois, the status 'blocked' was shown for these names.

    Every 3 months we receive an up-to-date list from ICANN containing domain names sighted by the Conficker worm. This list contains mainly new domain names which are not yet registered, nor blocked; a small percentage contains domain names that were already sighted before.

    Therefore, DNS BE has decided to unblock all non-registered domain names that figured on earlier Conficker lists but that do not pose a threat anymore. Those domain names will be unblocked this week.

    In order to avoid speculation, we will never publish a list of these domain names."


    okay, so why make it those guys difficult.

    They can now relaunch their conficker with all the old domainnames - especially those with .be as domainextension

    Why the hurry ? Conficker is still a few million strong and nobody knows exactly when the updated version will come along. If the first versions have learnt us anything, than is it that these guys are not only really smart but they also read a lot about the analysis and countermeasures and take the appropriate steps.

    and most of them weren't even names but just a bunch of letters and numbers without any logical meaning.

  • .ru will block international sales from the first of april and are .be and .eu ready ?

    First the .cn domain blocks all international sales and says that it will go through an internal clean-up after becoming one of the most malicious domains on earth and the internet. It will now become necessary to go in person with your identity papers to the offices to get an .cn domain name. For the time being, but I suppose that a verification process will be set up so that things can go faster.

    Secondly we see an expected migration of malicious domains to the .ru domain that are being used for fastflux botnets, phishing and malware infections

    The .ru domain has announced that it also will clean up this mess and stop the international sales starting the first of april and will control the identity of those who want to buy a domain name with the .ru domainextension.

    Where will they go after that ?

    They need a domain extension that you can register online with bogus addresses that aren't controlled instantly with temporary creditcards and for which the registrars (the companies that sell the domainnames) don't ask too many questions.

    .be and .eu have proven to be in that category because last year there were a number of fastfluxdomains with these domainextensions. After some weeks of campaigning on this blog and some contacts and lobbying behind closed doors, the sites were downed by a coordinated action of the FCCU, Justice Department and DNS.Be but meanwhile some people have left DNS.Be and it is not clear if the procedures and contacts will still hold when an new onslaught of malicious domains will start.

    The greatest danger for any domainextension is that they wait too long to intervene so that after a while the filtering on mailservers and internetconnections will just blacklist any domain with that domainextension (as most now do for .cn and .ru) and that the international value of that domain just crashes.

    For the moment aside the .ru dominance of the fastflux botnetdomains, .uk and .kr are the most prevalent in the listings. They should contact arbor networks to clean up and get a procedure to block those domains at the rootlevel of their domainextension. It is the only way to stop fastflux botnets and it increases the responsability of the different players in the domainextension world.

    Yes, the global insecurity of the internet has reached your business on a level that you will have to take coordinated fast drastic actions if you want to survive - even as a business. Nobody will want to buy a local domainname if its reputation is tarnished by an international crimegang and blocked by thousands of networks.

  • the domains .in and .at used in fast flux botnets

    There is also the .ru and the .cn domainextension but I don't think that they will be blocked by the domainextension managers anyway soon. And the same goes for the .net, .com and .org domainnames. If they change their mind they could maybe contact Arbor networks.


    Because when in the beginning of this year the .be domainname was used/tested by the operators of the fastflux botnets (in which the IP address and the location changes every tiime but only the domainname stays the same so it makes no sense in trying to get the server down) it was by a drastic but effective coordinated action by the FCCU, the magistrate and the DNS responsable for the .be domainname that those names were quickly blocked at the root level. The reason is that or the domains were registrered by fraudulent addresses or they were used for fraudulent illegal activities and based upon our commercial and cybercrime laws those domains could be blocked immediately. Also the conditions of use by DNS.Be gave dns.be the possibility to do such a thing if they were instructed by the justice department.

    The .at and .in domainextension managers should look into it and demand themselves if they will let the problem continue and grow (and arrive at the same blacklist as .ru and .cn if you don't need them extensively) or if they will act and preserve the trust in their domainextension.

    Start with getting into contact with arbor networks.

    Check the listings often.

    Have a process for handling such cases quickly (standard form for the magistrate from the police/cyberpolice with the standard proof from the web and the registration) and block it at your root dns of the domainextension. They will continue to try now and than, but if you follow up they will just go on untill they find another domainextension that doesn't have such processes.

    Oh yes and if you find 10 domains that are registrered by the same person you should block them all, even if they were not all used because if 5 were used for phishing than the other five will not be used for personal means.

    It is effective because aside one or two new trials we haven't seen any .be domains in the list of fastflux domains in 2009 after the first re-action.

  • .tk domain under fastflux attack (react or be blocked)

    If the .tk domain does not clean up its act immediately it will be blacklisted and will not recover from this attack. Malwarescenario architects have developed a scheme in which they are taking these free redirection domainnames as a cover for their other sites. First it were only a few, than .tk blocked them and they went away but since a few days the number .tk domains that are used in fastflux botnets is growing exponently.

    Many blocking services and critical networks will now just blacklist it. Unless it acts now and dramatically.

    When the .be domainname was used at the beginning of this year it took belsec some weeks to convince everyone in the chain of command but at last the domain registrar, the justice department and the FCCU had a very simple procedure to take those domains out in a few hours time with very clear procedures and contacts between the different parties. It has since than worked very efficiently and also thanks to arbor networks.

    If .tk has no fast procedure to take those domains out as fast as possible with clear procedures and communication lines it will become a wasted unnecessary domainextension that will just be blacklisted.

    Viewing the number of .tk domains that are being used now as malware infectors it has no choice but to act now

    this is just a part of the list from Arbor Networks (and the list of active zombies seems to be increasing since last week, normally they were around 600 to 800 active zombie domains, now there are around 1600-1800 daily). Maybe the exploits are no coïncidence.


    Do not visit these sites, some are chinese and the chinese web is for the moment responsable for most of the zerodays attacks. We don't know if there is a link.

  • why do cybercriminals like the .eu and .be domain - here is why

    According to the WHOIS policy for .EU domains, I am not allowed to share with you in my blog the patently false registration information for the domain 1il1il1.eu.

    You would have to WHOIS the information yourself from: www.eurid.eu, which is probably part of why criminals like .eu domains so much.

    .be domains, like .eu domains, require you to visit the Registrar's website to reveal WHOIS details. According to www.dns.be, its not allowed for me to post information from their WHOIS database about hftiili.be here, so you would have to look that information up yourself:

    Lookup WHOIS for hftiili.be.


    Time to change that I think.

    Why not do like most of the other domainextension - except for those that promote the privacy and protection of that information even to the police

  • the .cn domain is in hands of pirates and malware

    The figures for April show that Masiello was right. But they also show something else. Many of the top-level domains (TLDs) in which the spam images are being hosted are registered in China’s .cn domain. This probably is a result of the McColo crackdown, MessageLabs said

    This is also the case for the domains of the fastflux networks, of the domains with malware and the phishing domains.

    If you don't need the domain in your environment or you need just a few, you should block .cn and whitelist all the others.

    untill they clean it up.

    they are no democracy anyway.

  • the effects of a DNS hijacking

    NET Virtua's DNS records reportedly were hijacked on April 11, so that customers who visited any site that ran Google Adsense content were redirected to a site that tried to install and run a Java applet that in turn installed a Trojan horse program.

    Globo.com said the attackers also took aim at Bradesco, one of Brazil's largest financial institutions. NET Virtua customers who tried to visit Bradesco.com.br during the four hours the DNS records were hijacked were redirected to a counterfeit version of the site designed to steal customer credentials, the story notes


  • domain registrars the next attacked weak spot

    Earlier today some Turkish defacers broke into the New Zealand based registrar Domainz.net (which belongs to MelbourneIT) and redirected some of their customers' high profile web sites to a third party server with a defaced page. Companies which had their New Zealand web sites defaced include Microsoft, HSBC, Coca-Cola, F-secure, Bitdefender, Sony and Xerox.

    The hacked websites carried the messages: "Hacked by Peace Crew" ,"STOP THE WAR ISRAEL". In addition the crackers inserted a picture of Bill Gates creampie'd on the Microsoft defacements


    they simple used an sql injection in the management software of the domain registrar to change the IP address of the domainnames.


    imagine doing that for a bank or a high level ecommerce site.

    Imagine sending them to a fake securitydownload software or zero day exploit virus

    Time to give security certifications to domain registrars BEFORE they can (continue) to sell any domainnames online ?

    Time to block your domainname so that NO CHANGE at all can be done ONLINE to ANYTHING without confirmation on paper (fax). If you are high level, you have to treat your domainnames as high security and if you don't have the manpower or knowledge to manage this yourself, you should take a specialised agency to do that for you.

    As with most things in cyberspace, the management of things becomes even more important than the launching or buying of things. People start their projects but don't calculate the costs for the permanent management and forget about it.

    This is maybe a whole new business for domain registrars and will make the difference between the amateurs and the professionals.

    Because if you click on the listings for the three members of the clan that made the attacks, they are truly highlevel hackers that only attack very specific targets and only in a way that it is remarkable. They are not the "script kiddies" running some automated attack tool.

    We always said that you have to stop automated attacks as far away from your infrastructure as possible (router) to be able to monitor the targeted attacks by the powerful. If they can hide between thousands of scans, you will never see them.

  • how to get malicious domainresellers out of the system

    "The end of a long drama that started last summer: Registrar Parava Netowrks(aka 10-Domains.com) has been terminated by ICANN for failing to address non-compliance of the RAA. Parava first came to our attention while working with LegitScript on a report on Underground Steroid Websites. While conduction our investigation we discovered that Parava had falsified its address."


    This is normal as fraudulent or undergroundlinked business can't have normal addresses because it would make the money trail too obvious (and this is what the normal policework is all about if you can't get the network information).

    The advantage is you could use simple stupid self-evident rules like that to completely push them outside of the normal online business system. Any mobbusiness has only one goal and that is to infiltrate the normal businessnetwork and this is also the worst nightmare of the online crimefighters, that is that the mob gets its hold on a domain registrar, ISP or complete network. It already had so last year but the rest of the networks cut all links to them (RBN for example).

    The only problem is that every dns or domainregistrar should control on a permanent basis (or give this job to outside agencies) if all information is correct and act if that is not the case.

  • is the chinese .cn domain being blasted to blacklists worldwide because of Russian cybercriminals

    In other words, we have see Russkrainians (Russian/Ukrainian cyber criminals) use certain aspects of Chinese culture to falsely implicate Chinese involvement, and vice-versa. There is currently an especially disturbing trend of Russkrainian cyber criminals using Chinese assets (e.g. domain registrations in .CN, etc.) to implicate innocent parties.

    the only thing .cn has to do to survive is to set up a cybersecurity center (take some soldiers from the webfilters) that can close down fast mailicious new domains and contact normal website owners to inform them that they have been attacked, hacked and are being used in cybercrime.

    it has always been astonishing that so many .cn domains could be used for so much cybercrime without any of those thousands of official cybersoldiers cleaning up that mess.

    Some would call it cyberwar by which the official domain of one country is being undermined and blasted to blacklists because of hijacking of the domains reputation by hackers and cybercriminals.

    This could happen to any domain for whcih one doesn't have to live in the country.

    The .be domain has put such procedures in place and implemented them successfully twice already in the last months.