<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">Em 23 de abr de 2018, à(s) 01:36:000, <<a href="mailto:trachtenbergm@gtlaw.com" class="">trachtenbergm@gtlaw.com</a>> <<a href="mailto:trachtenbergm@gtlaw.com" class="">trachtenbergm@gtlaw.com</a>> escreveu:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" class="">
<div dir="auto" class="">
Rubens,
<div class=""><br class="">
</div>
<div class=""><p style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69);" class="">
</p>
<blockquote type="cite" class=""><span style="font-family: ".SFUIText"; font-size: 14pt;" class="">Those can be used to do some correlations, but other factors such as name servers, IP address and target URL (if hiding in a redirection chain) are useful as well.</span></blockquote><div class=""><br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69); min-height: 16.7px;" class="">
<span style="font-family: ".SFUIText"; font-size: 14pt;" class=""></span><br class="">
</div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69); min-height: 16.7px;" class="">
Name server and IP address are often not useful, especially with email based attacks, which is the majority of attacks now, because the bad guys use the registrar's nameservers and a third party mail server. In other words it doesn't tell us anything to see
that the domain has Microsoft or Google or major registrar MX records and IP addresses. </div></div></div></div></blockquote><div><br class=""></div>One of the largest operations we did had exactly name servers as the commonality among dozens of registrations. They were used to provide reverse DNS services so the e-mail sending Cloud VMs ranked more trustworthy at e-mail systems. That perpetrator was the first to be "honored" with a network-wide null-route in order to prevent its registrations from continuing. So, perhaps that information could be useful but the availability of WHOIS made the later to be pursued more often ? </div><div> </div><div><br class=""></div><div> <br class=""><blockquote type="cite" class=""><div class=""><div dir="auto" class=""><div class=""><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69); min-height: 16.7px;" class="">Similarly, there is no target URL since the attack is not content based. </div></div></div></div></blockquote><div><br class=""></div>I would also call exploits sent as attachments as content, and that's why mail security rules usually address those, and there is also a threat intelligence exchange of fingerprints to respond faster to such threats. </div><div><br class=""><blockquote type="cite" class=""><div class=""><div dir="auto" class=""><div class=""><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69); min-height: 16.7px;" class="">
<br class="">
</div><p style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69);" class="">
</p>
<blockquote type="cite" class=""><span style="font-family: ".SFUIText"; font-size: 14pt;" class="">A registrar has access to registration data and can act based on that. So, if someone detects that example.example is a security threat, it can raise that issue with the registrar
and that registrar can correlate to other domains registered by the same wrong-doer. There is no secret sauce, and this happens in large amounts everyday.</span></blockquote>
<br class=""><div class=""><br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69);" class="">
No offense to my registrar friends but they are generally not going to do this kind of investigation and definitely not en masse as would be required if there is no registrant name and email. Basically, you would be shifting the investigation burden to the
registrars. Why don't you ask them what they think of that idea and whether it is likely to happen. And that is just the major registrars - the smaller ones generally won't even investigate and say they have no duty to. </div></div></div></div></blockquote><div><br class=""></div>Being a registrar with 3.2 million domains I can tell you that it's not a big of a deal to do such investigations. We also have found that DNS-related fraud is highly correlated to payment fraud, and that every $ we put on it gets us less payment fraud, and keeps us inline with card brands requirements of chargeback volumes. </div><div><br class=""></div><div>But for every contracted party not willing to handle investigations, there will be someone out there that would like signing an agreement to get access and do the investigation for them. For instance, like the recent CoCCA/SDF agreement (<a href="https://cocca.org.nz/#news" class="">https://cocca.org.nz/#news</a>). Data controllers can outsource processing activities, including abuse investigation, provided GDPR is also followed along the process. </div><div><br class=""></div><div>And even if a 3rd party could use layered WHOIS access to investigate, registrar willingness to combat abuse will still be required in order to do enforcement. And that is true today before May 25; GDPR doesn't change who wants to fight abuse and who wants to turn a blind eye to it. Even the ability to determine who are good in doing it and who are not is also not hampered, since registrar on record is still listed at public WHOIS. </div><div><br class=""></div><div><br class=""></div><div><br class=""><blockquote type="cite" class=""><div class=""><div dir="auto" class=""><div class=""><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69); min-height: 16.7px;" class="">
<span style="font-family: ".SFUIText"; font-size: 14pt;" class=""></span><br class="">
</div><p style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69);" class="">
</p>
<blockquote type="cite" class=""><span style="font-family: ".SFUIText"; font-size: 14pt;" class="">Both investigating and enforcing can be done by registrars or thick registries (if they continue to exist after GDPR). Detecting can be done both by registrars and by 3rd parties,
and in my experience the best results come from all doing it: we run some pattern detection filters on the stream of new registrations and get threat feeds from the "usual suspects" (OpenPhish, PhishTank, ShadowServer etc.).</span></blockquote>
<br class=""><div class=""><br class="webkit-block-placeholder"></div><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69);" class="">
See above- not going to happen. </div></div></div></div></blockquote><div><br class=""></div>As a strong leader once said, "I find your lack of faith disturbing".</div><div>If you are willing to put up with auto-translate of a foreign language, you can see my presentation at a local network operators group on this a few months ago:</div><div><a href="https://www.youtube.com/watch?v=S--UIH_Prc8" class="">https://www.youtube.com/watch?v=S--UIH_Prc8</a></div><div><br class=""></div><div> </div><div><br class=""><blockquote type="cite" class=""><div dir="auto" class=""><div class=""><div style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69); min-height: 16.7px;" class="">
<span style="font-family: ".SFUIText"; font-size: 14pt;" class=""></span><br class="">
</div><p style="margin: 0px; font-stretch: normal; line-height: normal; font-family: ".SF UI Text"; color: rgb(69, 69, 69);" class="">
</p>
<blockquote type="cite" class=""><span style="font-family: ".SFUIText"; font-size: 14pt;" class="">EDPB, known before May 25 as WP29. "The role of the EDPB will be to ensure the consistency of the application of the GDPR throughout the Union, through guidelines, opinions and
decisions."</span></blockquote><div class=""><br class="webkit-block-placeholder"></div>
<div class=""><br class="">
</div>
Yes - But they won't give specific guidance before May 25. That much is clear. <br class="">
</div></div></blockquote><br class=""></div><div><br class=""></div>That's their discretion, and as public officials, they know the impact of their actions. But I am not willing to replace the lawful position of a public servant chosen by an elected official with mine just because. <div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Rubens</div><div class=""><br class=""><div class=""><br class=""></div></div></body></html>