[gnso-rds-pdp-wg] @EXT WHOIS info and investigation

Mark Svancarek marksv at microsoft.com
Wed Jul 20 04:04:33 UTC 2016 

Here’s one that was used during a criminal investigation though it was found by non-law-enforcement people.
http://thinkprogress.org/justice/2015/06/20/3672201/alleged-dylann-roof-racist-manifesto-revealed/


From: Rod Rasmussen [mailto:rrasmussen at infoblox.com]
Sent: Tuesday, July 19, 2016 5:25 PM
To: Mounier, Grégory <gregory.mounier at europol.europa.eu>
Cc: Chuck Gomes <cgomes at verisign.com>; Mark Svancarek <marksv at microsoft.com>; Andrew Sullivan <ajs at anvilwalrusden.com>; gnso-rds-pdp-wg at icann.org
Subject: Re: [gnso-rds-pdp-wg] @EXT WHOIS info and investigation

Krebs is always a great read - really knows his stuff technically and as a journalist.  If you liked this, check out his book Spam Nation for a whole history of this and some of the main actors behind it throughout most of the last ten years.

This is a fairly typical OSINT (Open Source Intelligence) type of investigation.  You’d think criminal “masterminds” wouldn’t use horrible operational security practices like using their same personal information on social media accounts, malicious and personal domain registrations, embedded in malcode, or in e-mails.  Yet they do every day and this is a major source of cybersecurity professionals being able to track down all manner of undesirable Internet activities from services abuse to flat-out illegal acts in most if not all jurisdictions.

A couple of additional things to note.

1) Law enforcement had nothing to do with this particular story/investigation.  This is true for most cybersecurity operational activity and investigations - it’s largely a private-sector affair with security companies of various flavors looking at the malware, spam, malvertizing, etc. that crosses their paths.  From that starting point they try to figure out things like what else is tied to it (so I can block or kill it), or “who’s doing this”, or “what are they really up to?”

2) There are a lot of “established” service providers around the world that have heavy levels of abuse on them over a very long time.  It is really hard at times to separate “bad guys” from “incompetent” or “uncaring" operators.  Collection of data like this can lead to connections between various activities that can put a much better color on their hats.

3) To then bring charges that could actually affect a subject’s life though, any and all of this kind of research is merely a starting point that the police then use to inform a much more traditional investigation that involves formal records requests, court-ordered actions like search warrants or wiretaps, etc. so they can develop court admissible evidence. A whois query result is not evidence, and no one gets thrown in jail for having a dodgy domain registered in their name.

Cheers,

Rod

On Jul 19, 2016, at 3:03 PM, Mounier, Grégory <gregory.mounier at europol.europa.eu<mailto:gregory.mounier at europol.europa.eu>> wrote:

Dear all,

Here is a nice example of how WHOIS information is used to investigate unlawful activities:

http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/

Greg

________________________________
From: gnso-rds-pdp-wg-bounces at icann.org<mailto:gnso-rds-pdp-wg-bounces at icann.org> on behalf of Gomes, Chuck
Sent: 18 July 2016 20:26:34
To: 'Mark Svancarek'; 'Andrew Sullivan'; gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] An important technical consideration about nature of the service (was Re: The overflowing list )
Thanks Mark.

Chuck

-----Original Message-----
From: Mark Svancarek [mailto:marksv at microsoft.com]
Sent: Monday, July 18, 2016 1:40 PM
To: Gomes, Chuck; 'Andrew Sullivan'; gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
Subject: RE: [gnso-rds-pdp-wg] An important technical consideration about nature of the service (was Re: The overflowing list )

I'll take a stab at it.
I've also asked our IP/Brand people and digital crimes people to help me document how Microsoft uses WhoIs data today, but not ETA when that will be ready.

-----Original Message-----
From: gnso-rds-pdp-wg-bounces at icann.org<mailto:gnso-rds-pdp-wg-bounces at icann.org> [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Gomes, Chuck
Sent: Saturday, July 16, 2016 6:29 AM
To: 'Andrew Sullivan' <ajs at anvilwalrusden.com<mailto:ajs at anvilwalrusden.com>>; gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
Subject: Re: [gnso-rds-pdp-wg] An important technical consideration about nature of the service (was Re: The overflowing list )

Any volunteers to develop Andrew's suggestions into use cases?

Chuck

-----Original Message-----
From: gnso-rds-pdp-wg-bounces at icann.org<mailto:gnso-rds-pdp-wg-bounces at icann.org> [mailto:gnso-rds-pdp-wg-bounces at icann.org] On Behalf Of Andrew Sullivan
Sent: Saturday, July 16, 2016 1:00 AM
To: gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
Subject: [gnso-rds-pdp-wg] An important technical consideration about nature of the service (was Re: The overflowing list )

Thanks, Stephanie, for the quick issue list.  There's one thing that I want to draw out here so that we can keep it foremost when thinking of
issues:

On Sat, Jul 16, 2016 at 12:05:10AM -0400, Stephanie Perrin wrote:

>  * Where the RDS (whether a central database or federated or completely
>    disaggregated) resides becomes important for law enforcement access.

This "where data resides" issue is bound to vex us, no matter what kind of policy we come up with.  But it's really important to keep in mind that the different styles of system design will yield very different properties.

In the taxonomy I offered before
(https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmm.icann.org%2fpipermail%2fgnso-rds-pdp-wg%2f2016-June%2f000951.html&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=d3d1ttF1Z5Kn9M1VZ1RKPFSppMzJHpCaIKM1LHynBBQ%3d),
models I and V have a clear since answer to, "Where does the data reside?" because they have a single database backing them up.  In models II-IV, however, the answer to, "Where does the data reside?" is actually not entirely meaningful.  There are multiple places where the data are, and for data with respect to any given domain name each datum might be in a different place.  (Indeed, part of the design of RDAP is precisely to make such arrangements easier to deal with.)

It is therefore better to try to find a way, consistent with all of the various requirements documents, to answer some other questions.
I think these might be helpful in building use cases:

    1.  For any given datum, who has control of and access to the datum?

    2.  For any given datum, what are the conditions under which the
    datum ought to be accessible?

    3.  For any given set of related data, how can it be accessed?

Notice that answering (3) will provides use cases for data access, whereas (1) and (2) provide for limit conditions on how and when use cases might be apply.

I hope these framing questions are helpful in figuring out which use cases we can bring to bear on requirements.

Best regards,

A

--
Andrew Sullivan
ajs at anvilwalrusden.com<mailto:ajs at anvilwalrusden.com>
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d
_______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
*******************

DISCLAIMER : This message is sent in confidence and is only intended for the named recipient. If you receive this message by mistake, you may not use, copy, distribute or forward this message, or any part of its contents or rely upon the information contained in it.
Please notify the sender immediately by e-mail and delete the relevant e-mails from any computer. This message does not constitute a commitment by Europol unless otherwise indicated.

******************* _______________________________________________
gnso-rds-pdp-wg mailing list
gnso-rds-pdp-wg at icann.org<mailto:gnso-rds-pdp-wg at icann.org>
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160720/6eaca35c/attachment.html>

More information about the gnso-rds-pdp-wg mailing list