[gnso-rds-pdp-wg] @EXT WHOIS info and investigation

Wed Jul 20 19:35:22 UTC 2016

I would like to weigh in here and recommend, because we all have so much
extra time, that you take a few minutes to read the following article
 (there are many others) and Wikipedia bio related to Paul LeRoux,
specifically, please read Section 3, RX Limited in the Wikipedia bio. It is
important to point out that Paul LeRoux's company, ABSystems was an ICANN
accredited registrar. Not only was he running one of the largest Internet
pharmacy networks, he was the SPAM king and responsible for much (not all)
of the Internet pharmacy spam everyone has likely received at some point in
time. It is also important to point out that -- there are others!

<https://news.vice.com/article/paul-le-roux-joseph-hunter-rambo-the-dea-meth-and-cocaine>
(
https://news.vice.com/article/paul-e-roux-joseph-hunter-rambo-the-dea-meth-and-cocaine
)
<https://en.wikipedia.org/wiki/Paul_Le_Roux>(
https://en.wikipedia.org/wiki/Paul-Le_Roux)

Background: This DEA case began with the investigation of LeRoux's online
pharmacy business (I worked at DEA for 16-1/2 years, ten of which I spent
working in the Internet pharmacy investigations section). The RX Limited
network was comprised of approximately 25,000 domain names, and this
investigation, as well as all Internet pharmacy investigations, begin with
collecting WHOIS and DNS information for the domain names. Typically there
are several individuals and organizations involved in the operation of an
online pharmacy network, and typically there are hundreds of domain names
affiliated with the network. WHOIS information is critical to the
investigation, and is utilized to map out the network and identify domain
name ownership. Even if bogus WHOIS information is utilized, it is still
pertinent -- perhaps the same bogus information is given for more than one
domain name. We then know that those domain names with the same bogus
information are likely part of the same network.

Over the years, there have been several requests from ICANN and registrars
for LE to provide case examples. I cannot tell you the number of times I
wish I were able to talk about this particular case. The reality is that
talking about ongoing investigations, and even certain aspects of closed
investigations is forbidden. There is a trust factor that must be
considered here -- we are not making this stuff up -- it's real, and there
is very dangerous criminal activity happening facilitated via the Internet,
and whatever we need to do to curb this activity should be the goal of any
upstanding, moral, law-abiding individual (organization).

I do not claim to have all the answers here, nor how we get to where we
need to be, but I firmly believe that open, unrestricted access to WHOIS
information that includes no fewer data points than what is currently
available, is absolutely critical.

On Wed, Jul 20, 2016 at 12:04 AM, Mark Svancarek via gnso-rds-pdp-wg <
gnso-rds-pdp-wg at icann.org> wrote:

> Here’s one that was used during a criminal investigation though it was
> found by non-law-enforcement people.
>
>
> http://thinkprogress.org/justice/2015/06/20/3672201/alleged-dylann-roof-racist-manifesto-revealed/
>
>
>
>
>
> *From:* Rod Rasmussen [mailto:rrasmussen at infoblox.com]
> *Sent:* Tuesday, July 19, 2016 5:25 PM
> *To:* Mounier, Grégory <gregory.mounier at europol.europa.eu>
> *Cc:* Chuck Gomes <cgomes at verisign.com>; Mark Svancarek <
> marksv at microsoft.com>; Andrew Sullivan <ajs at anvilwalrusden.com>;
> gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] @EXT WHOIS info and investigation
>
>
>
> Krebs is always a great read - really knows his stuff technically and as a
> journalist.  If you liked this, check out his book Spam Nation for a whole
> history of this and some of the main actors behind it throughout most of
> the last ten years.
>
>
>
> This is a fairly typical OSINT (Open Source Intelligence) type of
> investigation.  You’d think criminal “masterminds” wouldn’t use horrible
> operational security practices like using their same personal information
> on social media accounts, malicious and personal domain registrations,
> embedded in malcode, or in e-mails.  Yet they do every day and this is a
> major source of cybersecurity professionals being able to track down all
> manner of undesirable Internet activities from services abuse to flat-out
> illegal acts in most if not all jurisdictions.
>
>
>
> A couple of additional things to note.
>
>
>
> 1) Law enforcement had nothing to do with this particular
> story/investigation.  This is true for most cybersecurity operational
> activity and investigations - it’s largely a private-sector affair with
> security companies of various flavors looking at the malware, spam,
> malvertizing, etc. that crosses their paths.  From that starting point they
> try to figure out things like what else is tied to it (so I can block or
> kill it), or “who’s doing this”, or “what are they really up to?”
>
>
>
> 2) There are a lot of “established” service providers around the world
> that have heavy levels of abuse on them over a very long time.  It is
> really hard at times to separate “bad guys” from “incompetent” or
> “uncaring" operators.  Collection of data like this can lead to connections
> between various activities that can put a much better color on their hats.
>
>
>
> 3) To then bring charges that could actually affect a subject’s life
> though, any and all of this kind of research is merely a starting point
> that the police then use to inform a much more traditional investigation
> that involves formal records requests, court-ordered actions like search
> warrants or wiretaps, etc. so they can develop court admissible evidence. A
> whois query result is not evidence, and no one gets thrown in jail for
> having a dodgy domain registered in their name.
>
>
>
> Cheers,
>
>
>
> Rod
>
>
>
> On Jul 19, 2016, at 3:03 PM, Mounier, Grégory <
> gregory.mounier at europol.europa.eu> wrote:
>
>
>
> Dear all,
>
> Here is a nice example of how WHOIS information is used to investigate
> unlawful activities:
>
>
> http://krebsonsecurity.com/2016/07/carbanak-gang-tied-to-russian-security-firm/
>
> Greg
>
>
> ------------------------------
>
> *From:* gnso-rds-pdp-wg-bounces at icann.org on behalf of Gomes, Chuck
> *Sent:* 18 July 2016 20:26:34
> *To:* 'Mark Svancarek'; 'Andrew Sullivan'; gnso-rds-pdp-wg at icann.org
> *Subject:* Re: [gnso-rds-pdp-wg] An important technical consideration
> about nature of the service (was Re: The overflowing list )
>
> Thanks Mark.
>
> Chuck
>
> -----Original Message-----
> From: Mark Svancarek [mailto:marksv at microsoft.com <marksv at microsoft.com>]
> Sent: Monday, July 18, 2016 1:40 PM
> To: Gomes, Chuck; 'Andrew Sullivan'; gnso-rds-pdp-wg at icann.org
> Subject: RE: [gnso-rds-pdp-wg] An important technical consideration about
> nature of the service (was Re: The overflowing list )
>
> I'll take a stab at it.
> I've also asked our IP/Brand people and digital crimes people to help me
> document how Microsoft uses WhoIs data today, but not ETA when that will be
> ready.
>
> -----Original Message-----
> From: gnso-rds-pdp-wg-bounces at icann.org [
> mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] On Behalf Of Gomes, Chuck
> Sent: Saturday, July 16, 2016 6:29 AM
> To: 'Andrew Sullivan' <ajs at anvilwalrusden.com>; gnso-rds-pdp-wg at icann.org
> Subject: Re: [gnso-rds-pdp-wg] An important technical consideration about
> nature of the service (was Re: The overflowing list )
>
> Any volunteers to develop Andrew's suggestions into use cases?
>
> Chuck
>
> -----Original Message-----
> From: gnso-rds-pdp-wg-bounces at icann.org [
> mailto:gnso-rds-pdp-wg-bounces at icann.org
> <gnso-rds-pdp-wg-bounces at icann.org>] On Behalf Of Andrew Sullivan
> Sent: Saturday, July 16, 2016 1:00 AM
> To: gnso-rds-pdp-wg at icann.org
> Subject: [gnso-rds-pdp-wg] An important technical consideration about
> nature of the service (was Re: The overflowing list )
>
> Thanks, Stephanie, for the quick issue list.  There's one thing that I
> want to draw out here so that we can keep it foremost when thinking of
> issues:
>
> On Sat, Jul 16, 2016 at 12:05:10AM -0400, Stephanie Perrin wrote:
>
> >  * Where the RDS (whether a central database or federated or completely
> >    disaggregated) resides becomes important for law enforcement access.
>
> This "where data resides" issue is bound to vex us, no matter what kind of
> policy we come up with.  But it's really important to keep in mind that the
> different styles of system design will yield very different properties.
>
> In the taxonomy I offered before
> (
> https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fmm.icann.org%2fpipermail%2fgnso-rds-pdp-wg%2f2016-June%2f000951.html&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=d3d1ttF1Z5Kn9M1VZ1RKPFSppMzJHpCaIKM1LHynBBQ%3d
> ),
> models I and V have a clear since answer to, "Where does the data reside?"
> because they have a single database backing them up.  In models II-IV,
> however, the answer to, "Where does the data reside?" is actually not
> entirely meaningful.  There are multiple places where the data are, and for
> data with respect to any given domain name each datum might be in a
> different place.  (Indeed, part of the design of RDAP is precisely to make
> such arrangements easier to deal with.)
>
> It is therefore better to try to find a way, consistent with all of the
> various requirements documents, to answer some other questions.
> I think these might be helpful in building use cases:
>
>     1.  For any given datum, who has control of and access to the datum?
>
>     2.  For any given datum, what are the conditions under which the
>     datum ought to be accessible?
>
>     3.  For any given set of related data, how can it be accessed?
>
> Notice that answering (3) will provides use cases for data access, whereas
> (1) and (2) provide for limit conditions on how and when use cases might be
> apply.
>
> I hope these framing questions are helpful in figuring out which use cases
> we can bring to bear on requirements.
>
> Best regards,
>
> A
>
> --
> Andrew Sullivan
> ajs at anvilwalrusden.com
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
>
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
>
> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fmm.icann.org%2fmailman%2flistinfo%2fgnso-rds-pdp-wg&data=01%7c01%7cmarksv%40microsoft.com%7c1ec700f7dd804a931a7008d3ad7d39a5%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=3UHPWnRvJ10WShDEPFQ8Ymkb8KFChrH%2f7ODoElAYbfQ%3d
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
> *******************
>
> DISCLAIMER : This message is sent in confidence and is only intended for
> the named recipient. If you receive this message by mistake, you may not
> use, copy, distribute or forward this message, or any part of its contents
> or rely upon the information contained in it.
> Please notify the sender immediately by e-mail and delete the relevant
> e-mails from any computer. This message does not constitute a commitment by
> Europol unless otherwise indicated.
>
> ******************* _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>
>
>
> _______________________________________________
> gnso-rds-pdp-wg mailing list
> gnso-rds-pdp-wg at icann.org
> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-wg
>

-- 
*Terri Stumme*
*Investigative Analyst*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/gnso-rds-pdp-wg/attachments/20160720/008f1a08/attachment.html>