[UA-discuss] UASG Response to WordFence IDN Phishing concerns

Andrew Sullivan ajs at anvilwalrusden.com
Thu Apr 27 13:21:36 UTC 2017


FWIW, I think the redline is now a little too long.

On Wed, Apr 26, 2017 at 03:20:02PM -0700, Jothan Frakes wrote:
> To Lars' point, let's focus on the article and getting it out.
> 
> One of the things that will hurt our efforts in UA is ignoring market
> impacts of scaring people inappropriately or discouraging them from support
> or use of IDN.
> 
> We could benefit from a stronger message that matches more of what Edmon
> and Rod have identified with respect to the molecule-sized scale of the
> issue.  Using real statistical data from trusted sources, if we can
> indicate that this issue does exist but is quite small in scale, and
> contrast it to other phishing techniques that are prevalent in non-IDN, we
> can hopefully reduce the fear appropriately.
> 
> I am not suggesting we tell people to ignore the homograph confusability
> potential, but rather to put the matter into an appropriate contextual
> scale and not be used as a justification not to explore reaching a wider,
> global audience with IDN, where they might be hobbling growth of their
> goods or services having wider international consumers.
> 
> See if my redline helps - and treat it like a buffet - just put the stuff
> on your tray that works for you...
> 
> -Jothan
> 
> Jothan Frakes
> Tel: +1.206-355-0230
> 
> 
> On Wed, Apr 26, 2017 at 11:47 AM, <icann at rodrasmussen.com> wrote:
> 
> > Resending from my mailing list “approved” address.
> >
> > ===============================
> >
> > Edmon,
> >
> > Greg Aaron and I will be publishing a long-overdue catch-up on these APWG
> > studies within the next couple weeks.  In it we will cover 2015 and 2016.
> > In it we will cover the fact that the described homograph attack problem is
> > virtually non-existent in real-world phishing attacks.  In all of 2015, the
> > various organizations contributing data to the APWG saw ONE true
> > homographic attack, and in 2016, TWO.  There were other uses of IDNs and
> > mixed scripts that we’ll discuss, but there were just a handful.  Phishers
> > don’t need to mount homographic attacks to be successful, and I’d say that
> > most of them don’t have the skills and/or motivation to do so.  Ironically,
> > the “buzz” about it that this article and coverage has created may actually
> > get a few bad guys interested in exploring the concept. :-(  That said,
> > just like any other vulnerability or exploit that has low use but high
> > potential for harm, being prudent about putting measures in place to limit
> > risk and building understanding of those risks are still well worth
> > pursuing, but this certainly isn’t an emergency that needs the
> > “overheating” Andrei so appropriately mentioned.  I’ll send a link to the
> > paper once we get it published via the APWG.
> >
> > Cheers,
> >
> > Rod
> >
> > On Apr 26, 2017, at 5:07 AM, Edmon Chung <edmon at registry.asia> wrote:
> >
> > Should consider including reference to:
> >
> > https://www.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2010.pdf
> > Only 10 of the 42,624 domain names we studied were IDNs, and only one was
> > a homographic attack.
> >
> > https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2013.pdf
> > Eighty-two of the 82,163 domain names were internationalized domain names
> > (IDNs), and none were homographic attacks.
> >
> > https://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf
> > Seventy-eight of the 53,685 domain names were internationalized domain
> > names (IDNs), and three of them were homographic attacks.
> >
> > And this is certainly not a new issue:
> >
> > https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&
> > cd=2&cad=rja&uact=8&ved=0ahUKEwjwwqzBhcLTAhWIVbwKHShHA
> > 9kQFggtMAE&url=https%3A%2F%2Fwww.symantec.com%2Fcontent%
> > 2Fdam%2Fsymantec%2Fdocs%2Fsecurity-center%2Farchives%
> > 2Fintelligence-quarterly-oct-09-en.pdf&usg=AFQjCNGu8162_
> > PXXqnhfHjAQfSUAqYaEXw
> >
> >
> > www.symantec.com/content/en/us/enterprise/other_resources/
> > b-intelligence_report_08-2011.en-us.pdf
> >
> > Edmon
> >
> >
> >
> > *From:* ua-discuss-bounces at icann.org [mailto:ua-discuss-bounces at icann.org
> > <ua-discuss-bounces at icann.org>] *On Behalf Of *Lars Steffen
> > *Sent:* Wednesday, 26 April 2017 18:15 PM
> > *To:* Andrei Kolesnikov <andrei at rol.ru>; Don Hollander <
> > don.hollander at icann.org>
> > *Cc:* Dr. AJAY D A T A <ajay at data.in>; tan tanakadennis via ua-discuss <
> > ua-discuss at icann.org>
> > *Subject:* Re: [UA-discuss] UASG Response to WordFence IDN Phishing
> > concerns
> >
> > Hi all,
> > A general reply to this thread: Can we agree on the current version of the
> > blog post to be published asap before we continue the discussion…?
> > Thank you,
> > Lars
> >
> > *From:* ua-discuss-bounces at icann.org [mailto:ua-discuss-bounces at icann.org
> > <ua-discuss-bounces at icann.org>] *On Behalf Of *Andrei Kolesnikov
> > *Sent:* Wednesday, 26 April 2017 12:06
> > *To:* Don Hollander <don.hollander at icann.org>
> > *Cc:* Dr. AJAY D A T A <ajay at data.in>; tan tanakadennis via ua-discuss <
> > ua-discuss at icann.org>
> > *Subject:* Re: [UA-discuss] UASG Response to WordFence IDN Phishing
> > concerns
> >
> > Dusan gave us a great overview of different ccTLDs over which ICANN has
> > very little control. However, most of the cc registries carry out the
> > mitigation process to bring down malicious domain names used explicitly
> > for bad purposes.
> >
> > I definitely don't support overheating the problem. If the cross-script
> > attack reaches the level of Kaminsky attack hysteria, we are in deep
> > trouble :)
> > --andrei
> >
> > 2017-04-26 12:50 GMT+03:00 Don Hollander <don.hollander at icann.org>:
> >
> > I would expect a fair number of ccTLDs where it could be an issue as well.
> >
> > Andrei:  What about ccTLDs in other Cyrillic script communities?  Have
> > they taken the same precautions as .ru?
> >
> >
> > D
> >
> >
> > On 26/04/2017, at 9:40 PM, Dr. AJAY D A T A <ajay at data.in> wrote:
> >
> > Exactly, Andrei. Thank you for confirming the same.
> >
> > I also confirmed with the .pyc registry (we enabled EAI on почта.рус), and
> > they are not allowed (as per agreement) to use any script other than
> > Cyrillic.
> >
> >
> > So basically it looks like a .com problem. Any examples other than
> > .com?  It narrows down the problem to solve.
> >
> > Thanks.
> > *Dr. Ajay DATA* * | Founder & CEO *
> > Get email id like *अजय@डाटा.भारत
> > <%E0%A4%85%E0%A4%9C%E0%A4%AF at xn--c2bd1gb.xn--h2brj9c>* in your own
> > language,
> > visit www.xgenplus.com
> >
> > ------------------------------
> >
> > *From:* Andrei Kolesnikov <andrei at rol.ru>  MailId : [68484721]
> > *To:* Don Hollander <don.hollander at icann.org>
> > *Cc:* "Dr. AJAY D A T A" <ajay at data.in>,tan tanakadennis via ua-discuss <
> > ua-discuss at icann.org>
> > *Subject: *Re: [UA-discuss] UASG Response to WordFence IDN Phishing
> > concerns
> > *Date:* 26 Apr 2017 02:16:05 PM
> > Don,
> > there is no such thing as IDN at .RU - only ASCII is allowed - we understood
> > the problem a long time ago due to the similarity of many Cyrillic letters
> > with Latin.
> >
> > In IDN .РФ in Russia only Cyrillic is allowed.
> > This definitely must be the rule for registries. Or some kind of immediate
> > mitigation service to bring down dangerous domains.
> > --andrei
> >
> > 2017-04-26 11:34 GMT+03:00 Don Hollander <don.hollander at icann.org>:
> >
> > Hi Andrei:
> >
> > What about at the ccTLD?  idn.ru?   Does .ru also allow ASCII?
> >
> > Does the .ru registry, for example, do anything to address homoglyphs
> > between ASCII and Cyrillic?
> >
> > D
> >
> >
> > On 26/04/2017, at 8:30 PM, Andrei Kolesnikov <andrei at rol.ru> wrote:
> >
> > Most use of idn.ascii gTLD, as far as I know, is .com, for example
> > http://путин.com/ [xn--h1akeme.com]
> >
> > Basically most of the confusing cases discussed above are from .com
> > --andrei
> >
> > 2017-04-26 10:35 GMT+03:00 Dr. AJAY D A T A <ajay at data.in>:
> >
> > Hello Don,
> >
> > Which registries are allowed to register mixed-script domains while
> > registering an IDN? I checked .pyc (Cyrillic) and .भारत (Devanagari); they
> > do not allow a mix of scripts.  I think if we address those registries
> > through ICANN by modifying the registry agreement, the major problem can
> > be solved.
> >
> > Thanks.
> >
> > *Dr. Ajay DATA* * | Founder & CEO *
> > Get email id like *अजय@डाटा.भारत
> > <%E0%A4%85%E0%A4%9C%E0%A4%AF at xn--c2bd1gb.xn--h2brj9c>* in your own
> > language,
> > visit www.xgenplus.com
> >
> >
> > ------------------------------
> > *From:* "Tan Tanaka,Dennis via UA-discuss" <ua-discuss at icann.org>  MailId
> > : [68456683]
> > *To:* Don Hollander <don.hollander at icann.org>,"ua-discuss at icann.org" <
> > ua-discuss at icann.org>
> > *Subject: *Re: [UA-discuss] UASG Response to WordFence IDN Phishing
> > concerns
> > *Date:* 25 Apr 2017 06:28:22 PM
> >
> > Don, my comments enclosed
> >
> > Thanks
> > -Dennis
> >
> > *From: *<ua-discuss-bounces at icann.org> on behalf of Don Hollander <
> > don.hollander at icann.org>
> > *Date: *Monday, April 24, 2017 at 5:40 PM
> > *To: *"UA-discuss at icann.org" <ua-discuss at icann.org>
> > *Subject: *[EXTERNAL] [UA-discuss] UASG Response to WordFence IDN
> > Phishing concerns
> >
> > Further to recent discussion on this list, we have drafted a document that
> > we plan on posting as a Blog Post to the UASG Web site that can be
> > referenced by others.
> >
> > We want to get feedback from the community on this document by Thursday
> > UTC.
> >
> > So, here it is – pasted below and as a word document in case you want to
> > enable tracking and make amendments.   If you have comments or suggestions,
> > please share them to this group.
> >
> > Don
> >
> >
> >
> > *IDNs and Phishing: What You Need to Know*
> > By TBD at UASG
> >
> > Internationalized Domain Names
> > <https://www.icann.org/resources/pages/idn-2012-02-25-en> (IDNs) are
> > growing in popularity, a testament to their role in the
> > expansion of the global Internet and the value they provide in connecting
> > non-English speakers to the Web. However, you may have noticed a renewed
> > focus over the past week on a script-mixing technique that phishing
> > scammers could potentially use to trick Internet users into visiting
> > malicious websites. This phishing method takes advantage of the fact that
> > characters from various languages and scripts are sometimes visually
> > similar to each other. For example, the Cyrillic “а” and the
> > ASCII <https://en.wikipedia.org/wiki/ASCII> “a” look virtually identical.
> > This technique is known as a homograph attack.
> >
> > Homographic phishing efforts associated with IDNs are not new. In fact,
> > they date back to the early 2000s. Registries have since implemented
> > policies that preclude mixing scripts[1] within a domain name label.
> >
> > While this issue should be taken seriously and serves as an important
> > reminder of consumer safety, various IDN and anti-abuse groups are actively
> > working to mitigate potential threats, and there are already certain
> > browser-set protections in place. In the meantime, Internet users should
> > practice the same basic security hygiene that is always recommended: avoid
> > clicking suspicious links, and use a good password manager that will only
> > enter login credentials on trusted sites.
> >
> > Equally important is to recognize the benefits of IDNs and avoid disabling
> > them, which could lead to an unpredictable user experience and eventually a
> > decrease in adoption. IDNs are essential in bringing non-English speakers –
> > the majority of the world’s population – online, and allowing those users
> > to create their own highly relevant online identities as well as navigate
> > the Internet in their native languages. In addition to the social and
> > cultural benefits of IDNs, they also represent a significant economic
> > opportunity; a recent report <https://uasg.tech/whitepaper/>
> > commissioned by the Universal Acceptance Steering Group (UASG) found that
> > online spending from new IDN users could start at USD 6.2 billion per year.
> >
> >
> > The UASG’s mission is to help software developers and website owners keep
> > pace with the evolving Domain Name System (DNS) – and this includes issues
> > around the adoption and acceptance of IDNs. If you’d like to get involved
> > in helping work toward a solution to this and other IDN-related issues,
> > please visit https://uasg.tech/ or get in touch
> > <https://uasg.tech/contact/> to learn more.
> >
> >
> >
> > ------------------------------
> >
> > ------------------------------
> >
> > [1] Exceptions are practiced for languages with established orthographies
> > and conventions that require the commingled use of multiple scripts, e.g.
> > the Japanese writing system.
> >
> > --
> > Andrey Kolesnikov
> > RIPN.NET <http://RIPN.NET>
> >
> >
> >
> > Don Hollander
> > Universal Acceptance Steering Group
> > Skype: don_hollander



-- 
Andrew Sullivan
ajs at anvilwalrusden.com
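
Added example, not part of the original thread and not UASG or registry code: a per-label mixed-script check of the kind the registry policies discussed in the thread enforce, including the Japanese exception from footnote [1] of the draft. Reading the script from the first word of each character's Unicode name is a standard-library approximation, and the function names and the allowed-combination set are assumptions.

```python
import unicodedata

# Assumption: scripts allowed together because one writing system needs
# them (footnote [1] of the draft names Japanese as the example).
ALLOWED_COMBINATIONS = [frozenset({"CJK", "HIRAGANA", "KATAKANA"})]


def to_unicode_label(label):
    """Decode an A-label (xn--...) to Unicode; other labels pass through."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in_label(label):
    """Approximate the scripts used in one label.

    The first word of a character's Unicode name stands in for its Script
    property, which the standard library does not expose.
    """
    scripts = set()
    for ch in to_unicode_label(label):
        if ch in "0123456789-":
            continue  # ASCII digits and hyphen are common to all scripts
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(label):
    """True if the label mixes scripts outside an allowed combination."""
    scripts = scripts_in_label(label)
    if len(scripts) <= 1:
        return False
    return not any(scripts <= ok for ok in ALLOWED_COMBINATIONS)


def check_domain(domain):
    """Map each mixed-script label of a domain to its sorted script list."""
    return {
        label: sorted(scripts_in_label(label))
        for label in domain.split(".")
        if is_mixed_script(label)
    }


if __name__ == "__main__":
    # Constructed samples: a Latin label containing Cyrillic "а" (U+0430),
    # the all-Cyrillic A-label quoted in the thread, and a Japanese label.
    for name in ("ex\u0430mple.com", "xn--h1akeme.com", "日本語のドメイン.jp"):
        print(name, "->", check_domain(name) or "no mixed-script label")
```

The all-Cyrillic label xn--h1akeme passes because the check works per label, as the registry policies in the thread do; a single-script label that resembles a label in another script needs a separate confusables comparison.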

