[Accred-Model] Letter to ICANN from RiskIQ

trachtenbergm at gtlaw.com trachtenbergm at gtlaw.com
Mon Apr 23 04:36:05 UTC 2018


Rubens,


Those can be used to do some correlations, but other factors such as name servers, IP address and target URL (if hiding in a redirection chain) are useful as well.


Name server and IP address are often not useful, especially with email-based attacks, which are the majority of attacks now, because the bad guys use the registrar's nameservers and a third-party mail server. In other words, it doesn't tell us anything to see that the domain has Microsoft or Google or major registrar MX records and IP addresses. Similarly, there is no target URL since the attack is not content based.


A registrar has access to registration data and can act based on that. So, if someone detects that example.example is a security threat, it can raise that issue with the registrar and that registrar can correlate to other domains registered by the same wrong-doer. There is no secret sauce, and this happens in large amounts every day.


No offense to my registrar friends, but they are generally not going to do this kind of investigation and definitely not en masse as would be required if there is no registrant name and email. Basically, you would be shifting the investigation burden to the registrars. Why don't you ask them what they think of that idea and whether it is likely to happen? And that is just the major registrars - the smaller ones generally won't even investigate and say they have no duty to.


Both investigating and enforcing can be done by registrars or thick registries (if they continue to exist after GDPR). Detecting can be done both by registrars and by 3rd parties, and in my experience the best results come from all doing it: we run some pattern detection filters on the stream of new registrations and get threat feeds from the "usual suspects" (OpenPhish, PhishTank, ShadowServer etc.).


See above - not going to happen.


The interim time was between 27 April 2016, when GDPR passed, and 24 May 2018, the last day before its enforcement. Interim stops there, as some DPAs said:

https://iapp.org/news/a/dpas-to-pros-theres-no-grace-period-folks/


Funny but I'm talking about ICANN's interim solution before their final one.


EDPB, known before May 25 as WP29. "The role of the EDPB will be to ensure the consistency of the application of the GDPR throughout the Union, through guidelines, opinions and decisions."

Yes - But they won't give specific guidance before May 25. That much is clear.

Best Regards,

Marc H. Trachtenberg
Shareholder
Greenberg Traurig, LLP
77 West Wacker Drive
Chicago, IL 60601
Office (312) 456-1020
Mobile (773) 677-3305

On Apr 22, 2018, at 5:16 PM, Rubens Kuhl <rubensk at nic.br> wrote:

EDPB, known before May 25 as WP29. "The role of the EDPB will be to ensure the consistency of the application of the GDPR throughout the Union, through guidelines, opinions and decisions."
