Dear All,
Thank you again for your participation in today’s meeting. Please find below the notes and action items. I’ll be sharing the Google Doc link to the template with you shortly. As a reminder, you can use this email address (gnso-rds-pdp-7@icann.org) for any further discussion on this topic.
Best regards,
Marika
============================
DT7 - Criminal Investigation or DNS Abuse Mitigation
Meeting 18 October 2017
1) Brief recap of DT7 goals and due date – Marika
- To enable better understanding of existing purposes for WHOIS data, small drafting teams composed of WG members with diverse points of view were chosen to define each identified purpose.
- This drafting team should discuss the tasks supported by the purpose “Criminal Investigation or DNS Abuse Mitigation,” the parties involved in this purpose, and the data often used to fulfill this purpose.
- It is hoped that fleshing out purpose definitions will improve communication and help the WG conduct informed discussion about all identified purposes before trying to reach agreement on legitimacy, etc.
- Our drafting team is asked to discuss our assigned purpose by phone and email over the next week, producing a draft purpose definition to be shared on the full WG mailing list no later than 26 October, for discussion during the WG’s F2F meetings at ICANN60.
- A substantial amount of additional use cases & circumstances could be developed for this and probably for others. Is this the objective?
2) All team members to share their level of experience with Criminal Investigation or DNS Abuse Mitigation
- Ayden Ferdeline - No experience with LE or criminal investigation. Newcomer to this purpose. Member of the NCSG, works for Internet Society.
- Dick Leaning - ex law enforcement officer (retired), Europol and Scotland Yard, deep knowledge of criminal investigation. Many different tools are used by LE to investigate cybercrime; DNS is just one of the tools. Now working for RIPE. Definition in template seems accurate.
- Marc Anderson - employed by Verisign, registry operator. No detailed knowledge in this purpose as it is handled by others at Verisign.
- Rod Rasmussen - deep subject matter expert. Involved in the EWG. Has been doing security in the private sector but also investigation, through to designing software and systems to bring in data and work with data to glean information that is put into different products.
- Raoul Plommer - a digital rights activist for 10 yrs now and the VC of NPOC. Been working for the pirate party, which is an international political movement.
Action item #1: DT members not on the call are encouraged to share their experience and review meeting notes & recording.
3) Introduce EWG's definition of this purpose, as starting point for discussion
4) Team members less familiar with this purpose to ask general questions
5) Team members more familiar with this purpose to give real-world examples of this purpose, drawn from their own experiences
- See template distributed.
- Excerpts included from EWG report. EWG went into a lot of detail and background re. the various use cases. In order to make it digestible, this was rolled up into these broader categories as included in the template. DNS is used in many cases directly or indirectly to facilitate abuse, e.g. confidence scams, child pornography. Off-line crime may also include evidence connected to emails & web-sites.
- Criminal category.
- Abuse/civil/annoying (e.g. spam) category.
- Infrastructure related like command and control, botnet. DNS is also infrastructure for illegitimate purposes.
- Unintended infrastructure - compromised domains/web-sites. Compromised registrar accounts which could result in the creation of new sub-domains.
- Range of different things that fall within these five use cases listed.
- Broad buckets from an investigation perspective: single person, group, automation (e.g. analysis tool). Starting point from which further determinations are made: is a DNS resource complicit or not in the criminal activity? From there, investigator will undertake action - e.g. reach out to someone who is compromised, reach out to registrar to delete registration if it was fraudulently registered. Then, what information can be gleaned from this info: are other registrations involved, what is the scale / scope involved.
- Automation side: reputation services - make real time decisions about connectivity. Should a user on my network be able to connect to this domain name? Need to have capability to make decision on whether to connect to another network. Same for spam - do you accept email? Consideration of domain from which it emanates will factor into that consideration.
- Consider developing a matrix that would outline the needs and what is needed and at what scale.
- Abuse contact would be helpful in these kinds of cases - what would be more efficient for the system to do going forward.
- Domain Name Generation Algorithm (DGA) - as part of running a bot-net (infected computers that talk to a central source to give them instructions). What has been developed by 'bad guys' over the last 10 years to keep infrastructure working is to create algorithms to create rendezvous domains. May or may not exist in the actual DNS but infected computers would try to connect to these domains where something could potentially happen. If that info is known, it can be used to block access to those registrations, look up domains to see who has registered those, identify potential collision, etc.
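As an added illustration (not part of the meeting notes and not any team member's work), the following Python sketches the two defender-side uses described above: the reputation-service style "should this host connect / should I accept this mail" decision, and the precomputation of rendezvous domains once a DGA is known, so they can be blocked and matched against resolver logs. The DGA here is a constructed, hypothetical toy (seed and date hashed with SHA-256), not the algorithm of any real malware family; the reputation scores, thresholds and log format are likewise constructed for the example.

```python
import hashlib
from datetime import date, timedelta

def toy_dga(seed: str, day: date, count: int = 5, tld: str = "example") -> list:
    """Constructed toy DGA (hypothetical, not any real family's algorithm).
    Derives candidate rendezvous domains from a seed and the calendar date,
    which is the general shape described in the notes: the names may or may
    not exist in the DNS, but infected hosts will try to resolve them."""
    out = []
    for i in range(count):
        material = f"{seed}:{day.isoformat()}:{i}".encode()
        label = hashlib.sha256(material).hexdigest()[:12]
        out.append(f"{label}.{tld}")
    return out

def precompute_rendezvous(seed: str, start: date, days: int, count: int = 5) -> set:
    """Defender-side precomputation: every rendezvous domain the toy DGA would
    produce over a window of days, usable for blocking and registration lookups."""
    names = set()
    for offset in range(days):
        names.update(toy_dga(seed, start + timedelta(days=offset), count))
    return names

# Constructed reputation scores (0.0 = clean, 1.0 = known bad); anything not
# listed is treated as unknown rather than as clean.
REPUTATION = {
    "shop.example": 0.05,
    "spamcannon.example": 0.95,
}

def connection_decision(domain: str, dga_set: set, reputation: dict,
                        block_threshold: float = 0.8) -> str:
    """Real-time connect / accept-mail decision for one domain name."""
    domain = domain.lower().rstrip(".")
    if domain in dga_set:
        return "block"          # matches a precomputed rendezvous domain
    score = reputation.get(domain)
    if score is None:
        return "review"         # unknown domain: hold for analyst / further lookup
    return "block" if score >= block_threshold else "allow"

def scan_query_log(lines, dga_set) -> list:
    """Flag resolver log lines (constructed format: 'timestamp client qname')
    whose queried name is one of the precomputed rendezvous domains; the
    client address is what an investigator would use for victim outreach."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname in dga_set:
            hits.append((client, qname))
    return hits

WINDOW_START = date(2017, 10, 18)
RENDEZVOUS = precompute_rendezvous("demo-seed", WINDOW_START, days=3)
TODAY_DOMAINS = toy_dga("demo-seed", WINDOW_START)

# Constructed query log: host 10.0.0.9 hits two rendezvous domains, the others
# perform ordinary lookups.
SAMPLE_LOG = [
    "2017-10-18T10:00:01 10.0.0.5 shop.example.",
    f"2017-10-18T10:00:02 10.0.0.9 {TODAY_DOMAINS[0]}.",
    f"2017-10-18T10:00:03 10.0.0.9 {TODAY_DOMAINS[1]}",
    "2017-10-18T10:00:04 10.0.0.7 spamcannon.example",
]

if __name__ == "__main__":
    for client, qname in scan_query_log(SAMPLE_LOG, RENDEZVOUS):
        print(f"{client} queried rendezvous domain {qname}")
    for d in ("shop.example", "spamcannon.example", TODAY_DOMAINS[2], "unknown.example"):
        print(d, "->", connection_decision(d, RENDEZVOUS, REPUTATION))
```

The point of the split between `precompute_rendezvous` and `scan_query_log` is that the expensive part (running the algorithm forward over a window of dates) happens once, while the per-query check is a set lookup, which is what makes the real-time connectivity decision in the notes feasible at scale; the same precomputed set is what an investigator would feed into WHOIS or registry lookups to see which of the candidate names are actually registered and by whom.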
- How are criminal investigations and abuse investigations typically started? From the OpsSec side, it often starts with reports of spam. Even where someone is reporting to a brand (phishing), or download of virus. Typically come in from victims or potential victims. Reverse engineering may show domain name. DDOS - domain name may be used to fire ammunition and bring down service. Scams - fake businesses set up for job recruiting or escrow services. Fairly similar for LE - any crime you can think of happening in the real world happens in the online world, and it requires a domain name. That is why it is so important to have info on who has which domain name.
- If there would be no WHOIS, how would an investigation take place? Would require going to the registrar or registry directly. Same applies currently for IP addresses. Could also go to hosting provider - whoever is providing the service. In some cases it may not matter who owns the domain name registration, but it is a starting point. Most useful in the compromised domain name registration case, as direct outreach can be done to the victim. Knowing that certain domain name registrations are owned by the same entity is also valuable information.
- The other important bit, which is sometimes overlooked, is that a potential customer can look up the WHOIS and make an informed decision on whether they want to hand their money over to them.
6) Divvy up drafting and agree upon plan to flesh out template by 26 October
- Who needs what data for which purpose? May need to modify the template to ensure all that info is covered.
- In terms of user types, try to include more granularity. Private entities do not have the same status as LE. There may be overlap, but it is important to distinguish between the two.
Action item #2: Staff to post template as a Google Doc
Action item #3: Rod to take a first stab at adding to the template and add matrix as outlined during the call
Action item #4: Staff to circulate doodle poll with objective to find a possible meeting time/date either next Monday or Tuesday, recognising that availability may be limited.
Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email:
marika.konings@icann.org
Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses and visiting the GNSO Newcomer pages.