Notes & action items from today's meeting
Dear All,

Thank you again for participation in today's meeting. Please find below the notes and action items. I'll be sharing with you shortly the google doc link to the template. As a reminder, you can use this email address (gnso-rds-pdp-7@icann.org) for any further discussion on this topic.

Best regards,

Marika

============================

DT7 - Criminal Investigation or DNS Abuse Mitigation Meeting 18 October 2017

1) Brief recap of DT7 goals and due date – Marika
* To enable better understanding of existing purposes for WHOIS data, small drafting teams composed of WG members with diverse points of view were chosen to define each identified purpose.
* This drafting team should discuss the tasks supported by the purpose "Criminal Investigation or DNS Abuse Mitigation," the parties involved in this purpose, and the data often used to fulfill this purpose.
* It is hoped that fleshing out purpose definitions will improve communication and help the WG conduct informed discussion about all identified purposes before trying to reach agreement on legitimacy, etc.
* Our drafting team is asked to discuss our assigned purpose by phone and email over the next week, producing a draft purpose definition to be shared on the full WG mailing list no later than 26 October, for discussion during the WG's F2F meetings at ICANN60.
* A substantial amount of additional use cases & circumstances could be developed for this and probably for others. Is this the objective?

2) All team members to share their level of experience with Criminal Investigation or DNS Abuse Mitigation
* Ayden Ferdeline - No experience with LE or criminal investigation. Newcomer to this purpose. Member of the NCSG, works for Internet Society.
* Dic Leaning - ex law enforcement officer (retired), Europol and Scotland Yard, deep knowledge of criminal investigation. Many different tools are used by LE to investigate cybercrime; DNS is just one of the tools. Now working for RIPE. Definition in template seems accurate.
* Marc Anderson - employed by Verisign, registry operator. No detailed knowledge in this purpose as it is handled by others at Verisign.
* Rod Rasmussen - deep subject matter expert. Involved in the EWG. Has been doing security in the private sector but also investigation, through to designing software and systems to bring in data and work with data to glean information that is put into different products.
* Raoul Plommer - a digital rights activist for 10 yrs now and the VC of NPOC. Been working for the Pirate Party, which is an international political movement.

Action item #1: DT members not on the call are encouraged to share their experience and review meeting notes & recording.

3) Introduce EWG's definition of this purpose, as starting point for discussion
4) Team members less familiar with this purpose to ask general questions
5) Team members more familiar with this purpose to give real-world examples of this purpose, drawn from their own experiences
* See template distributed.
* Excerpts included from EWG report. EWG went into a lot of detail and background re. the various use cases. In order to make it digestible, this was rolled up into the broader categories included in the template. DNS is used in many cases directly or indirectly to facilitate abuse, e.g. confidence scams, child pornography. Off-line crime may also include evidence connected to emails & web-sites. Criminal category.
* Abuse/civil/annoying (e.g. spam) category.
* Infrastructure related, like command and control, botnet. DNS is also infrastructure for illegitimate purposes.
* Unintended infrastructure - compromised domains/web-sites. Compromised registrar accounts, which could result in the creation of new sub-domains.
* Range of different things that fall within these five use cases listed.
* Broad buckets from an investigation perspective: single person, group, automation (e.g. analysis tool). Starting point from which further determinations are made: is a DNS resource complicit or not in the criminal activity? From there, the investigator will undertake action - e.g. reach out to someone who is compromised, reach out to the registrar to delete the registration if it was fraudulently registered. Then, what information can be gleaned from this: are other registrations involved, what is the scale / scope involved?
* Automation side: reputation services - make real-time decisions about connectivity. Should a user on my network be able to connect to this domain name? Need to have the capability to make a decision on whether to connect to another network. Same for spam - do you accept email? Consideration of the domain from which it emanates will factor into that decision.
* Consider developing a matrix that would outline the needs and what is needed and at what scale.
* Abuse contact would be helpful in these kinds of cases - what would be more efficient for the system to do going forward.
* Domain Name Generation Algorithm (DGA) - as part of running a botnet (infected computers that talk to a central source to give them instructions). What has been developed by 'bad guys' over the last 10 years to keep infrastructure working is to create algorithms to create rendezvous domains. These may or may not exist in the actual DNS, but infected computers would try to connect to these domains, where something could potentially happen. If that info is known, it can be used to block access to those registrations, look up domains to see who has registered those, identify potential collision, etc.
* How are criminal investigations and abuse investigations typically started? From the OpsSec side, it often starts with reports of spam. Even where someone is reporting to a brand (phishing), or a download of a virus. Typically these come in from victims or potential victims. Reverse engineering may show the domain name. DDoS - a domain name may be used to fire ammunition and bring down a service. Scams - fake businesses set up for job recruiting or escrow services. Fairly similar for LE - any crime you can think of happening in the real world happens in the online world, and it requires a domain name. That is why it is so important to have info on who has which domain name.
* If there were no WHOIS, how would an investigation take place? It would require going to the registrar or registry directly. The same applies currently for IP addresses. Could also go to the hosting provider - whoever is providing the service. In some cases it may not matter who owns the domain name registration, but it is a starting point. Most useful in the compromised domain name registration case, as direct outreach can be done to the victim. Knowing that certain domain name registrations are owned by the same entity is also valuable information.
* The other important bit which is sometimes overlooked is that a potential customer can look up the WHOIS and make an informed decision on whether they want to hand their money over to them.

6) Divvy up drafting and agree upon plan to flesh out template by 26 October
* Who needs what data for which purpose? May need to modify the template to ensure all that info is covered.
* In terms of user types, try to include more granularity. Private entities do not have the same status as LE. There may be overlap, but it is important to distinguish between the two.

Action item #2: Staff to post template as a google doc
Action item #3: Rod to take a first stab at adding to the template and add matrix as outlined during the call
Action item #4: Staff to circulate doodle poll with objective to find a possible meeting time/date either next Monday or Tuesday, recognising that availability may be limited.

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings@icann.org
Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses <http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages <http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-e...>.
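Two of the automated checks the notes above describe, worked through as an added example (example code written for this page, not the drafting team's, the EWG's or ICANN's): pre-computing a botnet's DGA rendezvous names so lookups for them can be blocked whether or not the names are registered, and pivoting from one abusive domain over registration data to see whether other registrations are involved and at what scale. The generator is a made-up toy algorithm, not any real malware family's; the DNS log lines and registration records are constructed, and field names such as `registrant_email` and `nameservers` are assumptions rather than any registry's RDAP schema.

```python
"""Added example, not from the thread: two automated checks the notes describe.

1. DGA pre-computation: a defender who knows a botnet's domain generation
   algorithm computes the rendezvous names the bots will try and blocks them,
   whether or not they are registered.
2. Registration-data pivot: from one confirmed-abusive domain, find other
   registrations sharing a registrant contact or name server.
The DGA is a made-up toy, not any real malware family's; records are constructed.
"""
import hashlib
from datetime import date


def generate_domains(day_iso: str, count: int = 8, seed: bytes = b"toy-dga") -> list[str]:
    """Toy DGA: `count` candidate domains for ISO date `day_iso`.
    Bot and defender run the same function, so tomorrow's names can be computed today."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(f"{label}.{('com', 'net', 'org')[digest[12] % 3]}")
    return names


def build_blocklist(start_iso: str, days_ahead: int = 2) -> set[str]:
    """Candidates for `start_iso` and the next `days_ahead` days. Most will never be
    registered; they are blocked anyway because bots query them regardless."""
    start = date.fromisoformat(start_iso)
    return {
        name
        for off in range(days_ahead + 1)
        for name in generate_domains(date.fromordinal(start.toordinal() + off).isoformat())
    }


def registrable(qname: str) -> str:
    """label.tld of a query name, so cdn.<dga-name> still matches.
    Assumption: single-label TLDs only; real code needs the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def screen_queries(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str, str]]:
    """(client, qname, verdict) per constructed log line '<client> <qname> <qtype>'."""
    out = []
    for line in log_lines:
        client, qname, _qtype = line.split()
        out.append((client, qname, "BLOCK" if registrable(qname) in blocklist else "ALLOW"))
    return out


# Constructed records in a simplified, assumed RDAP-like shape: who registered
# the name and what infrastructure it shares with other names.
RECORDS = [
    {"domain": "escrow-secure-pay.example", "registrant_email": "ops@mailer.example",
     "nameservers": ["ns1.host-a.example"]},
    {"domain": "job-offers-now.example", "registrant_email": "ops@mailer.example",
     "nameservers": ["ns1.host-a.example"]},
    {"domain": "quick-escrow-deals.example", "registrant_email": "other@mailer.example",
     "nameservers": ["ns1.host-a.example"]},
    {"domain": "bakery-on-main.example", "registrant_email": "owner@bakery.example",
     "nameservers": ["ns1.host-b.example"]},
]


def pivot(seed_domain: str, records: list[dict], max_hops: int = 2) -> dict:
    """Breadth-first walk from `seed_domain` over shared attributes.
    A shared registrant email is followed on every hop. A shared name server is a
    weak link (shared hosting is common), so it is followed only on the first hop
    and labelled, which keeps unrelated customers of the same host out of the cluster."""
    by_domain = {r["domain"]: r for r in records}
    seen, frontier, links = {seed_domain}, [by_domain[seed_domain]], {}
    for hop in range(1, max_hops + 1):
        nxt = []
        for src in frontier:
            for r in records:
                if r["domain"] in seen:
                    continue
                via = []
                if r["registrant_email"] == src["registrant_email"]:
                    via.append("registrant_email")
                if hop == 1 and set(r["nameservers"]) & set(src["nameservers"]):
                    via.append("nameserver")
                if via:
                    seen.add(r["domain"])
                    links[r["domain"]] = via
                    nxt.append(r)
        frontier = nxt
    return {"seed": seed_domain, "cluster": sorted(seen), "links": links}


if __name__ == "__main__":
    blocklist = build_blocklist("2017-10-18")
    hit = generate_domains("2017-10-18")[0]
    sample_log = ["10.0.0.5 www.icann.org A", f"10.0.0.7 {hit} A", f"10.0.0.7 cdn.{hit} A"]
    for client, qname, verdict in screen_queries(sample_log, blocklist):
        print(f"{verdict:5} {client:10} {qname}")
    print(pivot("escrow-secure-pay.example", RECORDS))
```

The blocklist deliberately over-blocks: it contains every name the toy generator can produce for the window, and the notes' point is that bots query those names whether or not anyone ever registered them, so a resolver or reputation feed can refuse them without first checking the DNS. The pivot is where registration data earns its keep: the registrant email ties two of the constructed scam domains to one operator, while the name server alone only adds a weaker candidate for follow-up, and the unrelated bakery on a different host stays out of the cluster.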
Hi everyone, I’ve started filling out the template as I proposed during the call yesterday. I’ve put together an overview of how we are grouping the various types of use cases and detailed purposes for accessing RDS data for this broad swath of items that come under this abuse topic. I’ve put in the outlines and one example of how a break-down might look. I will work up more of these examples to flesh out the data needs (Dick could help here as well - hint, hint), but this would be a good time to get feedback on the overall approach as well as the approach for the individual cases before I put a lot of time into the write-ups if people have any issues with the format or approach to laying this out. Thanks much for your input! Cheers, Rod
Thanks, Rod, much appreciated.

All, as a reminder, you can find the google doc here: https://docs.google.com/document/d/19fUlV3HEyZ0IYFOY-r4KGoN25ICHPf1wDjUA_ZMx3yc/edit?usp=sharing. Please share with the list by COB today if you have any concerns about the overall approach as outlined by Rod. Also, if you have any comments and/or proposed edits to the document, please feel free to add these directly to the document.

As another reminder, please complete the doodle poll as soon as possible so we can hopefully confirm a next meeting for the coming Monday or Tuesday (doodle poll: http://doodle.com/poll/4rgiwi89d63crebq).

Thanks,

Marika
All, note that our next meeting has been scheduled for Tuesday at 17.00 UTC. Unfortunately, it was not possible to find a time that would work for all, but hopefully those that are not able to attend the meeting will provide their input via the mailing list in advance.

Rod, I have not seen any concerns about the overall approach you've proposed, so hopefully you have an opportunity to add further detail to the Google Doc. All, if you have any further comments or suggestions, add those to the google doc or share them on the mailing list.

Thanks,

Marika
* If there would be no WHOIS, how would an investigation take place? Would require going to the registrar or registry directly. Same applies currently for IP addresses. Could also go to hosting provider - whoever is providing the service. In some cases it may not matter who owns the domain name registration, but it is a starting point. Most useful in the compromised domain name registration as direct outreach can be done to the victim. Knowing that certain domain name registrations are owned by the same entity is also valuable information. * The other important bit which is sometimes is overlooked is that a potential customer can look up the WHOIS and make an informed decision if they want to hand there money over to them. 6) Divvy up drafting and agree upon plan to flesh out template by 26 October * Who needs what data for which purpose? May need to modify the template to ensure all that info is covered. * In terms of user types, try to include more granularity. Private entities do not have the same status as LE. There may be overlap, but important to distinguish between the two. Action item #2: Staff to post template as a google doc Action item #3: Rod to take a first stab at adding to the template and add matrix as outlined during the call Action item #4: Staff to circulate doodle poll with objective to find a possible meeting time/date either next Monday or Tuesday, recognising that availability may be limited. Marika Konings Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) Email: marika.konings@icann.org<mailto:marika.konings@icann.org> Follow the GNSO via Twitter @ICANN_GNSO Find out more about the GNSO by taking our interactive courses[learn.icann.org]<https://urldefense.proofpoint.com/v2/url?u=http-3A__learn.icann.org_courses_...> and visiting the GNSO Newcomer pages[gnso.icann.org]<https://urldefense.proofpoint.com/v2/url?u=http-3A__gnso.icann.org_sites_gns...>. 
_______________________________________________ Gnso-rds-pdp-7 mailing list Gnso-rds-pdp-7@icann.org<mailto:Gnso-rds-pdp-7@icann.org> https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-7
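The DGA and reputation-service points in the meeting notes above, worked through as a defender's workflow. This is an added example and is not part of the thread, the template, or any EWG material. The domain generation algorithm is a constructed toy (SHA-256 over a made-up seed and the calendar date, emitting names under the reserved .example and .test TLDs), the resolver log format and client addresses are constructed, and none of it is modelled on a real malware family. What it shows is the sequence the notes describe: once the algorithm is known, enumerate the day's rendezvous names into a blocklist, flag resolver queries that hit it, separate the candidates that actually resolved (the ones someone registered, and so the ones worth a registration-data lookup) from those that did not, and list the querying hosts as the compromised parties to reach out to.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed toy DGA for illustration; it is not modelled on any real malware family.
# Real families use their own seed, hash and TLD scheme, but the defender's workflow is
# the same: once the algorithm is known, the rendezvous names for a date range can be
# enumerated in advance and compared against what hosts on the network actually ask for.
TOY_SEED = b"example-seed"        # constructed seed value
TOY_TLDS = ("example", "test")    # reserved TLDs (RFC 2606), so these names never resolve for real
NAMES_PER_DAY = 4
SAMPLE_DAY = date(2017, 10, 18)   # the meeting date, used for the constructed sample


def toy_dga(day: date, seed: bytes = TOY_SEED) -> list[str]:
    """Candidate rendezvous domains the toy algorithm yields for one calendar day."""
    names = []
    for i in range(NAMES_PER_DAY):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(f"{digest[:12]}.{TOY_TLDS[i % len(TOY_TLDS)]}")
    return names


def build_blocklist(start: date, days: int) -> set[str]:
    """Enumerate names for a window of days; a window rather than a single day covers
    clock skew on infected hosts and lets the list be pushed to resolvers ahead of time."""
    return {name for d in range(days) for name in toy_dga(start + timedelta(days=d))}


# Resolver log format assumed here (constructed): "<timestamp> <client ip> <qname> <qtype> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def flag_dga_queries(log_lines, blocklist):
    """(timestamp, client, qname, rcode) for each query whose name is in the blocklist.
    Lines that do not match the expected format are skipped rather than aborting the run."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, _qtype, rcode = m.groups()
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            hits.append((ts, client, qname, rcode))
    return hits


def live_rendezvous(hits):
    """Names that actually resolved (NOERROR): the candidates someone registered, i.e. the
    ones worth a registration-data lookup to see who registered them and what else they hold."""
    return sorted({qname for _ts, _client, qname, rcode in hits if rcode == "NOERROR"})


def clients_to_notify(hits):
    """Querying hosts are the compromised party to reach out to; count hits per client."""
    counts = {}
    for _ts, client, _qname, _rcode in hits:
        counts[client] = counts.get(client, 0) + 1
    return counts


def sample_log(day: date) -> list[str]:
    """Constructed resolver log: benign queries plus one host walking the day's candidates."""
    names = toy_dga(day)
    d = day.isoformat()
    return [
        f"{d}T09:00:01Z 10.0.0.5 www.example.com. A NOERROR",
        f"{d}T09:00:02Z 10.0.0.7 {names[0]}. A NXDOMAIN",   # candidate nobody registered
        f"{d}T09:00:02Z 10.0.0.7 {names[1]}. A NOERROR",    # candidate that resolves: live rendezvous point
        f"{d}T09:00:03Z 10.0.0.9 mail.example.net. MX NOERROR",
        f"{d}T09:00:05Z 10.0.0.7 {names[2]}. A NXDOMAIN",
        "malformed line that the parser should skip",
    ]


if __name__ == "__main__":
    blocklist = build_blocklist(SAMPLE_DAY, days=3)
    hits = flag_dga_queries(sample_log(SAMPLE_DAY), blocklist)
    print(f"{len(blocklist)} candidate names in the 3-day window")
    for ts, client, qname, rcode in hits:
        print(f"{ts} {client} asked for {qname} ({rcode})")
    print("registered rendezvous names to look up:", live_rendezvous(hits))
    print("hosts to notify:", clients_to_notify(hits))
```

The NXDOMAIN/NOERROR split is the point the notes make about candidates that "may or may not exist in the actual DNS": a host querying unregistered candidates is already evidence of infection, while a candidate that resolves is the one whose registration data answers the follow-on questions (who registered it, and which other names the same registrant holds).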
Just a quick update - I will endeavor to make that call on Tuesday, but am attending the APWG EU meeting this coming week, so may be a challenge to be online as well as audio. I haven’t been able to add to the Google Doc yet, as I’ve been in full tourist mode for the past 48 hours or so, visiting Lisbon with my wife for the first time ever. On a train to Porto right now and I’ll try to add some more scenarios to flesh out that “table” with as wide a variety of examples as possible. Cheers, Rod
On Oct 20, 2017, at 9:21 AM, Marika Konings <marika.konings@icann.org> wrote:
All, note that our next meeting has been scheduled for Tuesday at 17.00 UTC. Unfortunately, it was not possible to find a time that would work for all, but hopefully those that are not able to attend the meeting, will provide their input via the mailing list in advance.
Rod, I have not seen any concerns about the overall approach you’ve proposed so hopefully you have an opportunity to add further detail to the Google Doc. All, if you have any further comments, suggestions, add those to the google doc or share on the mailing list.
Thanks,
Marika
From: <gnso-rds-pdp-7-bounces@icann.org> on behalf of Marika Konings <marika.konings@icann.org>
Date: Thursday, October 19, 2017 at 06:08
To: Rod Rasmussen <rod@rodrasmussen.com>
Cc: "gnso-rds-pdp-7@icann.org" <gnso-rds-pdp-7@icann.org>
Subject: Re: [Gnso-rds-pdp-7] [Ext] Re: Notes & action items from today's meeting
Thanks, Rod, much appreciated.
All, as a reminder, you can find the google doc here: https://docs.google.com/document/d/19fUlV3HEyZ0IYFOY-r4KGoN25ICHPf1wDjUA_ZMx3yc/edit?usp=sharing. Please share with the list by COB today if you have any concerns about the overall approach as outlined by Rod. Also, if you have any comments and/or proposed edits to the document, please feel free to add these directly to the document.
I have been reading the mails on this list and noted the friendly prod from Rod ;-)

As I mentioned last week, we are deep into our own conference (RIPE) and, as usual, it's full on. I will try and find the time to have a look at the document today.

Richard Leaning
External Relations
RIPE NCC
Made some minor changes last night but have much more to do. Nothing significant to review if you had already looked at the first draft I made. Blocking out a couple of hours tonight to move this along, but have all day in Porto today prior.

Cheers,
Rod

Sent from Rod Rasmussen's iPhone
On Oct 23, 2017, at 8:29 AM, Richard Leaning <rleaning@ripe.net> wrote:
I have been reading the mails on this list and noted the friendly prod from Rod ;-)
As i mentioned last week, we deep into our own conference (RIPE) and as usual, its full on. i will try and find the time to have a look at the document today.
Richard Leaning External Relations RIPE NCC
On 23 Oct 2017, at 03:47, Rod Rasmussen <rod@rodrasmussen.com> wrote:
Just a quick update - I will endeavor to make that call on Tuesday, but am attending the APWG EU meeting this coming week, so may be a challenge to be online as well as audio. I haven’t been able to add to the Google Doc yet, as I’ve been in full tourist mode for the past 48 hours or so, visiting Lisbon with my wife for the first time ever. On a train to Porto right now and I’ll try to add some more scenarios to flesh out that “table” with as wide a variety of examples as possible.
Cheers,
Rod
On Oct 20, 2017, at 9:21 AM, Marika Konings <marika.konings@icann.org> wrote:
All, note that our next meeting has been scheduled for Tuesday at 17.00 UTC. Unfortunately, it was not possible to find a time that would work for all, but hopefully those who are not able to attend the meeting will provide their input via the mailing list in advance.
Rod, I have not seen any concerns about the overall approach you’ve proposed, so hopefully you have an opportunity to add further detail to the Google Doc. All, if you have any further comments or suggestions, add those to the google doc or share them on the mailing list.
Thanks,
Marika
From: <gnso-rds-pdp-7-bounces@icann.org> on behalf of Marika Konings <marika.konings@icann.org> Date: Thursday, October 19, 2017 at 06:08 To: Rod Rasmussen <rod@rodrasmussen.com> Cc: "gnso-rds-pdp-7@icann.org" <gnso-rds-pdp-7@icann.org> Subject: Re: [Gnso-rds-pdp-7] [Ext] Re: Notes & action items from today's meeting
Thanks, Rod, much appreciated.
All, as a reminder, you can find the google doc here: https://docs.google.com/document/d/19fUlV3HEyZ0IYFOY-r4KGoN25ICHPf1wDjUA_ZMx3yc/edit?usp=sharing. Please share with the list by COB today if you have any concerns about the overall approach as outlined by Rod. Also, if you have any comments and/or proposed edits to the document, please feel free to add these directly to the document.
As another reminder, please complete the doodle poll as soon as possible so we can hopefully confirm a next meeting for coming Monday or Tuesday (doodle poll: http://doodle.com/poll/4rgiwi89d63crebq).
Thanks,
Marika
From: Rod Rasmussen <rod@rodrasmussen.com> Date: Thursday, October 19, 2017 at 06:02 To: Marika Konings <marika.konings@icann.org> Cc: "gnso-rds-pdp-7@icann.org" <gnso-rds-pdp-7@icann.org> Subject: [Ext] Re: [Gnso-rds-pdp-7] Notes & action items from today's meeting
Hi everyone,
I’ve started filling out the template as I proposed during the call yesterday. I’ve put together an overview of how we are grouping the various types of use cases and detailed purposes for accessing RDS data for this broad swath of items that come under this abuse topic. I’ve put in the outlines and one example of how a break-down might look. I will work up more of these examples to flesh out the data needs (Dick could help here as well - hint, hint), but this would be a good time to get feedback on the overall approach as well as the approach for the individual cases before I put a lot of time into the write-ups if people have any issues with the format or approach to laying this out.
Thanks much for your input!
Cheers,
Rod
On Oct 18, 2017, at 11:09 AM, Marika Konings <marika.konings@icann.org> wrote:
Dear All,
Thank you again for participation in today’s meeting. Please find below the notes and action items. I’ll be sharing with you shortly the google doc link to the template. As a reminder, you can use this email address (gnso-rds-pdp-7@icann.org) for any further discussion on this topic.
Best regards,
Marika
============================
DT7 - Criminal Investigation or DNS Abuse Mitigation Meeting 18 October 2017
1) Brief recap of DT7 goals and due date – Marika
* To enable better understanding of existing purposes for WHOIS data, small drafting teams composed of WG members with diverse points of view were chosen to define each identified purpose.
* This drafting team should discuss the tasks supported by the purpose “Criminal Investigation or DNS Abuse Mitigation,” the parties involved in this purpose, and the data often used to fulfill this purpose.
* It is hoped that fleshing out purpose definitions will improve communication and help the WG conduct informed discussion about all identified purposes before trying to reach agreement on legitimacy, etc.
* Our drafting team is asked to discuss our assigned purpose by phone and email over the next week, producing a draft purpose definition to be shared on the full WG mailing list no later than 26 October, for discussion during the WG’s F2F meetings at ICANN60.
* A substantial amount of additional use cases & circumstances could be developed for this and probably for others. Is this the objective?
2) All team members to share their level of experience with Criminal Investigation or DNS Abuse Mitigation
* Ayden Ferdeline - No experience with LE or criminal investigation. Newcomer to this purpose. Member of the NCSG, works for Internet Society.
* Dick Leaning - ex law enforcement officer (retired), Europol and Scotland Yard, deep knowledge of criminal investigation. Many different tools are used by LE to investigate cybercrime; DNS is just one of the tools. Now working for RIPE. Definition in template seems accurate.
* Marc Anderson - employed by Verisign, registry operator. No detailed knowledge of this purpose as it is handled by others at Verisign.
* Rod Rasmussen - deep subject matter expert. Involved in the EWG. Has been doing security in the private sector, from investigation to designing software and systems that bring in data and work with it to glean information that goes into different products.
* Raoul Plommer - a digital rights activist for 10 yrs now and the VC of NPOC. Has been working for the Pirate Party, which is an international political movement.
Action item #1: DT members not on the call are encouraged to share their experience and review meeting notes & recording.
3) Introduce EWG's definition of this purpose, as starting point for discussion
4) Team members less familiar with this purpose to ask general questions
5) Team members more familiar with this purpose to give real-world examples of this purpose, drawn from their own experiences
* See template distributed.
* Excerpts included from EWG report. EWG went into a lot of detail and background re. the various use cases. In order to make it digestible, this was rolled up into the broader categories included in the template. DNS is used in many cases directly or indirectly to facilitate abuse, e.g. confidence scams, child pornography. Offline crime may also include evidence connected to emails & websites. Criminal category.
* Abuse/civil/annoying (e.g. spam) category.
* Infrastructure related, like command and control, botnets. DNS is also infrastructure for illegitimate purposes.
* Unintended infrastructure - compromised domains/websites. Compromised registrar accounts, which could result in the creation of new sub-domains.
* Range of different things that fall within these five use cases listed.
* Broad buckets from an investigation perspective: single person, group, automation (e.g. analysis tool). Starting point from which further determinations are made: is a DNS resource complicit or not in the criminal activity? From there, the investigator will undertake action - e.g. reach out to someone who is compromised, reach out to the registrar to delete the registration if it was fraudulently registered. Then, what information can be gleaned from this: are other registrations involved, what is the scale / scope involved?
* Automation side: reputation services - make real-time decisions about connectivity. Should a user on my network be able to connect to this domain name? Need to have the capability to make a decision on whether to connect to another network. Same for spam - do you accept the email? Consideration of the domain from which it emanates will factor into that decision.
* Consider developing a matrix that would outline the needs and what is needed and at what scale.
* Abuse contact would be helpful in these kinds of cases - what would be more efficient for the system to do going forward.
* Domain Name Generation Algorithm (DGA) - part of running a botnet (infected computers that talk to a central source to get their instructions). What has been developed by 'bad guys' over the last 10 years to keep infrastructure working is to create algorithms that generate rendezvous domains. These may or may not exist in the actual DNS, but infected computers would try to connect to these domains, where something could potentially happen. If that info is known, it can be used to block access to those registrations, look up the domains to see who has registered them, identify potential collisions, etc.
* How are criminal investigations and abuse investigations typically started? From the OpsSec side, it often starts with reports of spam, or someone reporting to a brand (phishing), or a virus download. Reports typically come in from victims or potential victims. Reverse engineering may show a domain name. DDoS - a domain name may be used to fire ammunition and bring down a service. Scams - fake businesses set up for job recruiting or escrow services. Fairly similar for LE - any crime you can think of happening in the real world happens in the online world, and it requires a domain name. That is why it is so important to have info on who has which domain name.
* If there were no WHOIS, how would an investigation take place? It would require going to the registrar or registry directly. The same applies currently for IP addresses. Could also go to the hosting provider - whoever is providing the service. In some cases it may not matter who owns the domain name registration, but it is a starting point. Most useful in the compromised domain name registration case, as direct outreach can be done to the victim. Knowing that certain domain name registrations are owned by the same entity is also valuable information.
* The other important bit, which is sometimes overlooked, is that a potential customer can look up the WHOIS and make an informed decision on whether they want to hand their money over.
6) Divvy up drafting and agree upon plan to flesh out template by 26 October
* Who needs what data for which purpose? May need to modify the template to ensure all that info is covered.
* In terms of user types, try to include more granularity. Private entities do not have the same status as LE. There may be overlap, but it is important to distinguish between the two.
Action item #2: Staff to post template as a google doc
Action item #3: Rod to take a first stab at adding to the template and add matrix as outlined during the call
Action item #4: Staff to circulate doodle poll with objective to find a possible meeting time/date either next Monday or Tuesday, recognising that availability may be limited.
Marika Konings Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN) Email: marika.konings@icann.org
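Added worked example, not part of the thread or of the DT7 template: the DGA and reputation-service points in the meeting notes above, turned into runnable Python. The DGA is a toy (SHA-256 over the date, a made-up key and a counter), not the algorithm of any real malware family; the registration records, contact names and registrars are constructed sample data, not real WHOIS/RDS output. It pre-computes a day's rendezvous candidates the way an analyst who has reverse-engineered the bot would, checks each against registration data to separate unregistered names (block or sinkhole), registrations that predate the campaign and so likely collide with an innocent holder (reach out to the victim) and fresh ones (ask the registrar to review), clusters the fresh ones by registrant so one actor behind several names stands out, and answers the resolver-side "may this host connect?" question.

```python
"""Toy DGA pre-computation and registration-based triage.

The DGA below is a made-up example, not any real malware family's
algorithm, and the registration records are constructed sample data.
"""
import hashlib
from datetime import date

TLDS = ("com", "net", "org")


def dga(day: date, key: str, count: int = 20) -> list:
    """Return the day's candidate rendezvous domains.

    An infected host and an analyst who has recovered `key` from the
    malware derive the same list, which is what makes it blockable ahead
    of time and worth looking up in WHOIS/RDS.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{key}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names


def classify(domain: str, registrations: dict, campaign_start: date) -> str:
    """Decide what one candidate calls for.

    unregistered      nobody holds it: block or sinkhole, nobody to notify
    likely-collision  registered before the campaign existed: probably an
                      innocent holder whose name the algorithm happened to
                      produce; contact them as a potential victim
    suspect           registered recently: ask the registrar to review it as
                      a possibly fraudulent registration
    """
    record = registrations.get(domain)
    if record is None:
        return "unregistered"
    if date.fromisoformat(record["created"]) < campaign_start:
        return "likely-collision"
    return "suspect"


def triage(candidates, registrations, campaign_start):
    """Bucket every candidate and cluster suspect ones by registrant."""
    buckets = {"unregistered": [], "likely-collision": [], "suspect": []}
    by_registrant = {}
    for d in candidates:
        verdict = classify(d, registrations, campaign_start)
        buckets[verdict].append(d)
        if verdict == "suspect":
            by_registrant.setdefault(registrations[d]["registrant"], []).append(d)
    return buckets, by_registrant


def connect_decision(qname: str, blocklist: set) -> str:
    """Real-time answer to 'may a host on my network talk to this name?'

    Every parent of the queried name is checked, so sub-labels of a listed
    domain are refused as well.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return "block"
    return "allow"


# Constructed sample data (hypothetical key, contacts and registrars): two
# candidates held by the same recent registrant, one held since long before
# the campaign, the rest not registered at all.
CAMPAIGN_START = date(2017, 10, 1)
TODAY = date(2017, 10, 18)
CANDIDATES = dga(TODAY, "hypothetical-key")
SAMPLE_REGISTRATIONS = {
    CANDIDATES[0]: {"registrant": "contact-A", "registrar": "Registrar One", "created": "2017-10-17"},
    CANDIDATES[3]: {"registrant": "contact-A", "registrar": "Registrar One", "created": "2017-10-16"},
    CANDIDATES[7]: {"registrant": "contact-B", "registrar": "Registrar Two", "created": "2015-03-02"},
}


def run_example():
    """Triage today's candidates; the whole list goes on the resolver blocklist
    regardless of who holds each name, triage only decides whom to contact."""
    buckets, by_registrant = triage(CANDIDATES, SAMPLE_REGISTRATIONS, CAMPAIGN_START)
    blocklist = set(CANDIDATES)
    return buckets, by_registrant, blocklist


if __name__ == "__main__":
    buckets, by_registrant, blocklist = run_example()
    for verdict, domains in buckets.items():
        print(f"{verdict}: {len(domains)}")
    print("same registrant behind:", by_registrant)
    print(connect_decision("www." + CANDIDATES[0], blocklist))
```

The collision heuristic is deliberately crude (a creation date before the campaign); in practice an investigator would also compare nameservers, registrar and contact details across the registered candidates before deciding whether a holder is a victim or the operator, which is exactly the data the notes say the purpose depends on.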
Was able to add a couple major examples to the document tonight - will add more, but there’s some more meat to take a look at now. Rod
On Oct 23, 2017, at 7:29 AM, Marika Konings <marika.konings@icann.org> wrote:
Thanks, Rod, Dick, and others who have committed to look at this over the next day. You may also find the attached document that was developed in the context of DT5 (Regulatory or Contractual Enforcement) of interest as it touches upon purposes that have also been discussed in the context of this DT.
For our meeting tomorrow (Tuesday 23 October at 17.00 UTC), I would like to propose the following agenda:
1. Roll call / Welcome
2. Review, discuss and confirm support and understanding of all input received to date (see https://docs.google.com/document/d/19fUlV3HEyZ0IYFOY-r4KGoN25ICHPf1wDjUA_ZMx...)
3. Confirm what further updates / edits need to be made prior to submission to the full WG (deadline Thursday 26 October)
4. Identify team members who will attend ICANN60 sessions:
* Saturday 28 October and Wednesday 1 November
* In person or remote
* Volunteer to introduce the team's output?
5. AOB
Thanks,
Marika
From: Rod Rasmussen <rod@rodrasmussen.com> Date: Monday, October 23, 2017 at 02:45 To: Richard Leaning <rleaning@ripe.net> Cc: Marika Konings <marika.konings@icann.org>, "gnso-rds-pdp-7@icann.org" <gnso-rds-pdp-7@icann.org> Subject: Re: [Gnso-rds-pdp-7] [Ext] Re: Notes & action items from today's meeting
Made some minor changes last night but have much more to do. Nothing significant to review if you had already looked at the first draft I made. Blocking out a couple hours tonight to move this along but have all day in Porto today prior.
Cheers,
Rod
Sent from Rod Rasmussen's iPhone
On Oct 23, 2017, at 8:29 AM, Richard Leaning <rleaning@ripe.net <mailto:rleaning@ripe.net>> wrote:
I have been reading the mails on this list and noted the friendly prod from Rod ;-)
As i mentioned last week, we deep into our own conference (RIPE) and as usual, its full on. i will try and find the time to have a look at the document today.
Richard Leaning External Relations RIPE NCC
On 23 Oct 2017, at 03:47, Rod Rasmussen <rod@rodrasmussen.com <mailto:rod@rodrasmussen.com>> wrote:
Just a quick update - I will endeavor to make that call on Tuesday, but am attending the APWG EU meeting this coming week, so may be a challenge to be online as well as audio. I haven’t been able to add to the Google Doc yet, as I’ve been in full tourist mode for the past 48 hours or so, visiting Lisbon with my wife for the first time ever. On a train to Porto right now and I’ll try to add some more scenarios to flesh out that “table” with as wide a variety of examples as possible.
Cheers,
Rod
On Oct 20, 2017, at 9:21 AM, Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> wrote:
All, note that our next meeting has been scheduled for Tuesday at 17.00 UTC. Unfortunately, it was not possible to find a time that would work for all, but hopefully those that are not able to attend the meeting, will provide their input via the mailing list in advance.
Rod, I have not seen any concerns about the overall approach you’ve proposed so hopefully you have an opportunity to add further detail to the Google Doc. All, if you have any further comments, suggestions, add those to the google doc or share on the mailing list.
Thanks,
Marika
From: <gnso-rds-pdp-7-bounces@icann.org <mailto:gnso-rds-pdp-7-bounces@icann.org>> on behalf of Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> Date: Thursday, October 19, 2017 at 06:08 To: Rod Rasmussen <rod@rodrasmussen.com <mailto:rod@rodrasmussen.com>> Cc: "gnso-rds-pdp-7@icann.org <mailto:gnso-rds-pdp-7@icann.org>" <gnso-rds-pdp-7@icann.org <mailto:gnso-rds-pdp-7@icann.org>> Subject: Re: [Gnso-rds-pdp-7] [Ext] Re: Notes & action items from today's meeting
Thanks, Rod, much appreciated.
All, as a reminder, you can find the google doc here: https://docs.google.com/document/d/19fUlV3HEyZ0IYFOY-r4KGoN25ICHPf1wDjUA_ZMx3yc/edit?usp=sharing[docs.google.com] <https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_documen...>. Please share with the list by COB today if you have any concerns about the overall approach as outlined by Rod. Also, if you have any comments and/or proposed edits to the document, please feel free to add these directly to the document.
As another reminder, please complete the doodle poll as soon as possible so we can hopefully confirm a next meeting for coming Monday or Tuesday (doodle poll:http://doodle.com/poll/4rgiwi89d63crebq[doodle.com] <https://urldefense.proofpoint.com/v2/url?u=http-3A__doodle.com_poll_4rgiwi89...>).
Thanks,
Marika
From: Rod Rasmussen <rod@rodrasmussen.com <mailto:rod@rodrasmussen.com>> Date: Thursday, October 19, 2017 at 06:02 To: Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> Cc: "gnso-rds-pdp-7@icann.org <mailto:gnso-rds-pdp-7@icann.org>" <gnso-rds-pdp-7@icann.org <mailto:gnso-rds-pdp-7@icann.org>> Subject: [Ext] Re: [Gnso-rds-pdp-7] Notes & action items from today's meeting
Hi everyone,
I’ve started filling out the template as I proposed during the call yesterday. I’ve put together an overview of how we are grouping the various types of use cases and detailed purposes for accessing RDS data for this broad swath of items that come under this abuse topic. I’ve put in the outlines and one example of how a break-down might look. I will work up more of these examples to flesh out the data needs (Dick could help here as well - hint, hint), but this would be a good time to get feedback on the overall approach as well as the approach for the individual cases before I put a lot of time into the write-ups if people have any issues with the format or approach to laying this out.
Thanks much for your input!
Cheers,
Rod
On Oct 18, 2017, at 11:09 AM, Marika Konings <marika.konings@icann.org <mailto:marika.konings@icann.org>> wrote:
Dear All,
Thank you again for participation in today’s meeting. Please find below the notes and action items. I’ll be sharing with you shortly the google doc link to the template. As a reminder, you can use this email address (gnso-rds-pdp-7@icann.org <mailto:gnso-rds-pdp-7@icann.org>) for any further discussion on this topic.
Best regards,
Marika
============================
DT7 - Criminal Investigation or DNS Abuse Mitigation Meeting 18 October 2017
1) Brief recap of DT7 goals and due date – Marika
* To enable better understanding of existing purposes for WHOIS data, small drafting teams composed of WG members with diverse points of view were chosen to define each identified purpose.
* This drafting team should discuss the tasks supported by the purpose “Criminal Investigation of DNS Abuse Mitigation,” the parties involved in this purpose, and the data often used to fulfill this purpose.
* It is hoped that fleshing out purpose definitions will improve communication and help the WG conduct informed discussion about all identified purposes before trying to agree on legitimacy, etc.
* Our drafting team is asked to discuss our assigned purpose by phone and email over the next week, producing a draft purpose definition to be shared on the full WG mailing list no later than 26 October, for discussion during the WG’s F2F meetings at ICANN60.
* A substantial amount of additional use cases & circumstances could be developed for this and probably for others. Is this the objective?
2) All team members to share their level of experience with Criminal Investigation or DNS Abuse Mitigation
* Ayden Ferdeline - No experience with LE or criminal investigation. Newcomer to this purpose. Member of the NCSG, works for Internet Society.
* Dick Leaning - ex law enforcement officer (retired), Europol and Scotland Yard, deep knowledge of criminal investigation. Many different tools used by LE to investigate cybercrime, DNS is just one of the tools. Now working for RIPE. Definition in template seems accurate.
* Marc Anderson - employed by Verisign, registry operator. No detailed knowledge in this purpose as it is handled by others at Verisign.
* Rod Rasmussen - deep subject matter expert. Involved in the EWG. Has been doing security in the private sector but also investigation, to designing software and systems to bring in data and work with data to glean information that is put into different products.
* Raoul Plommer - a digital rights activist for 10 yrs now and the VC of NPOC. Been working for the pirate party, which is an international political movement.
Action item #1: DT members not on the call are encouraged to share their experience and review meeting notes & recording.
3) Introduce EWG's definition of this purpose, as starting point for discussion
4) Team members less familiar with this purpose to ask general questions
5) Team members more familiar with this purpose to give real-world examples of this purpose, drawn from their own experiences
* See template distributed. Excerpts included from EWG report. EWG went into a lot of detail and background re. the various use cases. In order to make it digestible, this was rolled up into these broader categories as included in the template.
* DNS is used in many cases directly or indirectly to facilitate abuse, e.g. confidence scams, child pornography. Off-line crime may also include evidence connected to emails & web-sites.
* Criminal category. Abuse/civil/annoying (e.g. spam) category. Infrastructure related like command and control, botnet. DNS is also infrastructure for illegitimate purposes. Unintended infrastructure - compromised domains/web-sites. Compromised registrar accounts which could result in the creation of new sub-domains. Range of different things that fall within these five use cases listed.
* Broad buckets from an investigation perspective: single person, group, automation (e.g. analysis tool).
* Starting point from which further determinations are made: is a DNS resource complicit or not in the criminal activity? From there, investigator will undertake action - e.g. reach out to someone who is compromised, reach out to registrar to delete registration if it was fraudulently registered. Then, what information can be gleaned from this info: are other registrations involved, what is the scale / scope involved.
* Automation side: reputation services - make real time decisions about connectivity. Should a user on my network be able to connect to this domain name? Need to have capability to make decision on whether to connect to another network. Same for spam - do you accept email? Consideration of domain from which it emanates will factor into that consideration.
* Consider developing a matrix that would outline the needs and what is needed and at what scale. Abuse contact would be helpful in these kinds of cases - what would be more efficient for the system to do going forward.
* Domain Name Generation Algorithm (DGA) - as part of running a bot-net (infected computers that talk to a central source to give them instructions). What has been developed by 'bad guys' over the last 10 years to keep infrastructure working is to create algorithms to create rendezvous domains. May or may not exist in the actual DNS but infected computers would try to connect to these domains where something could potentially happen. If that info is known, it can be used to block access to those registrations, look up domains to see who has registered those, identify potential collision, etc.
* How are criminal investigations and abuse investigations typically started? From the OpsSec side, it often starts with reports of spam. Even where someone is reporting to a brand (phishing), or download of virus. Typically come in from victims or potential victims. Reverse engineering may show domain name. DDOS - domain name may be used to fire ammunition and bring down service. Scams - fake businesses set up for job recruiting or escrow services.
* Fairly similar for LE - any crime you can think of happening in the real world, happens in the online world, and it requires a domain name. That is why it is so important to have info on who has which domain name.
* If there would be no WHOIS, how would an investigation take place? Would require going to the registrar or registry directly. Same applies currently for IP addresses. Could also go to hosting provider - whoever is providing the service.
* In some cases it may not matter who owns the domain name registration, but it is a starting point. Most useful in the compromised domain name registration as direct outreach can be done to the victim. Knowing that certain domain name registrations are owned by the same entity is also valuable information.
* The other important bit which is sometimes overlooked is that a potential customer can look up the WHOIS and make an informed decision if they want to hand their money over to them.
6) Divvy up drafting and agree upon plan to flesh out template by 26 October
* Who needs what data for which purpose? May need to modify the template to ensure all that info is covered.
* In terms of user types, try to include more granularity. Private entities do not have the same status as LE. There may be overlap, but important to distinguish between the two.
Action item #2: Staff to post template as a google doc
Action item #3: Rod to take a first stab at adding to the template and add matrix as outlined during the call
Action item #4: Staff to circulate doodle poll with objective to find a possible meeting time/date either next Monday or Tuesday, recognising that availability may be limited.
Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings@icann.org
Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses (http://learn.icann.org/courses/...) and visiting the GNSO Newcomer pages (http://gnso.icann.org/sites/gns...).
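The notes above describe two automated uses of abuse data: reputation services that decide in real time whether a host on a network may connect to a domain, and the use of known DGA rendezvous domains to block access and to identify which of a network's own hosts are infected and should be reached out to. The following Python script, an added illustration and not part of the meeting notes or any ICANN or EWG work product, runs that decision logic over a constructed resolver log: exact or suffix matches against a blocklist of (made-up) rendezvous domains are blocked, long high-entropy or digit-heavy labels are queued for analyst review (the point at which an investigator would look the registration up in the RDS), and everything else is allowed. The blocklist entries, log lines, entropy threshold and the single-label public-suffix assumption in `registrable_label` are all assumptions of this example.

```python
import math
from collections import Counter

# Constructed blocklist of known rendezvous (DGA) domains, standing in for
# what a reputation feed would supply. These names are made up, not real IoCs.
KNOWN_RENDEZVOUS = {"xk3qz9v1lpa.example", "q7rt2mwz0bd.example"}

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2017-10-18T11:09:01Z 10.0.0.5 www.icann.org A
2017-10-18T11:09:02Z 10.0.0.5 xk3qz9v1lpa.example A
2017-10-18T11:09:03Z 10.0.0.7 mail.example.org MX
2017-10-18T11:09:04Z 10.0.0.7 b8s7dk2lq0xw4v.example A
2017-10-18T11:09:05Z 10.0.0.9 q7rt2mwz0bd.example A
2017-10-18T11:09:06Z 10.0.0.9 docs.google.com A
"""

ENTROPY_THRESHOLD = 3.5  # bits per character; an assumption, tune on your own traffic
MIN_LABEL_LEN = 10       # short labels are rarely worth flagging on entropy alone


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label immediately left of the TLD. Assumption: a single-label public
    suffix; production code should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(label: str) -> bool:
    """Heuristic for algorithmically generated labels: long and high-entropy,
    or long with an unusual share of digits. A heuristic, not proof."""
    if len(label) < MIN_LABEL_LEN:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= ENTROPY_THRESHOLD or digit_ratio >= 0.3


def in_blocklist(qname: str, blocklist) -> bool:
    """Exact match or any subdomain of a listed rendezvous domain."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in blocklist)


def classify(qname: str, blocklist=KNOWN_RENDEZVOUS) -> str:
    """'block' for known rendezvous domains, 'review' for DGA-looking names an
    analyst should look up (e.g. via RDS), and 'allow' for everything else."""
    if in_blocklist(qname, blocklist):
        return "block"
    if looks_generated(registrable_label(qname)):
        return "review"
    return "allow"


def triage(log_text: str, blocklist=KNOWN_RENDEZVOUS) -> list:
    """Parse resolver log lines and attach a verdict to each query."""
    decisions = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = parts
        decisions.append({"ts": ts, "client": client, "qname": qname,
                          "qtype": qtype, "verdict": classify(qname, blocklist)})
    return decisions


def clients_to_contact(decisions) -> dict:
    """Clients that resolved blocked domains, with the domains involved: the
    likely-compromised hosts a network operator would reach out to first."""
    hits = {}
    for d in decisions:
        if d["verdict"] == "block":
            hits.setdefault(d["client"], set()).add(d["qname"])
    return hits


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for d in results:
        print(f'{d["verdict"]:6} {d["client"]:10} {d["qname"]}')
    print(clients_to_contact(results))
```

The ordering matters: the blocklist is checked before the entropy heuristic, so a listed rendezvous domain whose label happens to score below the threshold (the first blocklist entry here does) is still blocked, while the heuristic only ever produces a "review" verdict, never a block, because a high-entropy label is a reason to look the registration up, not evidence on its own.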
_______________________________________________
Gnso-rds-pdp-7 mailing list
Gnso-rds-pdp-7@icann.org
https://mm.icann.org/mailman/listinfo/gnso-rds-pdp-7
<RDS PDP_5 Draft Doc[1].pdf>
Participants (3): Marika Konings, Richard Leaning, Rod Rasmussen