Re: [dssa] Interesting article -- probably out of scope for us, but FYI
- To: dssa@xxxxxxxxx
- Subject: Re: [dssa] Interesting article -- probably out of scope for us, but FYI
- From: James M Galvin <jgalvin@xxxxxxxxxxxx>
- Date: Wed, 14 Sep 2011 07:11:35 +0100
This is not a "don't go down too deep" issue; it really is out of scope.
The distinction that I think is important is that we are chartered to
consider DNS security and stability issues, not issues for which the
DNS can be used for nefarious or malicious purposes. The fact that one
can do bad things with the DNS does not make the DNS bad. Even DNSSEC
does not help the problem being described because it's not a DNS
It might be worth a short discussion of this distinction in our final
-- On September 13, 2011 3:31:31 PM -0500 Mike O'Connor
<mike@xxxxxxxxxx> wrote regarding Re: [dssa] Interesting article --
probably out of scope for us, but FYI --
yep, i get that.
i think one thing we might want to consider is building out a list of
attack vectors that infrastructure-providers might want to apply
best-practices to. this fits with Cheryl's "not following
best-practices" bucket that we created in the Vulnerabilities draft a
few calls back. it also kinda takes me back to the best-practices
discussion we had on the RAP working group and the notion that ICANN
might be a good place to call attention to these sorts of things, and
keep track of good resources/standards/models etc.
but i agree -- we don't want to go too deep down these issues or
we'll never finish.
On Sep 13, 2011, at 11:22 AM, Greg Aaron wrote:
> Hi, Mikey. I think typosquatting's out of scope, full stop. By
> allowing that example in, we'd be allowing virtually any kind of
> security problem or threat vector back into scope again, simply if
> it was directed against a registry operator. That is too much; a
> rabbit hole we'd never emerge from.
> A lot of things come down to following good IT and administrative
> practices, like: having a fundamentally sound network architecture,
> not losing one's passwords, and using the UDRP or legal mechanisms
> when you need to. There are bodies who do IT best practices better
> than we do, and ICANN's not in a position to explore all that kind
> of stuff.
> All best,
> -----Original Message-----
> From: Mike O'Connor [mailto:mike@xxxxxxxxxx]
> Sent: Tuesday, September 13, 2011 8:31 AM
> To: dssa@xxxxxxxxx
> Subject: [dssa] Interesting article -- probably out of scope for
> us, but FYI
> hi all,
> i thought some of you (being that we're a gaggle of security type
> people) might be interested in this article about typosquatting
> domain names as a way to passively harvest sensitive email.
> ing-snarfed-20gb-worth-of-fortune-500-e-mails.ars
> given that we're testing our "scope" rules this week, i thought i'd
> also use this as a test case. i would think that the general
> use-case of this would be out of scope (malicious use of a domain
> name). but it would be in scope if it were used as an attack
> vector on a registry or registrar. right?
> so does that mean that we should build a section of our report that
> collects these attack-vectors for possible inclusion in a "best
> practices" section?
> food for thought, low priority.
> PS -- i have the corp.com domain, which started getting masses of
> this kind of email as soon as i registered it in the mid-'90s. i
> didn't realize it until i wildcarded the MX for the domain one day
> and immediately crashed my server. for example, somebody would
> mis-address mail to HRDept@xxxxxxxxxxxx rather than the correct
> HRDept@xxxxxxxxxxxx. so there are other variants of this
> vulnerability and perhaps an opportunity for somebody to do a great
> good deed by educating folks about this. btw, i immediately
> dropped the MX record out of that domain. :-)
> - - - - - - - - -
> phone 651-647-6109
> fax 866-280-2356
> web http://www.haven2.com
> handle OConnorStP (ID for public places like Twitter, Facebook,
> Google, etc.)
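A defender's follow-up to the PS about the wildcard MX: the Python below is an added example written for this page, not code from the thread or from anyone on it, and it classifies a held domain by its MX and A/AAAA records using the RFC 7505 null MX (2015, so later than this thread) and the RFC 5321 implicit-MX fallback. The function names, the `DnsRecords` container and the `.test` domain names are assumptions; the point it adds is that dropping the MX record alone, as described above, still leaves a resolving domain receiving delivery attempts on its A record, whereas a null MX makes senders bounce immediately.

```python
"""Audit how sending MTAs will treat a domain, from its DNS records.
Added example, not from the list thread; domain names and record values are
constructed sample data. RFC 7505: a null MX ("0 .") as the only MX record
tells senders not to deliver. RFC 5321 5.1: no MX but an A/AAAA record means
senders fall back to that host (implicit MX), so dropping the MX alone does
not stop inbound mail while the name still resolves."""
from dataclasses import dataclass, field

@dataclass
class DnsRecords:
    mx: list = field(default_factory=list)    # (preference, exchange) tuples
    a: list = field(default_factory=list)
    aaaa: list = field(default_factory=list)

def parse_mx_short(lines):
    """Parse `dig +short MX` style lines, e.g. '10 mail.example.net.' or '0 .'."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            raise ValueError(f"unexpected MX line: {line!r}")
        out.append((int(parts[0]), parts[1]))
    return out

def classify_inbound_mail(rec):
    """Return one of: null-mx, invalid-null-mx, accepts-mail, implicit-mx, no-mail."""
    null = [r for r in rec.mx if r[0] == 0 and r[1] == "."]
    if rec.mx:
        if null and len(rec.mx) == 1:
            return "null-mx"          # explicit refusal: senders bounce at once
        if null:
            return "invalid-null-mx"  # RFC 7505: the null MX must be the sole MX
        return "accepts-mail"
    if rec.a or rec.aaaa:
        return "implicit-mx"          # delivery attempts still go to the A/AAAA host
    return "no-mail"

def domains_still_receiving_mail(zone_map):
    """Names of domains a mis-addressed message could still reach."""
    return sorted(name for name, rec in zone_map.items()
                  if classify_inbound_mail(rec) in ("accepts-mail", "implicit-mx"))

# Constructed sample: three defensively held lookalike domains (hypothetical names).
SAMPLE = {
    "examp1e.test": DnsRecords(mx=parse_mx_short(["10 mail.examp1e.test."]), a=["192.0.2.10"]),
    "exmaple.test": DnsRecords(a=["192.0.2.11"]),                 # MX dropped, A record kept
    "example-corp.test": DnsRecords(mx=parse_mx_short(["0 ."])),  # RFC 7505 null MX
}
```

Running `domains_still_receiving_mail(SAMPLE)` flags both the domain with a live MX and the one whose MX was merely dropped; only the null-MX domain is clear.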