Re: [dssa] Interesting article -- probably out of scope for us, but FYI

[Disspain Chris <ceo@xxxxxxxxxxx>]

.

Greetings All,

As a lurker on this list I generally won't post but I think James is spot on 
with this analysis. 

Cheers, 

Chris Disspain | Chief Executive Officer

.au Domain Administration Ltd

T: +61 3 8341 4111 | F: +61 3 8341 4112

E: ceo@xxxxxxxxxxx | W: www.auda.org.au

auDA – Australia’s Domain Name Administrator

Important Notice - This email may contain information which is confidential 
and/or subject to legal privilege, and is intended for the use of the named 
addressee only. If you are not the intended recipient, you must not use, 
disclose or copy any part of this email. If you have received this email by 
mistake, please notify the sender and delete this message immediately. Please 
consider the environment before printing this email.


On 14/09/2011, at 16:11 , James M Galvin wrote:

> 
> This is not a "don't go down too deep issue", it really is out of scope.
> 
> The distinction that I think is important is that we are chartered to 
> consider DNS security and stability issues, not issues for which the DNS can 
> be used for nefarious or malicious purposes.  The fact that one can do bad 
> things with the DNS does not make the DNS bad.  Even DNSSEC does not help the 
> problem being described because it's not a DNS problem.
> 
> It might be worth a short discussion of this distinction in our final report.
> 
> Jim
> 
> 
> 
> -- On September 13, 2011 3:31:31 PM -0500 Mike O'Connor <mike@xxxxxxxxxx> 
> wrote regarding Re: [dssa] Interesting article -- probably out of scope for 
> us, but FYI --
> 
>> 
>> yep,  i get that.
>> 
>> i think one thing we might want to consider is building out a list of
>> attack vectors that infrastructure-providers might want to apply
>> best-practices to.  this fits with Cheryl's "not following
>> best-practices" bucket that we created in the Vulnerabilities draft a
>> few calls back.  it also kinda takes me back to the best-practices
>> discussion we had on the RAP working group and the notion that ICANN
>> might be a good place to call attention to these sorts of things, and
>> keep track of good resources/standards/models etc.
>> 
>> but i agree -- we don't want to go too deep down these issues or
>> we'll never finish.
>> 
>> mikey
>> 
>> On Sep 13, 2011, at 11:22 AM, Greg Aaron wrote:
>> 
>> >
>> > Hi, Mikey.  I think typosquatting's out of scope, full stop.  By
>> > allowing that example in, we'd be allowing virtually any kind
>> > security problem or threat vector back into scope again, simply if
>> > it was directed against a registry operator.  That is too much; a
>> > rabbit hole we'd never emerge from.
>> >
>> > A lot of things come down to following good IT and administrative
>> > practices, like: having a fundamentally sound network architecture,
>> > not losing one's passwords, and using the UDRP or legal mechanisms
>> > when you need to.  There are bodies who do IT best practices better
>> > than we do, and ICANN's not in a position to explore all that kind
>> > of stuff.
>> >
>> > All best,
>> > --Greg
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Mike O'Connor [mailto:mike@xxxxxxxxxx]
>> > Sent: Tuesday, September 13, 2011 8:31 AM
>> > To: dssa@xxxxxxxxx
>> > Subject: [dssa] Interesting article -- probably out of scope for
>> > us, but FYI
>> >
>> >
>> > hi all,
>> >
>> > i thought some of you (being that we're a gaggle of security type
>> > people) might be interested in this article about typosquatting
>> > domain names as a way to passively harvest sensitive email.
>> >
>> >    
>> > http://arstechnica.com/business/news/2011/09/researchers-typosquatt
>> > ing-sna rfed-20gb-worth-of-fortune-500-e-mails.ars
>> >
>> > given that we're testing our "scope" rules this week, i thought i'd
>> > also use this as a test case.  i would think that the general
>> > use-case of this would be out of scope (malicious use of a domain
>> > name).  but it would be in scope if it were used as an attack
>> > vector on a registry or registrar. right?
>> >
>> > so does that mean that we should build a section of our report that
>> > collects these attack-vectors for possible inclusion in a "best
>> > practices" section?
>> >
>> > food for thought, low priority.
>> >
>> > mikey
>> >
>> > PS -- i have the corp.com domain, which started getting masses of
>> > this kind of email as soon as i registered it in the mid-'90's.  i
>> > didn't realize it until i wildcarded the MX for the domain one day
>> > and immediately crashed my server.  for example, somebody would
>> > mis-address mail to HRDept@xxxxxxxxxxxx rather than the correct
>> > HRDept@xxxxxxxxxxxx. so there are other variants of this
>> > vulnerability and perhaps an opportunity for somebody to do a great
>> > good deed by educating folks about this.  btw, i immediately
>> > dropped the MX record out of that domain.  :-)
>> >
>> > - - - - - - - - -
>> > phone      651-647-6109
>> > fax                866-280-2356
>> > web        http://www.haven2.com
>> > handle     OConnorStP (ID for public places like Twitter, Facebook,
>> > Google, etc.)
>> 
>> - - - - - - - - -
>> phone        651-647-6109
>> fax                  866-280-2356
>> web  http://www.haven2.com
>> handle       OConnorStP (ID for public places like Twitter, Facebook,
>> Google, etc.)
>> 
>> 
> 
>