Re: [dssa] Interesting article -- probably out of scope for us, but FYI
- To: dssa@xxxxxxxxx
- Subject: Re: [dssa] Interesting article -- probably out of scope for us, but FYI
- From: "Mike O'Connor" <mike@xxxxxxxxxx>
- Date: Tue, 13 Sep 2011 15:31:31 -0500
yep, i get that.
i think one thing we might want to consider is building out a list of attack
vectors that infrastructure-providers might want to apply best-practices to.
this fits with Cheryl's "not following best-practices" bucket that we created
in the Vulnerabilities draft a few calls back. it also kinda takes me back to
the best-practices discussion we had on the RAP working group and the notion
that ICANN might be a good place to call attention to these sorts of things,
and keep track of good resources/standards/models etc.
but i agree -- we don't want to go too deep down these issues or we'll never
finish.
mikey
On Sep 13, 2011, at 11:22 AM, Greg Aaron wrote:
>
> Hi, Mikey. I think typosquatting's out of scope, full stop. By allowing
> that example in, we'd be allowing virtually any kind of security problem or
> threat vector back into scope again, simply if it was directed against a
> registry operator. That is too much; a rabbit hole we'd never emerge
> from.
>
> A lot of things come down to following good IT and administrative
> practices, like: having a fundamentally sound network architecture, not
> losing one's passwords, and using the UDRP or legal mechanisms when you
> need to. There are bodies who do IT best practices better than we do, and
> ICANN's not in a position to explore all that kind of stuff.
>
> All best,
> --Greg
>
> -----Original Message-----
> From: Mike O'Connor [mailto:mike@xxxxxxxxxx]
> Sent: Tuesday, September 13, 2011 8:31 AM
> To: dssa@xxxxxxxxx
> Subject: [dssa] Interesting article -- probably out of scope for us, but
> FYI
>
> hi all,
>
> i thought some of you (being that we're a gaggle of security type people)
> might be interested in this article about typosquatting domain names as a
> way to passively harvest sensitive email.
>
> http://arstechnica.com/business/news/2011/09/researchers-typosquatting-snarfed-20gb-worth-of-fortune-500-e-mails.ars
>
> given that we're testing our "scope" rules this week, i thought i'd also
> use this as a test case. i would think that the general use-case of this
> would be out of scope (malicious use of a domain name). but it would be
> in scope if it were used as an attack vector on a registry or registrar.
> right?
>
> so does that mean that we should build a section of our report that
> collects these attack-vectors for possible inclusion in a "best practices"
> section?
>
> food for thought, low priority.
>
> mikey
>
> PS -- i have the corp.com domain, which started getting masses of this
> kind of email as soon as i registered it in the mid-'90s. i didn't
> realize it until i wildcarded the MX for the domain one day and
> immediately crashed my server. for example, somebody would mis-address
> mail to HRDept@xxxxxxxxxxxx rather than the correct HRDept@xxxxxxxxxxxx.
> so there are other variants of this vulnerability and perhaps an
> opportunity for somebody to do a great good deed by educating folks about
> this. btw, i immediately dropped the MX record out of that domain. :-)
>
> - - - - - - - - -
> phone 651-647-6109
> fax 866-280-2356
> web http://www.haven2.com
> handle OConnorStP (ID for public places like Twitter, Facebook, Google,
> etc.)
- - - - - - - - -
phone 651-647-6109
fax 866-280-2356
web http://www.haven2.com
handle OConnorStP (ID for public places like Twitter, Facebook, Google, etc.)
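The two failure modes discussed in this thread (the missing-dot "doppelganger" domains in the linked Ars Technica article, and the mis-addressed mail that landed on corp.com once it had an MX) are easy to enumerate from the defender's side. The script below is an added example, not code from the dssa list or from the article's authors. It generates the doppelganger and common single-typo variants of a company's mail domains, then scans outbound MTA log lines for recipients whose domain hits that watchlist. The domain names, the keyboard-neighbour table and the Postfix-style log lines are all constructed for illustration, and the "registrable domain" is approximated as the last two labels rather than looked up against the public suffix list.

```python
"""Watchlist generator and outbound-mail scanner for typosquat /
doppelganger mail domains.  Added example; all names and logs are
constructed, not taken from any real organisation."""
import re

# Constructed: the organisation's real mail domains, including the
# internal sub-domains that people actually address mail to.
CORP_DOMAINS = ["example.com", "us.example.com", "hr.example.com"]

# Constructed, deliberately small QWERTY neighbour table used for
# substitution typos.  A real deployment would use a full keyboard map.
KEY_NEIGHBOURS = {"a": "sqz", "e": "wrd", "m": "n", "p": "ol", "x": "zc"}


def doppelganger_variants(fqdn):
    """Drop one internal dot at a time, never the one before the TLD:
    'us.example.com' -> {'usexample.com'}.  This is the missing-dot form
    that makes mail for a sub-domain land on a third party's domain."""
    labels = fqdn.split(".")
    out = set()
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        out.add(".".join(merged))
    return out


def typo_variants(domain):
    """Single-character omissions, adjacent transpositions and keyboard
    neighbour substitutions in the name part; the TLD is left untouched.
    'example.com' -> includes 'exmaple.com', 'exampl.com', 'exanple.com'."""
    name, _, tld = domain.rpartition(".")
    out = set()
    for i in range(len(name)):
        if len(name) > 1:                                   # omission
            out.add(name[:i] + name[i + 1:] + "." + tld)
        if i < len(name) - 1 and name[i] != name[i + 1]:    # transposition
            swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
            out.add(swapped + "." + tld)
        for nb in KEY_NEIGHBOURS.get(name[i], ""):          # substitution
            out.add(name[:i] + nb + name[i + 1:] + "." + tld)
    out.discard(domain)
    return out


def registrable(fqdn):
    """Approximation: last two labels.  Use the public suffix list for
    anything serious (co.uk and friends break this)."""
    return ".".join(fqdn.split(".")[-2:])


def watchlist(domains):
    """Union of doppelganger variants of every FQDN and typo variants of
    each distinct registrable domain, minus the legitimate domains."""
    bad = set()
    for d in domains:
        bad |= doppelganger_variants(d)
    for reg in {registrable(d) for d in domains}:
        bad |= typo_variants(reg)
    return bad - set(domains)


# Constructed Postfix-style outbound log lines, not real traffic.
LOG_LINES = [
    "Sep 13 08:31:02 mx1 postfix/smtp[2211]: 3F2A1: to=<hrdept@usexample.com>, status=sent",
    "Sep 13 08:31:05 mx1 postfix/smtp[2211]: 3F2A2: to=<bob@example.com>, status=sent",
    "Sep 13 08:31:09 mx1 postfix/smtp[2211]: 3F2A3: to=<alice@exmaple.com>, status=sent",
    "Sep 13 08:31:12 mx1 postfix/smtp[2211]: 3F2A4: to=<carol@partner.net>, status=sent",
]
RCPT_RE = re.compile(r"to=<([^>]+)>")


def flag_misaddressed(lines, bad_domains):
    """Return the recipients whose domain is on the watchlist, in log order."""
    hits = []
    for line in lines:
        m = RCPT_RE.search(line)
        if not m:
            continue
        rcpt = m.group(1)
        if rcpt.rpartition("@")[2].lower() in bad_domains:
            hits.append(rcpt)
    return hits


if __name__ == "__main__":
    bad = watchlist(CORP_DOMAINS)
    for rcpt in flag_misaddressed(LOG_LINES, bad):
        print("mis-addressed outbound mail:", rcpt)
```

The watchlist is the useful artefact on its own: the same set of names is what you would resolve for MX records to see which variants a third party has already put a mail server behind, and what you would consider registering defensively (and pointing at a rejecting MX, not a catch-all) before someone else does. Scanning outbound logs, as above, shows how much sensitive mail your own users are already leaking to those names.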