It’s 2014. Does anyone in the domain name business still fall for phishing attacks?
Apparently, yes, ICANN staff do.
ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.
According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.
CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.
But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.
While the stolen passwords were stored as salted hashes rather than in the clear, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:
The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.
As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.
It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.
Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.
User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.
In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some password hashes that may allow them to cause further mischief if they can be cracked.
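The statement above says the CZDS passwords were stored as salted hashes, and the reset is still a precaution rather than theatre. The following added example (mine, not ICANN's code, and not any description of how CZDS actually stores passwords) shows why: the salt is stored alongside the digest, so an attacker holding the whole table can still guess each user's password offline. The salt only stops one precomputed table being reused against every account, and only a deliberately slow construction such as PBKDF2 raises the cost per guess. The hash functions and the six-word wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real cracking wordlist (assumption: a few weak choices).
WORDLIST = ["password", "letmein", "qwerty", "Summer2014", "icann2014", "dnsroot"]


def fast_hash(password: str, salt: bytes) -> bytes:
    """Salted single-round SHA-256. The page only says CZDS used 'salted
    cryptographic hashes'; this fast construction is an assumption chosen to
    show the weakest reading of that phrase."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: same salt, but each guess now costs
    `iterations` HMAC calls, which is what raises the attacker's bill."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store(password: str, hash_fn) -> tuple:
    """Per-user random salt plus digest: the record an attacker with
    'administrative access to all files' walks away with."""
    salt = os.urandom(16)
    return salt, hash_fn(password, salt)


def verify(password: str, salt: bytes, digest: bytes, hash_fn) -> bool:
    return hmac.compare_digest(hash_fn(password, salt), digest)


def crack(salt: bytes, digest: bytes, wordlist, hash_fn):
    """Offline guessing against one stolen record. The salt is in the record,
    so it does nothing to stop this; it only stops a table precomputed once
    being reused against every user."""
    for candidate in wordlist:
        if verify(candidate, salt, digest, hash_fn):
            return candidate
    return None


def same_password_different_digests(password: str, hash_fn) -> bool:
    """Two users with the same password get unrelated records, so cracking
    one tells the attacker nothing about the other."""
    _, d1 = store(password, hash_fn)
    _, d2 = store(password, hash_fn)
    return d1 != d2


if __name__ == "__main__":
    salt, digest = store("icann2014", fast_hash)
    print("weak password recovered:", crack(salt, digest, WORDLIST, fast_hash))
    salt, digest = store("V7#kq9!zLm2p", fast_hash)
    print("strong password recovered:", crack(salt, digest, WORDLIST, fast_hash))
    print("salt separates identical passwords:",
          same_password_different_digests("password", fast_hash))
```

Run it and the weak password falls to six guesses under either hash function; the slow one merely makes each guess cost 100,000 HMAC calls instead of one. That is the whole case for the forced reset and for the warning against reusing the same password elsewhere.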
It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.
While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar in order to hand over their passwords.
That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.
The nascent NETmundial Initiative appears to be in dire straits already, just weeks into its existence, after another influential internet governance body decided against joining.
The Internet Architecture Board, which holds ultimate responsibility for the Request for Comments (RFC) standards that help the internet remain interoperable, said yesterday that it will not join NETmundial, saying it is “not needed”.
The IAB’s rejection of the initiative follows that of the Internet Society, which said last month that the way NETmundial was being formed was not transparent, bottom-up or decentralized.
NETmundial is deliberately and self-consciously not related to domain names, which is why I’ve paid it scant attention recently, but I think it’s worth a mention because it is the brainchild in part of ICANN CEO Fadi Chehade and the subject of some discussion at ICANN meetings.
The idea behind the initiative is to create a policy body that can look at cross-border internet governance issues not already dealt with in fora such as ICANN or the IETF.
Chehade has been particularly enthusiastic about it as it could create a way to prevent special interests attempting to strong-arm ICANN, as the only “internet governance” entity out there with any real power, into making policies outside of its narrow remit.
The group was founded by ICANN, the government-linked Brazilian Internet Steering Committee and the World Economic Forum. Its name is borrowed from the NETmundial meeting, a policy talking shop that took place in São Paulo with the support of the Brazilian government this April.
But it’s come in for criticism for lacking true bottom-up organization.
The original plan was for a Coordinating Council to be created, comprising 20 people from four sectors and five geographic regions, to be selected by ICANN, the WEF and Brazil from a raft of self-nominated individuals.
There were to be another five permanent seats — three for the three organizers, one for the I* technical standards bodies and one for the Internet Governance Forum — but this was reportedly abandoned after ISOC expressed its disapproval of the plan.
Indeed, with the IGF also expressing misgivings about the Council’s make-up, there was the very real possibility of two of the five permanent seats sitting empty.
So far, just 10 days shy of the December 15 deadline, only 20 nominations have been received for the regular council. Four seats currently have no volunteers and four are contested by two people.
There hasn’t been much in the way of contributions to policy discussions either (though this is perhaps understandable for such a young initiative). So far, only two people have put forward ideas for discussion topics. One relates to brain-computer interfaces and the other to cyberbullying.
The process of removing the US government from management of the DNS root system took a significant step forward today, with the publication of a community proposal for a transition.
The Cross Community Working Group, which convened itself earlier this year, has published a proposal to replace the US with a new contracting company and a bunch of committees.
The DNS community has been tasked with coming up with a way to transition stewardship of the IANA functions from the US National Telecommunications and Information Administration, which said in March this year that it intends to relinquish its historic, but largely symbolic, Damoclean role.
After discussions which by any measure of ICANN policy-making have been remarkably swift, the 119-member CWG has now presented two broad options.
The first, a description of which forms the bulk of its report, would see ICANN overseen by a new, lightweight non-profit company managed by multi-stakeholder committees.
The other, which doesn’t get much airplay in the document, would see ICANN simply take over the NTIA’s responsibilities entirely. Accountability would be provided by enhanced accountability processes within the existing ICANN structure.
Under the primary proposal, the CWG was keen to avoid creating something ICANN-like to oversee ICANN, due to the complexity and cost, but it also decided that ICANN remains the best place to house the IANA function for the foreseeable future.
It’s proposed a new company, known currently as “Contract Co”, that would replace the NTIA as the party that contracts with ICANN to run IANA. It would have “little or no staff”.
The contract itself would be developed and overseen by a Multistakeholder Review Team, comprising people drawn from each area of the ICANN community.
The precise make-up of this MRT is still open to discussion and will be, I suspect, the subject of some pretty fierce debate as the various competing interest groups wrestle to secure themselves the strongest possible representation.
Like the NTIA, the MRT would have the power to pick another entity to run IANA in future, should ICANN screw up.
A new Customer Standing Panel would comprise executives from gTLD and ccTLD registries — the “customers” of IANA’s naming functions — and would have the job of relaying the concerns of registries to the MRT, keeping ICANN accountable to its primary users.
Finally, there’d be an Independent Appeals Panel. Any IANA decision — presumably including the delegation or redelegation of a TLD — could be appealed to this IAP. This function would very probably be outsourced on a case-by-case basis to an existing arbitration body.
Is this worrying? Arbitration panels handling new gTLD disputes haven’t exactly inspired confidence in their ability to provide consistent — or even rational — decisions over the last year or so. Should the last word on what goes into or stays out of the DNS root really go to the same folk who think .通販 and .shop are too confusingly similar to coexist on the internet?
There doesn’t appear to be anything massively surprising in the proposal. When ICANN or its community try to solve a problem the answer is usually a new committee, and the ideas of MRTs, CSPs and IAPs do seem to mirror existing structures to an extent.
The whole thing can be downloaded and read over here.
There’s a December 22 deadline for comment. It will be submitted to the IANA Stewardship Transition Coordination Group by the end of January, with a view to getting a final proposal to the US government next summer in time for the hoped-for September 30 handover date.
Could you tolerate an eight-day ICANN meeting?
Could you get all your work done in just four days?
Would you be happy to wait up to nine months between Public Forums?
Do you want to see more regional dancing during ICANN opening ceremonies?
These are questions you’re going to have to start asking yourself, because come 2016 ICANN meetings are in for a big change.
Recommendations adopted wholesale by the ICANN board last week would scrap the current schedule of three six-day meetings and replace it with one six-day meeting at the start of the year, one four-day meeting in the middle and one eight-day meeting towards the end.
The first of the year would be formatted pretty much the same as all meetings are currently.
The second, however, would scrap formalities such as the opening ceremony, as well as the Public Forum and public board meeting. Instead, the focus would be on policy development work within and between advisory committees and supporting organizations.
The final meeting of the year, the AGM, would add two extra days to the regular schedule for outreach sessions and SO/AC policy-making. There would be two Public Forum sessions, one immediately after the opening ceremony on day three, the other on day six as usual.
As this would be the official outreach “event” of the year, the opening ceremony would usually have some display of local culture, such as music or dance. That was once a staple of ICANN meetings, but we haven’t seen much of it the last couple of years.
The third meeting of the year “would have a focus on showcasing ICANN’s work to a broader global audience”, according to the report. It would have an anticipated attendance of over 2,000 people and would therefore likely be held in a large hub city.
The smaller (it is anticipated) second meeting, with its reduced focus on formality and outreach, would (contrarily) be able to visit cities with smaller facilities, perhaps in parts of the world ICANN has not been able to visit before, the report says.
To be honest, I’m not really sure whether what’s been adopted will be any better than what’s in place today.
I’m pretty certain of one effect, however: if bombshells are dropped shortly after the first meeting of the year, you’re looking at somewhere between seven and nine months before you’ll be able to stand at a mic and yell at the ICANN board about it in public.
It will soon be much harder for cybersquatters to take flight to another registrar when they’re hit with a UDRP complaint.
From July 31 next year, all ICANN-accredited registrars will be contractually obliged to lock domain names that are subject to a UDRP and trademark owners will no longer have to tip off the registrant they’re targeting.
Many major registrars lock domain names under UDRP review already, but there’s no uniformity across the industry, either in terms of what a lock entails or when it is implemented. Under the amended UDRP policy, a “lock” is now defined as:
a set of measures that a registrar applies to a domain name, which prevents at a minimum any modification to the registrant and registrar information by the Respondent, but does not affect the resolution of the domain name or the renewal of the domain name.
Registrars will have two business days from the time they’re notified about the UDRP to put the lock in place.
Before the lock is active, the registrants themselves will not be aware they’ve been targeted by a complaint — registrars are banned from telling them and complainants no longer have to send them a copy of the complaint.
If the complaint is dismissed or withdrawn, registrars have one business day to remove the lock.
Because these changes reduce the 20-day response window, registrants will be able to request an additional four calendar days (to account for weekends, I assume) to file their responses, and the request will be automatically granted by the UDRP provider.
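For a registrar engineer the lock definition quoted above translates into EPP domain status codes, and the two-day and one-day deadlines into calendar arithmetic. The following added example is mine, not ICANN’s or any registrar’s code, and the mapping of the policy language onto RFC 5731 status values is my reading of that definition: “registrant and registrar information” frozen means clientUpdateProhibited plus clientTransferProhibited, while “does not affect the resolution or the renewal” rules out introducing clientHold or clientRenewProhibited. The business-day rule (Monday to Friday, no holidays) is an assumption, since the policy text does not define the term. It also covers the case the text leaves implicit: a lock added on top of statuses the registrar set for other reasons must not strip them on release.

```python
from datetime import date, timedelta

# EPP domain status values (RFC 5731) that a registrar can set itself.
# Mapping the UDRP lock definition onto these is this example's reading of
# the policy text, not language from the policy.
UPDATE = "clientUpdateProhibited"      # freezes registrant (contact) changes
TRANSFER = "clientTransferProhibited"  # freezes change of registrar
HOLD = "clientHold"                    # takes the name out of the zone
RENEW = "clientRenewProhibited"        # blocks renewal

REQUIRED = frozenset({UPDATE, TRANSFER})  # "at a minimum" per the definition
FORBIDDEN = frozenset({HOLD, RENEW})      # would affect resolution or renewal


def apply_udrp_lock(statuses):
    """Add only what the lock needs; remember what was added so that statuses
    set for other reasons (an abuse hold, say) survive the eventual unlock."""
    before = frozenset(statuses)
    added = REQUIRED - before
    return before | added, added


def release_udrp_lock(statuses, added):
    """Undo exactly the lock's own additions when the complaint is dismissed
    or withdrawn; anything else on the name is left alone."""
    return frozenset(statuses) - added


def lock_is_compliant(before, after):
    """Check a lock transition against the definition: the minimum statuses
    are present, the lock introduced nothing that touches resolution or
    renewal, and the lock removed nothing that was already there."""
    before, after = frozenset(before), frozenset(after)
    introduced = after - before
    return REQUIRED <= after and not (introduced & FORBIDDEN) and before <= after


def add_business_days(start, days):
    """Assumption: business day = Monday to Friday, no holidays, in the
    registrar's local calendar. `start` may be a date or an ISO date string."""
    current = date.fromisoformat(start) if isinstance(start, str) else start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def lock_deadline(notified):
    """Two business days from notification of the complaint."""
    return add_business_days(notified, 2)


def unlock_deadline(dismissed):
    """One business day from dismissal or withdrawal."""
    return add_business_days(dismissed, 1)


if __name__ == "__main__":
    current = {"clientDeleteProhibited"}       # constructed: a pre-existing status
    locked, added = apply_udrp_lock(current)
    print("locked:", sorted(locked), "compliant:", lock_is_compliant(current, locked))
    print("released:", sorted(release_udrp_lock(locked, added)))
    print("notified Fri 2015-07-31, lock due by", lock_deadline("2015-07-31"))
```

The compliance check deliberately compares the before and after status sets rather than the after set alone: a name already on clientHold for abuse reasons is not made non-compliant by a UDRP lock, but a lock that itself puts the name on hold, or that quietly drops a status the registrar had set for another reason, is.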
The new policy was brought in to stop “cyberflight”, a relatively rare tactic whereby cybersquatters transfer their domains to a new registrar to avoid losing their domains.
The policy was approved by the Generic Names Supporting Organization in August last year and approved by the ICANN board a month later. Since then, ICANN staff has been working on implementation.
The time from the first GNSO preliminary issue report (May 27, 2011) to full implementation of the policy (July 31, 2015) will be 1,526 days.
You can read a redlined version of the UDRP rules here (pdf).