It’s 2014. Does anyone in the domain name business still fall for phishing attacks?
Apparently, yes, ICANN staff do.
ICANN has revealed that “several” staff members fell prey to a spear-phishing attack last month, resulting in the theft of potentially hundreds of user credentials and unauthorized access to at least one Governmental Advisory Committee web page.
According to ICANN, the phishers were able to gather the email passwords of staff members, then used them to access the Centralized Zone Data Service.
CZDS is the clearinghouse for all zone files belonging to new gTLD registries. The data it stores isn’t especially sensitive — the files are archives, not live, functional copies — and the barrier to signing up for access legitimately is pretty low.
But CZDS users’ contact information and login credentials — including, as a matter of disclosure, mine — were also accessed.
While the stolen passwords were stored as salted hashes rather than in the clear, ICANN is still forcing all CZDS users to reset their passwords as a precaution. The organization said in a statement:
The attacker obtained administrative access to all files in the CZDS. This included copies of the zone files in the system, as well as information entered by users such as name, postal address, email address, fax and telephone numbers, username, and password. Although the passwords were stored as salted cryptographic hashes, we have deactivated all CZDS passwords as a precaution. Users may request a new password at czds.icann.org. We suggest that CZDS users take appropriate steps to protect any other online accounts for which they might have used the same username and/or password. ICANN is providing notices to the CZDS users whose personal information may have been compromised.
As a victim, this doesn’t worry me a lot. My contact details are all in the public Whois and published on this very web site, but I can imagine other victims might not want their home address, phone number and the like in the hands of ne’er-do-wells.
It’s the second time CZDS has been compromised this year. Back in April, a coding error led to a privilege escalation vulnerability that was exploited to view requests by users to new gTLD registries.
Also accessed by the phishers this time around were several pages on the GAC wiki, which is about as interesting as it sounds (ie, not very). ICANN said the only non-public information that was viewed was a “members-only index page”.
User accounts on the ICANN blog and its Whois information portal were also accessed, but apparently no damage was caused.
In summary, the hackers seem to have stolen quite a lot of information they could have easily obtained legitimately, along with some password hashes that may allow them to cause further mischief if they can be cracked.
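As an added illustration (my own example, not code from the post or from ICANN), this is what "salted cryptographic hashes" means in practice: each user gets a random salt, the password is run through a slow key-derivation function, and only the salt and the derived key are stored. A stolen table therefore cannot be reversed, only guessed against one record at a time, and two users who chose the same password end up with different records. The choice of PBKDF2-HMAC-SHA256 and the iteration count are my assumptions, not anything ICANN has disclosed about CZDS.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example; a real deployment tunes these to its hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a stored record (salt, key) for a password.

    A fresh random salt is generated per user unless one is supplied
    (supplying one is only needed when re-deriving for verification).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def same_password_different_records(password: str) -> bool:
    """Show why salting matters: two users with the same password get different stored keys,
    so one precomputed table cannot be used against the whole stolen user list."""
    _, key_a = hash_password(password)
    _, key_b = hash_password(password)
    return key_a != key_b


if __name__ == "__main__":
    # Constructed sample, not a real CZDS credential.
    salt, key = hash_password("correct horse battery staple")
    print("verify correct:", verify_password("correct horse battery staple", salt, key))
    print("verify wrong:  ", verify_password("wrong guess", salt, key))
    print("salt makes records unique:", same_password_different_records("shared-pw"))
```

The forced reset ICANN describes is the right response even with salted hashes: salting stops bulk precomputation, but it does not stop an attacker with the table from guessing weak passwords offline, and any password reused on another site is exposed the moment one guess lands.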
It’s embarrassing for ICANN, of course, especially for the staff members gullible enough to fall for the attack.
While the phishers made their emails appear to come from ICANN’s own domain, presumably their victims would have had to click through to a web page with a non-ICANN domain in the address bar in order to hand over their passwords.
That’s not the kind of practice you’d expect from the people tasked with running the domain name industry.
ICANN’s board of directors has decided to formally disagree with its Governmental Advisory Committee for what I believe is only the second time in the organization’s history.
In a letter to new GAC chair Thomas Schneider today, ICANN chair Steve Crocker took issue with the fact that the GAC recently advised the board to cut the GNSO from a policy-making decision.
The letter kick-starts a formal “Consultation Procedure” in which the board and GAC try to reconcile their differences.
It’s only the second time, I believe, that this kind of procedure — which has been alluded to in the ICANN bylaws since the early days of the organization — has been invoked by the board.
The first time was in 2010, when the board initiated a consultation with the GAC when they disagreed about approval of the .xxx gTLD.
It was all a bit slapdash back then, but the procedure has since been formalized somewhat into a seven-step process that Crocker outlined in an attachment to his letter (pdf) today.
The actual substance of the disagreement is a bit “inside baseball”, relating to the long-running (embarrassing, time-wasting) saga over protection for Red Cross/Red Crescent names in new gTLDs.
Back in June at the ICANN 50 public meeting in London, the GAC issued advice stating:
the protections due to the Red Cross and Red Crescent terms and names should not be subjected to, or conditioned upon, a policy development process
A Policy Development Process is the mechanism through which the multi-stakeholder GNSO creates new ICANN policies. Generally, a PDP takes a really long time.
The GNSO had already finished a PDP that granted protection to the names of the Red Cross and Red Crescent in multiple scripts across all new gTLDs, but the GAC suddenly decided earlier this year that it wanted the names of 189 national Red Cross organizations protected too.
And it wasn’t prepared to wait for another PDP to get it.
So, in its haste to get its changing RC/RC demands met by ICANN, the GAC basically told ICANN’s board to ignore the GNSO.
That was obviously totally uncool — a slap in the face for the rest of the ICANN community and a bit of an admission that the GAC doesn’t like to play nicely in a multi-stakeholder context.
But it would also be, Crocker told Schneider today, a violation of ICANN’s bylaws:
The Board has concerns about the advice in the London Communiqué because it appears to be inconsistent with the framework established in the Bylaws granting the GNSO authority to recommend consensus policies to the Board, and the Board to appropriately act upon policies developed through the bottom-up consensus policy developed by the GNSO.
Now that Crocker has formally initiated the Consultation Procedure, the process calls for a series of written and face-to-face interactions that could last as long as six months.
While the GAC may not be getting the speedy resolution it so wanted, the ICANN board’s New gTLD Program Committee has nevertheless already voted to give the Red Cross and Red Crescent the additional protections the GAC wanted, albeit only on a temporary basis.
New gTLD registries will be able to release all two-character strings in their zones, following an ICANN decision last week.
The ICANN board of directors voted on Thursday to instruct ICANN’s executive to
develop and implement an efficient procedure for the release of two-character domains currently required to be reserved in the New gTLD Registry Agreement
The procedure will have to take into account the advice of the Governmental Advisory Committee issued at the end of last week’s ICANN 51 meeting in Los Angeles.
But that advice merely asks that governments are informed when a registry requests the release of two-character names.
All two-character strings were initially reserved due to the potential for confusion with two-letter ccTLDs.
But the GAC decided in LA that it doesn’t really have a problem with such strings being released, with some governments noting that ccTLD second-levels such as us.com and uk.com haven’t caused a problem to date.
The board’s decision is particularly good news for dot-brand applicants that may want to run domains such as uk.google or de.bmw to service specific regions where they operate.
Registries representing over 200 new gTLDs have already filed Registry Service Evaluation Process requests for the release of some two-character strings (some including ccTLD matches, some not).
It’s not yet clear how ICANN will go about removing the two-character restriction.
It may be more efficient to offer all registries a blanket amendment to the RA rather than process each RSEP request individually as it is today.
However, because the GAC has asked for notification on a case-by-case basis, ICANN may be forced to stick to something along the lines of the existing procedure.
Campaigns in Bulgaria and Greece to get ICANN to un-reject their Cyrillic and Greek-script ccTLD requests have proven successful.
The first decisions handed down by ICANN’s new Extended Process Similarity Review Panel this week said Bulgaria’s .бг and Greece’s .ελ are not “confusingly similar” to other ccTLDs after all.
However, a third appeal by the European Union over the Greek .ευ was rejected on the grounds that the string is too confusingly similar to .EV and .EY when in upper case.
Confusing strings should not be delegated, under ICANN rules, due to the risk of exacerbating the prevalence of security risks such as phishing attacks.
Bulgaria’s initial request for .бг was turned down in 2010 after a panel found it looks too similar to Brazil’s existing ccTLD, .br.
Greece’s bid for .ελ had been blocked for looking too much like .EA, a non-existent ccTLD that could be delegated to a new country in future.
While the initial panel’s process was pretty opaque, the newly published “extended” reviews appear to have employed a fairly scientific methodology to determine similarity.
Twenty American undergraduate student volunteers were shown pairs of strings briefly on screens designed to simulate web browsing. They then had to pick out which one they’d seen.
The volunteers were also shown pairs of similar-looking Latin-script ccTLDs that already exist, in order to establish a baseline for what should be considered an acceptable level of confusability.
The Greek and Bulgarian strings were both found to be less confusing than existing pairs of Latin-script ccTLDs and were therefore given the thumbs-up. The EU string flunked in upper case.
Under ICANN’s rules, it appears that .бг and .ελ can now proceed to delegation, while .ευ has been forever rejected.
The three reports can be downloaded here.
It will be interesting to see how the ICANN Governmental Advisory Committee will react to this.
It was pressure from the GAC — driven by the European Commission and Greece — back in 2012 that forced ICANN into creating the appeals process.
At ICANN’s meeting in Prague that year, the GAC said:
The GAC is of the view that decisions may have erred on the too-conservative side, in effect applying a more stringent test of confusability between Latin and non-Latin scripts than when undertaking a side by side comparison of Latin strings.
Now the EU seems to have been told that it still can’t have its requested ccTLD, and the standard applied was exactly the same standard as applies to Latin ccTLDs.
Will the GAC accept this determination, or stomp its feet?
ICANN’s Governmental Advisory Committee has elected Thomas Schneider of the Swiss government as its new chair.
The unprecedented, one-nation-one-vote secret ballot election at the ICANN 51 public meeting in Los Angeles today saw Schneider beat Lebanon’s Imad Hoballah by 61 votes to 37.
He will take over from Canadian incumbent Heather Dryden at the end of the week.
Schneider is deputy head of international affairs at the Swiss Federal Office of Communications (Ofcom).
He currently serves as one of the GAC’s three vice chairs.
The election was overseen by the Australian Continuous Improvement Group, which provides the GAC with ICANN-independent secretariat services.