Latest news of the domain name industry

Recent Posts

.berlin CEO prime suspect in ICANN data breach

dotBerlin CEO Dirk Krischenowski is suspected of using a bug in ICANN’s new gTLD portal to access hundreds of confidential documents, some containing sensitive financial planning data, belonging to competing gTLD applicants.

That’s according to ICANN documents sent by a source to DI today.

Krischenowski, who has through his lawyer “denied acting improperly or unlawfully”, seems to be the only person ICANN thinks abused its portal’s misconfigured search feature to deliberately access rivals’ secret data.

ICANN said last night that “over 60 searches, resulting in the unauthorized access of more than 200 records, were conducted using a limited set of user credentials”.

But ICANN, in private letters to victims, has been pinning all 60 searches and all 200 access incidents on Krischenowski’s user credentials.

Some of the incidents of unauthorized access were against applicants Krischenowski-run companies were competing against in new gTLD contention sets.

The search terms used to find the private documents included the name of the rival applicant on more than one occasion.

In more than once instance, the data accessed using his credentials was a confidential portion of a rival application explaining the applicant’s “worst case scenario” financial planning, the ICANN letters show.

I’ve reached out to Krischenowski for comment, but ICANN said in its letters to victims:

[Krischenowski] has responded through legal counsel and has denied acting improperly or unlawfully. The user has stated that he is unable to confirm whether he performed the searches or whether the user’s account was used by unauthorized person(s). The user stated that he did not record any information pertaining to other users and that he has not used and will not use the information for any purpose.

Krischenowski is a long-time proponent of the new gTLD program who founded dotBerlin in 2005, many years before it was possible to apply.

Since .berlin launched last year it has added 151,000 domains to its zone file, making it the seventh-largest new gTLD.

The bug in the ICANN portal was discovered in February.

The results on an audit completed last month showed that over the last two years, 19 users used the glitch to access data belonging to 96 applicants and 21 registry operators.

There were 330 incidents of unauthorized access in total, but ICANN seems to have dismissed the non-“Krischenowski” ones as inadvertent.

An ICANN spokesperson declined to confirm or deny Krischenowski is the prime suspect.

Its investigation continues…

Dumb ICANN bug revealed secret financial data to new gTLD applicants

Kevin Murphy, April 30, 2015, Domain Registries

Secret financial projections were among 330 pieces of confidential data revealed by an ICANN security bug.

Over the last two years, a total of 19 new gTLD applicants used the bug to access data belonging to 96 applicants and 21 registry operators.

That’s according to ICANN, which released the results of a third-party audit this afternoon.

Ashwin Rangan, ICANN’s new chief information and innovation officer, confirmed to DI this afternoon that the data revealed to unauthorized users included private financial and technical documents that gTLD applicants attached to their applications.

It would have included, for example, documents that dot-brand applicants reluctantly submitted to demonstrate their financial health.

But Rangan said it was not clear whether the glitch had been exploited deliberately or accidentally.

While saying the situation was “very deeply regrettable”, he added that applicant data deemed confidential when it was submitted back in 2012 may not be considered as such today.

The vulnerability was in ICANN’s Global Domains Division Portal, which was taken offline for three days at the end of February and early March after the bug was reported by a user.

Two outside consulting firms were brought in to scan access logs going back to the launch of the new gTLD portal back in April 2013.

What they found was that any user of the portal could access any attachment to any application, whether it belonged to them or a third-party applicant, simply by checking a radio button in the advanced search feature.

It was a misconfiguration by ICANN of the Salesforce.com software used by GDD, rather than a coding error, Rangan said.

“The public/private data sharing setting can be On or Off and here it was set to On,” he said.

On 330 occasions, starting “in earliest part of when the portal first became available” two years ago, these 19 users would have been exposed to data they were not supposed to be able to see.

The audit has been unable to determine whether the users actually downloaded confidential data on those occasions.

What’s confirmed is that only new gTLD applicants were able to use the glitch. No third-party hackers were involved.

The 19 users who, whether they meant to or not, exploited this vulnerability are now going to be sent letters asking them to explain themselves. They’ll also be asked to delete anything they downloaded and to not share it with third parties.

Before May 27, ICANN will also contact those applicants whose secret data was exposed, telling them which rival applicants could have seen it.

Rangan said that there have been almost 600,000 GDD sessions in the last two years, and that only 36 of them revealed data to unauthorized users.

“It’s a small fraction,” he said. “The question is whether they just stumbled across something they were not even aware of… Looking at the log files it is not clear what is the case.”

ICANN seems to be giving the 19 users the benefit of the doubt so far, but still wants them to explain their actions.

As CIO, Rangan was not able to comment on whether the breach exposes ICANN or applicants to any kind of legal liability.

It’s not the first time sensitive applicant data has been exposed. Back in 2012, DI discovered that the home addresses of the directors of applicants had been published, despite promises that they would remain private.

At the time of the original GDD portal misconfiguration, ICANN had noted security expert Jeff “The Dark Tangent” Moss as its chief security officer.

Earlier this week, ICANN’s board of directors authorized expenses of over $500,000 to carry out security audits of ICANN’s code.