If the rise of phishing has taught us anything, it's that on the Internet, if a digital asset has value, there's somebody out there who wants to steal it. Whether it's a bank account password, a credit card number, a PayPal login, or even a magic sword in an online game, there's a fraudster somewhere trying to misappropriate it for his or her own nefarious purposes.

Domain names have always been a target for such criminals. Companies and individuals doing business online have few assets more valuable than their domain name. It may cost $10 or less to register one, but the domain name is the glue that connects a company to its customers; revenue and brand equity depend upon its security.

Domain theft is not a new phenomenon, of course. Sex.com, for example, was hijacked all the way back in 1995, when there was only one registrar. Its true registrant had to spend years in court to retrieve it. In more recent years, high-profile domains such as Panix.com, Baidu.com and even ICANN.org have been temporarily stolen by attackers using social engineering to exploit process vulnerabilities at domain name registrars.

It's surprising, given that domain name hijacking predates the creation of the competitive registrar market itself, that the industry has not done more in the last decade to mitigate the risks. ICANN's Security and Stability Advisory Committee (SSAC) noted as recently as last year that "pure play, secure registration service providers are rare, in part due to the fact that evaluating security measures does not play as prominent a role in customer decisions when choosing a registrar as it should."

However, registrant apathy regarding security may already be changing, according to a recent survey of savvy registrants.

There are three areas where registrars, in general, have room for improvement when it comes to security.

1. Better Authentication

The simple username/password authentication approach so common at Registrars has repeatedly been found vulnerable to social engineering attacks and should not be considered strong enough security for high-value domain name accounts. This is especially true when automated password reminders are available. If all an attacker needs to do is compromise a password or e-mail address in order to have complete control over a domain portfolio, registrants have the right to ask for stronger authentication.

Nowadays, it's common practice for large financial institutions to allow, or even require, multi-factor authentication before giving customers access to valuable assets. But it's not just banks. After the phishing black market put a dollar value on World of Warcraft accounts, the game's developer had to start offering players one-time password tokens, in the form of key fobs, as a second authentication factor, to decrease fraud.

When you think about it, the fact that magic swords are sometimes offered a greater degree of protection than domain names is pretty crazy.

2. Notifications

When someone logs into a registrar domain account they are given virtually the “keys to the kingdom” for that organization’s entire domain portfolio and DNS settings. If domain account access is compromised, then all it takes for the criminal is to login to the registrar account, change the registrant and other contacts associated with the domain, and then either change the DNS information to point to a new site or transfer the domains to a completely different registrar where it is difficult for to reclaim the names.

It is time registrants get routinely notified when such changes are made to their domain name portfolio, whether via e-mail, text or perhaps even telephone for the most critical items. The best scenario is to notify two or more authorized employees to provide for shift changes and/or redundancy. Social engineering is the attack of choice for hijacking domains, and it's harder to impersonate two people than one.

Because e-mail accounts are easier to compromise than phone numbers, using out-of-band communications channels, such as telephone or SMS text message, could also increase security.

3. Access Control

Usually, authenticated registrants have global privileges: they can change name servers, transfer out domains or cancel renewals, for example. The risk of domain hijacking could be further mitigated by employing more granular access controls once a customer has been "authenticated". Many registrants may wish to use a higher level of security on their primary domains, limiting critical privileges to certain high-status users. The learning curve here could be eased somewhat by the fact that existing registrar Whois records already usually describe at least three roles – the administrative, technical and billing contacts.

Registrars should enable Registrants to designate different contacts for different authority levels. This would accord Registrants the choice of better protection.

 

None of these measures need to be a drain on registrars' margins. Indeed, once in place, these will save money that is now spent resolving disputes after the fact by making criminal activity more difficult. Further, with domain name registrants increasingly looking at registrars' security provisions before they make their purchasing decisions, the opportunity presented by value-added premium services, designed for security and marketed to customers with high-value domain portfolios, should be obvious. Criminals look for the softest targets; with a little effort in just 3 areas, registrars can significantly improve the security they provide for registrants.

For more reading on this topic, see SSAC’s advisory to registrars on improving security: SAC040

(Disclosure: I am one of the charter members of SSAC)

Fourth annual .INFO Awards program will offer US$15,000 in prizes

DUBLIN, IRELAND – 10 August 2010 – Afilias, a global provider of Internet infrastructure services and registry for the .INFO top-level domain (TLD), today announced the opening of its fourth annual .INFO Awards program which recognizes the best .INFO websites around the world. From August 9th to September 10th any .INFO domain owner may submit their website to the .INFO Awards for a chance to win honors as the “Best .INFO website of 2010.”

“.INFO is an intuitive domain name choice for anyone looking to share their information with the world,” said Roland LaPlante, Chief Marketing Officer for Afilias. “.INFO has been the most successful new TLD ever launched, as evidenced by the millions of sites now operating worldwide. The .INFO Awards program not only gives us the opportunity to highlight the best .INFO sites from around the world, but also to allow Internet users to voice their support for their favorite ones.”

 Afilias first launched the .INFO Awards program in Germany in 2007 and expanded the awards internationally in 2009. 2010 will mark the fourth year of honoring the best .INFO websites and highlighting the usefulness that the .INFO domain has added to the Internet in the nine years since its debut.

Qualifying submissions will be evaluated by a panel of online and media experts based on five key criteria including: presentation of content, functionality of the website, design, usability, and originality. The panel of judges will be announced on August 17th and will consist of experts in the fields of websites, design, and media.

A shortlist of the 10 finalists based on the judges’ scores will be published on October 5, 2010. Members of the public will then be able to vote for their favorite of the top 10 sites until November 2 at 11:59 pm ET. The public votes will be combined with the judges’ scores to select the top 3 winners, with first place being named the “Best .INFO website of 2010.” Winners will receive cash prizes allocated as: US$7,500 for first place, US$5,000 for second place, and US$3,000 for third place.

 For details on entry requirements and restrictions please visit the Awards Rules. For more details on the .INFO Awards or to submit your site visit www.INFO-award.info.

About .INFO:

.INFO was the first generic, unrestricted TLD to be launched since .com and is the most successful new TLD launched in over 25 years. Registrations in .INFO first became available in 2001. Since then, .INFO has grown to become the fourth largest gTLD in the world with over 6 million domain names registered. .INFO Domains are currently available in ten Internationalized Domain Name (IDN) scripts. For more information on .INFO please visit www.info.info.

About Afilias:

Afilias is a global provider of Internet infrastructure services that connect people to their data. Afilias’ reliable, secure, scalable, and globally available technology supports a wide range of applications including Internet domain registry services, Managed DNS, and services in the RFID and supply chain market with its Afilias Discovery Services. For more information on Afilias please visit http://afilias.info.

###

What were you doing this week back in 1985? Answer: Probably watching the debut of Back to the Future, a early Steven Spielberg movie which incorporated novel uses of technology to travel in time. During that same time in 1985, however, another innovative use of technology was also making its debut—one with much greater implications for improving our lives on a global scale.

On July 10, 1985 the first .ORG domain name – mitre.org – was registered, joining the initial registrations in .com and 5 other “generic top level domains” in the Internet’s Root zone. This date marks the starting point of the Internet revolution by allowing Internet users to locate online resources by easy-to-remember names instead of complex numbers. Making the Internet more accessible has spurred global economic development, improved freedoms and increased access to knowledge for the last 25 years.

Afilias is pleased to be a partner with .ORG, The Public Interest Registry (PIR) in supporting the millions of .ORG domains now in use worldwide. We are proud to provide state of the art registry and DNS services which ensure that .ORG is a reliable and secure home for the millions of organizations worldwide who depend on their .ORG online identity to pursue their missions. We have worked closely for the past seven years with PIR and its parent organization, the Internet Society (ISOC), to continuously upgrade the critical infrastructure supporting .ORG to meet the needs of both current and future Internet users. The recent deployment of a significantly upgraded security technology, DNSSEC, across the .ORG domain is but one example of how PIR, ISOC and Afilias join together to ensure the .ORG domain is exemplary, safe and trusted.

Since 2003, when PIR became the steward of .ORG, .ORG has grown by almost 300% to over 8 million domains. This growth is a testament to the dedicated and focused team at PIR, the secure and reliable technology underpinning the registry, and to the engaged base of active registrars, who serve the expanding core of .ORG registrants and the larger universe of .ORG Internet users. The achievements of .ORG over the past twenty-five years in general and the seven years in particular point to a great renaissance and a period of extraordinary activity and success for .ORG, and bode well for the next twenty-five years.

The entire team at Afilias congratulates Alexa Raad, CEO of PIR, her team, ISOC and the Internet community on achieving this important and historic milestone. Happy Birthday .ORG!

To see a timeline of the History and Growth of .ORG, please click here.

The barriers to DNSSEC adoption are quickly disappearing. There are nearly 20 top-level domains that have already deployed DNSSEC including generic TLDs like .org and .gov. This July, the DNS root will also be signed, and will begin validating DNSSEC queries. At this point, the decision for remaining TLDs to deploy DNSSEC is really no longer a question. In fact, as it stands today, all new TLDs approved by ICANN will be required to have DNSSEC deployed at launch.

Afilias already supports .ORG’s deployment of DNSSEC and provides secondary DNSSEC service for other ccTLDs. Our experience in deploying DNSSEC demonstrates that you need to plan for an increase in strain on your DNS network if your ccTLD or gTLD plans to deploy DNSSEC.

Deploying DNSSEC will have three main effects on your DNS operations:

Larger Zone File Size

For every signed domain, your zone file will now have to store and provide not only the original DNS information such as Start of Authority (SOA) and other Resource Records, but also a digital signer record (DS) to point to the Public Key as well as the actual signature record (RRsig) for each RRset in your zone file for which you are authoritative.

On average, you should expect your zone file to increase 4-6 times its current size.

More than 50% of the DNS traffic Afilias serves today already requests DNSSEC information. When you sign your zone, you will be serving signature information immediately.

Delivering a larger zone file that is serving more records for every DNS query will increase the daily strain on your DNS servers, and could result in increased response times.

Greater Bandwidth Requirements

DNSSEC-enabled responses contain more information because they are now carrying an additional set of information (signatures and keys) that go along with every DNS query. On average, a DNSSEC response is about twice the size of a non-DNSSEC response.

You will need to factor in more bandwidth and processing power to handle larger responses for each DNSSEC query that you need to serve. Some of this is dependent on the DNSSEC configuration choices you make.

While our experience shows that the bandwidth increase associated with a signed zone is not orders of magnitude higher than an unsigned zone, we recommend that you plan for at least a 2-4 times increase in bandwidth required to respond to normal DNS query volume.

Increased DNS Traffic

There are a few reasons why you may see an overall bump in DNS traffic just because you enable DNSSEC.

DNS uses UDP, a lightweight protocol, to return responses for most DNS queries. BIND 9.4.x and earlier versions limit UDP responses to 512 bytes. Since DNSSEC information is larger, responses can be truncated, thereby forcing validating resolvers to ask for the DNSSEC information again using TCP. Most signed TLDs to date report a 1-2% TCP traffic increase overall.

 

Solving for these three significant operational impacts could cost you time, money and pull your resources away from other critical projects. And, it may even deter you from implementing DNSSEC even though it has become an essential part of TLD management.

We would like to suggest a simple solution that will lighten your load: back-up your DNS with a Secondary provider.

Why? It will reduce your overall risk by offloading part of your traffic onto someone else’s network that has already planned for higher peak capacities. It provides a more economical solution by minimizing the overall expense and capital requirements to expand your existing DNS network. And more importantly it provides a virtual insurance plan against unexpected traffic spikes not just for DNSSEC, but any DNS traffic spike or malfunction whether caused by network failure, DDoS, or a natural disaster affecting the geographic location of your existing nodes.

It’s easy, it’s economical and it makes your infrastructure more resilient.

Register now for a free Web Seminar “Lessons from the Trenches: Deploying DNSSEC” on June 9, 2010, featuring leaders from the .SE registry, .ORG The Public Interest Registry, Shinkuro, and Afilias. Register now.

If you are a new TLD applicant, one of the key pieces of your plan is how you intend to go to market. Many applicants will be required by ICANN to use registrars, and there are many good reasons for this. Registrars understand the domain business, they are experienced domain marketers and most importantly, they have existing business relationships with many of the same registrants you will need to make your TLD successful.

The question is: HOW do you get registrars to support YOUR new TLD? Afilias has more experience introducing new TLDs to registrars than anyone, and we’d like to suggest 3 principles for success:

1. First, choose an attractive string: The most important reason for a registrar to support you is if your TLD will sell. Make sure your string has a strong reason for being—that it adds value to the Internet and will serve a market that will buy it!
2. Second, Provide Support: Be sure to give registrars tools that will help them sell your TLD. For example you’ll need to ensure competitive pricing and provide marketing materials and promotional support. Plan to work as a TEAM with your registrars
3. Third, Keep it simple: Registrars are going to be swamped with new offerings. If YOUR TLD is simpler to implement, your chances for success are better.
   • Simplicity begins with the accreditation process—Study what new TLDs have done in the past and don’t re-invent the wheel.
   • Pricing should also be simple and sustainable. Look at how registrars sell domains today and try to replicate that model.
   • And last, Technical systems must be familiar and standards-compliant: Registrars don’t have time to learn a whole new system. They will support TLDs that use systems they are familiar with, as it saves them time and money.

Registrars are the key to distribution so you must learn how to succeed through them. How? Choose an attractive string, provide appropriate support for your registrars, and keep it simple for them.

Of course, it isn’t quite that simple. That’s why you should work with an expert who is already dealing with registrars and has done this for many new TLDs before. Afilias already has a group of accredited registrars that together support over 90% of the active domain name marketplace. This coupled with our registry technology which already supports 15 different TLDs, has the kind of experience you’ll need in gaining distribution to make your new TLD successful.

Afilias is a sponsor of the 12th AfriNIC Public Policy Meeting and AfNOG.

• ‹ previous
• 65 of 78
• next ›

Over the last three years, the Anti-Phishing Working Group’s semiannual Global Phishing Survey has become a widely cited source of information about the state of phishing and its place in the Internet landscape. Afilias’ Director of Domain Security, Greg Aaron, has been co-authoring these reports with Rod Rasmussen of Internet Identity, with the goal to show the community what phishers are doing and how anti-abuse measures are effective. The newly published edition of the report highlights how criminals have utilized the domain name space, but offers good news about the domain name community has helped diminish the effects of some very dangerous phishing. It’s an encouraging success story.

The new Global Phishing Survey reveals that in the second half of 2009, the Avalanche phishing gang perpetrated two-thirds of all phishing attacks on the Internet! This criminal entity utilizes a botnet comprised of consumer-level computers to host its phishing and malware too. By running its own distributed, illegal hosting, the gang tries to make its phishing “bullet-proof” – resistant to take-down because there’s no traditional hosting provider to call. But such phishing can be stopped by suspending the domain names. Fortunately we saw a number of domain name registrars and registries shut down Avalanche phishing in an increasingly effective fashion, often neutralizing the phishers’ technical advantage.

In the second half of 2009, we saw Avalanche registered 4,141 domain names in various TLDs, and hosted up to 40 separate attacks on each domain. Avalanche prefers to register domains at registrars that react slowly (or not at all) to abuse reports and/or have weak fraud-detection routines. Similarly, Avalanche prefers TLDs where the registry operators do not have effective anti-abuse policies and procedures to help the registrars and provide swift action when needed. Unfortunately, we saw Avalanche victimize certain registrars and TLDs over and over again.

Avalanche and similar threats have prompted many industry members to adopt best practices to fight phishing and other criminal abuses. Afilias adopted its .INFO Anti-Abuse Policy in 2007, defining what constitutes abusive use, and reiterating the registry’s right to take action. Registrars also have terms of service in their registration agreements, and those terms prohibit illegal activities and allow the registrars to suspend domain names at their discretion. In practice, Afilias monitors for phishing and other problems in the .INFO space, and communicates abuse reports and documentation to its registrars. The registrars examine the reports and work on mitigation as they feel appropriate. On occasion Afilias will also suspend domains directly, especially to stop large-scale abuse in a timely fashion. This kind of cooperation and information-sharing is adaptable and effective, allows registrars and registries to install good process, and appropriately manage risk. On a daily basis, it saves thousands of Internet users from becoming victims.

The 2009 data shows that Avalanche phish stayed up for less than half the time as other phish—a great result. How did it happen? First, the entire response community concentrated attention on Avalanche, pushing phishing attack alerts to each other. That response community includes the banks and online services targeted by the phishers, security companies and researchers, registries, and registrars. Second, a number of registrars and registries took quick action, looking for Avalanche domains and killing them through the summer and fall of 2009. Education and data sharing clearly helped. In November 2009, members of the security community shut down Avalanche’s infrastructure for a week. After re-establishing its operations, Avalanche kept registering domains, but launched fewer attacks. Avalanche attacks decreased from 26,411 in October 2009 to just 59 in April 2010. We’ll continue to monitor Avalanche, but it appears that overall, the domain industry may be more prepared for whatever comes next.

The median up-time for all phishing attacks on the Internet has fallen remarkably over the past two years, from 19 hours 30 minutes in early 2008 to 11 hours 44 minutes in the second half of 2009. The falling times point to improved awareness, responsiveness, and detection across the board. Here at Afilias, our policies and procedures have dissuaded phishers like Avalanche from registering .INFO domains, and non-Avalanche phish in .INFO stayed alive for less than half the industry average.

The results above emphasize the effectiveness of best practices and processes. Domain industry players are becoming increasingly sophisticated about e-crime, and can greatly improve the safety of the Internet for everyone.

To see all the details, please read the new APWG report, at: http://www.apwg.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf

Afilias' Desiree Miloshevic will be chairing this panel discussion entitled 'How long will the Internet remain a level playing field?' on Net neutrality at the University of Surrey, Guildforde. Networking and refreshments at 19.00 with the debate starting at 19.30. Visit the Web link to register for this free event!

Afilias is a Gold Sponsor the 38th ICANN Meeting in Brussels.  We will be sponsoring the DNSSEC Workshop on Wednesday from 9:00 - 13:30 in the Silver room on Level 1.  Afilias is also a sponsor of the ccNSO lunch on Tuesday, June 22nd.

Due to the many groups that did not attend this month's ICANN meeting in Nairobi for various reasons,  I don't think anyone expected the meeting to result in major decisions on new TLD issues we've been debating for over a year.  However, that is exactly what happened.

The proposed Expressions of Interest (EOI)
Going into the ICANN meeting, many expected the EOI process to be approved. The EOI would have required interested new TLD applicants to confirm their interest and place a $55,000 deposit against their new TLD application. Over the course of the meeting, however, a number of groups expressed concerns that the EOI would in effect be a pre-application process that would preclude future applicants from getting a shot at their TLD. After listening to feedback from the community, the ICANN Board dismissed the EOI process in favor of just proceeding with the round.

From Afilias' perspective, we think this decision was wise because it will accelerat the nTLD launch process by re-focusing the community on resolving the remaining issues instead of debating an entirely new process.  Further, ICANN can now work on increasing awareness of the opportunity so that when the round does open,  more entities will feel informed and ready to commit.

Vertical Integration
The ICANN board elected to maintain today's registry and registrar separation requirements that prevent a registry from acting as a registrar in a TLD that it also operates. This separation policy has historically provided important consumer protections and safeguarded the current fair marketplace.  Rather than rushing into a significant rules change, ICANN is following its "bottoms up" mandate by allowing the GNSO PDP process to complete.  The PDP process allows for full discussion of the pros and cons and generally enables community consensus to become clear.

Trademark protection
Most of the trademark issues either have been resolved or are close to resolution. Key intellectual property protection mechanisms will include: a centralized trademark clearinghouse which will validate trademarks and provide data for pre-launch or sunrise services; a uniform rapid suspension (URS) process that will enable trademark holders to quickly suspend any infringing registrations; and guidelines for addressing malicious conduct.  

Security 
The concept of a High Security Zone (HSZ) is being refined through the work of an advisory group. In effect, this would give HSZ registries a trust seal if they adhere to higher security standards for operating their registry and potentially compel registrars to verify registrant data.  In addition to this security discussion, various zone file access models are currently being reviewed.

Root Zone Scaling 
ICANN completed the Root Zone Scaling study and expects reports from the SSAC and RSSAC soon. In addition, a model is being developed to assess the impact on the Root of varying numbers of new TLDs over various time frames.

Economic impact 
ICANN has retained various consultants to assess the economic implications of a new TLD round, including defensive registration costs and assessments of the overall economic benefit to the Internet community. Final findings on this issue have yet to be issued.

new TLD character format
ICANN has been working for some time on introducing internationalized domain names at the top-level (otherwise known as IDN.IDN). ICANN is moving cautiously here to avoid any issues with variants that might cause collisions in the DNS.  While the applications for countries are on a separate fast-track process, new TLD applicants may also apply for their new TLD in an IDN string, or the IDN equivalent(s) to the ASCII string they are proposing. The burden will be on the applicant to document any variant issues and address them before delegation will be permitted.  As part of the new TLD process, ICANN will also consider 2-character TLDs in certain circumstances (relaxing the historical 3 character minimum restriction), but one character TLDs will be prohibited for the time being.

We can expect a lot of work to be done between now and the next ICANN meeting in Brussels this June on the subject of new TLDs.  The key take away, however, is that the process is nearly final.  Therefore, if you are going to apply for a new TLD, now is the time to formalize your plans and select your registry and DNS provider.