17 votes

US officials are ramping up criticism of the GDPR, which they say protects cybercriminals

13 comments

  1. [8]
    SpineEyE

    The argument of criminals being harder to catch just doesn't make sense. Long before the GDPR there were Domain Privacy services: providers that don't put their customers' details into the WHOIS database. In such cases, they would need a judge anyway.

    17 votes
    1. [7]
      skybrian

      Investigating Internet attacks isn't my area of expertise but it is Brian Krebs's beat and he's written quite a bit about it. He seems to think there is something to it.

      Whether or not cyber crooks do provide their real information is beside the point. ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.

      To understand why data reuse in WHOIS records is so common among crooks, put yourself in the shoes of your average scammer or spammer — someone who has to register dozens or even hundreds or thousands of domains a week to ply their trade. Are you going to create hundreds or thousands of email addresses and fabricate as many personal details to make your WHOIS listings that much harder for researchers to track? The answer is that those who take this extraordinary step are by far and away the exception rather than the rule. Most simply reuse the same email address and phony address/phone/contact information across many domains as long as it remains profitable for them to do so.

      This pattern of WHOIS data reuse doesn’t just extend across a few weeks or months. Very often, if a spammer, phisher or scammer can get away with re-using the same WHOIS details over many years without any deleterious effects to their operations, they will happily do so. Why they may do this is their own business, but nevertheless it makes WHOIS an incredibly powerful tool for tracking threat actors across multiple networks, registrars and Internet epochs.

      [...]

      It is true that some domain registrants do take advantage of WHOIS privacy services, but based on countless investigations I have conducted using WHOIS to uncover cybercrime businesses and operators, I’d wager that cybercrooks more often do not use these services. Not infrequently, when they do use WHOIS privacy options there are still gaps in coverage at some point in the domain’s history (such as when a registrant switches hosting providers) which are indexed by historic WHOIS records and that offer a brief window of visibility into the details behind the registration.

      6 votes
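One way to make the pivoting technique Krebs describes concrete, as an added example written for this page (not Krebs's tooling and not anything from the linked article): index historic WHOIS snapshots on registrant email and phone, refuse to treat privacy-proxy or redacted values as pivots so they cannot collapse every proxied domain into one cluster, and then group the domains that share a real value. The WHOIS snapshots, the domain names and the list of redaction markers are all constructed assumptions; one domain is given a proxy entry first and real details in a later snapshot, to show the "gap in coverage" case Krebs mentions.

```python
"""Pivot on reused WHOIS registrant data to cluster domains.

Added example for this thread; it is not Krebs's tooling or anything from
the linked article. The WHOIS snapshots below are constructed, not real
registrations, and the redaction markers are an assumed heuristic list.
"""
from collections import defaultdict

# Constructed historic WHOIS snapshots: (domain, snapshot_date, field, value).
# safe-bank-login.example shows the "gap in coverage" case: a privacy proxy
# at first, then real details exposed in a later snapshot after a registrar move.
SAMPLE_RECORDS = [
    ("shop-deals.example",      "2017-03-01", "email", "Bob@Mail.invalid"),
    ("shop-deals.example",      "2017-03-01", "phone", "+1.5550100"),
    ("fast-pharma.example",     "2018-01-15", "email", "bob@mail.invalid"),
    ("fast-pharma.example",     "2018-01-15", "phone", "+1.5550199"),
    ("pills-now.example",       "2019-06-10", "email", "REDACTED FOR PRIVACY"),
    ("pills-now.example",       "2019-06-10", "phone", "+1 555 0199"),  # same phone, other format
    ("safe-bank-login.example", "2016-09-02", "email", "registrant@privacyproxy.invalid"),
    ("safe-bank-login.example", "2016-09-02", "phone", "+1.5550001"),
    ("safe-bank-login.example", "2016-11-20", "email", "carol@mail.invalid"),
    ("safe-bank-login.example", "2016-11-20", "phone", "+1.5550001"),
    ("unrelated.example",       "2020-02-02", "email", "dave@mail.invalid"),
    ("unrelated.example",       "2020-02-02", "phone", "+1.5559999"),
]

# Assumed heuristic: values carrying these markers identify a privacy/proxy
# service or a GDPR redaction, not a registrant, so they must never be pivots.
REDACTED_MARKERS = ("REDACTED", "PRIVACY", "PROXY", "DATA PROTECTED")


def is_pivotable(value):
    """True if a WHOIS field value can identify a registrant rather than a proxy."""
    upper = value.upper()
    return bool(value.strip()) and not any(m in upper for m in REDACTED_MARKERS)


def normalize(field, value):
    """Canonicalize a field so trivial formatting differences still match."""
    if field == "email":
        return value.strip().lower()
    if field == "phone":
        return "".join(ch for ch in value if ch.isdigit())
    return " ".join(value.split()).lower()


def build_index(records):
    """Map each (field, normalized value) pivot to the set of domains using it."""
    index = defaultdict(set)
    for domain, _date, field, value in records:
        if is_pivotable(value):
            index[(field, normalize(field, value))].add(domain)
    return index


def linking_evidence(records):
    """Pivots shared by two or more domains, i.e. the links an analyst would cite."""
    return {key: sorted(doms) for key, doms in build_index(records).items() if len(doms) > 1}


def cluster_domains(records):
    """Union domains that share any pivot; returns sorted clusters (lists of domains)."""
    parent = {domain: domain for domain, *_ in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps the forest shallow
            x = parent[x]
        return x

    for doms in build_index(records).values():
        first, *rest = sorted(doms)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(set)
    for domain in parent:
        clusters[find(domain)].add(domain)
    return sorted(sorted(c) for c in clusters.values())


def exposed_emails(records):
    """Per domain, every non-proxy email seen in any snapshot: the historic-gap payoff."""
    seen = defaultdict(set)
    for domain, _date, field, value in records:
        if field == "email" and is_pivotable(value):
            seen[domain].add(normalize(field, value))
    return {domain: sorted(emails) for domain, emails in seen.items()}


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_RECORDS):
        print("cluster:", ", ".join(cluster))
    for (field, value), doms in sorted(linking_evidence(SAMPLE_RECORDS).items()):
        print(f"  shared {field} {value!r}: {', '.join(doms)}")
    print("emails exposed despite proxy use:", exposed_emails(SAMPLE_RECORDS))
```

Running it links three of the five constructed domains into one cluster through a reused email and a reused phone number (the phone survives even where the email was redacted), and surfaces the real email that the privacy-proxied domain leaked in its later snapshot. In practice the index would be fed from a historic WHOIS or RDAP source, and the redaction-marker list would need tuning per registrar.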
      1. pvik

        The top two articles from your link were an interesting read!

        However, they are both from Apr and March 2018. I wonder if someone has an updated article on what the current state is.

        Also, regarding this:

        To understand why data reuse in WHOIS records is so common among crooks, put yourself in the shoes of your average scammer or spammer — someone who has to register dozens or even hundreds or thousands of domains a week to ply their trade.

        I know laziness is generally the norm and not the exception, but I find it hard to grasp that there are no toolkits out there which automate this.

        2 votes
      2. [5]
        cfabbro

        Krebs failed to mention an important mitigating factor in all this though, which is that historical WHOIS and DNS records are still available to investigators via webcrawling, scraping, archival services that specialize in collecting and then selling that data (e.g. just google historical whois|dns).... so the GDPR doesn't actually make that data suddenly impossible to come by, which renders the "GDPR protects cybercriminals" criticism rather moot, IMO.

        1. [4]
          skybrian

          Well yes, but are the historical records getting added to for new domains? It seems like they would get increasingly stale and less useful? A gradual decay, perhaps?

          2 votes
          1. [3]
            cfabbro

            Well yes, but are the historical records getting added to for new domains?

            Yes. These services are constantly crawling the updated DNS records to look for new domains and altered records to then scrape the new WHOIS data from to keep their history up to date.

            It seems like they would get increasingly stale and less useful? A gradual decay, perhaps?

            Yeah, the data does eventually get stale and less useful, but you would probably be surprised how careless and shortsighted people often are, recycling old usernames, pseudonyms, fake addresses, and such, or even inadvertently exposing their real identity at some point and failing to scrub that data (or doing so but not realizing it was archived), which often comes to bite them in the ass years later when they are trying to hide their identity. See: Ross Ulbricht (was an old forum post that did him in, not WHOIS data, but the same principle applies).

            Old DNS/WHOIS records are a pretty trivial amount of data to store as well, all things considered, so these archival services rarely, if ever, do any clearing out of old data, in my experience. I haven't had to use one in years, but that was at least the case back when I did, and I don't imagine they have changed their practices much since then.

            edit: P.S. Here's a good NYT article with more details on the Ross Ulbricht AKA Dread Pirate Roberts story if you're interested in reading more: The Tax Sleuth Who Took Down a Drug Lord

            2 votes
            1. [2]
              skybrian

              Did anything change with GDPR that affects these services' crawlers?

              1 vote
              1. cfabbro

                TBH, not much. LOL! As I said in another comment below, the utility of WHOIS for cybercrime investigation was undermined more by the rise of the dark web (where most of the nefarious activity moved to) and domain privacy services than by anything the GDPR did.

                I guess the only real difference is that now you typically have to pay for access to the historical DNS/WHOIS data from companies intentionally breaking the GDPR by scraping, holding on to and selling that data (unless there is a provision I am unaware of that allows them to do it for "research purposes" or something), unless you scrape it yourself... which I imagine a lot of government intelligence/investigation agencies do anyways. So all it really did was make it a bit more of a PITA as a freelancer or non-government investigator, but still not impossible to work around.

                2 votes
  2. Surira

    They're just parroting talking points from the tech lobbying orgs like the Internet Association and the Information Technology Association. Try to criticize GDPR so much that the US won't consider anything of the sort. Classic playbook.

    15 votes
  3. [3]
    vektor

    Fix the DMCA and your damn anti-crypto agenda, and rein in your intelligence services, and I'll promise to appeal to my MEP. The USA shouldn't throw stones in this regard.

    Interesting though that the GDPR has that effect. I wouldn't expect WHOIS to be useful against cyber criminals. They surely know how to keep that leak shut. Unless the cyber criminals referred to are the petty kind. Pirates (the download side) for example. Those who don't know they're doing much wrong, take no precautions. I'm reasonably certain you're not catching kiddie porn or hackers or piracy uploaders with this. The involvement of the chamber of commerce doesn't help dissuade me either. Seems like it's more about commercial interests vs privacy than fighting serious crime. And if you are fighting serious crime, you can just bypass this whole thing with a warrant.

    8 votes
    1. [2]
      cfabbro

      WHOIS records actually used to be a reasonably powerful tool for cybercrime investigation (still are, to a degree), and not just against idiots who used their real info when registering. The information contained in them is often still valuable, even if falsified, if you cross-reference it with other data you have acquired on the subjects you are investigating. Being able to identify the host and registrar also allows for warrants to be served to collect more information from them, or covert surveillance to be put in place on the servers.

      But honestly, it's not the GDPR that killed the majority of WHOIS' utility in that department so much as the rise of the dark web and domain privacy services. So this particular criticism of the GDPR coming from the US is a pretty weak one, IMO, especially since historical data for WHOIS records is still available, if you know where to look for it and are willing to pay for it, despite the fact the services that collect and offer that information up for sale violate the GDPR.

      9 votes
      1. Death

        I think you're getting to a core point: you cannot fight crime by having all information available because criminals will by necessity find ways to circumvent it. The position that the GDPR is making it harder for law enforcement is essentially rooted in the same argument for mass surveillance: that there exists a tipping point at which criminals are no longer able to hide a paper trail. Personally I think it's a bogus argument and if it weren't so clearly being put forward in bad faith it'd deserve a public rebuttal.

        8 votes
  4. skybrian

    From the article:

    GDPR critics say the rules have made it harder to identify cybercriminals. Before the law came into effect in May 2018, they could issue a request via WHOIS to identify the owner of a domain name in a process that many say was simple and straightforward.

    After the law came into effect, however, it became much more complicated. Registrars — the entities that control domain names — became concerned that, if they complied with such requests, they could be sued for privacy violations under the GDPR. In many cases, law enforcement officials had to ask a judge to validate the request, a process that one EU law enforcement official said is "very slow" and "not effective."

    In February, a Republican Congressman introduced a bill to the House of Representatives demanding that domain name information be made readily accessible via WHOIS. Two months later, a group of 40 companies, trade associations and interest groups wrote to Vice President Mike Pence urging him to force internet registrars to identify cybercriminals for law enforcement purposes.

    [...]

    Multiple parties, including ICANN, the nonprofit that maintains the WHOIS database, and law enforcement agencies around the world, have called for WHOIS to be replaced by a more privacy-friendly system that would provide the same functionality for cybercrime investigators.

    In conversations with POLITICO, a range of critics including the U.S. Chamber of Commerce and two European law enforcement officials said that EU data protection authorities are refusing to clear up legal confusion about who could lawfully use such a system and under what conditions.

    "All of this has been a frustration for two years that has been building and building," said Sean Heather, senior vice president for international regulatory affairs at the U.S. Chamber of Commerce. "The Europeans should make clear that this [identifying suspected cybercriminals] is not a violation of the GDPR," he added.

    In response to such critiques, EU privacy officials said it is up to legal authorities in member countries to respond to law enforcement requests to identify domain name owners, and that no change to the GDPR is planned.

    [...]

    Dayman and other U.S. parties said they would prefer to avoid any sort of high-level clash over the GDPR, as doing so would only undermine the internet's global nature. The fact that European law enforcement agents shared their concerns about domain names and cybercrime would help to speed up the development of a new database, they said — a point corroborated by EU security officials.

    2 votes