[NA-Discuss] Policy Failure Enables Mass Malware: Part II (ICANN and OnlineNIC)

Wed Sep 29 19:11:13 UTC 2010

"ICANN’s vice president of government affairs for the Americas, Jamie Hedlund, said the meeting was “outside the scope of our role as the technical coordinator of the Internet’s unique identifiers.”

How is enforcing the provisions of the RAA outside the scope of its role?

This is nonsensical, and an embarrassment. Obviously there was some other political conversation that was had high up about -- something -- that we're not being told.

Oh, that and the fact ICANN has a dys(non)functional compliance section.

-----Original Message-----
>From: Garth Bruen at KnujOn <gbruen at knujon.com>
>Sent: Sep 29, 2010 2:21 PM
>To: na-discuss at atlarge-lists.icann.org
>Subject: [NA-Discuss] Policy Failure Enables Mass Malware: Part II (ICANN	and OnlineNIC)
>
>Folks,
>
>On Wednesday September 29th at 1PM there will be a meeting in the Old
>Executive Building in Washington D.C. with Registries and domain
>Registrars to discuss illegal Internet sales of prescription drugs
>(http://techdailydose.nationaljournal.com/2010/09/white-house-to-meet-with-icann.php).
>ICANN was originally invited but declined citing “inappropriateness”
>(http://domainincite.com/icann-will-not-attend-white-house-drugs-meeting/).
>One “U.S.” Registrar who definitely will not be in attendance is
>OnlineNIC. It has been known for some time that OnlineNIC’s purported
>Oakland California address is false
>(http://dotsnews.com/domain-name-news/184) and that they have been
>caught directly involved in cyber-squatting and counterfeiting schemes
>that cost them millions in out-of-court settlements
>(http://www.thedomains.com/2009/03/12/onlinenic-settles-with-microsoft-appeals-verizon-decision/).
>However, the core issue relates to an illicit pharmacy domain sponsored
>by OnlineNIC which has been found in thousands of hacked websites
>infected with a PHP redirection. KnujOn first found this malicious
>redirection in July, 2010 and discovered the target domain,
>SECURETABS[DOT]NET, had a false WHOIS record and we appropriately filed
>a complaint with ICANN on July 18, 2010. Under the ICANN Registrar
>Accreditation Agreement the domain owner has 15 days to correct WHOIS
>inaccuracies and the Registrar has 45 days to investigate the complaint
>(http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3). If
>the registrant fails to respond their domain must be deleted. The
>Registrar is required to investigate and if they fail to it could be
>considered a material breach of their contract with ICANN. In this case
>both deadlines have passed without correction or deletion. OnlineNIC has
>yet to respond to multiple inquires about this.
>
>
>The Malicious Intrusions Continue
>
>As with our last report on Malware and Policy Failure
>(http://www.circleid.com/posts/20100922_policy_failure_enables_mass_malware_part_i_rx_partners_vipmeds/)
>single illegal pharmacy shop sites that somehow evade detection and
>policy enforcement impact thousands or even millions of innocent
>websites. It provides motivation and opportunity to keep spreading the
>malware that drives Internet users to illegal transaction sites without
>their consent. This particular malicious code has been found at Earlham
>College, the University of Illinois, the University of Delaware, Lord
>Fairfax Community College, the University of Alaska, and Toccoa Falls
>College. While public institutions are frequent targets of these attacks
>because of their typically large networks, multiple access points, and
>constantly changing student populations private sites are just as
>vulnerable. We even found one infection on a local Fox News affiliate in
>Houston. KnujOn currently estimates the number of websites infected with
>some kind of illicit pharmacy-related redirect to be in the millions. 
>
>
>Policy Enforcement from ICANN
>
>While ICANN has continuously stated they have no enforcement powers,
>this type of domain abuse is actually within their mandate. Because
>OnlineNIC is itself a rogue Registrar they cannot be counted on to
>follow policy, it is ICANN’s role to hold the Registrar responsible.
>In the case of OnlineNIC it should be an easy call considering their
>history, but ICANN recently renewed OnlineNIC’s contract for another
>five years even though they have failed to comply with RAA 3.16
>(http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#3) and
>may be de-accredited under RAA 5.3.2
>(http://www.icann.org/en/registrars/ra-agreement-21may09-en.htm#5)
>because of a judgment against them in a suit filed by Louis Vuitton
>(http://docs.justia.com/cases/federal/district-courts/california/candce/3:2009cv05612/222027/27/).
>Because OnlineNIC is allowed to exist SECURETABS[DOT]NET exists. Because
>SECURETABS[DOT]NET exists the Internet is being flooded with silent
>intrusions and malicious code injections.
>
>
>Rejection of Registrar Complaint by ICANN
>
>ICANN has a secondary process for filing complaints against Registrars
>but in this case it failed. KnujOn followed ICANN’s instructions
>(http://www.icann.org/en/compliance/faq.html) for filing a complaint
>against a Registrar. On September 16, 2010 after OnlineNIC failed to
>comply with the contracted obligations concerning SECURETABS[DOT]NET.
>Instead of seeing SECURETABS[DOT]NET suspended and OnlineNIC admonished,
>our complaint was rejected with the claim we had filed the wrong form.
>It has now been 73 days since our initial complaint about
>SECURETABS[DOT]NET, and the site is still active and continues to appear
>in new website intrusions. 
>
>Until ICANN fully grasps the nature of this threat and their ability to
>thwart it through their normal duties, the problem will grow. In Part
>III we reveal a notorious intrusion and malware download traced right to
>another policy failure at another troubled Registrar.
>
>-Garth
>
>
>More information:
>http://www.circleid.com/posts/20100929_policy_failure_enables_mass_malware_part_ii_icann_and_onlinenic/
>http://www.knujon.com/blog.html
>
>
>-------------------------------------
>Garth Bruen
>gbruen at knujon.com
>http://www.knujon.com
>http://www.linkedin.com/pub/4/149/724
>Linkedin Group: http://www.linkedin.com/groups?gid=1870205
>Blog: http://www.circleid.com/members/3296/
>Twitter: @Knujon
>
>
>
>------
>NA-Discuss mailing list
>NA-Discuss at atlarge-lists.icann.org
>https://atlarge-lists.icann.org/mailman/listinfo/na-discuss
>
>Visit the NARALO online at http://www.naralo.org
>------