SDF Cofounder Chris Davis: Bad Guys Will Need a New M.O.
Apr 9, 2014 7:25 PM PT
In the war against malware, a new strategy is taking shape. The good guys are preparing to demolish the bad guys' most effective weapons: rogue websites.
The Secure Domain Foundation will tackle the identification and prevention of Internet cybercrime through a series of steps designed to interfere with the way cybergangs operate online.
Secure Domain Foundation
Making its debut last month at ICANN 49 in Singapore, SDF is a coalition of experts and companies in the cybersecurity, Internet and domain name infrastructure industries.
SDF is the brainchild of security researcher Chris Davis and Internet security guru Norm Ritchie. Davis gained notoriety in part for taking down the infamous Mariposa botnet. Ritchie is one of seven people in the world to hold the key to secure the Internet DNS root zone in the event of a catastrophe.
The new organization includes representatives from Emerging Threats, Facebook, Crowdstrike, Verisign, ESET Anti-Virus, Verizon, Domain Tools, Internet Identity, Enom, Name.com, CIRA(.ca), CO Internet(.co), CoCCA, MailShell, APWG (Anti-Phishing Working Group), Foreground Security and the SecDev Group.
The first step in excising malware purveyors from the Internet is the release of a free API service to obtain an instant domain or registrant credit score based on security reputation and contact data validation.
This API is made available to domain name registrars and registries for use during domain name transactions, such as new account creation, domain registration and record updates. SDF announced the API launch along with the group's formation at ICANN 49.
"ICANN has recently mandated that domain registrars must validate postal addresses, phone numbers and email addresses that are provided as contact information during the domain registration process," said Norm Ritchie, Chairman of the SDF.
In this exclusive interview, LinuxInsider discusses with Chris Davis how SDF will make a difference in stopping cybercriminals' abuse of the Internet.
LinuxInsider: What brought you to form SDF and spearhead a new battlefront in the war on cybercrime?
Chris Davis: I am not the sole creator of SDF, but I took the most active role in getting it started. My background since 1995 or 1996 has been in the security field. More than 90 percent of all the malware distributed over the Internet relies on domain names for delivery.
As I analyzed malware, I started to see more and more registrar names associated with infected websites. It was a recurring pattern. A website would be shut down due to one or more violations -- but it would pop back up in short order under the same registrar or through another registrar.
A couple of years ago I was sitting on a beach in Mexico discussing with Norm Ritchie what we could do to combat this growing problem. We discussed starting a forum to provide a no-cost reputation service. This would be a way to quickly identify bad actors.
The idea grew from there. We started sharing information with registrars about websites that moved around and even changed domain names but were the same operation. It has grown much larger since then. We have developed a bigger reputation system.
LI: How do you carry out this plan with just you and Ritchie?
Davis: I had an adviser, a couple of volunteers, and a few paid staff members. Then we added partner organizations that provide everything from data on bad people to networks that connect us to people who otherwise we would not have connections to. It developed into quite a big group of people in many Web-based companies.
LI: How does this change the landscape from what we had prior to SDF?
Davis: Up to this point, we are focusing on domain name security. There really are not any rigid controls. ICANN has tried to do this but with little success. Our goal, our hope, is that by providing the combined knowledge of top security professionals and some really good data, the various domain registrars can take action to curtail the abuses. Eventually, registrars may be able to prevent the domain name from ever being established.
LI: What about the current U.S. administration's plan to divest the U.S. of its current controlling role in overseeing the Internet?
Davis: It is an excellent thing, in my opinion. One of the concerns that a lot of countries and top level domain operators have is the fact that the controlling body is America. It is true that the Internet was invented in America. It is great that we are getting away from that in favor of making it an international body. I think more people are interested in participating in the organization of the Internet if the U.S. government takes its hands off of it.
LI: So you are saying that if the U.S. government steps out of the picture, that will enhance the ability to make things more secure?
Davis: I think we will see an increase in participation from other countries. The bulk of those countries is where we see a large number of bad actors pushing malware. The more participation you get from countries like China and Russia, the better. After all, the average domain registrar in Russia does not want cybercriminals using their services either. Those bad actors do not want to see control shift to multigovernment regulation either.
LI: Let's say that SDF is successful. How is that going to impact the current conditions? Is part of the problem the lack of any tight control over all of these rogue sites being set up?
Davis: I do not think it is a question of having a tighter control. The Internet is a free place. I think that having a non-biased, non-governmental group without any for-profit motivation trying to make the Internet a little safer and more secure is an idea that all people can accept.
How we address these issues is important. I think we have to take it one step at a time. Right now we are taking a first step into the domain name approach. That is an area that has a lot of room for improvement and is an area in which I think we can have a big effect in a short amount of time.
LI: What might be step two?
Davis: Beyond that I think we can use that model for hosting providers and other infrastructures like DNS operators. We can probably do that at no cost because there is no corporate motivation and involvement of politics. This will help them look after their own networks and be more proactive. In the very rare cases where we find operators, registrars or hosting providers that are clearly malicious, they will glow in the dark. When they do, we can more easily block them.
LI: Is this first step related to any belief that this is a major cause of the growth of our cybersecurity problems?
Davis: By going after the ability to prevent malicious domain registrations, we are forcing the bad guys to actually change their modus operandi. If we can do that, maybe they will stop using domain names and move to static IP addresses. That is actually easier to shut down than a domain name. The bottom line is that the security people have been losing for a long time. We're not saying that we are going to win the war by doing this -- but it is a step in the right direction.
LI: What about the impact on hardening various computing platforms like Windows?
Davis: It is not a question of hardening a more vulnerable platform or enhancing an already more secure computing platform [like Linux]. It involves a higher level than that. IP reputation has been around for a long time. Now it is getting used increasingly by more large organizations and large social networking companies. If a link correlates to a bad reputation, it may or may not be allowed to be posted.