
Whois Data, More Important Than Ever

2018 has been a tough year to be a domain name Whois record. For years Whois has been a favorite and uniquely effective tool of security researchers and law enforcement to battle cybercrime and cyberattacks, yet now that data will be kept under wraps to be metered out, if at all, under the watchful eye of domain name registrars whose strongest orientation in this matter is to their own legal certainty and the privacy of their customers. The situation DNS finds itself in is the unfortunate result of today’s privacy-centric global policy regimes.

It used to be the case that, if you wanted to register a domain name and, say, use it to host a website that sells things to people, or use it to send email to people, or use it to host a service that collects information from people, you had to enter identifying registration information in the public Whois database. That seemed to make reasonable sense. Individuals or organizations interested in hiding their identity had cost-effective options to do so, yet fewer than 25% of domains enabled this service.

Things are much different today. As a result of GDPR, all this identifying data is redacted from Whois. And proponents of the anonymization of the internet are saying that “see, the sky is not falling, Whois didn’t really matter after all”. Except that it does matter. It matters a great deal to the very same people GDPR is designed to protect.

ICANN and other organizations involved in debating the future of Whois have asked for concrete examples of security investigations or processes being impaired by the current global inability to identify the people or organizations that register and use domain names on the internet. This is a challenging ask simply because security researchers and law enforcement are appropriately reticent about leaking information during active investigations of cybercrime. However, last week’s revelations about the political influence campaigns being run by Iranian organizations give us a window into the importance of Whois data.

Election meddling is a hot-button issue; it gets to a very closely held civil right in most democratic countries. So last week’s announcements by Microsoft, cybersecurity company FireEye, Facebook, and Google regarding US midterm election influence campaigns being run on social media and also via state-sponsored phishing attacks were widely distributed, read and referenced. Here are some quotes from the blog posts by these companies themselves:

FireEye’s confidence to name Iranian actors as the responsible party stems from “a combination of indicators, including site registration data” as well as “Registrant emails from the sites ‘Liberty Front Press’ and ‘Instituto Manquehue’”.

Facebook builds on the FireEye research and through investigation of Facebook Accounts and Pages is “able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP Addresses and Facebook Pages sharing the same admins.”

Google’s blog post implicates the Islamic Republic of Iran Broadcasting (IRIB) by noting “Technical data associated to these actors is strongly linked to the official IRIB address space…domain ownership information about these actors is strongly linked to IRIB account information…(and) Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB”

Domain name Whois data isn’t going to solve the world’s cyberattack problems all on its own, but these investigations, centering on an issue of global importance that threatens our very democracy, would likely be severely impaired without it. And this is just the tip of the iceberg: a few uniquely important investigations among the hundreds of thousands of cyberattacks going on all day, every day, all over the globe, carried out by people and organizations that can now hide behind the anonymity inherent in today’s internet. It’s reasonable that domain names used for certain commercial or functional purposes should require transparent registration information. Whois is not a crime.