Analytics // Security Monitoring
12/2/2010
08:39 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Feds' Crackdown Of Online Counterfeit, Copyrighted Goods Meets DNS Backlash

Alternative DNS systems emerge to pick up seized domains

In the wake of federal crackdowns, such as the U.S. Immigration and Customs Enforcement's (ICE) mass seizure yesterday of 82 domain names of websites illegally selling and distributing counterfeit and copyrighted items, a group is building out a new point-to-point DNS system as a way for sites to dodge future domain takeovers by the feds.

The so-called "LostServers" website is also hard-coding IP addresses of the deleted domains into its DNS system to help visitors access the sites whose domains have been shuttered. "The U.S. government is going to have to have ISPs start blocking access to these alternative domain servers or I think this will become popular," says Chris Wysopal, CTO at Veracode.

Meanwhile, the new Dot-P2P Project says its goal is to combat DNS-level censoring with a decentralized, Bit Torrent-powered system. "By creating a .p2p TLD that is totally decentralized and that does not rely on ICANN or any ISP's DNS service, and by having this application mimic force-encrypted bittorrent traffic, there will be a way to start combating DNS level based censoring like the new US proposals as well as those systems in use in countries around the world including China and Iran amongst others," the Dot-P2P Project page says.

The U.S. ICE's Operation In Our Sites v. 2.0 announcement yesterday is the latest move by federal officials to crack down on online sales of counterfeit sports equipment, shoes, handbags, athletic apparel, sunglasses, and illegal copies of copyrighted DVDs, music, and software. In June, the feds seized nine domains that streamed first-run movies online.

Yesterday's domain takedowns came with the help of VeriSign. "VeriSign received sealed court orders directing certain actions to be taken with respect to specific domain names, and took appropriate actions," a company spokesperson said in a statement. VeriSign declined to comment further on the case.

Among the domains seized were names like coachoutletfactory.com, louis-vuitton-outlet-store.com, nfljerseysupply.com, and dvdscollection.com. A full list of the seized domains is here (PDF).

"By seizing these domain names, we have disrupted the sale of thousands of counterfeit items, while also cutting off funds to those willing to exploit the ingenuity of others for their own personal gain," said Attorney General Eric Holder, in a statement. "Intellectual property crimes are not victimless. The theft of ideas and the sale of counterfeit goods threaten economic opportunities and financial stability, suppress innovation and destroy jobs. The Justice Department, with the help of our law enforcement partners, is changing the perception that these crimes are risk-free with enforcement actions like the one announced today."

Garth Bruen, founder of KnujOn, says there has been a general shift the past six months in cracking down on cybercrime in the U.S. "This has been a strange case since it did not happen at the registrar level -- GoDaddy, in this case -- it happened at the registry-level, with VeriSign, which handles .com," Bruen says. "This only worked probably because VeriSign is a U.S. company...Customs must have made a compelling case to VeriSign because they have been previously uncooperative in this area."

Bruen, whose organization helps track phony online pharmacies, says if ICE were to go after .com pharmacy sites in this manner, there would be tens of thousands of these domains to take over.

Meanwhile, the new Dot-P2P DNS system in the works will be free to users, but participants must demonstrate they are legitimate and own a similar domain before registering, according to a blog post on TorrentFreak. Users of the system will run an application on their system to access domains.

Veracode's Wysopal says the peer-to-peer sharing concept is obviously nothing new and could be done today. "P2P is a much better use of resources, and it's more resilient. You can transfer a file without going over the Internet backbone," he says. "Will we see other services start to move to that?"

But the real challenge, he says, is trusting the data in a shared host file as well as the sender of the file. "There would need to be some way for a person to authenticate that they were the valid owner of a domain and could give the correct information to be added to the file, " Wysopal says. "With the LostServers.com method, [for example], you are basically trusting LostServers to do the right thing. Something people don't often think about is you are trusting your ISP to give you the correct DNS information and send you to the correct site."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-0460
Published: 2014-04-16
The init script in kbd, possibly 1.14.1 and earlier, allows local users to overwrite arbitrary files via a symlink attack on /dev/shm/defkeymap.map.

CVE-2011-0993
Published: 2014-04-16
SUSE Lifecycle Management Server before 1.1 uses world readable postgres credentials, which allows local users to obtain sensitive information via unspecified vectors.

CVE-2011-3180
Published: 2014-04-16
kiwi before 4.98.08, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands via shell metacharacters in the path of an overlay file, related to chown.

CVE-2011-4089
Published: 2014-04-16
The bzexe command in bzip2 1.0.5 and earlier generates compressed executables that do not properly handle temporary files during extraction, which allows local users to execute arbitrary code by precreating a temporary directory.

CVE-2011-4192
Published: 2014-04-16
kiwi before 4.85.1, as used in SUSE Studio Onsite 1.2 before 1.2.1 and SUSE Studio Extension for System z 1.2 before 1.2.1, allows attackers to execute arbitrary commands as demonstrated by "double quotes in kiwi_oemtitle of .profile."

Best of the Web