RiskReact on Domain Name Security & Domain Locks

RiskReact is a service of Realtime Register B.V. with a focus on security threats, cyber intelligence & OSINT.

Last year a registrar employee was the victim of social engineering resulting in an unauthorized transfer of a domain name. 

A few months ago, a registrar employee was the victim of a spear-phishing attack, resulting in a DNS hijack. 

A possible solution to counter such issues and other risks is a Domain Name Registry Lock. 

Domain name registry locks are available for many TLDs. They all cover the same basic level of protection. 

  • Domain name update lock, preventing unauthorized or accidental updates
  • Domain name deletion prevention
  • Prevents unauthorized transfers or domain theft
  • Prevents host updates or deletions 

When we look at our competitors who offer registry locks as a service we observe the following issues; 

  • No option for secure and encrypted user authentication. 
  • Domain updates and passphrases are not encrypted.
  • One size fits all procedure.
  • Procedures are posted publicly on websites for anyone to read, including social engineers and hackers with malicious intent. 
  • Low prices. While low pricing is not a bad thing itself, low pricing usually does not provide the highest possible security. 

With RiskReact, we approach the solution from a different angle. 

Our approach is not to offer the cheapest or most convenient solution. With Risk React, we aim for the best custom solution that matches your threat and risk profile. 

In counter-surveillance, a useful strategy is to let unknown surveillance operators know that there are robust measures in place that make surveillance hard and detectable. Such an approach is acting as a deterrence to protect the target. Below I will explain how Risk React can work as deterrence and why it is an excellent solution to protect your high profile domain names. 

Assess the risk (module 1, included in base price)

Together with the client/reseller, we will discuss the potential dangers that a domain name might face and discuss the best possible solution. 

After the decision on what solution is best, we will perform an OSINT and non-intrusive technical scan to determine if the solution matches reality.

If there is a divergence in the assumed risk model, we will inform the client/reseller so we can adjust the solution if required.

Module one also includes a scan for public breached user accounts. In case of detection and in combination with the RiskReact service, we will discuss this first with you as it is usually better to avoid such user accounts and email addresses altogether for security reasons.

One or multiple authorized users (module 2)?

Depending on the setup and organization of the client/reseller, it might be advisable to add more authorized users to add more flexibility. 

For example, we have a client where both the CISO and CTO have to approve the changes. 

Out of band, out of the box (module 3). 

We understand that in some cases, like a domain name that is part of a critical internet infrastructure requires a lot more added security and a different set of protocols and perhaps different communication channels. 

For example, it might be necessary that communications are done through an encrypted decentralized communication protocol.

Such options can all be discussed, so surprise us!

SOCMINT (module 4).

Social media is great for branding until you become the target of activists or worse, hacktivists.

RiskReact can monitor social media, and our CTI analysts will inform you of possible threats. Being alerted of such events at an early stage allows you to deploy possible mitigation responses.

Intelligence Monitoring (module 5)

If required, we can put the domain name on i24/7 intelligence monitoring. Such a system pulls intelligence and abuse feeds from free and paid sources and sends out alerts to our analysts for further investigation.

Our intelligence feeds are rather diverse and go beyond the regular abuse feeds. Our feeds include the monitoring of fake news, terrorism, porn, scams, rogue pharmacies, and much more. 

If our analysts determine that contact with the reseller/client is required, we will contact the designated contacts right away with our assessment. 

Public breached and leaked database assessment and monitoring (module 6)

RiskReact monitors domain names and PII provided by the client/reseller by checking public breached databases and publicly-leaked databases. These databases are updated almost weekly. When we discover the submitted PII in a breach/leak, we notify the client/reseller. 

Be advised we need to comply with the GDPR, and the service mentioned above has some restrictions.

 Dark web Research (module 7)

Dark web research is an excellent way to detect possible threats arising from the dark Web. 

Such research includes the detection of exploits used in the wild or leaked information. Naturally, analyzing a part of the Internet frequented by individuals trying to stay out of the spotlight is a more difficult task than traditional measurement campaigns conducted on the regular Web.

For more information, contact our support team to discuss your potential domain name risks and solutions!

Additional MFA support at Realtime Register

In addition to the recent introduction of adding API keys, now we are adding Multi-Factor Authentication support. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.

Multifactor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification).

We will support the following methods for MFA:

  • Webauthn (FIDO2) supporting Touch or Pin and Touch sensor like Yubikey with secure elements, Software authenticators and also Biometric authentication like Finger, Face, Iris/ Voice recognition.
  • TOTP (Google authenticator)

We offer multiple methods to add an additional layer of security for your account. Read more how to add MFA to your account via our Knowledgebase: How to enable MFA on your account.

Adding Multi Factor Authentication support

In addition to the recent introduction of adding API keys, now we are adding Multi-Factor Authentication support. Multifactor authentication (MFA) is a security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.

Multifactor authentication combines two or more independent credentials: what the user knows (password), what the user has (security token) and what the user is (biometric verification).

We will support the following methods for MFA:

  • Webauthn (FIDO2) supporting Touch or Pin and Touch sensor like Yubikey with secure elements, Software authenticators and also Biometric authentication like Finger, Face, Iris/ Voice recognition.
  • TOTP (Google authenticator)

We offer multiple methods to add an additional layer of security for your account. Read more how to add MFA to your account via our Knowledgebase: How to enable MFA on your account.

.SE & .NU removing forms requirement on transfers and registrant changes.

Last year in the new Registry-Registrar agreement the Swedish registry has made “everyday life easier” by lifting the required transfer form that needed to be filled in when transferring a domain / changing a registrant.

Due to this from February 3rd onward no more manual work is needed with a .SE/NU transfer and every change will have a digital timestamp. The implications and changes in behavior compared to the current situation that you may be used to are:

  •  Domain update with registrant change is not charged anymore.
  • No more registrant change form/mail.
  • External & internal transfers will no longer keep the registrant-as-is when a registrant change takes place during transfer, which may impact those of you using the current behavior.
  • Our generic registrant validation process will take place (and no longer be skipped) for transfers and registrant changes.

Privacy by default account setting.

Today we introduce a new account setting called:”Default Privacy Protect setting”, which you can access by clicking here.

Setting disabled.

When selected, domain name registrations and transfers will not use our privacy service automatically. This is how it used to work for years.

Setting enabled when free (and available)

When enabled all domain name registrations and transfers will automatically use our privacy service. Regardless if you use WHMCS, our API or the domain name manager.

A list of available TLDs that can be used for this service is located here.

We keep recommending this service as it is unknown if gTLD registries will continue to publish the data in the WHOIS or not. Several large gTLDs will no longer publish the WHOIS, similar to how we will operate our WHOIS server. But some of them most likely will keep publishing registrant data.

Enabled (when available)

Same as above but also will use privacy services that are not free of charge. Please check the price list in your account if that is the case.

Registration

When you register a domain name you can override your account settings if required. Select the desired action from the drop-down menu.

Current Customers.

At the moment the default setting is not active, as mentioned earlier. Due to the new ICANN contractual regulations that have been rushed out of the door on 17-05-2018 this week, we are reviewing the option to turn this on for all customers. I apologize in advance for any inconvenience this may cause.