.ORG News – ICANN delays again the sale of the .ORG Registry

A few months ago, in previous articles, we mentioned the sale by Internet Society of Public Interest Registry (PIR), the .ORG registry, to Ethos Capital, a private equity firm.

.ORG is the reference extension for non-profit organizations, and the .ORG registry represents more than 10.5 million domains. As a reminder, the announcement of the sale of the registry raised several concerns in the NGO community.

Faced with these many complaints, ICANN had already postponed the approval of the .ORG registry’s sale to Ethos Capital and requested additional information from Internet Society.

Further postponement of the .org registry’s sale after the intervention of the Attorney General of California

On Thursday 16 April, the ICANN Board was due to decide whether or not to approve the sale of the registry; at that meeting, it finally decided to postpone the decision again, until 4 May 2020. This fourth postponement was caused by a letter received the day before from California’s Attorney General, Xavier Becerra, asking ICANN to reject the sale. He explains that it “raises serious concerns that cannot be overlooked”.

“Empowering a for-profit entity that could undermine the accessibility and affordability of the .org domain, which serves nonprofits, should concern all of us”, the Attorney General’s office told The Register.

The secret nature of Ethos Capital is a source of concern

In his letter, the Attorney General expressed several concerns about the transaction, including the secret nature of the proposed buyer, Ethos Capital: “Little is known about Ethos Capital and its multiple proposed subsidiaries”. Ethos Capital is criticized for its unusual corporate structure (the purchase involves six different companies, all of which were registered on the same day in October 2019) and its lack of transparency regarding its future plans.

In its notice published last Thursday, ICANN states that it has listened to the community and demanded greater transparency and more guarantees from PIR. According to the organization, the Attorney General’s letter does not take into account the recent work that PIR has done regarding Public Interest Commitments, to make the entity more responsible to the community. ICANN asked PIR to strengthen these commitments, and a draft of the revised Public Interest Commitments has been provided to ICANN.

ICANN’s behavior and Internet Society criticized

ICANN has also been subject to a number of criticisms during the entire process, particularly as it appeared that the organization’s staff was pushing for approval of the transaction despite near universal opposition to it from the Internet community.

In addition, early last week, ICANN’s founding CEO Michael Roberts and original Board Chair Esther Dyson wrote a letter to Xavier Becerra criticizing the transaction and accusing their successors of abandoning ICANN’s core principles.

According to the Attorney General, this transaction will have an impact on ICANN’s reputation given the way the organization has handled the situation.

ICANN and Ethos are not the only ones criticized by the Attorney General’s office: Xavier Becerra also blames the Internet Society for proposing the sale of the .ORG registry to Ethos Capital: “ISOC purports to support the Internet, yet its actions, from the secretive nature of the transaction, to actively seeking to transfer the .ORG registry to an unknown entity, are contrary to its mission and potentially disruptive to the same system it claims to champion and support”.

Xavier Becerra’s letter does not threaten ICANN with action if it does approve the sale. However, it does indicate that the Attorney General of California holds significant authority over the organization and is prepared to act, particularly since this sale could affect hundreds of thousands of other non-profit organizations.

“Given the concerns stated above, and based on the information provided, the .ORG registry and the global Internet community – of which innumerable Californians are a part – are better served if ICANN withholds approval of the proposed sale and transfer of PIR and the .ORG registry to the private equity firm Ethos Capital. This office will continue to evaluate this matter, and will take whatever action necessary to protect Californians and the nonprofit community.”

In a notice published last Thursday, ICANN thus declared the postponement of its decision: “We have agreed to extend the review period to 4 May 2020, to permit additional time to complete our review.”

Companies’ cybersecurity – 5th edition of CESIN’s annual barometer

Every year, the Club of Experts in Information and Digital Security (CESIN) publishes its barometer of companies’ cybersecurity in order to better understand the perception and concrete reality of cybersecurity and its issues within CESIN member companies.

Last January, CESIN unveiled the results of its OpinionWay survey, carried out from the 2nd of December 2019 to the 7th of January 2020 among its 253 members, Chief Information Security Officers (CISOs) of major French groups.

Cyberattacks: Fewer companies affected but still heavily impacted

First of all, the study highlights a positive figure: the decline in the number of companies that suffered at least one cyberattack in 2019, i.e. 65% of the companies surveyed compared to 80% in 2018 (note, however, that this difference in results is nuanced by the addition of the definition of cyberattack in the survey conducted in January 2020).

On the other hand, the impact of these cyberattacks remains significant since 57% of these attacks have consequences on business such as disruption of production (27%), website unavailability (17%) and revenue loss (9%).

The companies affected were targeted by 4 types of cyberattacks on average in 12 months. Among the attack vectors, phishing remains the most frequent, with 79% of companies affected in 2019, followed by CEO fraud (47%), the exploitation of a vulnerability (43%) and fraudulent login attempts (40%).

The main consequences of these attacks are identity theft (35%), malware infection (34%), personal data theft (26%), ransomware infection (25%) and denial of service (19%).

Cloud, IoT and AI, issues of concern

With the digital transformation, the use of the Cloud is important within companies: 89% of companies surveyed store their data in a Cloud, including 55% in public Clouds.

This massive use of the Cloud still represents a high risk due to a lack of control over the hosting provider’s subcontracting chain (for 50% of CISOs), the difficulty of conducting audits (46%) and the lack of control over the use of the Cloud by employees (46%). For 91% of respondents, the tools implemented by Cloud hosting providers are not sufficient to secure the data stored, and specific additional tools or measures are necessary.

Connected objects are also a growing concern, increasing the attack surface and creating new types of threats. The CISOs surveyed are concerned about the security breaches present in this equipment (43%) and the uncertainty in the assessment of potential risks (28%).

The study also shows that the embedded AI at the heart of cybersecurity solutions has yet to prove its worth since 53% of CISOs do not trust it.

An awareness of cyber-risks

To prevent the risk of attacks, companies implement an average of a dozen protection solutions, in addition to antivirus and firewalls. These include the mail security gateway (85%), the VPN/SSL gateway (85%), proxy and URL filtering (83%), and multi-factor authentication. The latter, adopted by 72% of companies, has increased by 13% compared to 2018.

More aware of cyber risks, 91% of the companies surveyed are implementing a cyber-resilience program in parallel with protection solutions or are considering doing so. That is 12 points higher than last year.

Awareness of cyber risks is also reflected in the steady increase over the last three years in the number of companies having subscribed to cyber-insurance (60%).

Despite this, only 4 out of 10 companies say they are prepared in case of a large-scale cyberattack.

Employee awareness

In addition to the external threat, for 43% of companies, employees’ negligence is the most common cyber risk.

Shadow IT, i.e. the deployment and use of applications and services beyond the control of IT teams, is mentioned by 98% of the CISOs surveyed and remains a significant threat to be dealt with.

Yet even though they are aware of cyber risks (according to 74% of respondents), only half of employees comply with the recommendations, according to CISOs.

Issues for the future of cybersecurity

Governance is the first issue mentioned by CISOs (70%) for the future of cybersecurity, followed by users’ training and awareness raising on cybersecurity issues (57%).

Increasing the budget is another major issue for 50% of respondents. The proportion of the IT budget allocated to cybersecurity has increased in companies compared to last year. 62% of them plan to increase it further in the next 12 months and 83% want to acquire new technical solutions.

In terms of human resources, one out of two companies (51%) would like to increase the number of staff dedicated to cybersecurity, but 90% face a shortage of Information Systems Security profiles, leading to recruitment difficulties.

.ORG news – NGOs against the .ORG registry’s sale to Ethos Capital

At the end of 2019, the announcement of the sale of the .org registry, Public Interest Registry (PIR), by Internet Society to Ethos Capital, a private equity firm, sparked a debate, which was also the subject of a previous article on this blog.

As a reminder, this announcement raised several concerns among NGOs, such as an increase in .ORG prices and the implementation of rights protection policies that could lead to a form of censorship, as is already the practice in some countries. These fears led the Electronic Frontier Foundation (EFF) to launch the SaveDotOrg campaign to raise awareness about the potential impact of this sale. To date, 846 organizations and 25 119 people have signed this petition calling on Internet Society to stop the sale.

Faced with these many complaints, ICANN postponed the approval of the .ORG registry’s sale to Ethos Capital and requested additional information from Internet Society.

« Public Interest Commitments »: The measures proposed to address the .ORG community’s concerns

In response to these criticisms, Ethos Capital and Public Interest Registry have sought to reassure the community by proposing the implementation of “Public Interest Commitments” (PIC), binding commitments which would ensure that increases in .org prices would be limited.

Among these commitments, they also propose the creation of a “Stewardship Council” (a council for the .org management) which could influence decisions taken by PIR and thus ensure the preservation of freedom of expression.

These PIC would be added to the Registry Agreement, the contract between the registry and ICANN regarding the functioning of the registry.

A for-profit registry to defend non-profit organizations?

During the last ICANN summit, organized remotely from 7 to 12 March 2020 because of the Covid-19 pandemic, several NGOs, including EFF, mentioned this .ORG registry’s acquisition by Ethos Capital and asked ICANN about how it plans to review the change of control of the .ORG registry.

According to EFF, forming a “Stewardship Council” will not resolve the NGOs’ concerns. Indeed, the initial members of this council will directly or indirectly be selected by PIR and PIR will have the ability to veto new council members, which would thus ensure that the council will stay in lockstep with PIR.

Regarding .ORG prices, according to NGOs, the implementation of the PIC doesn’t ensure that price increases will be limited. An amendment to the Registry Agreement can be negotiated at any time by the registry’s owner and ICANN, despite public opposition. That’s what happened in June 2019, when the .ORG Registry Agreement was revised to diminish registrants’ rights and remove price caps. Furthermore, ICANN indicated in 2019 its interest in exiting the role of price regulation, but the PIC implementation would place ICANN back into that role.

Therefore, according to NGOs, these “Public Interest Commitments” would not adequately protect the .org community.

The NGOs’ questions remained without answer during the last ICANN summit, and this acquisition is still under review by ICANN.

“We acknowledge the questions and concerns that are being raised”, says ICANN. “To ease those concerns and maintain trust in the .ORG community, we urge PIR, ISOC, and Ethos Capital to act in an open and transparent manner throughout this process. […] We will thoughtfully and thoroughly evaluate the proposed acquisition to ensure that the .ORG registry remains secure, reliable, and stable.”

To be continued.

Municipal elections 2020: buzyn2020.fr and buzyn2020.paris domain names redirect towards Anne Hidalgo’s campaign

Following the announcement on Sunday February 16 of Agnès Buzyn’s candidacy in the Paris municipal elections, several political journalists discovered on Monday that the domain name buzyn2020.fr was registered but redirected towards “Paris en commun”, the campaign website of another candidate, Anne Hidalgo.

Several other names were registered on Sunday night, also redirecting towards Paris en commun’s homepage, like buzyn2020.paris, agnesbuzyn2020.fr and agnesbuzyn2020.com.

While several of these names were anonymously registered, two of them were registered by the association “Montreuil en Commun”, a group of “four municipal councilors” who claim to be “without any political label” and explained to Numerama that the fact that these names were available “indicates the improvisation of her candidacy and LREM’s lightness regarding a serious matter such as a candidacy to run for Paris’ mayor”.

Raising awareness to cybersquatting risks

The LREM candidate will not be able to use the domain name buzyn2020.com either, which was registered on Monday by Crisalyde, a risk and crisis management consulting company.

“I took the opportunity to raise awareness. It’s my job, I saw a risk and I took advantage of it”, explains Selim Miled, Crisalyde’s CEO, to Le Parisien.

Cybersquatting is the practice of registering a domain name that uses or mentions a trademark, a business name, a surname or any other name to which the registrant has no right, in order to profit materially or morally from its current or future notoriety.

Thus, Crisalyde registered 6 domain names: buzyn.paris, agnesbuzyn2020.paris, buzynpourparis.com, buzynpourparis.fr, buzyn2020.info and buzyn2020.com. “As soon as Agnès Buzyn’s team contacts me, I will give them the domain name at the purchased price, with some friendly advice”, adds Selim Miled.

What strategy to adopt against cybersquatting?

Agnès Buzyn’s team will have to contact the persons who registered these names, who may decide to graciously give them back or resell them at prices they will have set.

However, legal actions exist to retrieve a cybersquatted domain name, like the UDRP procedure (Uniform Domain Name Dispute Resolution Policy). This procedure makes it possible to have the domain name cancelled or transferred.

Lastly, in order to prevent any cybersquatting risk, it is recommended to set up domain name registration monitoring, so as to be alerted immediately to any new domain name registration that could infringe your notoriety or your business.
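One way such registration monitoring can work, as an added example (not Nameshield's tooling and not part of the original article): it screens a feed of newly registered domains for watched names, catching hyphenated, accented (IDN) and one-letter-off variants. The watched names, the distance threshold and the feed are assumptions; the feed is constructed from domains named above plus made-up variants.

```python
import re
import unicodedata

# Assumptions: watched names and threshold chosen for the case in the article.
WATCHED = ["buzyn", "agnesbuzyn"]
MAX_DIST = 1  # tolerated edits for a "near-miss" alert

# Constructed sample feed of newly registered domains.
FEED = [
    "buzyn2020.fr",                                 # named in the article
    "agnesbuzyn2020.com",                           # named in the article
    "buzynpourparis.fr",                            # named in the article
    "agnes-buzyn.paris",                            # constructed: hyphenated
    "buzin2020.fr",                                 # constructed: one-letter typo
    "agn\u00e8sbuzyn.fr".encode("idna").decode(),   # constructed: IDN (xn--...)
    "mairie-exemple.fr",                            # constructed: unrelated
]


def skeleton(domain):
    """Reduce the first label of a domain to bare a-z letters for comparison."""
    label = domain.lower().rstrip(".").split(".")[0]
    if label.startswith("xn--"):
        try:
            # Punycode back to Unicode so accented variants can be compared.
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: compare the raw label instead
    # Strip accents (e with grave accent becomes e), then drop digits and hyphens.
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    return re.sub(r"[^a-z]", "", label)


def fuzzy_substring_distance(needle, haystack):
    """Smallest edit distance between needle and any substring of haystack."""
    prev = [0] * (len(haystack) + 1)  # a match may start anywhere at no cost
    for i, nc in enumerate(needle, 1):
        cur = [i]
        for j, hc in enumerate(haystack, 1):
            cur.append(min(prev[j] + 1,                 # letter missing in domain
                           cur[j - 1] + 1,              # extra letter in domain
                           prev[j - 1] + (nc != hc)))   # substituted letter
        prev = cur
    return min(prev)


def check_domain(domain, watched=WATCHED, max_dist=MAX_DIST):
    """Return (domain, watched_name, reason) or None if nothing matches."""
    skel = skeleton(domain)
    best = None
    # Longest names first so the most specific watched name is reported.
    for name in sorted(watched, key=len, reverse=True):
        dist = fuzzy_substring_distance(name, skel)
        if dist == 0:
            return (domain, name, "contains")
        if dist <= max_dist and best is None:
            best = (domain, name, "near-miss")
    return best


def scan(feed):
    """Screen a feed and return one alert per suspicious domain."""
    return [alert for alert in map(check_domain, feed) if alert]


if __name__ == "__main__":
    for domain, name, reason in scan(FEED):
        print(f"ALERT {domain}: {reason} '{name}'")
```

A threshold of 1 on a five-letter name will also flag unrelated words that happen to be one letter away, so alerts from a check like this need human review before any action is taken.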

For more information on our online brand protection expertise and domain names recovery procedures, don’t hesitate to contact a Nameshield consultant.

FIC 2020 – Nameshield’s DNS Premium labelled France Cybersecurity once again

During the 12th edition of the International Cybersecurity Forum (FIC), the major event in terms of cybersecurity and digital confidence, which is currently taking place from January 28 to 30 in Lille, Nameshield was once again awarded the France Cybersecurity Label for its DNS Premium solution.

8th Edition of the France Cybersecurity Labels ceremony, January 29, 2020

Nameshield’s DNS Premium labelled France Cybersecurity

The DNS is at the heart of companies’ critical services: Internet, email, applications…

Exposed more and more frequently to attacks such as DDoS and Man in the Middle, it must remain available.

Nameshield’s DNS Premium is the solution which meets DNS protection needs with a redundant, ultra-secure infrastructure with all the key DNS services (anycast, DDoS protection, DNSSEC, statistics…).

The DNS Premium solution, labelled France Cybersecurity, thus allows its users to protect their digital assets from any attack and ensures a high availability of their Internet services.

France Cybersecurity Label, the guarantee of a certain level of quality in terms of cybersecurity

As a reminder, the France Cybersecurity label is the guarantee for users that Nameshield’s products and services are French and possess clear and well-defined functionalities, with a certain level of quality in terms of cybersecurity, verified by an independent jury.

It meets several needs and objectives:

  • Raise awareness among users and international ordering parties regarding the importance of the French origin of a Cybersecurity offer and its intrinsic qualities;
  • Certify to users and ordering parties the quality and functionalities of labelled products and services;
  • Promote French cybersecurity solutions and increase their international visibility;
  • Increase their overall use and the users’ security level.

This label is governed by a committee composed of representatives gathered in 3 colleges:

  • College of officials: representatives from the “Direction Générale de l’Armement” (DGA, the French Government Defense procurement and technology agency), the “Direction Générale des Entreprises” (DGE, the French Directorate General for Enterprise within the Ministry of Economy, Industry and Digital), and the “Agence Nationale de la Sécurité des Systèmes d’Information” (ANSSI, the French National Cybersecurity Agency).
  • College of industrials: representatives from the “Alliance pour la Confiance Numérique” (ACN – Alliance for digital confidence) and HEXATRUST.
  • College of users: representatives from groups of users, such as: CIGREF, GITSIS, CESIN, CLUSIF ISSM space.

Nameshield, a 100% French company, certified ISO 27001 on all its registrar activity, was able to bring all the necessary guarantees to obtain the France Cybersecurity Label for its DNS Premium offer, illustrating its commitment to always provide the best services and standards regarding cybersecurity.

For more information on our labelled solution DNS Premium, please visit Nameshield’s website.

The launch of .GAY is close

In June 1970, one year after the Stonewall Riots, which marked the birth of the LGBTQ rights movements, the first Gay Pride parades took place in many US cities to claim liberty and equality and to denounce prejudice, persecution, bigotry and hate.

Fifty years later, with the launch of the new extension .GAY by the registry TOP LEVEL DESIGN, a new digital space is created for the LGBTQ community. This extension is thus intended for individuals, organizations, businesses supporting the LGBTQ community. It will increase their visibility and create a safe online space.

The launch of .GAY will follow the calendar below.

.GAY Launching Calendar

  • Sunrise period: from 10/02/2020 to 06/05/2020
  • EAP (Early Access Period): from 11/05/2020 to 18/05/2020
  • General availability: from 20/05/2020

.GAY donations to LGBTQ nonprofit organizations

Note that for each new domain name registered, the .GAY registry donates 20% of registration revenue to LGBTQ nonprofit organizations like GLAAD and CenterLink, which are currently the inaugural beneficiaries.

A .GAY domain name registration will become a way to express support to the LGBTQ community.

.GAY rights protections policy

.GAY will make it possible to create a safer space online for the LGBTQ community. Indeed, the extension will be subject to a .GAY rights protections policy, which will make it possible to report any content that harms or harasses LGBTQ people, and to act against it by removing the content or suspending the site itself.

“The use of .gay for anti-LGBTQ content or to malign or harm LGBTQ individuals or groups is strictly prohibited and can result in immediate server-hold. Prohibited behavior includes harassment, threats, and hate speech”, highlights the registry.

.GAY domain name registrations will be prohibited to parties that are, or are associated with, recognized hate groups inciting violence against the LGBTQ community.

For more information on the conditions for registration of your .GAY, don’t hesitate to contact a Nameshield consultant.

Fake mobile applications: a growing threat to brands and consumers

With over 5 million mobile applications available today on the major app stores like Google Play and App Store, over 2 000 new applications uploaded every day and almost 2 billion applications downloaded in France in 2018, mobile apps have rapidly grown over the last 10 years to become an essential element of the digital world.

According to research by FEVAD, revenue from mobile commerce is estimated at 22 billion euros in France in 2018, i.e. ¼ of online sales. Thus, mobile applications represent a fast-growing market.

Studies have shown that 68% of consumers identified as loyal to a specific brand have downloaded that brand’s app. Conversely, statistics indicate that 40% of users will go to a competitor after a bad mobile experience. Companies have therefore quickly come to realize that ensuring that their customers have a high-quality and secure mobile experience when downloading and using their branded applications is the key to consumer loyalty.

The growth of fake mobile applications

As brands’ mobile applications have grown in popularity with consumers, the number of fake mobile applications being released into the market by malicious actors has also exploded. Fake mobile apps can be dangerous because they are associated with fraud attacks, and have become a growing threat to consumers. Indeed, they have increased by 191% from 2018 to 2019. The McAfee Mobile Threats report indicates that almost 65 000 new fake apps were detected in December 2018.

Despite the precautions taken by most major app platforms to mitigate the number of malicious applications uploaded on their platform, cybercriminals continue to find ways to bypass these security measures.

A recent example is the fake Samsung app which has tricked 10 million Android users. This app, named “Updates for Samsung”, promises firmware updates, but in reality is not affiliated with Samsung. Once downloaded, the app first and foremost displays ads. To download an update, the user must pay a fee of $34.99. However, firmware updates are completely free of charge, since they are directly accessible from the smartphone’s settings.

What to do against these fake mobile apps?

Given the importance and omnipresence of mobile applications, it is absolutely essential for companies to incorporate into their brand protection and security strategies the protection of their mobile applications and the monitoring of mobile apps present on the market.

Every second, a malicious application is active and poses a threat to brands and consumers. To face this, Nameshield offers online monitoring of mobile apps present on the application stores, which identifies the ones that might be infringing your brands, and assists you in the actions to implement.

For more information about our monitoring solution, don’t hesitate to contact your Nameshield consultant.

General availability of .MADRID as of December 17, 2019

The general availability of .MADRID, the geographical extension of Madrid, the capital city of Spain, is near. Managed by the Comunidad de Madrid registry, this extension was launched last April following the calendar below:

Launching schedule

  • ALP period (Approved Launch Program): from 11/04/2019 to 06/06/2019
  • Sunrise and LRP (Limited Registration Period) period: from 16/07/2019 to 10/12/2019
  • General availability: from 17/12/2019

Some requirements must be met to register a .MADRID domain name. Registration of a .MADRID name is reserved for individuals or legal entities with a link to the Madrid Community:

  • Local presence;
  • Professional, personal, cultural or commercial activity in the Madrid Community;
  • Direct or indirect link with the Madrid Community.

The date of general availability, planned for December 17, 2019, is approaching. If you would like more information on your .MADRID registration, don’t hesitate to contact your Nameshield consultant.

[New gTLD] Launch of .NEW by Google

Following the launch of .APP, .PAGE, and .DEV among others, Google (Charleston Road Registry) is launching the new extension .NEW, with the Sunrise period starting October 15, 2019.

Conditions for registration of a .NEW

  • All domains on .NEW must resolve to action generation or online creation flows. Once resolved, the web user should be able to ‘create’ something without any further navigation. For example, docs.new leads to a dedicated page in Google’s online word-processing software where a new document can be created directly.
  • Any .NEW domain will need to be live within 100 days of registration.

If these conditions are not respected, the registry will consider the registration as non-compliant with the registration policy. In this case, the name will be placed on hold. The registrant will then be notified to correct the situation and comply with these conditions. If no action is taken, the domain will be blocked, then deleted.

Launch calendar

  • Sunrise period: from October 15, 2019 to January 14, 2020
  • LRP (Limited Registration Period): from January 14 to July 14, 2020
  • General availability: from July 21, 2020

For more information on the conditions for registration of your .NEW, don’t hesitate to contact us.

New eligibility criteria for .EU

As of October 19, 2019, internationally-based EU citizens can now register .EU or .ею domain names.

.EU is the country code top level domain for the European Union. More than 3.6 million registrations spread out across Europe make this TLD a popular extension. Initially, this extension was reserved for companies and individuals residing within EU and EEA member states. However, in order to meet the needs of an ever-changing digital environment, EURid, the .EU registry, is changing these eligibility criteria to extend them to all EU citizens living around the world.

“We are excited to be able to extend the registration criteria to EU citizens around the world. The .eu domain is now closer to your ambitions, achievements and dreams. It is the bridge connecting you to your friends and family – even if you live outside the EU. It will always show your roots, your outlook, and your cultural values.” – Marc van Wesemael, EURid’s CEO.

For more information on the conditions for registration of your .EU, don’t hesitate to contact us.