Here are the slides for tonight: Week_10
The “In the News” section from tonight’s slides is below.
In The News:
- Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach
  - Almost 20 percent of Americans froze their credit file
- 15-Year-old Finds Flaw in Ledger Crypto Wallet
  - Hardware wallets like those sold by Ledger are designed to protect the user’s private keys
- Who Is Afraid of More Spams and Scams?
  - Security researchers who rely on data included in Web site domain name records to combat spammers and scammers will likely lose access
Fred Zajac says
https://krebsonsecurity.com/2018/03/survey-americans-spent-1-4b-on-credit-freeze-fees-in-wake-of-equifax-breach/
It doesn’t surprise me that the amount of money spent on credit freezes increased to such a high level of 1.4B dollars since the Equifax breach. The damage this could cause can be disastrous for any individual. We, as a society, have accepted a number identification system to process financial transactions. These identification numbers can be easily compromised. The credit freeze option provides a layer of security to deny someone the ability to steal another’s identity for financial gain. What the story fails to identify is what percentage of that money came from Equifax purchasing freezes for breached individuals, and how many new people were added to the “stolen identities” dark web database?
For the first, Equifax offered credit freezes for people who were compromised. The latest number reported by Equifax in October 2017 is 2.5 million people. If you use the average cost for a credit freeze reported in the story of $23, you would get a total of $57.5 million dollars. However, I believe Equifax reported paying more than the average because they offered a freeze on all three reporting agencies. I couldn’t find what was spent on credit freezes prior to the breach, but this is just something to think about when reading numbers.
For the second, 2.5 million people were breached. Meaning… All of those people’s information is now available for sale on the DarkWeb. If this is the case, then how many “New” records were available for sale on the darkweb? Also, I don’t know the answer to this, but… For example: can you do a wget command to gather unsecure databases running apache on the darkweb? If the answer is yes, then how many new records were added to these databases? Then, the question is… Are these records “Deduped” against previous records?
The story mentioned at the end that half of all Americans haven’t been bothered with “this” since the Equifax breach. What is “this”? Americans haven’t been bothered with “credit freezes” or bothered with “financial loss”? The story leaves some things to question, but in my opinion… this is the “cost of doing business” in an unsecure marketplace.
The internet is like North Philadelphia. The businesses along Broad Street are websites. The people walking around are the customers. The customers have the obligation to protect themselves when they are walking / “browsing” the area. When the customer walks into a store, the customer inherits the store’s protections and hopes these protections are good enough. If the protections are not good enough, the store will be breached and you may get robbed. However, in the “PII” example, you can only be robbed once for certain data. Example: SS#. Once the robber has robbed you… they can’t rob you again for your SS#. The robber then sells your information to others in North Philadelphia, and before you know it… anyone can walk down to the corner and purchase your SS#. That is old news.
So… how much more damage could this breach do? In my opinion, this will be overshadowed by the next big “OMG data breach”.
Keep in mind, Ginni Rometty, CEO of IBM, was quoted saying, “… only 4% of the world’s data is encrypted”. She means data at rest, but still. But that is for another time.
Jason A Lindsley says
Nice analogy Fred! At least I know the logging and monitoring in North Philly is working because I get Temple text alerts every time there is an incident!
To me it is a no-brainer to provide free credit freezes to citizens. We trusted credit bureaus with our data, they make a ton of money off of it, and this breach shows the impact when there is a breakdown in security. The least these credit bureaus can do is provide us with a seamless and FREE capability to freeze our credit when we are not planning to run inquiries against it.
Patrick DeStefano (tuc50677) says
I agree Jason,
While we must always be mindful of keeping an eye on our financial well being/reporting, when we are in a situation where we don’t have control of an entity having our data or not, such as a person not being in control if a specific credit reporting agency has our PII or not, it’s inherently up to these companies to protect the data, and if compromised, remediate and make amends for the users affected.
The credit freezes should be free for users to better protect their PII.
Fred Zajac says
Jason,
I believe the standard should be “Freeze” and should be changed for everyone immediately. You must “manually” change it to be “Un-Freezed” by visiting a website or when you apply for your next loan. You may also Freeze and Un-Freeze your account at any time for no charge. This cost will be passed on to the banks, who will pass it on to the people borrowing money. The one-time borrowers / credit card users will barely feel the markup in cost. The burden will fall on those who take out several loans and have lines of credit.
Donald Hoxhaj says
Fred,
I agree with your points, Fred, and this is to a large extent an issue that Equifax should have dealt with much earlier. The information of all customers is out in the open and any breach here could significantly impact the financials of these customers. The question would always remain: do customers always keep paying even for the mistakes of company’s false security infrastructures?
Fred Zajac says
I attended a Risk Quantification Symposium last week and learned some fascinating things that are coming down the pipeline for enterprise risk.
One thing I found very interesting is the FICO Enterprise Security Score. http://www.fico.com/en/products/fico-enterprise-security-score
This is similar to a credit score everyone is familiar with, only it is for enterprises. The score is generated on a few factors, such as:
- Threat landscape
- Company Culture
- Policies / Procedures
- Industry
- Etc.
This score can be used to gauge “risky” vendors and eventually “risky” individuals. This may revolutionize the way organizations report
Gross Value at Risk – Impact = Net Value at Risk
It is heavily focused on economic models, running Monte Carlo simulations to determine probabilities. There are several variables included in the function, but this is the basics.
Check it out. This may be the standard, just like our credit score.
Mustafa Aydin says
It is interesting Fred,
I think it should not be publicly available. Otherwise, attackers may also use this security scoring system.
Fred Zajac says
Mustafa,
I understand your concern, but hackers already use credit scores to target people and businesses. Anyone can purchase someone’s credit score for a few dollars, and FTC regulations require a rating on financials, rating from AAA to Junk.
In my opinion, the cyber score should be required for all publicly traded companies who handle PII. Why? Because as a shareholder, I would want to know if the company I am invested in has poor cyber security hygiene. A breach could compromise my stock value and/or a DDoS attack could render my shares worthless. Imagine if people stopped using Facebook because of the privacy issues… Facebook shareholders would be losing money every day because of poor data management posture (Cambridge broke Facebook’s data sharing rules and Facebook never found out).
I truly understand the concerns of scores being secret, but as an investor, I want to know.
Frederic D Rohrer says
https://www.ietf.org/mail-archive/web/ietf-announce/current/msg17592.html
The TLS Working Group has announced that their submission of the TLS 1.3 proposal was approved by the IETF (Internet Engineering Task Force).
TLS 1.3 brings many changes for a more secure protocol. Most importantly it removes support for MD5 and SHA-224 cryptographic hash functions. MD5 is considered broken and unfit for further use, yet many older websites store passwords in MD5. Yahoo was using MD5 when their user database was breached in December of 2016.
I am glad that TLS is advancing and making the web a safer and faster place. You can test the performance gain of HTTPS over HTTP yourself here: https://www.httpvshttps.com/
Personally I think there is a big problem in the web development community. Most developers learn through internet tutorials and have no formal education in web development. This leads to many using outdated tutorials from which they copy and paste the example code with MD5 implementation. I think this because it took me way too long to learn how to write prepared SQL statements and sanitize input.
Let me know what you think.
Vince Kelly says
Cisco’s Encrypted Traffic Analytics (ETA), which monitors network packet metadata to detect malicious traffic even if it’s encrypted, is now generally available.
https://www.networkworld.com/article/3246195/lan-wan/how-cisco-s-newest-security-tool-can-detect-malware-in-encrypted-traffic.html
I saw a demo of this technology a couple of months ago – it really is pretty cool.
In addition to ETA, there are a couple of interesting things about this article to me. First, I thought the estimate that 55% of traffic on the web today is encrypted seemed somewhat high – I would have thought it to be much lower. Second, what I thought was *really* interesting was the fact that 41% of hackers are using encryption today. Third, Gartner’s estimate that 80% of web traffic will be encrypted by next year (again, assuming it’s accurate) is an amazing growth rate.
Donald Hoxhaj says
This is pretty interesting, Vince, to see Cisco getting way ahead in detecting fraudulent encrypted packets. However, I agree with you that the percentage stated might be too high for today. It is important to ask what percentage of that 55% is applicable across industries of all kinds and at what quality level of data. Does the encryption apply to huge loads of corporate data? Is it today applicable to financial services where critical data movement is a big task?
Shi Yu Dong says
An interesting read that I found talked about how Memcached servers can be quickly hijacked and compromised to launch large DDoS attacks. Utilizing IP spoofing and a poorly implemented UDP causes the servers to be put at risk because attackers will send a packet to the server, which will in turn greatly increase the size and forward the attack to the intended target. The fix only involved disabling the UDP port, but the question is, how many servers are out there with this setting unknowingly enabled and stand at a huge vulnerability.
https://www.networkworld.com/article/3258772/security/memcached-servers-can-be-hijacked-for-massive-ddos-attacks.html
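A defender-side way to answer the "how many servers have this enabled" question for your own fleet, as an added example (not part of the original post or the linked article): it classifies memcached launch command lines by their UDP port (`-U` / `--udp-port`) and listen address (`-l` / `--listen`) settings. The hostnames and command lines are constructed, and treating an unset `-U` as "review" is an assumption, since the default depends on the installed version.

```python
import ipaddress
import shlex

# The two memcached options that decide UDP exposure.
SHORT_OPTS = {"-U": "udp", "-l": "listen"}
LONG_OPTS = {"--udp-port": "udp", "--listen": "listen"}

# Constructed sample data: hostnames and command lines are made up.
SAMPLE_FLEET = {
    "cache-a": "memcached -m 1024 -p 11211 -u memcache -l 127.0.0.1 -U 0",
    "cache-b": "memcached -m 2048 -p 11211 -u memcache -l 0.0.0.0",
    "cache-c": "memcached -d -p 11211 -U 11211 -l 10.0.0.5",
    "cache-d": "memcached -p 11211 --udp-port=0 --listen=0.0.0.0",
    "cache-e": "memcached -U11211 -l 127.0.0.1,::1",
    "cache-f": "memcached -p 11211 -U 11211",
}


def parse_memcached_args(cmdline):
    """Return (udp_port or None, [listen addresses]) from a command line."""
    tokens = shlex.split(cmdline)
    udp_port, listen = None, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        key = value = None
        if tok.startswith("--") and "=" in tok:        # --udp-port=0
            name, value = tok.split("=", 1)
            key = LONG_OPTS.get(name)
        elif tok in LONG_OPTS or tok in SHORT_OPTS:    # -U 0 / --listen addr
            key = LONG_OPTS.get(tok) or SHORT_OPTS.get(tok)
            value = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 1
        elif tok[:2] in SHORT_OPTS and len(tok) > 2:   # -U0
            key, value = SHORT_OPTS[tok[:2]], tok[2:]
        if key == "udp" and value is not None and value.isdigit():
            udp_port = int(value)
        elif key == "listen" and value:
            listen.extend(a.strip() for a in value.split(",") if a.strip())
        i += 1
    return udp_port, listen


def is_loopback(addr):
    """True if a listen address is bound to the local host only."""
    host = addr
    if addr.startswith("["):              # [::1]:11211
        host = addr[1:].partition("]")[0]
    elif addr.count(":") == 1:            # 127.0.0.1:11211
        host = addr.split(":")[0]
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                      # other hostname: assume reachable


def classify(cmdline):
    """Classify one memcached instance by its UDP exposure."""
    udp_port, listen = parse_memcached_args(cmdline)
    if udp_port == 0:
        return "udp-disabled"             # the fix the post describes
    if listen and all(is_loopback(a) for a in listen):
        return "loopback-only"            # not reachable from other hosts
    if udp_port is None:
        return "review-default"           # assumption: default varies by version
    return "udp-exposed"                  # UDP on, listening beyond loopback


def audit_fleet(fleet):
    """Map each host to its classification."""
    return {host: classify(cmd) for host, cmd in fleet.items()}


def needs_action(fleet):
    """Hosts where UDP should be disabled or the default checked."""
    flagged = ("udp-exposed", "review-default")
    return sorted(h for h, s in audit_fleet(fleet).items() if s in flagged)


if __name__ == "__main__":
    for host, status in audit_fleet(SAMPLE_FLEET).items():
        print(f"{host:8} {status}")
    print("needs action:", ", ".join(needs_action(SAMPLE_FLEET)))
```

No listen option at all means memcached binds every interface, which is why `cache-f` is reported as exposed.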
Jason A Lindsley says
Interesting – sounds like another Mirai attack on the horizon.
How many servers are out there with this setting unknowingly? That’s a good question. I also wonder how many servers are out there that know this vulnerability exists and “do not have the time or resources to fix it.” See my post of Atlanta ransomware below…
Fraser G says
https://blog.trendmicro.com/trendlabs-security-intelligence/monero-mining-hiddenminer-android-malware-can-potentially-cause-device-failure/
Another Cryptohijacker released for Android.
Mitigation steps, from an enterprise perspective:
1) Managed App Store – https://developer.android.com/distribute/google-play/work.html
2) Strong ACLs on deployed apps using API: https://developers.google.com/android/work/overview
3) Device level vulnerability scanner platform (independent of Google): e.g. https://www.tenable.com/solutions/mobile-device-security
Jason A Lindsley says
https://www.npr.org/sections/thetwo-way/2018/03/28/597758947/time-is-running-out-for-atlanta-in-ransomware-attack
The city of Atlanta’s network has been disrupted for six days from a ransomware attack and time is running out to pay the six-bitcoin ransom payment by end of day today.
The attack was conducted by SamSam, who has collected nearly $850,000 of ransom since December 2017.
I found it interesting (but not surprising) that an audit of Atlanta’s IT department found a “significant level of preventable risk” and identified a number of long-standing issues that employees “didn’t have the time or resources to fix.”
Services impacted include municipal court systems, online bill pay, and police reporting/booking tools.
Governments and municipalities need to start taking this seriously and implement stronger controls to prevent these attacks. Otherwise, the number of attacks will increase and become more complex and sophisticated.
Patrick DeStefano (tuc50677) says
Sounds like they need some IT Security Governance. Not getting into politics, but it’s no secret that our government is not exactly a well-oiled and efficient machine. It’s one of the slowest acting and one of the last to come up to speed with new technologies and trends (unless you’re the military). These municipalities, such as Atlanta in this case, don’t seem to have the funding, guidance, or expertise to be able to handle the cybersecurity needs of today. It’s unfortunate that so many resources need to be poured into this type of thing instead of into public use projects.
Jason A Lindsley says
Hi Class,
I wanted to share an upcoming event that my company is sponsoring on April 18 in Wilmington, DE. This will be a great networking event and an opportunity for job seekers to learn more about positions in our Technology Risk Management and Information Security department at TD Bank. Please feel free to e-mail me or reply to this post with any questions. Pre-registration is required at the Survey Monkey link below.
Cyber Security Networking Event
Join us for a powerful business networking event where we’ll spotlight our business leaders who will showcase TD’s exciting technology initiatives, and where we see ourselves future state. You’ll have a chance to connect with our leadership teams one on one from different sectors of cyber security including Threat Intelligence, Red Team Ops, CSOC, Malware and Analytics, among others. Network with other industry professionals about exciting projects and innovative ideas over bites and spirits.
DATE: Wednesday, April 18, 2018
TIME: 5:30 PM to 9:30 PM
COST: None
LOCATION: Hotel DuPont – du Barry Room
42 West 11th Street, Wilmington, DE 19801
Suitable for job seekers
Registration is required
Dress is business/casual
Heavy appetizers and spirits will be served
Pre-Registration is required. Please fill out the form below to RSVP for this exciting event! We welcome you to share this information with other colleagues and associates who would be interested in joining us.
https://www.surveymonkey.com/r/TDCyberEvent
Sev Shirozian says
https://krebsonsecurity.com/2018/03/survey-americans-spent-1-4b-on-credit-freeze-fees-in-wake-of-equifax-breach/
When reading the Krebs on Security article about Americans Spending $1.4B on Credit Freeze Fees in Wake of Equifax Breach, I remember hearing about a new offering from another credit bureau: Experian is offering a new service called a Dark Web Scan.
https://www.experian.com/consumer-products/free-dark-web-email-scan.html
This is a perfect example of how you can commercially take advantage of a competitor’s mishap, the Equifax cyber breach. Just like they used freezing your credit as a way to make some extra money (1.4 billion dollars), they are now going to use this as another avenue of more revenue streams. Although you’re not paying for this dark web scan, they are using this service as a marketing tool and a way to collect your e-mail address and contact information to sell you more services in the future. After all, if they were able to find out that personal information about you was found on the dark web, they must know what they are doing and could be trusted for more monitoring services in the future.
I have not tried this service yet but thinking about it. I’m not that adventurous in wanting to check out the dark web to see if my information is there, so why not use a free service that will do it for you.
Sev Shirozian
Patrick DeStefano (tuc50677) says
Thanks for this, I’m going to have to check it out. I’ve personally only ever had my credit card information stolen once, however my friend seems to have it happen every few months or so. It would be interesting to find out what is out there on the dark web.
It would be wise for any financial services company such as banks and credit reporting agencies to have such offerings for their customers, especially as attacks seem to be becoming more and more common. If nothing else, it would help assist with consumer confidence in the business offering it.
Zirui You says
“Facebook Collected Your Android Call History and SMS Data for Years”
https://thehackernews.com/2018/03/facebook-android-data.html
A New Zealand based programmer, Dylan McKay, revealed Facebook was collecting their Android users’ call history and SMS data by its Messenger app in the last few years (iOS users are safe from this problem so far). This news was drawing people’s attention after Facebook’s Cambridge Analytica scandal. As the news mentioned, the Messenger app automatically acquired users’ contact permission while installing it until Google made changes to the Android API in Oct. last year. The solution that has been provided for people who want to avoid the collection and delete previous contact history is to “turn off the continuous uploading setting in the Messenger app”.
Donald Hoxhaj says
I think this issue calls for a serious debate on the future of social media channels who collect user information. There is absolutely no transparency on why this data is used and where else it is sold to. With the recent Facebook breach, it is evident how data was misused. Post facto analysis of the issue does solve the data collection that was previously done. I believe all users have the right to share their personal information or not and this has to happen with an opt-out system in place.
Matt Roberts says
https://news.sky.com/story/talktalk-urged-to-improve-cybersecurity-in-wake-of-worryingly-easy-web-system-flaw-11307730
UK telecommunications company TalkTalk has come under fire for a long-existing vulnerability in their websites. An anonymous hacker contacted news agencies about an easily exploitable function in many of their sites allowing a potential attacker to gain access to user’s information through simple cross-site scripting. By combining this vulnerability with basic social engineering techniques such as phishing, almost anyone could have compromised untold numbers of users. Although the issue has since been fixed this last week, it has been revealed that they were first alerted of the flaw in 2016, but made no effort to address it. This apparently follows a pattern of poor security management by the company who already suffered a major breach in 2015 resulting in a hefty fine. This is yet another example of why robust security measures and management are essential for any organization today.
Manogna Alahari says
https://krebsonsecurity.com/2018/03/15-year-old-finds-flaw-in-ledger-crypto-wallet/
A 15-year-old security researcher, Saleem Rashid, has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a company which designs products to protect the user’s private keys from malicious software that might try to gather those credentials from the user’s computer. Rashid mentions that an attacker who has physical access to the device could update it with malicious code that would wait for a potential buyer to use it and then route the private key and drain the user’s cryptocurrency account when the user goes to use it.
– The major problem with the Ledger device is that it contains a secure processor chip and a non-secure microcontroller chip, where the attackers use the insecure microcontroller chip to run the malicious software.
– The authentication to the microcontroller should be strong enough so that any insecure element cannot authenticate to the microcontroller.
– Ledger should include a tamper protection seal which warns the customers that the device has been physically opened or modified prior to its first use by the customer.
– One of the chances where attackers gain physical access to the device is when demand for the products frequently outruns the company’s ability to produce them, and this led the chief of the company to state that their products can be purchased from third-party sellers. I feel it’s a good idea to purchase these kinds of devices directly from the source.
– In the Ledger device, the secure processor chip and insecure microcontroller chip still pass information to each other, while the attacker can use the insecure microcontroller chip and generate the displayed receive address using the code running on the machine.
– The Ledger wallet doesn’t implement any integrity-check/anti-tampering to its source files, meaning they can be modified by anyone.
– New Ledger users would typically send all their funds to the wallet once initialized. If the machine was pre-infected, this first transaction may be compromised, causing the user to lose all of his funds.
Patrick DeStefano (tuc50677) says
Who Is Afraid of More Spams and Scams?
•Security researchers who rely on data included in Web site domain name records to combat spammers and scammers will likely lose access
•https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/
The article describes changes in laws recently passed in Europe. As stated, “The law, enacted by the European Parliament, requires companies to get affirmative consent for any personal information they collect on people within the European Union. Organizations that violate the GDPR could face fines of up to four percent of global annual revenues.”
It’s also noted in the article that this will likely cause a quick increase in the amount of spam emails we all receive in our inboxes and which are not filtered out through our spam filters due to the inability to query the WHOIS systems for domain information. This can be annoying for users, however due to the increase in spam received, this is also going to cause many more occurrences of malware due to phishing on systems. The more spam that comes through, the higher the likelihood that some of those emails will hold some malware which users may trigger.
While I understand the need for privacy with domain information, I believe that some of this legislation will end up hurting end users more than helping with privacy.
Satwika Balakrishnan says
Who Is Afraid of More Spams and Scams?
https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/
Summary
The Internet Corporation for Assigned Names and Numbers (ICANN), an organization that manages the global domain system, has proposed to redact sensitive personal data from WHOIS. WHOIS is a protocol used for querying databases that store the registered users of domain names and IP address ranges. This is being enforced in response to the General Data Protection Regulation (GDPR), which will be taking effect this May.
An accreditation system has been proposed by ICANN, which will be accessible for security researchers, law enforcement officials and journalists. However, this will not be ready until December 2018.
Causes
If the accreditation system is not made available by May 25th, then it will make the life of web administrators, network administrators and law enforcement agents terrible. All these people need WHOIS data for several operations like resolving technical issues related to network, to investigate spam, to investigate identity in cyberspace followed by a cyber-attack, etc.
Also, as mentioned in the article, WHOIS records are used by researchers to notify website owners regarding any hijacking of their websites. All these will be affected if an alternate system is not put in place by May 25th.
Donald Hoxhaj says
Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach
https://krebsonsecurity.com/2018/03/survey-americans-spent-1-4b-on-credit-freeze-fees-in-wake-of-equifax-breach/
In wake of data breach, 20% of Americans, as Equifax consumers, froze their credit file, with one or more credit bureaus, estimated to be $1.4 billion. This eventually led lawmakers, debating to make changes in legislation, which would make credit freezes free in every state.
Based on a survey of 1000 adults, conducted by Wakefield Research, with data collected by small business loan provider Fundera, it was found that the average cost to consumers who froze their credit after the Equifax breach was $23. A credit freeze blocks potential creditors from viewing or taking out credit file, which makes it further difficult task for thieves to identify for new lines of credit in creditor’s name.
The cost of placing a freeze on credit file, varies from $3 to $10 per credit bureau, depending on creditor’s state of residence. Credit bureaus in many states charge fees for temporarily thawing and removing freeze. According to Fundera, percentage of people who froze credit in response to Equifax breach incrementally decreases with aging of people. This was unexpected, as older generations, who have been building on their credit for longer period of time, generally protect their credit accounts.
A provision, included in a bill passed by U.S. Senate on March 14, which led credit reporting firms to let consumers place a freeze without paying fees. This somehow would undermine banking regulations in the 2007-2008 financial crisis. However, Consumers Union have been protesting that the security section failed to include a number of important consumer protections and would not allow states from making important improvements to expand protections against identity theft.
Donald Hoxhaj says
15-Year-old Finds Flaw in Ledger Crypto Wallet
https://krebsonsecurity.com/2018/03/15-year-old-finds-flaw-in-ledger-crypto-wallet/
In a very surprising incident, a 15 year old researcher named Saleem Rashid has found a security flaw in the cryptocurrency hardware wallets made by Ledger, a French company. The company has been making products for safeguarding public and private keys for the cryptocurrencies. The little kid found out a method in which one can acquire private keys from Ledger devices. He discovered that a reseller of Ledger’s products could update the devices with malicious code that would lie in wait for a potential buyer to use it, and then siphon the private key and drain the user’s cryptocurrency account when the user goes to use it.
The company until now does not have a solution to know if the code powering the devices has been modified or not. However, Rashid’s solution allows an attacker to force the device to sidestep those security checks. The company has after the incident updated its Ledger Nano S devices from firmware version 1.3.1 to version 1.4.1. It is yet to however update its Ledger Blue devices and the company believes that it would be done soon. Guillemet says that ‘The vulnerability he found was based on the fact that the secure element tries to authenticate the microcontroller, and that authentication is not strong enough’.
Donald Hoxhaj says
Who Is Afraid of More Spams and Scams?
https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/
The new European privacy laws have posed a big challenge for security researchers who rely on data included in Web site domain name records to prevent attacks by scammers. The access to the data will however be lost for at least 6 months starting May 2018. Some of the experts believe that this will cause more spams and scams in the user’s inbox. The General Data Protection Regulation (GDPR) takes effect on the 25th May under which companies are required to get affirmative consent for any personal information they collect on people within the European Union. Companies that violate the rules will have to pay a penalty of 4% from their global revenues.
Donald Hoxhaj says
Survey: Americans spent $1.4B on Credit Freeze Fees in wake of Equifax Breach
https://krebsonsecurity.com/2018/03/survey-americans-spent-1-4b-on-credit-freeze-fees-in-wake-of-equifax-breach/
According to a new study, consumers were estimated to cost $1.4 billion due to the data breach at Equifax last year; this forced almost 20 percent of Americans to freeze their credit file with big credit bureaus. The survey was conducted by Wakefield Research and involved nearly 1000 adults in the U.S. Respondents were asked to report themselves on how much they spent on the issue; as much as 32 percent said that it cost them something like less than $10 and quite a similar percentage of people said that the total cost was more than $30 or equivalent. Anyway, there is an average cost of $23 to consumers after the Equifax breach.
There is a variance in cost to freeze your credit file, which can be possibly in between $3 and $10 per credit bureau, and it is said that they also charge fees for removing a freeze, but Consumers Union stated that, residents of four states – Maine, Indiana, South and North Carolina cannot be laid any fees to place or lift a freeze.
Donald Hoxhaj says
15 Year Old Finds Flaw in Ledger Crypto Wallet
https://krebsonsecurity.com/2018/03/15-year-old-finds-flaw-in-ledger-crypto-wallet/
Saleem Rashid, a 15 year old security researcher from the UK, has discovered a serious loophole in crypto currency hardware wallets designed by Ledger, a security expert in crypto currencies and block chain applications safeguarding crypto assets for individuals and companies. The products sold by Ledger are mainly hardware based which are designed in a way to protect the user’s private keys from malicious software that might assess the credentials from the user’s computer. But the kid discovered a way to access the private keys from these devices which requires an attacker to have the device physically.
However, the company’s Chief Technology Officer stated that, the product’s security model is safe and can be purchased their products from even third-party sellers, including Amazon and eBay. But the kid also has mentioned that, the reseller, since he has access to the device prior to the consumer they can update the devices with a malicious piece of code which can be able to retrieve the private keys when the user goes to use it.
Donald Hoxhaj says
Who is afraid of more Spams and Scams?
https://krebsonsecurity.com/2018/03/who-is-afraid-of-more-spams-and-scams/
The new European privacy laws will result in the occurrence of more spams and scams popping up in your inbox, and you do not see that coming. As the law could result in losing the access of Website domain name records to the security researchers in half a year from this May.
There are several rules in ICANN (Internet Corporation for Assigned Names and Numbers) which demands the domain name registrars to collect and display some data points when someone performs a WHOIS lookup on a domain, such details include, registrant’s name, address, email and mobile number. However, most registrars will have some protection service that encapsulates this information from public WHOIS lookup, some registrars charge fees for this service, while others give it for free included in registration.
ICANN is taking a step forward to help registrars comply with GDPR (General Data Protection regulation) by limiting the data which appears on WHOIS public lookups to just registrant’s name, physical and email address, phone number. It has also proposed to create an “accreditation system” that would let access to personal data in WHOIS records for security researchers, journalists, law enforcements officials who frequently use WHOIS records to protect privacy.