An idea to make the UK the safest place to live and work online
In late 2020 I wrote that we should make URLs less important.
The thinking was essentially two fold:
- Use technology to solve cybersecurity problems, don’t expect or make the general user do a bunch of stuff such as install a password manager (because they can’t/won’t)
- If you want to protect more people, you have to move the solutions ‘upstream’ — embed the security functions before the user on their device.
I recently met up with some folks who work across UK government cybersecurity, and I re-surfaced one of my ideas for solving the scale problem — how do you actually make the UK the safest place to live and work online? How do you protect millions of individual people at the same time?
Consumer scams are all the rage
Cyber attacks on organisations who deliver Critical National Infrastructure is a problem. Cyber attacks for the purposes of intellectual theft are a problem. Those attacks scale, but no where near in comparison to SPAM and phishing messages to millions of individuals every day.
Consumer group Which? claim the fraud is up 33% year on year. More than £2.3 billion was lost by victims as a result.
Over £34.5 million stolen in pandemic scams in March 2020 alone (just in the UK) — and that is just what is reported to Action Fraud.
Scam delivery mechanisms
Scams are delivered through email, SMS or telephone calls. Many of them have calls to action (click a link, reply with information, call a number etc).
Telephone calls are really (really) hard to filter out at the carrier level— even the phone number displayed on the screen is not the actual identifier of the system connecting to the public telephone network.
I use Truecaller for iOS and it does help, but nothing is perfect. Silencing unknown callers in iOS is great, apart from when you’re expecting calls from multiple estate agents.
You can report scam telephone calls in the UK by texting the caller ID to 7726. For example: send “call 07700900123” (without quotes) to 7726, then it will reply asking for the name/number, just reply with “07700900123” (without quotes) again.
A small portion of telephone calls lead to the victims being asked to browse to a website and download something (maybe remote access software). My grand idea would help in that scenario, but broadly leave telephone scams untouched. I know the folks working on this, and how stupidly hard this is to solve at the carrier level makes me very sad.
Modern scam/SPAM filtering from Apple, Google and Microsoft (etc) generally do a pretty good job. (I have noticed some rudimentary things slipping through over the last few months though… but overall, good)
Talos Intelligence estimate the average number of legitimate email messages sent over the internet each day is around 22.43 billion.
Spamlaws estimate nearly 85% of all emails are SPAM. 122.33 billion a day. Nice.
Spamlaws further estimate scam and fraud emails account for about 2.5% of all SPAM emails (thats 3.06 billion a day). Phishing statistics indicate that identity theft is the goal of 73% of those (2.23 billion a day).
You can report scam/SPAM emails through most popular email systems. You can also report them by forwarding them to firstname.lastname@example.org
My idea focuses on the emails that want the consumer to click a link, as opposed to reply or open an attached file.
Huffington Post say in all 95 million spam text messages are processed per day in Europe and America — 45 million per day in Europe alone — of which 92% is related to fraud.
Messaging security firm Cloudmark say about a third of those messages (33.2%) are sophisticated attempts by fraudsters to gain personal data to sell for profit.
You can report scam/spam SMS messages in the UK by forwarding the message to 7726, then it will reply asking for the name/number that sent it, and then sending that as well.
Similarly to email, my idea focuses on SMSes that want you to click a link enclosed, as opposed to reply or call a number.
Common bit of the puzzle
The thing that binds this all together is that the user (or the technology, such as web browser or email client on their behalf) want to connect to www.Scam-R-Us.com.
DNS is my big idea
Require all consumer and business networking providers (thats ISPs who provide broadband/fibre and also data connections to smartphones) to implement high confidence malware filtering DNS response policy zones (RPZ) provided by the UK government.
Whether its a telephone call talking someone into downloading remote access software from Scam-R-Us.com, an email loading (or asking the user to click on a link to) Scam-R-Us.com or an SMS containing a fake Royal Mail fee payment link to Scam-R-Us.com — the DNS RPZ could stop it.
Wait. What? How would that work?
The UK government knows what a bunch of bad websites are already — in fact, the UK’s National Cyber Security Centre (NCSC, a part of GCHQ) has a service for the UK public sector which already does this called Protective DNS ( PDNS).
You want all UK ISPs to send all DNS queries to the UK government?
No, I want the UK government to provide a high quality DNS RPZ feed to all ISPs, and require them to implement it.
Allow opt-out, but make it default on for all UK data connections.
Optimally UK ISPs would report back to the UK government when the DNS RPZ ‘hits’ and intervenes. It is really handy to know what domains are indeed being blocked in what volumes and what time period (etc), because that translates to specific campaigns and threat actor groups.
That sounds hard to implement!
The UK government already has a high quality high confidence list of bad domains.
Just like NCSC’s public sector PDNS service, should the ISP’s DNS service (fed by the RPZ) detect a bad domain/website ‘lookup’, it will simply interject with a duff ‘reply’ to stop the lookup (and stop the bad website from loading).
ISPs already have DNS RPZs now today — they just work for copyright, when a child filter is enabled on the connection or when there is another legal requirement. This would just be another one.
Isn’t a connection error a bad user experience?
Is it better or worse than visiting a scam site?
DNS RPZ is really hard as DNS can’t really signal web browsers on what is going wrong. A DNS ‘NXDOMAIN’ response would effectively tell the user (via their browser) that the domain doesn’t have the record being requested — that isn’t accurate (one exists, but its would result in a scam/malware site).
It would be great if DNS responses/servers could signal a browser to provide a richer error, but sadly DNS has a limited number of possible responses.
The ISPs could serve a block page for HTTP (unencrypted), similarly to pages presented when their current DNS RPZ kicks in. This is also how NCSC PDNS works today, showing a branded page explaining what has happened.
This can be researched. These are national ISPs/telcos and a whole government with sizeable resources managing a number of complex programmes let alone billions of pounds— this can be readily researched prior to implementation with focus groups, etc.
What about encryption connections?
HTTPS (encrypted websites) are — thankfully — on the rise. DNS RPZ has an even tricker time here, as its not possible to serve an intercepted notice page on HTTPS without a different set of problems.
The only real thing to do here is to mothball entirely, just make it look like a connection error. This is how NCSC PDNS works today.
What about privacy scope-creep problems?
NCSC PDNS only ever intercepts malware domains. There are already avenues as mentioned above for UK ISP/telco DNS filters.
There will of course be a concern that a UK government supplied RPZ could start to filter more than malware. This would be subject to robust definition and governance, as with all broad applications of technology.
There are arguments for and against publishing the list of domains that will be in the RPZ. In general I would be supportive of publication, because this should not disclose the means, methods and sources of the list.
Its really important that the public, oversight and Parliamentary teams are confident that OppositionPartyWebsite.com nor bbc.co.uk can ever get on the list. Its wholly and solely malware/scams, not a route for governmental overreach or censorship.
This mechanism should only ever be used for domains that are used for scam/malware. There may be the occasional miscatgeorisation, but this should be limited if its only about scam/malware, not adult materials (etc).
Easy and clear opt-out would be key.
What would this all do?
Whenever a device (smartphone, tablet, laptop etc) using a UK data connection would try to go to a known scam site, it simply wouldn’t load.
Whenever someone in the UK received a Royal Mail scam SMS and clicked the link, the smartphone’s browser would simply show a DNS error (or the ISP’s unencrypted error page).
Another tool in the defence utility belt
Those SMS messages should be filtered before getting to the person and also the domain itself should be subject to takedown — but a DNS RPZ would be another tool in the arsenal, and could be more effective a whole lot sooner.
Domain takedown requires evidence with registrars. Stopping an SMS from being sent to a handset by network operators requires high confidence matching on the message content and/or originator.
Would the UK government do it?
The cost of running the service wouldn’t actually be too bad (NCSC already run one!) the difficulty would be creating the regulatory or statutory requirements for the UK ISPs to implement it.
Here come the lawyers
I wrote ‘high confidence’ and ‘high quality’ because there will always be a risk that by using DNS RPZ (which would stop the whole domain, such as www.domain.com, not a portion of it, such as www.domain.com/wordpress/just_the_bad_part/index.html) that there is a false positive (something is blocked as malware/malicious, but it is legitimate)
In that case, the offended party might sue the ISP, but more likely — sue the UK government.
Would the UK government be willing to create these instruments to require UK ISPs to act, effectively indemnify them and tolerate the risks of being sued if their bad domain list had a good domain on it? Well… it should — if you ask me.
Is the risk so different to when a general website is miscategorised (let’s say as unsuitable for children) and the website owner asks for it to be re-assessed? When this happens today with Netcraft, SpamHaus, Google Safe Browsing (and so on) the website/domain owner simply asks for a re-categorisation. I’m fairly sure they don’t sue — on this basis, the risk is even lower.
Would it be worth it to implement?
Assuming the UK government continued to develop a high quality and responsive DNS RPZ, the scam domain could be ineffective in the UK in minutes/hours not days.
Only 33.4% of scam/SPAM/malware URLs are taken down within 24 hours (NCSC’s Active Cyber Defence Fourth Year report).
In 2020, PDNS handled more than 237 billion DNS requests. Of these, nearly 105 million requests were blocked, corresponding to 0.04% of all requests. These 105 million blocked requests were for nearly 160,000 distinct domains attributed to cyber crime Organised Crime Groups (OCGs) with ransomware-related malware featuring prominently — NCSC’s Active Cyber Defence Fourth Year report
There are millions and millions of DNS requests per second. So, yes, I think at anywhere near 0.04% it would be well worth it.
Start with mobile data
(Based on absolutely no real data at all) I suspect that connection errors on smartphones using a mobile data connection are more common and tolerable to citizen users, than on laptops/desktops.
The Royal Mail extra fee type SMS scams would be a great thing to stop.
Applying this to mobile data first would be less risky, while also cutting off some large scam attacks.
What would it take to implement?
The technicals (as usual) are actually pretty simple particularly since NCSC PDNS already exists. UK ISPs and telcos generally don’t do anything unless they have to, so its finding a regulatory avenue that already exists or creating one.
It would take attention from the Minister for Digital Infrastructure, the Department for Digital, Culture, Media & Sport (DCMS) and NCSC to see it through.
What about not the UK?
Oh yes, well, of course! It would be difficult for the UK government to provide this to other ISPs but their own governments could. I’m fairly sure the UK would happily share their bad domain know-how with the US, Canada, New Zealand and Australia and vice-versa! 👀
What do I do in the meantime?
Use an encrypted filtering DNS service. I use NextDNS (affiliate link).
NextDNS is compatible with modern smartphones, laptops, and a bunch of routers to protect every device on the network.
NextDNS lets you choose to enable a bunch of security RPZ feeds — including Threat Intelligence Feeds, AI-Driven Threat Detection, Google Safe Browsing, Cryptojacking Protection, DNS Rebinding Protection, IDN Homograph Attacks Protection, Typosquatting Protection, Domain Generation Algorithms (DGAs) Protection, Block Newly Registered Domains (NRDs), Block Parked Domains and Block Child Sexual Abuse Material.
Block Newly Registered Domains (NRDs) is a great one. It can be annoying and get in the way sometimes, but I have seen it stop 100% of all of the SMS based scams I get that ask me to click a link.