iDNS: Scam Going On for More Than 15 Years

iDNS renewal letter

You probably already received one of these letters if you have registered a domain name in the past few years. The company behind these letters is Brandon Gray Internet Services Inc. The worst part is that this is a legitimate organization, registered and operating in Canada (Markham, Ontario). For a long time I thought it was only a scam here, but I recently discovered they also operate in the United States, Europe and Australia.

Operations Under Many Names

I got my first domain name in 2003, so I don’t exactly remember the first time I received one of these letters. However, I believe it was under the name “Domain Registry of Canada”. They now seem to use the iDNS name more often, as shown in the image. Over the years, they have used many different reseller names under the parent company “Brandon Gray Internet Services”, such as:

  • Namejuice
  • Domain Registry of Canada (DROC)
  • Internet Domain Name Services (iDNS)
  • Domain Registry of America (DROA)
  • Domain Renewal Group
  • Liberty Names of America
  • Domain Registry of Europe (DROE)
  • Domain Registry of Australia

Deceptive Message

The main concern is the deceptive message in these letters sent by mail. This is possible because the registrant’s postal address is publicly available for each domain name through a WHOIS query, unless the owner uses a privacy protection service, which is not always the case. The main objective is to trick the owner into renewing the domain name with them. However, this “renewal” also means transferring the domain to a new registrar, a situation that will definitely lead to future problems. The reseller names used can easily mislead the recipient into thinking they are an official government authority.

The business is totally unethical, but there is a grey zone worth mentioning. I believe the wording was updated over the years to be more… compliant with the law. However, it is still a deceptive message and can surely mislead a newcomer to domain name management.


In my opinion, you have all the elements of a perfect scam. The messages that would protect them: “This notice is not a bill, it is rather an easy means of payment should you decide to switch your domain name registration to Internet Domain Name Services” and “As a courtesy to domain name holders, we are sending you this notification of the domain name registration that is due to expire in the next few months”. A message to generate fear in the recipient: “Failure to renew your domain name by the expiration date may result in a loss of your online identity making it difficult for your customers and friends to locate you on the Web”. Finally, a supposedly new opportunity, even if it is not true: “Privatization of Domain Registrations and Renewals now allows the consumer the choice of Registrars when initially registering and also when renewing a domain name”.


They have a long history of lawsuits and investigations following various complaints to different regulators, e.g. the Competition Bureau of Canada, the Advertising Standards Authority (ASA), the Federal Trade Commission, ICANN and the Canadian Internet Registration Authority (CIRA). There have also been lawsuits with other companies, such as Tucows and Deinternetman.

What Should You Do?


Their prices are even higher than the competition, and you simply don’t want to write down your credit card information on a piece of paper. Pay attention to the details. They are not even able to use a well-known TLD such as .com. They use the country code top-level domain .as (American Samoa), which redirects to the ccTLD .to (Tonga).

Unfortunately, this scam seems to be working, since Brandon Gray Internet Services is still in operation and the scam has been going on for more than 15 years. You will receive these letters a few times a year if you own more than one domain. The only thing to do for now is to throw the letter away; no action is required on your part. You could always complain to some authorities, but I personally think it is not worth the time after so many years… However, be sure to still renew your domain name on time with your current registrar. In fact, you should simply activate the auto-renewal offered by most registrars.
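The two points above (the letter reaches you because the WHOIS record exposes your postal address, and only your current registrar can actually renew the domain) can be checked mechanically against the WHOIS record itself. The script below is an added example written for this post, not code from the original article: it parses a constructed WHOIS reply (the domain, registrar, dates and registrant are all made up), extracts the real registrar and expiry date, and reports whether the sender of a “renewal notice” is that registrar or a third party whose payment would amount to a transfer.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS reply for an illustrative domain: every value below
# (domain, registrar, dates, registrant) is made up for this example.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-SHOP.COM
Registrar: Example Registrar, LLC
Updated Date: 2017-01-12T09:31:00Z
Creation Date: 2003-06-02T14:20:00Z
Registry Expiry Date: 2018-06-02T14:20:00Z
Registrant Name: Jane Doe
Registrant Street: 123 Main Street
Registrant City: Montreal
Registrant Country: CA
"""


def parse_whois(text):
    """Parse 'Key: value' lines of a WHOIS reply into a dict keyed by the
    lowercase field name. The first occurrence of a field wins."""
    record = {}
    for line in text.splitlines():
        # Field names contain only letters and spaces, so the first colon after
        # such a run separates key from value (date values contain colons too).
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).strip().lower(), m.group(2))
    return record


def _normalize(name):
    """Lowercase and keep only letters/digits so 'Example Registrar, LLC'
    and 'example registrar llc' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def assess_renewal_notice(whois_text, sender_name, today_iso):
    """Compare a mailed 'renewal notice' against the domain's actual WHOIS data.

    today_iso is a 'YYYY-MM-DD' date. Returns the real registrar, the days left
    before expiry, and the findings a domain owner should read before paying."""
    rec = parse_whois(whois_text)
    registrar = rec.get("registrar", "")
    expiry = datetime.strptime(rec["registry expiry date"], "%Y-%m-%dT%H:%M:%SZ")
    expiry = expiry.replace(tzinfo=timezone.utc)
    today = datetime.strptime(today_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    days_left = (expiry - today).days

    findings = []
    sender, actual = _normalize(sender_name), _normalize(registrar)
    # A notice from anyone other than the current registrar is a transfer offer,
    # not a renewal, however it is worded.
    if sender not in actual and actual not in sender:
        findings.append(
            f"sender '{sender_name}' is not the current registrar "
            f"('{registrar}'): paying would transfer the domain"
        )
    # The postal address in the record is how the letter found its way to you;
    # a privacy/proxy service would have masked it.
    if rec.get("registrant street") or rec.get("registrant city"):
        findings.append("registrant postal address is public in WHOIS")
    return {"registrar": registrar, "days_until_expiry": days_left, "findings": findings}


if __name__ == "__main__":
    # Constructed 'today' so the day count is reproducible.
    result = assess_renewal_notice(SAMPLE_WHOIS, "Internet Domain Name Services", "2017-10-01")
    for finding in result["findings"]:
        print("finding:", finding)
    print("real registrar:", result["registrar"],
          "| days until expiry:", result["days_until_expiry"])
```

In practice you would paste the output of your registrar’s or the registry’s WHOIS lookup into `SAMPLE_WHOIS`; the only safe place to renew is the registrar the record names, and the expiry date tells you whether any urgency in the letter is real.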

September 2017: Security Breaches

September 2017 was an interesting month, with many significant security breaches. We all learned the value of our personal information. From now on, I will publish a monthly post about the major security breaches of the previous month.

Equifax

Equifax is a consumer credit reporting agency, and attackers had recurring unauthorized access to their systems from May 13th to July 30th. The technical teams knew about the exploited vulnerability, since they had even received a memo on March 9th to patch it (Apache Struts CVE-2017-5638). Even so, the security team detected the intrusion only on July 29th. The CEO learned about the situation on July 31st. The board of directors got the news on August 24th and 25th. It was only on September 7th that Equifax disclosed the security breach to the public.

143 million (143 000 000, yes, six zeros) records on Americans were stolen, including names, social insurance numbers (SIN), dates of birth, and even some driver’s licences. After the investigation, the number is now 145.5 million, and it now includes credit card numbers for 209 000 consumers. In Canada, we are a little luckier: it was first announced that 100 000 consumers were impacted, but the revised number after the investigation was closer to 8 000 consumers.

The CEO took an early retirement, along with several executives including the Chief Information Officer (CIO) and Chief Security Officer (CSO). Equifax will also face many lawsuits in both Canada and the US. The then CEO will even have to testify before Congress. There are also questions about executives selling their stock options after the detection of the security breach. Since the hack had not been publicly disclosed, these people could face charges for insider trading.

US Securities and Exchange Commission (SEC)

This US federal agency is mainly responsible for enforcing securities laws and regulating the securities industry. The Commission discovered a software vulnerability in 2016, which was “promptly” patched. However, the SEC disclosed a possible incident, since they believe that unauthorized access still occurred before the patch could be applied. No personally identifiable information (PII) was accessed, but sensitive nonpublic information about companies was. An official statement was published on September 21st.

Deloitte

One of the “Big 4” accountancy firms was also targeted this month. The news was published by the Guardian on September 25th. Among the Big 4, Deloitte is the firm best known for its cybersecurity services. The firm’s clients include 80 percent of the Fortune 500. The unauthorized access occurred on the firm’s global email server hosted on Microsoft Azure, probably since October or November 2016.

Nothing too complicated this time: the attackers simply obtained the credentials of an administrative account. After that, they could log in directly to the email server and access emails to and from Deloitte’s 244,000 staff. Many of these emails probably contain sensitive information about their clients and even some interesting attachments. The system was not compromised through a technical exploit, but through social engineering to obtain credentials. Furthermore, without two-factor authentication (2FA), logging in remotely was easy.
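The failure mode described here (a privileged account, a single factor, a remote login) is one of the easiest things to catch in sign-in logs if anyone looks. As an added example that is not part of the original post, the script below runs a small detection rule over a constructed sign-in log: the CSV format, the user names, the addresses and the “corporate” network range are all assumptions made for the illustration. It flags every successful administrative sign-in without a second factor, raises the severity when the source lies outside the expected networks, and computes how much of the admin traffic was MFA-protected at all.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sign-in log (CSV) for a hypothetical mail server: the format,
# users and addresses are all made up for this example.
SAMPLE_SIGNINS = """\
timestamp,user,role,mfa,source_ip,result
2016-10-03T02:14:05Z,mailadmin,admin,no,203.0.113.45,success
2016-10-03T08:02:11Z,jdoe,user,yes,198.51.100.7,success
2016-10-03T09:30:44Z,mailadmin,admin,yes,198.51.100.20,success
2016-10-04T01:55:09Z,mailadmin,admin,no,203.0.113.45,success
2016-10-04T10:12:00Z,asmith,user,no,198.51.100.9,failure
2016-10-04T11:40:27Z,backupadmin,admin,no,198.51.100.21,success
"""

# Networks from which administrators are expected to sign in (assumed value).
CORPORATE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_signins(text):
    """Read the CSV log into a list of dicts; the 'mfa' column becomes a bool."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["mfa"] = row["mfa"].strip().lower() == "yes"
        events.append(row)
    return events


def is_corporate(ip_text):
    """True when the address falls inside one of the expected admin networks."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in CORPORATE_NETWORKS)


def privileged_logins_without_mfa(events):
    """Flag successful privileged sign-ins that did not use a second factor.

    Severity is 'high' when the source is also outside the corporate networks
    (a remote single-factor admin login), 'medium' otherwise."""
    alerts = []
    for e in events:
        if e["role"] != "admin" or e["result"] != "success" or e["mfa"]:
            continue
        outside = not is_corporate(e["source_ip"])
        alerts.append({
            "timestamp": e["timestamp"],
            "user": e["user"],
            "source_ip": e["source_ip"],
            "severity": "high" if outside else "medium",
        })
    return alerts


def admin_mfa_coverage(events):
    """Share of successful admin sign-ins that used MFA (a simple policy metric)."""
    admin = [e for e in events if e["role"] == "admin" and e["result"] == "success"]
    if not admin:
        return 1.0
    return sum(1 for e in admin if e["mfa"]) / len(admin)


if __name__ == "__main__":
    evts = parse_signins(SAMPLE_SIGNINS)
    for a in privileged_logins_without_mfa(evts):
        print(f"[{a['severity']}] {a['timestamp']} {a['user']} "
              f"from {a['source_ip']} signed in without MFA")
    print(f"admin MFA coverage: {admin_mfa_coverage(evts):.0%}")
```

The coverage metric is the number to watch over time: a rule that fires on single-factor admin logins is only useful once the expected value is zero, which is the point of enforcing 2FA on every administrative account rather than merely offering it.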

Sonic

Sonic is a major fast-food chain in the US with nearly 3 600 locations. Brian Krebs was the first to report this security breach, on September 26th. Their credit card processor informed them about unusual activity related to their transactions. It is still unclear how the security breach occurred. However, at least 5 million credit and debit card accounts were found for sale online, and these are probably related to the Sonic security breach.

Whole Foods Market

Whole Foods Market, which is owned by Amazon, also disclosed on September 28th that some payment card information had been stolen. The investigation is still ongoing, and we should have more information soon. An interesting point mentioned in the press release is that Amazon’s systems are not connected to the ones at Whole Foods.

Kantoku: Project Shutdown and Future Comeback

Kantoku logo

Kantoku is a self-hosted application for companies to manage their IT governance, risk management and compliance (GRC). As mentioned in a previous post, I developed this application during the first part of 2016. At first, it was a Software-as-a-Service (SaaS) solution with a really nice high-availability infrastructure on AWS. However, I had to put aside the infrastructure behind the SaaS solution. Back then, it was mostly a question of priorities. To keep the project alive, one alternative was to offer Kantoku as a self-hosted application. In that case, companies would still be able to buy a licence and install the application on their own servers.


I mainly developed this application to help small and medium enterprises (SMEs) manage their IT GRC more efficiently. Even SMEs have compliance obligations. I thought it was a niche market where it could have been possible to offer something different from the existing solutions: an application that would be simpler and more affordable for everyone. It was also an interesting complement to consulting services. However, I did not account for these two situations:

Small and Medium Enterprises

SMEs are fortunate if they have someone who is aware of the main IT GRC concepts. They will probably have a consultant who helps them with their compliance obligations, which can be cheaper for them than a full-time employee. However, their GRC needs are often not complex enough to justify implementing a dedicated application. They prefer to work with many documents such as spreadsheets and emails rather than learn a new application workflow. SMEs don’t necessarily see the value in monitoring their GRC, and I understand them. They want to concentrate on their core business, where they can generate direct income.

I also have to admit that one of my weaknesses is the selling side of a business. I really need to be convinced that my product and/or service will benefit the client. Otherwise, I don’t want to sell anything, since I care about my clients. This was not always the case with Kantoku and SMEs. Most enterprises need help with their IT GRC strategy, and I obviously see the value for them in having a consultant to help them, not an application that they will barely know how to use. If I have to push too hard in my explanation of a solution’s features, maybe it is not the right solution for the client.

Larger Organizations

Larger organizations often have the budget to acquire a well-known solution with all the advanced features, such as RSA Archer, Resolver, MetricStream, Reciprocity, etc. It is really hard to compete with solutions that cost more than just a few thousand. Furthermore, these organizations will not see the difference. They expect the same features, which is understandable.

Future Comeback

As I said before, even if I am really proud of this IT GRC application, Kantoku will be shut down. Another reason is that my professional life and other projects all revolve around the IT GRC field. I need a project in a completely different field. It is also important for me to stay neutral when providing consulting services in IT GRC. I can’t provide a solution in IT GRC and be impartial towards other existing solutions. There is also an open source solution that I really like, Eramba. It could be an interesting alternative for many SMEs with an interest in their IT GRC. I exchanged a few emails with the founder, and I would prefer to work with them in the future.

Why a future comeback? I am already working on something else, but I don’t want to say too much about it yet. It will be an application that is not in a niche market, since there are many other applications like it. However, I am still not satisfied with the current offers. This time, it will be a SaaS solution and I will probably reuse the domain name

CISSP: Passed, and One More Milestone Completed

CISSP By (ISC)² [Public domain], via Wikimedia Commons

Done. The 6-hour exam with its 250 questions is finally behind me. Yes, I am talking about the famous CISSP, or “Certified Information Systems Security Professional”, exam from ISC2. This is the certification that most information security professionals will try to obtain at some point in their career. Why? For most recruiters and companies looking for an information security professional, the CISSP is now the golden ticket for employment in this field.


I would say that it all started in 2015. Back then, I decided to pursue the SSCP, or “Systems Security Certified Practitioner”, from the same organization. This was a shorter exam, which is a little more technical, but not deeply technical either. It gave me a first experience with an ISC2 exam before pursuing the CISSP. Both exams share some similar domains, but not necessarily at the same level.

For studying, I only bought the official study guide, the CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, which I think is really well written. Knowing that I perform much better when I have the opportunity to practice beforehand, I used the official practice tests, the CISSP Official (ISC)2 Practice Tests, and even the mobile application, which is really great to use during the daily commute. There are many resources available with thousands of questions.

The exam itself is like any other exam, just longer and more expensive. What about the duration? In about 4 hours, I was able to answer the questions and review a few trickier ones.


There is some criticism of this certification among information security professionals. There seems to be a misconception about the knowledge and experience demonstrated by this certification. These days, a company will first look for a candidate with a CISSP for any kind of role related to information security. It could be anything from the typical information security analyst to technical roles such as penetration tester, security architect, encryption specialist, cloud security specialist, etc. This is the biggest mistake.

In my opinion, this is a management-level certification giving better insight into policies and standards. A CISSP holder will be able to guide and manage the information security objectives of an organization. However, the person in this role will be supported by people with technical know-how. It is not a technical certification. Obviously, it depends on the person’s professional background, since a CISSP holder can have a deep understanding of the technical concepts.


Well, it is now the waiting period. I will hopefully obtain the CISSP certification some time in 2019, after I have completed the required experience. Every holder must have 4 to 5 years of direct information security experience in at least 2 of the 8 domains. I must admit that this is a great advantage of this certification. A one-year waiver is possible depending on previous academic experience and other certifications. I had a similar situation with the CISA, where there is a 2 to 5 year requirement.

What’s next after the CISSP?

I am still unsure about the next step. I think I have completed the majority of the relevant certifications. On the other hand, I am always curious about privacy matters, and I would like to be more proficient in questions related to privacy law. There is indeed a certification from the International Association of Privacy Professionals that piqued my interest, but that will be for a different post…

Why did I do the OSCP certification?

I am more of an IT auditor, on the business side of information security (at least in theory; I still like doing many technical projects). However, it was still important for me to pursue the Offensive Security Certified Professional (OSCP) certification. At first, I was perhaps interested in a career as a penetration tester (pentester), and it was indeed a good way to confirm, or not, my interest.

The OSCP certification is unique among IT certifications. Students don’t “simply” learn theory and pass a multiple-choice exam. To obtain the certification, students have 24 hours to gain privileged access to 5 servers, followed by another 24 hours to write a report. Basically, it is a simulation of a client engagement to perform a penetration test.

Students learn by studying the Penetration Testing with Kali (PWK) course, which introduces different methods of compromising servers. There is an electronic book and also really good videos. The material gives students an overview of each concept. Kali is the Linux distribution maintained by Offensive Security, previously known as BackTrack. In any case, the most important part is definitely having access to the virtual lab, the Offensive Security Penetration Testing Labs. The lab is where students can exploit many machines with different types of attack. It is almost impossible to pass the final exam without spending an impressive amount of time in the lab.

I must admit that I thought at first that it would be easier to get through this intensive training. If you are interested in this certification and the field of penetration testing, it is an amazing experience. However, you will need a lot of determination. You will get frustrated many times and be stuck on many servers in the lab, not just for an hour or two, but probably for many days. It is possible to get through all the servers, well, most of them… The solution is often simple enough once the attack vector is discovered. After the first few servers, finding a way into a new machine becomes more and more addictive.

You can always ask for help on their IRC channel, but they will never give out the solution, or they simply respond with… “Try Harder!”. And yes, they are serious about it. I was not sure I really understood the meaning of those two words at first. I never really asked questions in class, since I prefer to figure things out on my own. Most of the time, it is simpler, and resources are available online. With the OSCP, that was not the case at all. They will be happy to guide you, but their responses remain vague, even if you have solved part of the problem. You need to be ready to learn by yourself. The PWK will not give you the solution; it just gives you some tools to help you afterwards in the lab.

I took the exam in January 2016, more than a year ago, and I still remember it. It was probably more difficult than most exams during my university studies or other certifications. When I see someone with a certification from Offensive Security, I know that they have gone through a lot. I don’t think I will become a pentester in my professional life. However, it is definitely an important asset for anyone working in information security. I would recommend it without hesitation.