Security Working Group Minutes RIPE 91

Tuesday, 21 October 2025 16:00 - 17:30 (UTC+3)

Chairs: Brian Nisbet, Markus de Brün, Tobias Knecht

Scribe: Josh Paolucci

Status: Draft

The recordings and presentations are available at:
https://ripe91.ripe.net/programme/meeting-plan/sessions/21/

The stenography transcript is available at:
https://ripe91.ripe.net/programme/meeting-plan/sessions/21/transcript/

A. Administrative Matters

Brian opened the session, co-chairing with Tobias and with Markus, who joined remotely.

The minutes from RIPE 90 were approved.

B. Update

B.1. Recent List Discussion

Brian noted that there were no recent discussions on the list and encouraged more engagement from the working group members.

C. Policies

There were no policies up for discussion. Brian reminded members of the working group that if they had any relevant policies, the Co-Chairs are ready to assist and review policies. Furthermore, if it is deemed that the Security WG isn't the right place to raise the policy, the Co-Chairs will work with the submitter to find the right home.

D. Interactions

D.1. Reflections on the Europol Cybercrime Conference

Brian Nisbet

Brian spoke about the importance of engaging with law enforcement to help them get more involved in the community. He described the Europol Cybercrime Conference he had recently attended. The event covered some of the challenges faced by law enforcement, such as high turnover and insufficient documentation for new personnel. Brian stressed the need for the community to teach others how to navigate the RIPE Registry and Database to help investigations. Brian noted that law enforcement and the RIPE community approached discussions about encryption very differently, with the community insisting they could not bypass it while law enforcement continued to look for a way to do so. He noted that it was important to remember both parties were on the same team in terms of wanting the Internet to be safer for all users.

Rüdiger Volk asked if this was the only European political meeting Brian had attended since RIPE 90. Brian confirmed it was.

Rüdiger Volk brought up a presentation that was given in the Cooperation WG at RIPE 90, where representatives from the EU Commission had announced they were preparing for the implementation of NIS2, including elements of cybersecurity risk management, DNS routing and email. He asked Brian if he had observed anything about that and if the Security WG should be involved.

Tobias Knecht responded by mentioning that there were several processes ongoing in the EU Commission and other organisations at the moment. Things were evolving, such as at ICANN, with regulations over new contracts and abuse management. There were a lot of discussions about online security that did not feel very well-coordinated, so it was unclear where it was going.

Hisham Ibrahim, RIPE NCC, mentioned the RIPE NCC had been speaking with the EU Commission about NIS2 since the beginning of the year. The Commission was bringing the topic to various communities to see how they could cooperate on this. The representatives had also gone to the IETF after that presentation. Hisham said the Security WG did have a role to play here in terms of coordination with the RIPE NCC or other organisations. He also noted there were presentations from the IETF today as well, and he had met with representatives from the IAB to talk about standards and coordination. The RIPE NCC understood there was more to be done here.

Alex de Joode, AMS-IX, said it was important to realize that NIS2 targets organisations. The RIPE NCC was expected to be NIS2-compliant because they were a part of some customers’ supply chains.

Rüdiger Volk reiterated the importance of NIS2 compliance.

Emanuele Iovini, Europol, said he invited the RIPE NCC to help train law enforcement so they could work together to tackle cybercrime. Europol was at the RIPE Meeting because they wanted to be part of the community.

Romain Bosc, RIPE NCC, added that the RIPE NCC was monitoring NIS2. They understood the concerns and were working to tackle any issues that might arise.

E. Presentations

E.1. The File That Contained the Keys Has Been Removed: An Empirical Analysis of Secret Leaks in Cloud Buckets and Responsible Disclosure Outcome

Yury Zhauniarovich, TU Delft

The presentation is available at: https://pretalx.ripe.net/media/ripe91/submissions/U7YLJ8/resources/20251021_ripe91_open__v2t77Nx.pdf

Yury presented research from TU Delft on secret leaks in publicly accessible cloud storage. The study involved large-scale Internet scanning and analysis of exposed data. He explained that despite improvements in secret-detection mechanisms by platforms like GitHub, many credentials remained publicly exposed. The team worked with CSIRT Global for responsible disclosure, but noted that the high number of findings made coordinated reporting challenging. Their scans identified over 450 open storage buckets and discovered 215 valid secrets. When they contacted the owners of the credentials, most responded quickly and remediated the issue within days, but some tokens remained active with restricted permissions. Yury concluded that cloud storage remained a major source of secret leaks, highlighting the importance of coordinated responsible-disclosure processes and continued awareness.

Marc van der Wal, AFNIC, asked whether any organisations had reacted negatively to the disclosure. Yury said this was rare, although one had asked for proof of exploitability.

Tobias Knecht asked whether the team notified cloud providers or the key owners. Yury said they contacted the customers directly. Tobias noted that AWS had a dedicated security contact that would welcome such reports.

Leo Vegoda, PeeringDB, asked if providers should proactively scan for customer leaks. Yury replied that Google had started doing this, though expecting all providers to do so might be unrealistic.

Brian Nisbet added that support teams likely encountered these issues regularly and expressed hope that other providers would follow Google’s lead.

E.2. RegCheck: A Real-Time Approach for Flagging Potentially Malicious Domain Name Registrations

Thomas Daniels, DNS Belgium & KU Leuven

The presentation is available at: https://pretalx.ripe.net/media/ripe91/submissions/K3L3HH/resources/ripe-regcheck-present_TsImrUD.pdf

Thomas presented on RegCheck, a machine learning system for identifying potentially malicious domain name registrations in real time. Since 2020, DNS Belgium had used a rule-based system to flag suspicious registrations, but this approach was manual and difficult to maintain. The new machine learning method performed automated risk scoring within milliseconds of domain registration. Suspicious domains were flagged for manual review and could not be activated until legitimacy was verified. Features of the model included registrant information, registrar and domain history, along with derived reputation and geographic consistency data. The model was deployed in March 2024 and reduced the rate of domain revocation by 30%, while maintaining proactive detection capabilities. Thomas concluded that the machine learning pipeline significantly improved on manual processes and could be applied to other domain registries.

Emanuele Iovini praised the proactive approach and asked if the system gave higher scores to domains related to previously malicious ones. Thomas confirmed it did. Emanuele also asked about actions based on the score. Thomas said all suspicious domains underwent the same manual review process.

Tobias Knecht asked whether data from domains that later became abusive was included in the model. Thomas said these were labelled as malicious during training, but the model was not used to predict on the same dataset. Tobias expressed interest in the proportion of domains registered with malicious intent versus those that became malicious over time.

Andrew Campling, 419 Consulting, noted a recent study estimating global online scam losses at over one trillion dollars and suggested Thomas explore Nominet DNS funding grants of up to £100,000. Thomas thanked him for the suggestion.

X. A.O.B.

There was no other business.

Z. Agenda for RIPE 92

Brian invited working group members to send agenda items for RIPE 92.