Feb 7
12:01 am (UTC-7)   |   by Paul Ferguson (Advanced Threats Researcher)

The importance of good, solid, and reliable contact information is extraordinarily valuable when it comes to investigating compromises, and even more important when attempting to contact someone to alert them of a problem.

Unfortunately, only legitimate domain and IP address owners use correct information in the first place (that is another issue entirely), but more and more we are discovering that even this information is increasingly incorrect.

This has been a growing source of concern in the area of network security, where the ability to contact someone to notify them of a security breach becomes an “emergency issue” on a scale of minutes – not necessarily hours or days.

The longer a “contaminated” webpage, for instance, remains on the Web, the greater the chance that unwitting users will be compromised, and the more users can (for example) be unwittingly recruited into botnets.

I’d like to take this opportunity to urge each and every individual and organization who may read this to ensure that their technical contact information is up-to-date and accurate – whether it be on your webpage(s) as “contact information” (e.g. webmaster@domain.com) or, more importantly, in the domain and RIR (Regional Internet Registry) WHOIS databases.

This is crucial.

When Trend Micro researchers discover an “incident”, we make every effort to contact the owners of the particular domain or IP address block to alert them of the problem. But more often than not, our requests fall on deaf ears. Sometimes we get “bounce” messages in e-mail explaining that (a) the recipient’s mailbox is full, (b) the recipient does not exist, or (c) an automated response explaining that “…we take abuse requests very seriously…” yet the issue never seems to get resolved.

On a lucky day, we get (d), an actual human being who responds and takes care of the problem.

We love when that happens.

On those occasions where we can’t get a satisfactory response from the “responsible” organization, we attempt to contact a regional or national CERT/CSIRT listed by or affiliated with FIRST.org (Forum of Incident Response and Security Teams). And unfortunately, we seem to have recently experienced more and more instances where we have to go searching for a CERT contact because we can’t get a response from the affected organization, whether by e-mail or telephone.

And subsequently, we keep our fingers crossed that they (the national or regional CERT) can have more success than we have had in contacting someone who can fix the problem, or clean up the mess, as the case may be.

And sometimes they do – we have had great experiences dealing with several of the national CERTs.

There are other unfortunate occasions when a security incident is so large, so immediate, and so diverse that it is impossible to contact all of the organizations involved – this is also a good reason to leverage the national and regional CERTs.

The underlying issue here is that security incidents do happen, but the speed and efficacy with which an organization deals with the problem is paramount. But let’s be realistic here — security incidents that are not resolved in a timely manner ultimately reflect negatively upon your organization’s image, your brand image.

So if you’re a network admin out there reading this, double-check your organization’s contact information in the WHOIS database(s) for both your domain, and your IP address space.
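As an added illustration of that check (not part of the original post), the following script pulls the contact e-mail fields out of a WHOIS record and flags values that nobody will ever read. The field names, the list of "unusable" values and the sample record are all assumptions constructed for this example; `whois_query` needs network access and is not used by the sample run.

```python
"""Sanity-check the technical/abuse contacts in a domain or RIR WHOIS record."""
import re
import socket
from typing import Dict, List

# Field names that carry contact e-mail in common WHOIS output formats
# (RIPE/APNIC "abuse-mailbox"/"e-mail", ARIN "OrgAbuseEmail", registrar
# "Tech Email" ...). Assumption: this list is illustrative, not exhaustive.
CONTACT_FIELDS = (
    "abuse-mailbox", "e-mail", "orgabuseemail", "orgtechemail",
    "tech email", "admin email", "registrant email",
)
# Values that mean the mail will bounce or go unread (assumed patterns).
UNUSABLE = re.compile(r"^(none|null|n/?a|nobody|invalid)$|@localhost$|^no-?reply@", re.I)


def whois_query(name: str, server: str, timeout: float = 10.0) -> str:
    """Raw WHOIS lookup over TCP/43 (RFC 3912); requires network access."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((name + "\r\n").encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


def extract_contacts(record: str) -> Dict[str, List[str]]:
    """Map each contact field name (lowercased) to the values found for it."""
    found: Dict[str, List[str]] = {}
    for line in record.splitlines():
        if ":" not in line or line.lstrip().startswith(("%", "#")):
            continue  # skip comment lines and free text
        key, _, value = line.partition(":")
        key = key.strip().lower()
        if key in CONTACT_FIELDS:
            found.setdefault(key, []).append(value.strip())
    return found


def check_contacts(record: str) -> List[str]:
    """Return a list of problems; an empty list means the contacts look usable."""
    contacts = extract_contacts(record)
    problems = [] if contacts else ["no contact e-mail fields present"]
    for key, values in contacts.items():
        for value in values:
            if "@" not in value or UNUSABLE.search(value):
                problems.append(f"{key}: unusable value {value!r}")
    return problems


# Constructed RIPE-style sample record (not a real registration).
SAMPLE = """\
% Constructed WHOIS record for illustration only.
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@example.net
e-mail:         none
"""

if __name__ == "__main__":
    for problem in check_contacts(SAMPLE):
        print(problem)
```

Run it against the output of `whois_query("192.0.2.0", "whois.ripe.net")` (or your registrar's WHOIS server) to check your own records.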

It could save us all a few headaches.

“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research

One Response to “Notes On The Importance of Correct Contact Information”

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice