As an employee of a largish multinational, I've seen the following approach work:
Send e-mail to an(y) infosec list(s) you're on, asking for a contact. Possibly adding whichever X- header to the e-mail that stops it being archived by mailman.

Another approach could be to go through their ISP or ISC (shrug).

And my answer to the philosophical question: make sure you've got at least one person on staff who is connected to the community. :)

Regards,
Chris.

On 20/10/2009, Ben Greenfield <[email protected]> wrote:
> I can't divulge a ton of information, but this is the scenario I'm looking
> at:
> 1) Client has server that gets malware infection
> 2) Logs show server reaching out to an IP address for FTP
> 3) IP used to have a DNS record for a mega corporation
> 4) Client may be running product that legitimately accesses said IP, or
> said IP may be compromised under said mega corporation's nose or the IP
> may no longer belong to said corporation.
>
> I've tried calling 3 different regional offices of the said
> corporation looking for someone in either internal audit, internal
> security, network operations, or public relations. Corporate
> operators don't seem to want to help out of fear of violating policy
> of not transferring callers, so I've only been able to get to tech
> support (who blow this off because it's not about said corporation's
> product) and a single person in public relations who isn't returning
> calls (yet).
>
> How would you proceed? At this point I'm just trying to figure out if
> the corporation does or does not own the IP anymore. I've obviously
> already tried whois, reverse lookups, google, and the like.
>
> I think this also brings up another issue. In this case, I'm not even
> sure the FTP server is malicious or not, I'm just trying to establish
> ownership. What if I knew 100% that this thing was hosting malware -
> it could ruin this corporation's public image if that got out - yet
> this corporation has no clear path for me to report this to them.
> Obviously, in the hypothetical scenario full disclosure would be an
> option, but both because I don't know for certain if the IP hosts
> malware right now, and because I'm under NDA, that is not a
> responsible or even possible option.
>
> So I guess I have two questions on this:
> The philosophical - what's the best way for an organization to deal
> with this scenario (ie making themselves available so they don't get
> embarrassed with a full disclosure)?
> The applied - If I can't get someone from public relations / network
> operations / internal audit on the line because of the corporation's
> policies, how would you go forward in establishing ownership?
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
>

--
Chris Mewett
[email protected]
