A reader sent us an email with an link to a posting about a compromise and that posting included links to the compromised data. They were frustrated from trying to contact someone to warn them that their data was out there and being unable to get hold of anyone except a recording to call 911 if it was an emergency.(Guess no one is thinking about a cyber emergency)
I had to agree with the reader. It's frustrating to try to make contact with an actual security group or someone who handles such things. The only number you can generally find and can get a person on the phone to speak with is customer service. They have NO idea what your talking about or what to do with you. Most of the time what is listed on a website for contact information is an email address. How often is that monitored and if the issue is major for the entity, how long can they afford to let it go unanswered.
To quote the email we received:
It is kind of an interesting issue, though. Does your company have an easy
way for people to get in touch with it 24x7?
If you're a bank and a customer gets a phishing email on a Saturday
afternoon, like next Saturday before a long weekend, how long would it be
before someone at the bank knew they were getting phished?
In the scenario emailed to us, you have an individual, with knowledge of what seems to be freshly posted damaging data, trying to be a good net citizen and let the organization know. The only thing that they could do was send an email and hope someone sees it.
There are two sides to think about in this issue.
First, if your in this reader's position, how do you try to make contact? Do you have a better method? He suggested also sending emails to the following and see if they exist:
All ARIN contacts if applicable
All domain name registrar contacts
Any I can find on the website itself
Second thought, your the company/organization that has data out there, how successful would you be in the above scenario? Do you have phone numbers people can call? If customer service gets a call, do they even know you have a security department or how to route the call? How often does that email account get checked that you have posted as a contact? Better yet, who checks it and makes a decision if its important and gets passed on and who it gets passed on to. If it went to the webmaster, will they ignore it or are they trained who to pass it on to for review? Have you ever tested your organization from this point of view? It is my opinion that every person in the organization needs to know who to contact for cyber related issues and the process is very clear.
So again, the real question is Who ya gonna contact?
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.