We all get them: those notices from the ARIN WHOIS service. Whether you run a corporate website or your own blogging domain, those notices arrive reminding us to confirm our internet records. How much attention do you pay to them? Do you treat them casually, assuming that because everything is working nothing needs to be done? Just click “Confirm” and move on with your day? Or do you regard them with the same cavalier disregard as all of those End-User License Agreements that most folks hastily click through?

Now may be a good time to review some of those records with a finer eye for the details. Many of the records that govern your sites may pre-date your employment. Worse yet, many records from the early years of the internet identify an individual as the point of contact rather than a group address.

As a fun legal exercise, go to a few sites of some of your favorite mom-and-pop online merchants and check the WHOIS information for the site. If you are not well-versed in the hacker arts, this is known as Open-Source Intelligence (OSINT). It is part of the Reconnaissance phase of any pentest exercise, and it is exactly what your hired pen testers will use as a first step in learning who the technical contacts are at your organization.

Here is a quick way to test that. Open a command prompt and ping the domain name of your choice. The host may not respond to the ping, but the command will still report the IP address the domain name resolves to. If that doesn’t work, you can try an NSLOOKUP command, or one of the many online tools that perform the lookup (DNSstuff.com is a favorite for this task). Take that IP address, plug it into the ARIN WHOIS database and look at the results. There is some OSINT gold in those details! Some of them are obvious, such as the name and email address of a contact at the company.
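An added example, not from the original article, of the contact review the lookup above leads to: it parses a constructed, ARIN-style WHOIS point-of-contact record embedded inline (no live query, and the names and addresses are made up) and flags any contact that points at an individual mailbox rather than a role address.

```python
import re

# Constructed sample in the style of an ARIN WHOIS point-of-contact record.
# The organization, names and addresses are made up for this example.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Mom And Pop Shop
OrgTechName:    Smith, Jane
OrgTechEmail:   jane.smith@example.com
OrgAbuseName:   Abuse Desk
OrgAbuseEmail:  abuse@example.com
OrgNOCName:     Network Operations
OrgNOCEmail:    noc@example.com
"""

# Mailbox names that conventionally belong to a team rather than a person.
ROLE_LOCALPARTS = {"abuse", "noc", "security", "hostmaster", "postmaster",
                   "soc", "netops", "incident-response"}

def parse_contacts(whois_text):
    """Return {role: (name, email)} from the Org*Name / Org*Email lines."""
    names, emails = {}, {}
    for line in whois_text.splitlines():
        m = re.match(r"^Org(\w+?)(Name|Email):\s*(.+?)\s*$", line)
        if not m:
            continue  # NetRange, OrgName, handles, phones, etc. are skipped
        role, field, value = m.groups()
        (names if field == "Name" else emails)[role] = value
    return {r: (names.get(r, ""), emails[r]) for r in emails}

def looks_like_individual(name, email):
    """Heuristic: a non-role local part or a person-shaped name."""
    local = email.split("@", 1)[0].lower()
    if local in ROLE_LOCALPARTS:
        return False
    # "first.last" mailboxes and "Last, First" names are strong signals.
    if re.fullmatch(r"[a-z]+\.[a-z]+", local):
        return True
    if re.search(r"^[A-Z][a-z]+,\s*[A-Z][a-z]+$", name):
        return True
    return False

def audit_contacts(whois_text):
    """List (role, email) pairs that should probably become a group mailbox."""
    findings = []
    for role, (name, email) in parse_contacts(whois_text).items():
        if looks_like_individual(name, email):
            findings.append((role, email))
    return findings
```

Running `audit_contacts` on your own organization's record gives a short list of contacts to move to a group address that matches your incident response plan.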
Is that person still at the company? How about those e-mail contact addresses? Have you tested them to see where those messages end up? Perhaps a group e-mail address would serve better than an individual’s address. This way, in the event of a personnel shift, the messages won’t go undelivered. While it is true that a group lacks individual ownership, that is where the protocols for the group should take over. Which group makes the most sense to receive a message? If your WHOIS records align with your incident response plan, the group on your WHOIS records should resemble the first responders of your incident response plan. This way, you stand a better chance that a group message will receive the proper attention.

Something as simple as the WHOIS information on your internet records can offer a wealth of information about your organization. Whether that is good or bad is a discussion for another day. However, at the very least, now is a good time to make sure that those records reflect how you want your presence advertised.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.