Security Basics mailing list archives

RE: Public IP information


From: "Keith A. Pachulski, PPS, GCIH, GCFW" <keithp () protectors cc>
Date: Wed, 11 Jun 2003 20:14:37 -0400

Chiming in here: when you contact your local or state law enforcement
office, specifically ask for an officer/trooper [depending on whether you
are contacting the local or state law enforcement and where you are located]
who is assigned to the high tech crimes unit or the computer crimes unit. If
you simply contact a law enforcement agency and get the desk officer who you
then begin babbling computer terms to, you probably will get dead air on
the other end of the phone line.

As for defending law enforcement, in my area at least; we just got done a
few hours ago teaching a class to local and state law enforcement -- these
guys are not dense, don't fool yourself. They are just as on the ball,
sometimes far surpassing some of us, in the security arena.

Be prepared to provide them with any and all information they request
including firewall logs, IDS logs are great; all date/time [with the correct
time, you do use ntp, rdate or some other similar program, right?] stamped.

Going back to the original email/information, who owns a block of IP
addresses is not confidential information. Go to the top level provider and
make use of the whois function.

While the ISP is under no obligation to provide you with any information,
good customer service on their part should dictate they point you in the
correct direction.

-Keith
Alphabet soup available upon request



-----Original Message-----
From: dave [mailto:dave () netmedic net]
Sent: Wednesday, June 11, 2003 7:38 PM
To: 'Carpio, Brian'; 'David M. Fetter'; 'Ronish Mehta'
Cc: security-basics () securityfocus com
Subject: RE: Public IP information


Brian,


Harsh words.....

You Wrote > " contact the law enforcement who will undoubtedly not
understand a word of what you are talking about, but hey, that's how it
goes"

I will take the Pepsi challenge on that one up against you any day of the
week.


Dave



_____________________
Dave Kleiman
dave () netmedic net
www.netmedic.net



-----Original Message-----
From: Carpio, Brian [mailto:Brian_Carpio () csgsystems com]
Sent: Wednesday, June 11, 2003 17:36
To: David M. Fetter; Ronish Mehta
Cc: security-basics () securityfocus com
Subject: RE: Public IP information

They aren't obligated to give it to the Local Police or the FBI unless a
search warrant is issued. But if the ISP is being unreasonable you can try
and contact the law enforcement who will undoubtedly not understand a word
of what you are talking about, but hey, that's how it goes...

This should be looked upon as an opportunity to check your firewall, IDS
etc... and make sure everything is working the way you want it to work.


Brian Carpio

-----Original Message-----
From: David M. Fetter [mailto:david.fetter () fetterconsulting com]
Sent: Wednesday, June 11, 2003 12:46 PM
To: Ronish Mehta
Cc: security-basics () securityfocus com
Subject: Re: Public IP information


If you are being attacked then you should contact the company that you
believe it is coming from.  They should have a technical contact or
abuse contact.  If they do not respond then you should go to the
authorities.  I don't think the ISP has an obligation to provide you
with the information, but they certainly are obligated to give it to the
local police and/or FBI.

Ronish Mehta wrote:
Hi, we have recently seen attacks coming from a
specific IP, by querying APNIC, we found that the IP was
registered to a company (say company "X LTD")

We wanted to cross check with our ISP before taking
any action, the ISP is saying that the IP is no longer
associated with company "X Ltd" but with another
company;
however the ISP is claiming that the information is
confidential, and that they cannot divulge the
identity of the company to which this IP address is
attached

Does the ISP have the right to do this?
Should not the ISP give us this information in case
APNIC is not updated?

Any other information on this issue is most
welcome

Thanks & Regards
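
Added example, not part of any message in this thread: the whois check the thread discusses, done offline on a constructed registry reply. It confirms the logged source IP falls inside the registered block, pulls the registrant and contact fields, and reports how old the record is, which is the "APNIC is not updated" concern. The reply text, the attribute names in it (RPSL style; real replies vary by registry) and the function names are assumptions.

```python
import ipaddress
from datetime import date, datetime

# Constructed whois reply; every value is made up (203.0.113.0/24 is a
# documentation range) and the attribute set is an assumption.
SAMPLE_REPLY = """\
% [constructed whois reply for illustration]

inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          X LTD
tech-c:         EX2-AP
abuse-mailbox:  abuse@example.net
last-modified:  2001-03-14T02:11:09Z
source:         APNIC
"""

def parse_rpsl(text):
    """Return the first object in the reply as {attribute: [values]}."""
    obj, last = {}, None
    for line in text.splitlines():
        if line.startswith(("%", "#")):        # server comments
            continue
        if not line.strip():
            if obj:
                break                          # blank line ends the object
            continue
        if line[0] in " \t+" and last:         # continuation of previous value
            obj[last][-1] += " " + line[1:].strip()
            continue
        key, _, value = line.partition(":")
        last = key.strip().lower()
        obj.setdefault(last, []).append(value.strip())
    return obj

def review(reply, logged_ip, today):
    """Summarise what the registry record says about the logged source IP."""
    obj = parse_rpsl(reply)
    lo, hi = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
    modified = datetime.strptime(obj["last-modified"][0], "%Y-%m-%dT%H:%M:%SZ").date()
    return {
        "covers_ip": lo <= ipaddress.ip_address(logged_ip) <= hi,
        "registrant": obj.get("descr", ["?"])[0],
        "contacts": obj.get("abuse-mailbox", []) or obj.get("tech-c", []),
        "record_age_days": (today - modified).days,
    }

if __name__ == "__main__":
    print(review(SAMPLE_REPLY, "203.0.113.57", date(2003, 6, 11)))
```

A record that covers the IP but was last modified years ago is a reason to send the logs to the listed contact and to the upstream provider rather than to treat the named registrant as the current user of the address.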




