Ameritech Security POC
Hi all - happy new year! Does anyone have a POC at Ameritech Security, particularly their abuse desk? Replies off-line appreciated. Rick Infowarrior.org
Whoops! (re: WH network monitoring plan response)
In my last post when I said this: "If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh convenience. Period. Non-negotiable." I meant to say that security must ALWAYS outweigh convenience. My goof... guess I had too much NOG and not enough NAN at the party last night. :) Happy Holidays all - sorry 'bout the mixup. Rick Infowarrior.org
Re: White House to Propose System for Wide Monitoring of Internet(fwd)
Also, this threat can be mitigated more cost effectively through system and network hardening than by expanding the monitoring infrastructure to be able to handle such a difficult to codify threat (in any general sense).

I agree totally. However, it's unglamorous, and not as sexy of an announcement - or as cool looking - as saying the Federal UberSOC is on its way. But it's Uncle Sam doing what he does best - reinventing a less-capable wheel at a higher cost.

Cyberattacks (again IMHO) are still in the realm of being opportunistic, as we have seen that given as little as $5-10,000, the resources necessary to reliably cause widespread damage are better spent on a plane ticket than a hacker.

Definitely agree - 0911 was done for under $150K according to some reports, and if you think about it, the terrorists got a heck of a return for their investment, far more than they could hope to achieve in a 'cyberwar' attack. The motive of terrorism is to sow fear. There's much more visceral fear seeing the WTC collapse than watching a graphic on television trying to show how a buffer overflow worked on a SCADA system. :)

The cyberterrorist threat is based upon the exposure of network systems and the motivation of the attacker. What is not taken into account in this threat description is the other, more reliable and severe options available to someone with the same resources and motives.

No, the cyberterrorist threat is a sensational concept based on FUD, ignorance, and hype... and believed to be true by the same politicos who think Swordfish was a realistic movie about INFOSEC. If we're going to say there are cyberterrorists, then we've got to start saying 0911 was the result of aeroterrorists. The manner in which the attack is carried out doesn't matter -- terrorism is terrorism is terrorism. As George Carlin might say, there are no cyberterrorists.

In this case, instead of accepting responsibility for our actions (or inactions) regarding INFOSEC, we point fingers at anyone else - such as phantom cyberterrorists - to avoid responsibility and accountability. It's nothing more than the latest version of Passing The Buck. We see INFOSEC incidents occur regularly because WE MAKE IT EASY FOR THEM TO OCCUR and thus BRING IT ON OURSELVES... either through poor management, bad system/network administration and design, or shoddy software. (BTW, I meant we in terms of the IT Society, not we meaning the experts here on NANOG!)

threat model, we can be relatively successful. However, some threats are best dealt with by limiting our assets' exposure to them instead of building in safeguards whose reliability is inversely proportional to their complexity. :)

Which goes along with what I tell students at NDU each month -- if something's deemed a 'critical infrastructure system' (SCADA, banking, etc.) it should not be on any publicly-accessible network, and the higher costs associated with higher levels of security (eg, using dedicated, privately-owned pipes vice a VPN over the Internet) must be an acceptable and necessary part of the security solution. If something's deemed 'critical' to a large segment of the population, then security must NEVER outweigh convenience. Period. Non-negotiable.

inherent administrative overhead of tracking them. The only defense against them is to keep your patch levels current, your firewalls strict, and watch until they get lazy and make a mistake.

Amen! This goes back to making sure system admins are competent, trained, and have the time to ensure these security functions are carried out.

Unfortunately, I've found they spend most of their time hunting repeated problems in certain mainstream OS environments -- which means that PROACTIVE security routinely takes a back-burner to REACTING to the latest overflow, trojan, worm, or virus... or to a 'new' problem injected by the vendor-endorsed patches that allegedly fixed existing ones. Of course, while no OS is perfect, if our systems weren't built on such a flaky foundation, we'd have more time to work on securing them instead of just keeping them operational and somewhat less-annoying while simultaneously providing a self-inflicted target of opportunity for some ne'er-do-well.

It does not matter who is watching if you are invisible. A sensor can only see what it is looking for. A hacker cannot be seen merely by looking.

Hence the need for intelligent network monitoring and pattern profiling, something I've been mulling over for a while now. /rant. :) Rick Infowarrior.org
Attack targets .info domain system
Attack targets .info domain system
By Robert Lemos
Staff Writer, CNET News.com
November 25, 2002, 1:12 PM PT
http://news.com.com/2100-1001-971178.html?tag=fd_top

An Internet attack flooded domain name manager UltraDNS with a deluge of data late last week, causing administrators to scramble to keep up and running the servers that host .info and other domains.

The assault sent nearly 2 million requests per second to each device connecting the network to the Internet--many times greater than normal--during the four hours of peak activity that hit the company early Thursday morning, said Ben Petro, CEO of UltraDNS.

"This is the largest attack that we've seen," Petro said. He stressed that it didn't affect the company's core domain name system (DNS) services, but administrators had to work fast to get the attack blocked by the backbone Internet companies from which UltraDNS gets its connectivity. "From a network management perspective, it certainly kept us on our toes," he said.

snip

UltraDNS, a member of the Internet Society, serves as the primary DNS provider for the .org domain. In addition, UltraDNS acts as the primary provider for .info and for the top-level domains of Ireland, Luxembourg, Norway and nine other domains.

"The reality is that the attacks keep getting bigger, stronger and faster," Petro said. "Like terrorism, you don't know when they are going to strike and how they are going to strike. Until we are able to dedicate attention to these attacks, until we can follow these attacks to their end, we are all vulnerable."

http://news.com.com/2100-1001-971178.html?tag=fd_top
News - FCC Approves Comcast-AT&T Cable Merger
FYI... rf

FCC Approves Comcast-AT&T Cable Merger
By David Ho
Associated Press Writer
Wednesday, November 13, 2002; 3:55 PM

The $29.2 billion merger of Comcast and AT&T Broadband was approved by federal regulators Wednesday, clearing the way for creation of the nation's largest cable television company.

The Federal Communications Commission decision is contingent on AT&T and Comcast selling their combined 25 percent ownership of Time Warner Entertainment.

The FCC voted 3-1 for the deal over the objections of consumer groups, which filed a motion last week asking the agency to delay its decision. The groups claim the new cable giant would limit customers' choices in television viewing and Internet access. But FCC Chairman Michael Powell said "the benefits of this transaction are considerable, the potential harms negligible."

snip

http://www.washingtonpost.com/wp-dyn/articles/A49326-2002Nov13.html
Re: DNS issues various
protecting the servers is not the *critical* point. protecting the service is. don't obsessed up on silly boxes.

You're right. It comes down to risk mitigation, not risk elimination. I'd posit it's impossible to PREVENT a DDOS attack -- as such, as we did when they first manifested themselves in 1999, we need to develop response plans capable of meeting the onslaught and mitigating its impact so that things continue to function, even if they're degraded somewhat.

It's like airport security - total security is a fantasy, but we have to raise the bar to make it more difficult for an attacker, and couple that with effective plans to respond when things occur, thus ensuring both an acceptable level of service during the incident and a smooth recovery/investigation afterward. Of course, in the airport security case, the bar's still lying on the ground. :( Rick Infowarrior.org
Re: More federal management of key components of the Internetneeded
Why isn't it against the law to (s)Yell FUD at Congress ?

Wouldn't do any good, they don't know any better. Few if any Congresscritters are techno-literate -- I spent 3 years on the Hill, saw it first hand, and it's not gotten much better. The only language most Congresscritters understand is and how it relates to their staying elected by keeping their constituents somewhat happy and impressed with their performance.

I don't understand how giving the US federal government management control of key components of the Internet will make it more secure.

Sean's Rant about FBI info request removed

Remember this is the same 'cybercrime agency' that when I-Love-Y0U was released, simply posted a NIPC warning saying "A New Virus Has Been Detected in the Philippines." -- I was about to make sure my immunization records were up to date. Even after I called them from my NOC, and told them that the security community had already dissected the worm and there were sigs and countermeasures available, they didn't update the warning on NIPC.GOV for like 5 hours. A screenshot of that particular example of NIPC's expertise is immortalized here: http://www.infowarrior.org/articles/NIPC.jpg

Commentary I did about NIPC's warning capability is here, if you're interested. http://www.infowarrior.org/articles/2000-06.html

And these are the people that are going to -=improve=- security ? Hardly. They have a hard enough time passing information from one squad to another within the FBI, they're never going to be able to survive and interoperate in the Information Age against high-tech threats that move at packet speed. And don't get me started about Infragard... ugh...

I think they should be focusing on terrorist activity, if you ask me.

Good idea, since they still haven't got that task down yet, either. Remember, the FBI - before and after its 2002 reorg - is, thanks to its internal culture, UNABLE to work well with outsiders, be they cops, the CIA, or ISP security teams.

This has the unfortunate effect of severely torking those folks in the FBI that are intelligent and want to make a difference, but thanks to the system, their initiative is constrained by the 'status quo'. I feel sorry for some of these folks, they really do try, but the system there prevents them from being effective, thus partially explaining the mess the FBI and NIPC is in at the moment in responding to terrorism or hacker threats.

re: The DNS Attack -- I'm hearing all this talk about DNS-on-CD that was some sort of research project that would be used during a loss of the roots. Anyone have any add'l info on what this is/was?

Cheers from DC, Rick Infowarrior.org
More Thoughts on White House Cybersecurity Draft
FYI. Seeing the discussion today I thought I'd offer this to the group as well. Cheers, rf

Original with contextual reference URLS located at: http://www.infowarrior.org/articles/2002-11.html

America's National Cybersecurity Strategy: Same Stuff, Different Administration
Richard Forno
(c) 2002 Infowarrior.org. All Rights Reserved
Article #2002-11. Permission granted to reproduce and distribute in entirety with credit to author.

Today the White House releases its long-awaited National Strategy To Secure Cyberspace. This high-level blueprint document (black/white or color), in development for over a year by Richard Clarke's Cybersecurity team, is the latest US government plan to address the many issues associated with the Information Age.

The Strategy was released by the President's Critical Infrastructure Protection Board (PCIPB), an Oval Office entity that brings together various Agency and Department heads to discuss critical infrastructure protection. Within the PCIPB is the National Security Telecommunications Advisory Council (NSTAC), a Presidentially-sponsored coffee klatch comprised of CEOs that provide industry-based analysis and recommendations on policy and technical issues related to information technologies. There is also the National Infrastructure Advisory Council (NIAC) - another Presidentially-sponsored klatch - allegedly consisting of private-sector 'experts' on computer security; but in reality consists of nothing more than additional corporate leaders, few if any considered an 'expert' on computer security matters. Thus, a good portion of this Presidential Board chartered to provide security advice to the President consists of nothing more than executives and civic leaders likely picked for their Presidential loyalty and/or visibility in the marketplace, not their ability to understand technology in anything other than a purely business sense.

Factor in Richard Clarke's team, many of whom, including Clarke, are not technologists but career politicians and thinktank analysts, and you've got the government's best effort at providing advice to the President on information security, such as it is. (One well-known security expert I spoke with raised the question about creating a conflict of interest for people who sell to the government or stand to gain materially from policy decisions to act in advisory roles, something that occurred during the Bush Administration's secret energy meetings.)

Now that you know where the Strategy comes from, let's examine some of its more noteworthy components.

- SNIP -

Original with contextual reference URLS located at: http://www.infowarrior.org/articles/2002-11.html
Anyone from Prodigy or L3 listening? (W32/Yaha Complaint)
Apologies for posting this to NANOG, but I am in a mood, and it's difficult to reach anyone at Prodigy.

For the past several weeks, every other day, I've received 10 messages sent through Prodigy's mail servers, all of which appear to be a Win32/Yaha message. (http://www.ravantivirus.com/virus/showvirus.php?v=101) Today I got 10 more messages, dated 18 August 2002, which is the same date appearing on dozens of other messages over the past few weeks.

I'm posting this to NANOG in the hopes that someone on the list who works for Prodigy and/or L3 (the dialup provider) can ruffle some feathers on this for corrective action. The header of the message appears below - note that in other cases, I've received messages from this person from pimoutX-ext.prodigy.net, where X is the number (1-5) of their mail server. And, yes, as of today, I've added this latest crap to my filters. :)

Thanks in advance, and again, sorry for the Sunday afternoon complaint.

Cheers
rick

Return-Path: [EMAIL PROTECTED]
Received: (from daemon@localhost) by web1.nidhog.com (8.12.5/8.11.3) id g7IJdt5l046337 for [EMAIL PROTECTED]; Sun, 18 Aug 2002 15:39:55 -0400 (EDT) (envelope-from [EMAIL PROTECTED])
Received: from pimout5-ext.prodigy.net (pimout5-ext.prodigy.net [207.115.63.98]) by web1.nidhog.com (8.12.5/8.11.3) with ESMTP id g7IJdsuQ046332 for [EMAIL PROTECTED]; Sun, 18 Aug 2002 15:39:54 -0400 (EDT) (envelope-from [EMAIL PROTECTED])
Received: from smtp.prodigy.net (dialup-65.58.64.224.Dial1.Indianapolis1.Level3.net [65.58.64.224]) by pimout5-ext.prodigy.net (8.11.0/8.11.0) with SMTP id g7IJdcf286002 for [EMAIL PROTECTED]; Sun, 18 Aug 2002 15:39:38 -0400
Message-Id: [EMAIL PROTECTED]
From: JANE FAY[EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Fw: Enjoy Romantic life !
Date: Sun,18 Aug 2002 14:37:29 PM
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=voeuogm
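An added example (not from the original post) that walks the Received: chain quoted above the way an abuse desk would, from the recipient's own MX outward, to find the host that handed the message to Prodigy. The header is a constructed copy of the one in the post (with the archive's [EMAIL PROTECTED] redactions kept), and the set of relays treated as trustworthy is an assumption the caller supplies.

```python
"""Trace the origin of a message from its Received: headers (added example)."""
import re
from email import message_from_string

# Constructed sample: the Win32/Yaha header quoted in the post, one field per line.
SAMPLE_HEADER = """\
Return-Path: [EMAIL PROTECTED]
Received: (from daemon@localhost) by web1.nidhog.com (8.12.5/8.11.3) id g7IJdt5l046337 for [EMAIL PROTECTED]; Sun, 18 Aug 2002 15:39:55 -0400 (EDT) (envelope-from [EMAIL PROTECTED])
Received: from pimout5-ext.prodigy.net (pimout5-ext.prodigy.net [207.115.63.98]) by web1.nidhog.com (8.12.5/8.11.3) with ESMTP id g7IJdsuQ046332 for [EMAIL PROTECTED]; Sun, 18 Aug 2002 15:39:54 -0400 (EDT) (envelope-from [EMAIL PROTECTED])
Received: from smtp.prodigy.net (dialup-65.58.64.224.Dial1.Indianapolis1.Level3.net [65.58.64.224]) by pimout5-ext.prodigy.net (8.11.0/8.11.0) with SMTP id g7IJdcf286002 for [EMAIL PROTECTED]; Sun, 18 Aug 2002 15:39:38 -0400
From: JANE FAY[EMAIL PROTECTED]
Subject: Fw: Enjoy Romantic life !
Date: Sun,18 Aug 2002 14:37:29 PM

"""

# "from <helo> (<reverse-dns> [<ip>]) by <stamping host>": the HELO name is
# whatever the sender claimed; the bracketed IP is what the receiver observed.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[\d.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def parse_hops(raw_header):
    """Return SMTP hops in transit order (oldest first), one dict per line."""
    msg = message_from_string(raw_header)
    hops = []
    for line in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(line.split()))  # unfold any wrapped header
        if m:  # local-delivery lines like "(from daemon@localhost)" carry no hop
            hops.append(m.groupdict())
    hops.reverse()  # each relay prepends its line, so the last one is the first hop
    return hops


def origin_of(raw_header, trusted_relays):
    """Outermost hop whose Received: line was stamped by a relay we trust.

    Walk from our own MX outward. A line stamped by an untrusted host, or one
    whose stamper is not the host that connected to the previous relay, may
    have been forged by the sender, so the walk stops there.
    """
    origin, expect_by = None, None
    for hop in reversed(parse_hops(raw_header)):  # newest stamp first
        if hop["by"] not in trusted_relays:
            break
        if expect_by is not None and hop["by"] != expect_by:
            break  # chain inconsistency: this line was not written by the expected relay
        origin = hop
        expect_by = hop["rdns"]  # the next-older line must have been stamped by this host
    return origin


def relay_number(relay):
    """Index X of a pimoutX-ext.prodigy.net relay, as described in the post."""
    m = re.match(r"pimout(\d)-ext\.prodigy\.net$", relay)
    return int(m.group(1)) if m else None
```

Trusting only your own MX yields the Prodigy relay (what you report to their abuse desk); trusting Prodigy's stamp as well yields the Level3 dialup address.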
Re: proposed changes in national cyber security
...which probably means it would become a centralized office that continues to spin its wheels (instead of several doing the same thing - I guess that's a move toward cost-cutting!) while lawmakers defer the problem by funding additional research reports and projects instead of funding immediate ventures to remedy existing problems and known vulnerabilities...

When it comes to information security - or technology society in general - the USG still doesn't get it, despite all the hype and hoopla.

rick
infowarrior.org

From: Fred Heutte [EMAIL PROTECTED]
Date: Thu, 25 Jul 2002 01:18:33 -0700
To: [EMAIL PROTECTED]
Subject: proposed changes in national cyber security

http://www.cdt.org/publications/pp_8.15.shtml#2

(2) NEW DEPARTMENT LIKELY TO GAIN AUTHORITY OVER CYBER SECURITY AND INFRASTRUCTURE PROTECTION

Both House and Senate bills would grant the Department of Homeland Security authority over cyber security and infrastructure protection. Specifically, the bills would transfer to the new department the functions of the following entities:

* the National Infrastructure Protection Center of the Federal Bureau of Investigation (excluding the Computer Investigations and Operations Section);
* the National Communications System of the Department of Defense;
* the Critical Infrastructure Assurance Office of the Department of Commerce;
* the National Infrastructure Simulation and Analysis Center of the Department of Energy;
* the Federal Computer Incident Response Center of the General Services Administration.

Following objections by the high-tech industry and others, the House bill would not transfer the Computer Security Division of the National Institute of Standards and Technology. The Senate bill as introduced would transfer that NIST component, along with the Energy Security and Assurance Program of the Department of Energy and the Federal Protective Service of the General Services Administration.

Both bills would leave the FBI and CIA untouched by the reshuffling (with the exception of the FBI's NIPC, as noted above).
Worldcomm network question
Anyone have any ideas, speculation, or info on how an adverse future for WCOM would play out for ISPs and such? Among other things, WCOM is the preferred provider of long-haul pipes for DoD... that can't be good!! just curious rick
Re: Discussion of Results
Sounds like either way, the consensus was that ICANN has to go... which isn't necessarily a bad thing. Very interesting. rf

From: John Palmer (NANOG Acct) [EMAIL PROTECTED]
Date: Thu, 23 May 2002 14:14:28 -0500
To: [EMAIL PROTECTED]
Subject: Discussion of Results

Proposal #1 (which passed by over 2/3rds - 67.9%) expresses the sense of the GA that DOC should re-bid the ICANN contract and forget ICANN completely

Proposal #2 (which passed by 75%) expresses to ICANN the desire that they reform in a meaningful way, and if they don't, that the DOC should replace ICANN.

Interesting

AGN Domain Name Services, Inc
http://www.adns.net
Since 1995. The Registry for .AMERICA, .EARTH, .LION, .USA and .Z
Define yourself or Be Defined.
Censorship-free GA list at : http://dns-o.org/mailman/listinfo/ga