RE: Homeland Security Alert System
On Mon, 24 Feb 2003, St. Clair, James wrote:
> ..Once again, reason to pursue getting involved with the Telecomm ISAC.

Or FIRST, IT-ISAC, MSC-ISAC, WW-ISAC, ISP-ISAC, IOPS,
RE: Homeland Security Alert System
..Once again, reason to pursue getting involved with the Telecomm ISAC.

Jim

-----Original Message-----
From: Sean Donelan [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 22, 2003 6:47 PM
To: [EMAIL PROTECTED]
Subject: Re: Homeland Security Alert System

I'm certain the government folks working to protect us 24x7 are doing
everything they can, but the fact of the matter is the public alert
systems in the US suck. Some just suck less.

http://www.nj.com/news/gloucester/index.ssf?/base/news-0/104590500555170.xml

"Butts said he often finds out about things like the change in the
national threat level on CNN hours before the Communications Center
receives a teletype about it."

Butts is the Gloucester County Emergency Response Coordinator including
the county 9-1-1 communications center.

ISPs and other communication providers should be prepared to share
information directly and quickly with each other. If you wait to hear
from government officials to decide what sanitized information to share,
it will be hours later. If ever.
Re: Homeland Security Alert System
----- Original Message -----
From: "Sean Donelan" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 22, 2003 1:47 PM
Subject: Re: Homeland Security Alert System

> I'm certain the government folks working to protect us 24x7 are doing
> everything they can, but the fact of the matter is the public alert
> systems in the US suck. Some just suck less.
>
> http://www.nj.com/news/gloucester/index.ssf?/base/news-0/104590500555170.xml
>
> "Butts said he often finds out about things like the change in the
> national threat level on CNN hours before the Communications Center
> receives a teletype about it."
>
> Butts is the Gloucester County Emergency Response Coordinator including
> the county 9-1-1 communications center.
>
> ISPs and other communication providers should be prepared to share
> information directly and quickly with each other. If you wait to hear
> from government officials to decide what sanitized information to share,
> it will be hours later. If ever.

Yesterday I was asked to install a DISH Network system for the
Transportation Security Administration so their folks at the Airport can
get "the news".

--Michael
Re: Homeland Security Alert System
> ISPs and other communication providers should be prepared to share
> information directly and quickly with each other. If you wait to hear
> from government officials to decide what sanitized information to share,
> it will be hours later. If ever.

If anybody is interested here, I did put together a small group to
experiment with a simple system to exchange and distribute PGP signed
messages quickly.

The basic 'working' of the system is contained within a yet to be written
perl script that will poll a couple of 'master' servers for updated
messages, validate the signatures and post the messages to a particular
URL. Any server pulling these messages can become a master for other
servers, which makes this kind of a 'P2P network' among web servers.
Gateway to usenet/email/pagers/instant messengers would be possible.

New pgp keys would be distributed as signed control messages within the
system. Each PGP key has a certain number of 'points' assigned, and a
message becomes 'valid' as soon as it has enough signatures to make it
past a threshold.

Anyway. Depending on how the water in my basement develops, I may actually
get a first alpha of this out later this weekend. (if not next weekend).
At that point, some testers / coders would be welcome to work on things
like gateways and such.

The overall goal: Make this system fast enough to reach 'everyone' within
an hour. Of course, the system will not work once the internet is down,
but its P2P like structure should provide for some anti-DDOS robustness.

-- 
[EMAIL PROTECTED]                   Collaborative Intrusion Detection
                                               join http://www.dshield.org
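The points-and-threshold rule described in the post above, written out as an added example; this is not the poster's perl script and nothing here comes from the DShield project. The key ids, point values and threshold are constructed, and HMAC-SHA256 over a canonical JSON body stands in for PGP detached-signature verification so the block runs offline with only the standard library. What it adds to the paragraph is the edge handling a validator needs: a key that signs twice still counts once, signatures from unknown keys or over a tampered body add nothing, and a control message that adds a key has to clear the same threshold as an alert before the keyring is touched.

```python
"""Weighted-signature threshold validation (added example, stdlib only).

HMAC-SHA256 with a per-key secret is a stand-in for verifying a PGP
detached signature against a public key; the trust table, point values
and threshold below are constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed keyring: key id -> (verification secret, points).
# In the described system these would be PGP public keys that arrived as
# signed control messages; each carries a point value.
KEYRING = {
    "KEY-A": (b"secret-a", 3),
    "KEY-B": (b"secret-b", 2),
    "KEY-C": (b"secret-c", 1),
}
THRESHOLD = 4  # a message is 'valid' once accumulated points reach this


def canonical(message):
    """Canonical bytes that get signed: sorted keys, no whitespace."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def sign(message, key_id, keyring=KEYRING):
    """Produce the stand-in signature for one key (test helper)."""
    secret, _points = keyring[key_id]
    return hmac.new(secret, canonical(message), hashlib.sha256).hexdigest()


def verify_one(message, key_id, signature, keyring=KEYRING):
    """True only if key_id is known and the signature covers this exact body."""
    if key_id not in keyring:
        return False
    secret, _points = keyring[key_id]
    expected = hmac.new(secret, canonical(message), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def score(message, signatures, keyring=KEYRING):
    """Return (points, set_of_counted_key_ids).

    Each key contributes at most once, so repeating a signature cannot
    inflate the score; unknown keys and bad signatures contribute nothing.
    """
    points = 0
    counted = set()
    for key_id, signature in signatures:
        if key_id in counted:
            continue
        if verify_one(message, key_id, signature, keyring):
            counted.add(key_id)
            points += keyring[key_id][1]
    return points, counted


def is_valid(message, signatures, threshold=THRESHOLD, keyring=KEYRING):
    """A message is valid once its accumulated points reach the threshold."""
    return score(message, signatures, keyring)[0] >= threshold


def apply_control(control, signatures, keyring=KEYRING, threshold=THRESHOLD):
    """Admit a new key only via a control message that itself passes the
    threshold; returns True if the keyring was updated."""
    if control.get("type") != "add-key":
        return False
    if not is_valid(control, signatures, threshold, keyring):
        return False
    keyring[control["key_id"]] = (control["secret"].encode(), int(control["points"]))
    return True


if __name__ == "__main__":
    # Constructed alert body; two signers with 3 + 2 points clear the bar.
    msg = {"serial": 1, "level": "ORANGE", "text": "constructed test alert"}
    sigs = [("KEY-A", sign(msg, "KEY-A")), ("KEY-B", sign(msg, "KEY-B"))]
    print("points:", score(msg, sigs)[0], "valid:", is_valid(msg, sigs))
```

The threshold is what makes a single compromised or mistaken key insufficient on its own; the same gate on control messages keeps a lone key from voting itself a more trusted colleague into the ring.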
Re: Homeland Security Alert System
I'm certain the government folks working to protect us 24x7 are doing
everything they can, but the fact of the matter is the public alert
systems in the US suck. Some just suck less.

http://www.nj.com/news/gloucester/index.ssf?/base/news-0/104590500555170.xml

"Butts said he often finds out about things like the change in the
national threat level on CNN hours before the Communications Center
receives a teletype about it."

Butts is the Gloucester County Emergency Response Coordinator including
the county 9-1-1 communications center.

ISPs and other communication providers should be prepared to share
information directly and quickly with each other. If you wait to hear
from government officials to decide what sanitized information to share,
it will be hours later. If ever.
Re: Homeland Security Alert System
On Fri, Feb 21, 2003 at 03:32:12PM -0500, [EMAIL PROTECTED] wrote:
> On Fri, 21 Feb 2003 14:41:05 EST, Martin Hannigan said:
>
> > Example: DHS sets RED level. Reaction: Move some third level
> > engineers into the SOC. Audit the DR plan if it's not on schedule
> > to be audited. Audit the backup plans if not on schedule to be
> > audited. Light the medium warm NOC to HOT NOC level.
>
> Do you buy fire extinguishers when there's no fire, or do you do it
> when the smoke alarm is already going off? Or is this the converse, where
> a leaky roof doesn't get fixed because you can't work on it on rainy days,
> and on sunny days it doesn't leak?

DR is a continuous loop. It's not the kind of thing you develop and then
toss on a shelf. Right now is always a good time to audit your DR
planning, or your disaster prevention planning.

[ SNIP ]

> If you audit your backup plan, and discover you're low on tapes to send
> off-site, what are the chances that we'll still be at RED when the tapes
> actually arrive from the vendor?

If I didn't audit the backup plan, I wouldn't discover I was low on tapes.
The state of the alert is irrelevant when related to the DR plan. It's the
event itself. I believe there is no bad time to conduct a drill or audit a
DR plan. In fact, confusing or non-standard conditions would be optimal
for such a test or audit.

-M
RE: Homeland Security Alert System
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On
> Behalf Of David Barak
>
> Well, an example could be "if threat level is yellow,
> permit traffic from $foreign_country_x, but if it goes
> to orange, deny all from $foreign_country_x, or
> perhaps log all from there.
>

Um, you're not really serious, are you? Are you worried about some cell
being activated by sending a packet through your servers? I can't think
of one useful purpose to do something like that.

Jeff
Re: Homeland Security Alert System
On Fri, 21 Feb 2003 14:41:05 EST, Martin Hannigan said:
> Example: DHS sets RED level. Reaction: Move some third level
> engineers into the SOC. Audit the DR plan if it's not on schedule
> to be audited. Audit the backup plans if not on schedule to be
> audited. Light the medium warm NOC to HOT NOC level.

Do you buy fire extinguishers when there's no fire, or do you do it
when the smoke alarm is already going off? Or is this the converse, where
a leaky roof doesn't get fixed because you can't work on it on rainy days,
and on sunny days it doesn't leak?

If your DR/backup plan isn't already squared away, RED is a *very* bad
time to be screwing with it. Anybody who's read this list for a while has
seen enough examples of "attempt to fix broken network only makes it
worse".

If you audit your backup plan, and discover you're low on tapes to send
off-site, what are the chances that we'll still be at RED when the tapes
actually arrive from the vendor?

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
Re: Homeland Security Alert System
> conf t
router> warning you cannot configure a router with this one

Martin Hannigan wrote:
> I have my duct tape and plastic, but haven't applied it to the
> windows.

I hear it is more effective, if you wrap the plastic around your head,
and seal it with the duck tape

Never had a -single- complaint, from users of this methodology.
as long as they don't cheat. :P

Nothing gets through ... (of course, including air..)

But this -=is=- a time of WAR, we MUST be willing to make sacrifices :*

FACT: Did you know that Government studies show 100% of terrorists,
participating in fatal terrorist attacks, were shown to have been
breathing -=air=-, right prior to the accident.

That's right, AIR!

=-All=- of them do it.

Well, We've got them NOW! :\

"There are liars, damned liars, and statisticians." :O :* ;)

.Richard.

===
Famous President Bush words:

Bush 1: "Read my lips, -NO- ... -NEW- ... -TAXES-!"

Bush 2: "There can -ONLY- ... -BE- ... -=ONE=- ... -POSSIBLE- ... -OUTCOME-!"

Next time, cough up money for the -real- acting class guys, the "William
Shatner" class is too cheap, and everyone graduates sounding alike.

* shrug * ;)
Re: Homeland Security Alert System
Peter,

I didn't say that I did that, only that I know that there are networks
which deny all mail traffic from certain ASes and/or TLDs on a fairly
regular basis. Personally I don't have a problem with .cc

I would say that for a US operator to respond to a threat by enabling
additional, temporary logging/monitoring of specific ports would not be
unreasonable. Denying all traffic is a bit harsh, especially from a
paying customer, but I could understand watching them really closely.
Public peers, on the other hand, might get a different sort of treatment
entirely...

The only reason this makes any sense at all is that most networks are
basically OK most of the time, so the rest of your network can probably
spare a little bit of attention for a short period of time. If it were
forever, then that solution wouldn't work.

-David Barak
fully RFC 1925 compliant

--- Peter Salus <[EMAIL PROTECTED]> wrote:
>
> David, what does "from" mean in your "rules"?
>
> with .cc at the end? But there are very many
> places with addresses in TLDs and ccTLDs other
> than the geographical location.
>
> passing through an AS known to be in a given
> location?
>
> Peter
Re: Homeland Security Alert System
David, what does "from" mean in your "rules"?

with .cc at the end? But there are very many places with addresses in
TLDs and ccTLDs other than the geographical location.

passing through an AS known to be in a given location?

Peter
Re: Homeland Security Alert System
Okay, I'll bite...

--- Sean Donelan <[EMAIL PROTECTED]> wrote:
>
> On Fri, 21 Feb 2003, Martin Hannigan wrote:
> Isn't your NOC normally vigilant?

Of course.

> > Perhaps even use different sets of ACL's on the edge, etc. It could also
> > be used
> > to explain an unexpected surge in traffic, calls, or other things. Ever
> > look at some traffic stats and see a major surge and want to make sure
> > you understand why?
>
> Again wouldn't you also do all of these things "normally?" If an ACL is a
> good idea at "Orange" wouldn't you protect your network with those ACL's
> when the level is "Yellow." Or would you remove those ACL's when the
> threat level is reduced. How would you explain to your management when
> you are hacked at level "Yellow" you had better ACL's, but you only used
> the good ACL's at level "Orange."

Well, an example could be "if threat level is yellow, permit traffic from
$foreign_country_x, but if it goes to orange, deny all from
$foreign_country_x, or perhaps log all from there.

I know that there are certain ISPs which deny all mail traffic from
certain ASes, because of the volume of Spam. The same principle could be
at work here: if (threat_level++) then deny(unknown_from_Source[nasty])
else permit.

-David Barak
fully RFC 1925 compliant
Re: Homeland Security Alert System
On Fri, 21 Feb 2003, Martin Hannigan wrote:
> But what would you do with the information?
>
> Let the noc know what's up so they can be more vigilant based on the
> threat level.

I'm not trying to be sarcastic, because lots of people have been going
through these same conversations. "Threat level" is different from an
attack. Isn't your NOC normally vigilant? If the DHS lowered the threat
level to "Green" would you stop monitoring your network just because the
government says there is no more threat? Do you have more or fewer people
on duty in your NOC as the government threat level goes up or down
watching the big TV screens?

> Perhaps even use different sets of ACL's on the edge, etc. It could also
> be used
> to explain an unexpected surge in traffic, calls, or other things. Ever
> look at some traffic stats and see a major surge and want to make sure
> you understand why?

Again wouldn't you also do all of these things "normally?" If an ACL is a
good idea at "Orange" wouldn't you protect your network with those ACL's
when the level is "Yellow." Or would you remove those ACL's when the
threat level is reduced. How would you explain to your management when
you are hacked at level "Yellow" you had better ACL's, but you only used
the good ACL's at level "Orange."

> I'd take it serious and consider NBC as well as "cyberAttacks".

Secretary Ridge has said to keep the plastic sheets and duct tape in
storage. Don't start sealing your house (or NOC) yet. The FEMA/Red Cross
preparedness recommendations are a good idea regardless of the alert
level.
Re: Homeland Security Alert System
At 01:44 AM 2/21/2003 -0500, Sean Donelan wrote:
> On Thu, 20 Feb 2003, Martin Hannigan wrote:
> > Is anyone running an automated Terror Alert system that's
> > real time with the DHS?
>
> CNN (or Fox, MSNBC, etc) news satellite feed (for national alerts)
> Radio Shack National Weather Service Alert radio (for local alerts)
>
> Individual states have other alert systems. For example, California has
> EDIS, Oklahoma and Florida have their own systems.
>
> When the alert level was raised from Yellow to Orange, the DHS web site
> was updated long after all the 24-hour news networks were running scrolls
> across the bottom of the screen announcing the upcoming press conference
> about the change.
>
> But what would you do with the information?

Let the noc know what's up so they can be more vigilant based on the
threat level. Perhaps even use different sets of ACL's on the edge, etc.
It could also be used to explain an unexpected surge in traffic, calls,
or other things. Ever look at some traffic stats and see a major surge
and want to make sure you understand why?

I'd take it serious and consider NBC as well as "cyberAttacks".

Regards,

-- 
Martin Hannigan
[EMAIL PROTECTED]
Re: Homeland Security Alert System
Hey - I have a Def Leppard CD and MP3 collection that I am VERY proud
of!!!

Regarding the HLS thing, could you not just do a simple automated
screenscrape of the DHS website and then flag an alert if the code for
the alert changed from one scrape to another?

And no, even though I'm in DC, I don't own a pair of hip-boots.

-Rick, who submitted the HLAS Scheme as "Stupid Security Scheme" last
week

> From: "Stretch" <[EMAIL PROTECTED]>
> Date: Thu, 20 Feb 2003 20:54:19 -0600
> To: "Martin Hannigan" <[EMAIL PROTECTED]>, "Richard Irving"
> <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Subject: Re: Homeland Security Alert System
>
>
> "People who bought HIP BOOTS also shopped for:
> * Duct Tape
> * Jack Daniels
> * Def Leppard CD's
> * Clean Underwear"
>
> on-topic: I use a plug-in for my NMS that looks for abnormalities in the
> load times of various popular sites. (it's helped me spot routing problems
> more than once). Looking back at historical data, all the news-related ones
> show a clear change immediately after events like the Columbia disaster. I
> was not using the same system on 9/11 so I don't know how quickly one would
> have spotted an abnormality.
>
> ----- Original Message -----
> From: "Martin Hannigan" <[EMAIL PROTECTED]>
> To: "Richard Irving" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Thursday, February 20, 2003 8:27 PM
> Subject: Re: Homeland Security Alert System
>
>
>>
>> On Thu, Feb 20, 2003 at 08:08:58PM -0500, Richard Irving wrote:
>>> Yes.
>>>
>>> But, until elections 2004, the "FUD" field is hardcoded to "High".
>>>
>>> However, if there are changes to the -=actual=- dhs.gov status,
>>> it sends out an automatic Amazon.Com order for
>>> Hip Boots for all members of the list.
>>>
>>> Would you like to subscribe to the notification list ?
>>
>> [ snip ]
>>
>>
>>>> Is anyone running an automated Terror Alert system that's
>>>> real time with the DHS?
>>
>>
>> Ok, that was interesting. :)
>>
>> The diving thing is my fun stuff. I'm actually working in
>> Security. :)
>>
>> I was writing a little tool that scanned their page for the alert
>> image name change, but that's subject to them making changes to
>> their site and the images are multi layer graphics, etc. etc.
>>
>> I'm going to call them and see if they can offer
>> a place to poll something simple that we can trip
>> changes off in the NOC.
>>
>> If anyone does have some insight to anything they are
>> doing, or a good contact number for the DHS website, please
>> ping me in email and I'll follow up if I find something
>> or get them to do something.
>>
>> -M
RE: Homeland Security Alert System
Martin,

From the NANOG perspective, the best place to tie your own alert system
to nat'l threat levels is with the Telecomm ISAC, which is run out of the
NCS. That is the 27/7/365 command center for telecomm sector security.
Bear in mind, a change in the HSAS may NOT be as a result of a specific
threat to Telecomm, so get with the ISAC instead.

Jim

-----Original Message-----
From: Martin Hannigan
To: [EMAIL PROTECTED]
Sent: 2/20/03 7:35 PM
Subject: Homeland Security Alert System

Is anyone running an automated Terror Alert system that's
real time with the DHS?

-M
Re: Homeland Security Alert System
On Thu, 20 Feb 2003, Martin Hannigan wrote:
> Is anyone running an automated Terror Alert system that's
> real time with the DHS?

CNN (or Fox, MSNBC, etc) news satellite feed (for national alerts)
Radio Shack National Weather Service Alert radio (for local alerts)

Individual states have other alert systems. For example, California has
EDIS, Oklahoma and Florida have their own systems.

When the alert level was raised from Yellow to Orange, the DHS web site
was updated long after all the 24-hour news networks were running scrolls
across the bottom of the screen announcing the upcoming press conference
about the change.

But what would you do with the information?
Re: Homeland Security Alert System
Ok,

What we really need is something like what NOAA has for space weather:

http://www.maj.com/sun/noaa.html

Currently, the weather is "active and unsettled"...

Eric :)
RE: Homeland Security Alert System
All of this begs the question, what specifically would you do if the
alert level went to red or yellow? Would you broadcast the change to
customers, place disaster recovery teams on stand-by or stand-down,
implement an expanded ACL, etc.? Seriously, I'm interested in a response
to this.

Regarding your suggestion of a simple place to poll, I can probably get
this implemented if there is sufficient interest. I'm reviewing response
plans from others now. If you care to provide them, I'd be interested in
comparing them.

John S. Maddaus
Veridian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Martin
Hannigan
Sent: Thursday, February 20, 2003 9:27 PM
To: Richard Irving
Cc: [EMAIL PROTECTED]
Subject: Re: Homeland Security Alert System

On Thu, Feb 20, 2003 at 08:08:58PM -0500, Richard Irving wrote:
> Yes.
>
> But, until elections 2004, the "FUD" field is hardcoded to "High".
>
> However, if there are changes to the -=actual=- dhs.gov status,
> it sends out an automatic Amazon.Com order for
> Hip Boots for all members of the list.
>
> Would you like to subscribe to the notification list ?

[ snip ]

> >Is anyone running an automated Terror Alert system that's
> >real time with the DHS?

Ok, that was interesting. :)

The diving thing is my fun stuff. I'm actually working in
Security. :)

I was writing a little tool that scanned their page for the alert
image name change, but that's subject to them making changes to
their site and the images are multi layer graphics, etc. etc.

I'm going to call them and see if they can offer
a place to poll something simple that we can trip
changes off in the NOC.

If anyone does have some insight to anything they are
doing, or a good contact number for the DHS website, please
ping me in email and I'll follow up if I find something
or get them to do something.

-M
Re: Homeland Security Alert System
"People who bought HIP BOOTS also shopped for: * Duct Tape * Jack Daniels * Def Leppard CD's * Clean Underwear" on-topic: I use a plug-in for my NMS that looks for abnormalities in the load times of various popular sites. (it's helped me spot routing problems more than once). Looking back at historical data, all the news-related ones show a clear change immediately after events like the Columbia disaster. I was not using the same system on 9/11 so I don't know how quickly one would have spotted an abnormality. - Original Message - From: "Martin Hannigan" <[EMAIL PROTECTED]> To: "Richard Irving" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Thursday, February 20, 2003 8:27 PM Subject: Re: Homeland Security Alert System > > On Thu, Feb 20, 2003 at 08:08:58PM -0500, Richard Irving wrote: > > Yes. > > > > But, until elections 2004, the "FUD" field is hardcoded to "High". > > > > However, if there are changes to the -=actual=- dhs.gov status, > > it sends out an automatic Amazon.Com order for > > Hip Boots for all members of the list. > > > > Would you like to subscribe to the notification list ? > > [ snip ] > > > > >Is anyone running an automated Terror Alert system that's > > >real time with the DHS? > > > Ok, that was interesting. :) > > The diving thing is my fun stuff. I'm actually working in > Security. :) > > I was writing a little tool that scanned their page for the alert > image name change, but that's subject to them making changes to > their site and the images are multi layer graphics, etc. etc. > > I'm going to call them and see if they can offer > a place to poll something simple that we can trip > changes off in the NOC. > > If anyone does have some insight to anything they are > doing, or a good contact number for the DHS webite, please > ping me in email and I'll follow up if I find something > or get them to do something. > > -M >
Re: Homeland Security Alert System
On Thu, Feb 20, 2003 at 08:08:58PM -0500, Richard Irving wrote:
> Yes.
>
> But, until elections 2004, the "FUD" field is hardcoded to "High".
>
> However, if there are changes to the -=actual=- dhs.gov status,
> it sends out an automatic Amazon.Com order for
> Hip Boots for all members of the list.
>
> Would you like to subscribe to the notification list ?

[ snip ]

> >Is anyone running an automated Terror Alert system that's
> >real time with the DHS?

Ok, that was interesting. :)

The diving thing is my fun stuff. I'm actually working in
Security. :)

I was writing a little tool that scanned their page for the alert
image name change, but that's subject to them making changes to
their site and the images are multi layer graphics, etc. etc.

I'm going to call them and see if they can offer
a place to poll something simple that we can trip
changes off in the NOC.

If anyone does have some insight to anything they are
doing, or a good contact number for the DHS website, please
ping me in email and I'll follow up if I find something
or get them to do something.

-M
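The scrape-and-compare idea raised twice in this thread (Rick's "flag an alert if the code changed from one scrape to another" and Martin's tool that watched the alert image name) as an added example; this is not Martin's tool and nothing here is from the DHS site. The three sample pages are constructed, and the marker the parser keys on (an <img> whose src or alt mentions the alert and names one of the five colour levels) is an assumption about page layout. The point the block adds is the failure mode Martin names: when the layout changes under you, the poller must report "unparseable" rather than either silently sitting on the old level or firing a false "changed".

```python
"""Poll-and-compare for a page carrying an alert-level graphic (added example).

The pages below are constructed. The parser assumes the level is named in
the src or alt of an <img> that also mentions 'alert' or 'advisory'; that
layout assumption is exactly what a site redesign breaks, so the code
treats 'no level found' as a distinct condition.
"""
import re
from html.parser import HTMLParser

LEVELS = frozenset(("green", "blue", "yellow", "orange", "red"))

# Constructed sample pages.
PAGE_YELLOW = """<html><body><div id="hsas">
<img src="/images/alert_yellow.gif" alt="Homeland Security Advisory: Elevated (Yellow)">
</div></body></html>"""
PAGE_ORANGE = """<html><body><div id="hsas">
<img src="/images/alert_orange.gif" alt="Homeland Security Advisory: High (Orange)">
</div></body></html>"""
PAGE_REDESIGNED = """<html><body><div class="banner">
<img src="/img/banner.png" alt="Welcome"></div>
<p>The advisory graphic moved to a script-rendered widget.</p></body></html>"""


class LevelImageParser(HTMLParser):
    """Collect colour-level words from the src/alt of alert-looking <img> tags."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        blob = (a.get("src", "") + " " + a.get("alt", "")).lower()
        if "alert" not in blob and "advisory" not in blob:
            return
        # Split on non-letters so 'alert_orange.gif' yields 'orange'.
        words = set(re.findall(r"[a-z]+", blob))
        self.found.extend(sorted(words & LEVELS))


def extract_level(html):
    """Return the one level the page names, or None.

    None covers both 'no recognisable marker' and 'conflicting markers';
    either means the page no longer looks the way the parser expects.
    """
    parser = LevelImageParser()
    parser.feed(html)
    parser.close()
    distinct = set(parser.found)
    if len(distinct) != 1:
        return None
    return distinct.pop()


def check(previous, html):
    """Compare a freshly fetched page against the last known level.

    Returns (level_to_store, event), event being 'changed', 'unchanged' or
    'unparseable'. An unparseable page keeps the previous level so a single
    broken scrape does not produce a false 'changed' or a silent reset.
    """
    level = extract_level(html)
    if level is None:
        return previous, "unparseable"
    if level != previous:
        return level, "changed"
    return level, "unchanged"


if __name__ == "__main__":
    # Walk a constructed sequence of polls, carrying the stored level forward.
    state = None
    for page in (PAGE_YELLOW, PAGE_YELLOW, PAGE_ORANGE, PAGE_REDESIGNED):
        state, event = check(state, page)
        print(event, state)
```

The first poll reports "changed" from an empty state, which is the right thing for a fresh install; the "unparseable" event is what should page the person who maintains the poller, since from then on every "unchanged" is meaningless.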