
BlueWolf's Howl


September 21, 2003

DHS is Making Friends

U.S. Department of Homeland Security Announces Partnership with Carnegie Mellon

So Tom Ridge finally created US-CERT -- like this was some new idea. Network people have been screaming and begging for something like this for years. I know I've been looking for something like this for a looooooong time.

It would be great to be able to plug into some central repository to know what's going on elsewhere and have time to brace/prepare for the impact. By the time it hits the media, network people already know about it. The best site we have right now is the Symantec Security Response site. It's a good site, but very vague regarding statistics. Their categories consist of Low, Medium, and High. They tell you how widespread the distribution is and how fast it's spreading. They also give information on removal tools and a link to update the virus definitions. This is very useful, but we need more.

The Army has ACERT, the Air Force has AFCERT and now the country has US-CERT. From my experience with ACERT and AFCERT, the information is usually much more specific regarding the effects on current systems. I hope the US-CERT will be able to follow suit, but I have my doubts. Some of this is due to the nature of the beast.

With DoD networks, admins are required to report incidents. Because of this requirement, the military CERTs know the impact of the attack on their respective networks. Getting the cooperation of civilian companies in a similar manner is not going to be easy.

It's not that the civilian companies are just difficult prima donnas. They have a number of constraints that don't affect military units. One of those constraints is that they have to make a profit. Military units don't have that problem. If they report an incident, their stock doesn't plummet.

The US-CERT is going to have to convince companies that they can benefit by disclosing information. This will not be easy. Regulations will not be enough. It will require the US-CERT to build trust with corporations. It will also require them to build trust with the user base. Home users will have to be convinced that their privacy will not be compromised by reporting an incident. THAT's going to take a huge PR campaign.

This is why it hasn't been done yet. If it were possible through cooperation or cajoling, some company would have already sprung up to create this resource and made a handsome profit from it. The privacy concerns are crucial to the success of this endeavor. Imagine being a company like Pepsi that finds out Coke was hacked or taken down by the latest mass-mailing worm. Do you think they wouldn't make a grand marketing campaign out of that? Not to mention the possibility of corporate espionage during that juicy time when they are down and ripe for an alternate method of attack.

And the reporting process itself has to be carefully reviewed. The military CERTs can be assured that if an admin reports an incident, there is one. Imagine the embarrassment of the US-CERT if it were duped into action by bogus reports. They could easily be swamped with calls from people reporting that they found Jdbgmgr.exe on their "infected" computers. And if there were a hoax like that circulating at the same time as a *real* worm, people trying to report the real worm might not be able to get through to report it.

Still, it's a first step in the right direction. Hopefully, they take enough steps in the same direction to make the US-CERT effective and useful.

Oh...and if you do follow the link at the top and read the article... The worm that caused the creation of CERT that they're talking about is the Robert Morris worm.

On November 2, 1988, Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. ... The program took advantage of a hole in the debug mode of the Unix sendmail program, which runs on a system and waits for other systems to connect to it and give it email, and a hole in the finger daemon fingerd, which serves finger requests.

It was not the first worm, but it was the first one that garnered such widespread media attention. For a history of worms see the NCSU site.

Posted by BlueWolf on September 21, 2003 08:19 AM