
Info on CERT (The Computer Emergency Response Team)


Date: 19-Feb-93 19:07 EST
From: Mark Zajicek >INTERNET:[email protected]
Reply to: Re: CLEARING HOUSE [INFO #1534]

Mich,

Thank you for your recent message to cert:

> The National Computer Security Association wants to determine where its
> members should report incidents of computer crime, including virus attacks.
> We feel that there should be a clearinghouse where information from victims
> of computer crimes can be assembled, classified, analyzed and reported on.
>
> 1) Does anyone associated with CERT currently take care of any of these
> functions?
>
> 2) Does anyone know of any other group currently performing these
> functions? [We are aware of the National Center for Computer
> Crime Data (NCCCD).]
>
> Thank you.
>
> Michel E. Kabay, Ph.D.
> Director of Education, National Computer Security Association (NCSA)
>
> cc. Robert Bales, Exec Director NCSA

I must confess that I am not sure whether a "clearinghouse" as you describe
it exists anywhere yet-- it certainly sounds like it would be a useful
resource. But rather than trying to guess or make incorrect assumptions
about your needs and the things ("functions") that you are looking for in
such a clearinghouse, I will try to contact you by telephone next week to
discuss this further.

In the meantime, I am appending a copy of our "CERT Coordination Center
Frequently Asked Questions (FAQ)" document. This document may provide you
with some general information about what CERT is and the services that we
can provide. Section A1 of the FAQ gives a somewhat concise description of
our "functions." Computer security incident handling response for Internet
hosts is one of our primary activities, but we also have groups working in
the areas of security research & development, and education & training. We
are not experts in the area of virus attacks, but we do have some resources
and external contacts that we will use in the event of a virus incident.

While I'm not sure if the CERT Coordination Center is what you are looking
for in the lines of "a clearinghouse where information from victims of
computer crimes can be assembled, classified, analyzed and reported on"...
you may certainly feel free to contact us to report any computer security
incidents or to request security-related information.

If you have any questions about the FAQ document, or if there is anything
that we can do to help, please let us know.

Mark T. Zajicek
Technical Coordinator

CERT Coordination Center | Internet E-mail: [email protected]
Software Engineering Institute | Telephone: 412-268-7090 24-hour hotline:
Carnegie Mellon University | CERT/CC 7:30a.m.-6:00p.m. EST(GMT-5),
Pittsburgh, PA 15213-3890 | on call for emergencies 24 hours/day.

------ ------ ------ ------ ------ ------ ------ ------ ------ ------ ------

February 1993
Revision 9

The CERT Coordination Center FAQ

=======================================================================
= Preface Section: =
=======================================================================

This document is intended to answer the most Frequently Asked
Questions (FAQs) about the CERT Coordination Center. The FAQ is a
dynamic document that will change as information changes. Suggestions
for additional sections are welcome -- please e-mail them to
[email protected]. The most recent copy of this FAQ will be available
via anonymous FTP from cert.org (192.88.209.5) in the /pub directory.

Questions answered in this document

A. Introduction to the CERT Coordination Center
A1. What is CERT?
A2. What does CERT stand for?
B. Where to go for information
B1. What is a CERT advisory?
B2. Where can I obtain archived CERT advisories?
B3. Can I obtain source code to a patch described in a CERT
advisory?
B4. What security mailing lists, newsgroups, and other sources
of information does CERT recommend?
B5. What information is available via anonymous FTP from
CERT?
B6. What presentations, workshops, and seminars does the CERT
Coordination Center offer?
B7. What books or articles does the CERT Coordination Center
recommend?
B8. How do I use anonymous FTP on cert.org?
C. Incident Response
C1. What kind of information should I provide to CERT when my
site has experienced an intrusion?

=======================================================================
= Section A. Introduction to the CERT Coordination Center =
=======================================================================

A1. What is CERT?

CERT is the Computer Emergency Response Team that was formed
by the Defense Advanced Research Projects Agency (DARPA) in
November 1988 in response to the needs exhibited during the
Internet worm incident. The CERT charter is to work with the
Internet community to facilitate its response to computer
security events involving Internet hosts, to take proactive
steps to raise the community's awareness of computer security
issues, and to conduct research targeted at improving the
security of existing systems.

CERT products and services include 24-hour technical
assistance for responding to computer security incidents,
product vulnerability assistance, technical documents, and
seminars. In addition, the team maintains a number of
mailing lists (including one for CERT advisories) and
provides an anonymous FTP server: cert.org (192.88.209.5),
where security-related documents, past CERT advisories, and
tools are archived.

CERT contact information:

U.S. mail address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
U.S.A.

Internet E-mail address
[email protected]

Telephone number
+1 412-268-7090 (24-hour hotline)
CERT Coordination Center personnel answer
7:30 a.m.- 6:00 p.m. EST(GMT-5)/EDT(GMT-4), on call for
emergencies during other hours.

FAX number
+1 412-268-6989

A2. What does CERT stand for?

You may see our name in several different forms. CERT stood
for "Computer Emergency Response Team", CERT/CC stood for
"CERT Coordination Center", and now we use "CERT Coordination
Center". Informally, we use "CERT", throughout this document
and a few other documents.

We use the e-mail address:

[email protected]

Any references to:

[email protected]
or
[email protected]

should be changed to the new address ([email protected]).

=======================================================================
= Section B. Where to go for information =
=======================================================================

B1. What is a CERT advisory?

A CERT advisory provides information on how to obtain a patch or
details of a workaround for a known computer security problem.
CERT works with vendors to produce a workaround or a patch
for a problem, and does not publish vulnerability information
until a workaround or a patch is available. A CERT advisory
may also be a warning to our constituency about ongoing
attacks (e.g., "CA-91:18.Active.Internet.tftp.Attacks").

CERT advisories are published on the USENET newsgroup:

comp.security.announce

and are distributed via the cert-advisory mailing list. Both
of these publication methods are described below.

CERT advisory archives are available via anonymous FTP from
cert.org (192.88.209.5) in the /pub/cert_advisories
directory.

B2. Where can I obtain archived CERT advisories?

CERT advisories are available via anonymous FTP from cert.org
(192.88.209.5) in the /pub/cert_advisories directory. The
"01-README" file provides a short summary of each of the
advisories.

B3. Can I get source code to a patch described in a CERT advisory?

CERT does not provide source-level patches. Some vendors make
source-level patches available to their source customers
while others only distribute binary patches. Contact your
vendor for more information.

B4. What security mailing lists, newsgroups, and other sources of
information does CERT recommend?

(a) CERT mailing lists

(1) CERT advisory mailing list

The CERT Coordination Center maintains a CERT
advisory mailing list for those members of the
constituency who are unable to access USENET news
or who would like to have advisories mailed
directly to them or to a mail exploder at their
site. If you would like to be added to the
mailing list, please send mail to:

[email protected]

You will receive confirmation mail when you have
been placed on the list.

(2) CERT tools mailing list

The purpose of this moderated mailing list is to
encourage the exchange of information on security
tools and techniques. The list should not be used
for security problem reports.

The CERT Coordination Center will not formally
review, evaluate, or endorse the tools and
techniques described. The decision to use the
tools and techniques described is the
responsibility of each user or organization, and
we encourage each organization to thoroughly
evaluate new tools and techniques before
installation or use.

Membership is restricted to system programmers,
system administrators, and others with a
legitimate interest in the development of computer
security tools. If you would like to be
considered for inclusion, please send mail to:

[email protected]

You will receive confirmation mail when you have
been placed on the list.

(b) Other security-related mailing lists

(1) VIRUS-L mailing list (see comp.virus newsgroup
below)

VIRUS-L is a moderated mailing list with a focus
on computer virus issues. For more information,
including a copy of the posting guidelines, see
the file "virus-l.README", available via anonymous
FTP on cert.org (192.88.209.5) in the /pub/virus-l
directory. To be added to the mailing list, send
mail to:

[email protected]

In the body of the message, put nothing more than:

SUB VIRUS-L your name

(2) VALERT-L mailing list

VALERT-L is a mailing list for sharing urgent
virus warnings among other computer users. Note
that any message sent to VALERT-L will be
cross-posted in the next VIRUS-l digest. To be
added to the mailing list, send mail to:

[email protected]

In the body of the message, put nothing more than:

SUB VALERT-L your name

(c) USENET newsgroups

(1) comp.security.announce

The comp.security.announce newsgroup is moderated
and is used solely for the distribution of CERT
advisories.

(2) comp.security.misc

The comp.security.misc is a forum for the
discussion of computer security, especially as it
relates to the UNIX® Operating System.

(3) alt.security

The alt.security newsgroup is also a forum for the
discussion of computer security, as well as other
issues such as car locks and alarm systems.

(4) comp.virus

The comp.virus newsgroup is a moderated newsgroup
with a focus on computer virus issues. For more
information, including a copy of the posting
guidelines, see the file "virus-l.README",
available via anonymous FTP on cert.org
(192.88.209.5) in the /pub/virus-l directory.

(5) comp.risks

The comp.risks newsgroup is a moderated forum on
the risks to the public in computers and related
systems.

(d) NIST (National Institute of Standards and Technology)
Computer Security Bulletin Board

Information posted on the bboard includes an events
calendar, software reviews, publications, bibliographies,
lists of organizations, and other government bulletin
board numbers. This bboard contains no sensitive
(unclassified or classified) information.

If you have any questions, contact NIST by phone at:
301-975-3359; by FAX at: 301-590-0932; or by e-mail at:
[email protected].

B5. What information is available via anonymous FTP from CERT?

CERT makes information available via anonymous FTP from
cert.org (192.88.209.5) in the /pub directory. In the
/pub directory, the file "ls-lR" lists the subdirectories
and the information found in those subdirectories.

/pub/CERT_Press_Release_8812: The file
"CERT_Press_Release_8812" is a copy of the December 1988 DARPA
press release announcing the formation of the CERT
Coordination Center.

/pub/FIRST: The /pub/FIRST directory contains a file,
"first-contacts". FIRST, the Forum of Incident Response and
Security Teams, is an organization whose members work together
voluntarily to deal with computer security problems and their
prevention. General information on FIRST is available via
anonymous FTP from csrc.ncsl.nist.gov in the /pub/first
directory. The name of the file is "op_frame.txt". The
document begins with a description of the CERT System, which
was later renamed "FIRST". Also in that directory are the
minutes from meetings, a list of FIRST contacts (also
duplicated in the CERT anonymous FTP area on cert.org
[192.88.209.5] in the /pub/FIRST directory), and other related
information.

/pub/NIST: The /pub/NIST directory contains security
publications from NIST.

/pub/cert_advisories: The /pub/cert_advisories directory
contains archived copies of past CERT advisories, the
"01-README" file, a copy of the CERT press release from
December 1988 announcing the formation of CERT, an article
from the March 1990 issue of Bridge, a magazine published by
the Software Engineering Institute (SEI), describing CERT, and
a file containing information on the status of the rdist
patch.

/pub/cert_FAQ: The file "cert_FAQ" is a copy of the CERT
Coordination Center FAQ (Frequently Asked Questions).

/pub/cert_incident_reporting_form: The file
"cert_incident_reporting_form" is a form to facilitate our
interaction with members of the Internet community in
responding to security incidents. The form is also
Section C1 of this FAQ.

/pub/clippings: The /pub/clippings directory is an archive
service for computer security. This archive is a central
repository for selected security related USENET News and
mailing list postings. The archive will not be restricted to
any one newsgroup or mailing list. To submit an article for
the clippings archive, please send e-mail to:

[email protected]

/pub/cops: The /pub/cops directory includes the information
for the COPS package. COPS is a publicly available collection
of programs that attempts to identify security problems in the
UNIX Operating System. COPS does not attempt to correct
any discrepancies found; it simply produces a report of its
findings.

/pub/info: The /pub/info directory contains online copies of
security-related books and papers, including Dave Curry's May
1990 SRI Tech Report "Improving the Security of Your Unix
System", "Computer Emergency Response - An International
Problem" by Richard D. Pethia and Kenneth R. van Wyk, the
report "Coping with the Threat of Computer Security Incidents:
A Primer from Prevention through Recovery" by Russell Brand,
and the Department of Defense Trusted Computer System
Evaluation Criteria CSC-STD-001-83 often referred to as the
"Orange Book". (Note: This is the Aug 1983 version of this
document; this document was revised in Dec 1985.)

/pub/network_tools: The /pub/network_tools directory contains
network tools made available via anonymous FTP. The file
"tcp_wrapper.xx" is a TCP daemon wrapper program that will
provide additional logging information and access control for
many network services (also duplicated in the /pub/tools
directory).

/pub/papers: The /pub/papers directory contains the
announcement of the CERT tools mailing list.

/pub/ssphwg: The /pub/ssphwg directory contains archived
information from the IETF Site Security Policy Handbook
Working Group and the IETF Security Policy Working Group. RFC
1244, "Site Security Handbook" was the result of the Site
Security Policy Handbook Working Group; and RFC 1281,
"Guidelines for the Secure Operation of the Internet" was the
result of the Security Policy Working Group. Both of these
RFCs are available in the /pub/info directory, as mentioned
above.

/pub/tech_tips: The /pub/tech_tips directory contains
documents on anonymous FTP configurations, packet filtering,
and the CERT security checklist.

/pub/tools: The /pub/tools directory contains various
software programs, including COPS, Crack, TCP daemon wrappers,
and virus-detection programs.

/pub/vendors: The /pub/vendors directory contains directories
of information specific to the particular vendor. Currently,
the only directory is the /pub/vendors/hp directory, which
contains the file "supportline_and_patch_retrieval", which is
information on HP SupportLine Registration Instructions.

/pub/virus-l: The /pub/virus-l directory contains the
archives and other VIRUS-L and VALERT-L mailing list
documents.

B6. What presentations, workshops, and seminars does the CERT
Coordination Center offer?

(a) Presentations

Throughout the year, members of the CERT Coordination
Center give presentations at various technical
conferences, seminars, and regional networks.
Periodically, special arrangements can be made to tailor
the presentation to fit the requirements of the specific
site. For further information regarding presentations,
please contact the CERT Coordination Center.

(b) Workshops

For the past few years, the CERT Coordination Center has
hosted and co-sponsored the FIRST Workshop on Incident
Handling. The 1993 workshop will be held in St. Louis,
Missouri, August 10-13, 1993. For further information,
please contact the CERT Coordination Center.

(c) Seminars

(1) Internet Security for Managers

Description: This seminar is to help
managers understand what needs to be done to ensure
that their computer systems and networks are as
securely managed as possible when operating within
the Internet community. Attendees will be provided
with information that will enable them to formulate
realistic security policies, procedures, and
programs specific to their operating environment.

Audience: This seminar is designed for managers of
computing centers/facilities, individuals tasked to
evaluate/initiate Internet connectivity, senior system
administrators, and others interested in computer
security within the Internet community.

(2) Internet Security for UNIX System Administrators

Description: The information presented in this
seminar is based on incidents reported to the CERT
Coordination Center. The topics covered will include
defensive and offensive strategies for system
administration, site-specific security policies, and
incident handling.

Audience: This seminar is designed for users and
system administrators of hosts using the UNIX
Operating System. It is especially suited for system
administrators of systems connected to a wide
area network based on TCP/IP such as the Internet.
Some system administrator experience is assumed.

B7. What books or articles does the CERT Coordination Center
recommend?

[Bishop 87] Bishop, Matt. "How to Write a Setuid
Program." ;login: 12(1) (Jan/Feb 1987):
5-12.

[Curry 90] Curry, Dave. "Improving the Security of Your
UNIX System" (Technical Report
ITSTD-721-FR-90-21). Menlo Park, CA: SRI
International, April 1990.

[Curry 92] Curry, David A. UNIX System Security: A
Guide for Users and System Administrators.
Addison-Wesley Publishing Co., Inc.
(ISBN 0-201-56327-4), 1992.

[Denning 90] Denning, Peter J., ed. Computers Under
Attack: Intruders, Worms, and Viruses. ACM
Press, Addison-Wesley Publishing Company,
Inc. (ISBN 0-201-53067-8), 1990.

[Farrow 91] Farrow, Rik. How to Protect Your Data and
Prevent Intruders: UNIX System Security.
Addison-Wesley Publishing Company, Inc.
(ISBN 0-201-57030-0), 1991.

[Garfinkel and Spafford 91]
Garfinkel, Simson; Spafford, Gene. Practical
UNIX Security. O'Reilly & Associates, Inc.
(ISBN 0-937175-72-2), 1991.

[Grampp and Morris 84]
Grampp, F.T.; Morris, R.H. "UNIX Operating
System Security." AT&T Bell Laboratories Technical
Journal 63(8) (Oct 1984): 1649-1672.

[Hafner and Markoff 91]
Hafner, Katie; Markoff, John. Cyberpunk:
Outlaws and Hackers on the Computer Frontier.
Simon & Schuster, 1991.

[Morris and Thompson 79]
Morris, R.H.; Thompson, K. "Password
Security: A Case History." CACM 22(11)
(November 1979): 594-597.

[Nemeth, Snyder, and Seebass 89]
Nemeth, Evi; Snyder, Garth; Seebass, Scott.
UNIX System Administration Handbook. Prentice
Hall (ISBN 0-13-933441-6), 1989.

[Stoll 89] Stoll, Clifford. The Cuckoo's Egg: Tracking a
Spy Through the Maze of Computer Espionage.
Doubleday (ISBN 0-385-24946-2), 1989.

[Wood and Kochan 86]
Wood, Patrick; Kochan, Stephen. UNIX System
Security. Hayden Books, 1986.

B8. How do I use anonymous FTP on cert.org?

Below are the steps, with an example of each.

1) At your system prompt, type "ftp cert.org" or "ftp
192.88.209.5", followed by a carriage return.

% ftp cert.org <return>

or

% ftp 192.88.209.5 <return>

2) At the "Name (cert.org:ktf):" prompt, type
"anonymous", followed by a carriage return.

Name (cert.org:ktf): anonymous <return>

3) At the "Password:" prompt, type your E-mail address
as your password, followed by a carriage
return.

Password: [email protected] <return>

4) At the "ftp>" prompt, type:
ls => to list the contents of the current
directory
cd => to change to a directory
bin => to set the file transfer mode to binary
mode (the default is ASCII text)
get filename => to get a file

ftp> cd pub <return>
ftp> bin <return>
200 Type set to I.
ftp> get CERT_Press_Release_8812 <return>

5) To exit from your FTP session, type "quit" at the
"ftp>" prompt, followed by a carriage return.

ftp> quit <return>
%

=======================================================================
= Section C. Incident Response =
=======================================================================

C1. What kind of information should I provide to CERT when my site
has experienced an intrusion?

The CERT Coordination Center would like as much information as
possible, including opinions and thoughts as to how the
breakin occurred. Below is our Incident Reporting Form:

CERT Coordination Center
Incident Reporting Form

CERT has developed the following form in an effort to facilitate our
interaction with members of the Internet community. We would appreciate
your completing the form included below in as much detail as possible.
The information is optional, but the more information you can provide,
the better we will be able to assist you.

Note that our policy is to keep confidential any information you provide
unless we receive your permission to release that information. (See questions
7 and 10 below.)

Please feel free to duplicate any section as required. Please return
this form to [email protected]. If you are unable to e-mail this form,
please send it via FAX. Our FAX telephone number is +1 412-268-6989.

Thank you for your cooperation and help.

1) Reporting site information
Organizational Name (e.g. CERT Coordination Center):
Domain Name (e.g. cert.org):

2) Your contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):

3) Additional contact information (if available)
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (for CERT internal use only):

4) Compromised host(s) at your site (one entry per host please)
Hostname:
IP address:
Vendor:
Hardware:
OS:
Version:
Security patches applied:

5) Please list the other sites compromised that you have notified, and
the contact information for each site (one entry per site please)
Hostname:
IP address:
Contact information:
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, for CERT internal use only):

6) Please list the other sites compromised that you have not yet
notified (one entry per site please)
Hostname:
IP address:
Contact information (if available):
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):

7) Would you be willing to contact these sites if CERT provided you
the relevant contact information (Yes/No):

Or, can CERT give your contact information to these sites when we
contact them (Yes/No):

8) Incident category (Yes/No)
Probe:
Prank:
Mail Spoofing:
Breakin:
Installed Trojan Horse:
Intruder gained root access:
NIS (yellow pages) attack:
NFS attack:
TFTP attack:
FTP attack:
Telnet attack:
Rlogin or rsh attack:
Product vulnerability:
Worm:
Virus:
Other (please specify):

9) Are you currently using (Yes/No/Periodically)
COPS (The Computer Oracle and Password System):
TCP access control using packet filtering:
Host access control via modified daemons or wrappers:
Crack:
Tripwire:
Proactive password checkers (e.g. npasswd, passwd+):
Shadow passwords:
Other (please specify):

10) Miscellaneous
Please specify any other incident response team(s) you have
contacted
Team:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):

If you have not contacted another incident response team,
could we give them your contact information (Yes/No):

Please specify any law enforcement agency(ies) you have
contacted
Agency:
Contact information
Name:
E-mail address:
Telephone number:
FAX number (optional):
Pager number (optional):
Home telephone number (optional, CERT internal use only):

If you have not contacted any law enforcement agency, could we
give them your contact information, if necessary (Yes/No):

11) Detailed description of incident (e.g. method of intrusion, etc)

12) What assistance would you like from CERT?

13) Please append any log information or directory listings
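The form above is plain text: easy to fill in, tedious to triage by hand once many sites send it. As an added example (not part of the FAQ and not CERT's own tooling), here is a small parser that turns a filled-in copy into structured records and pulls out what a duty officer looks at first: the compromised hosts from section 4, the not-yet-notified sites from section 6, the "Yes" answers from section 8, and whether any logs were appended in section 13. It assumes a filled-in copy keeps the numbered headings at the left margin and one "Field: value" per line, as in the blank form; the sample report embedded in it is constructed for this example, and the hostnames, addresses and log lines in it are made up.

```python
import re

# Constructed sample: a filled-in copy of the CERT form above. Hosts, addresses
# and log lines are made up; this is not a real report or CERT's own tooling.
SAMPLE_REPORT = """\
4) Compromised host(s) at your site (one entry per host please)
   Hostname: alpha.example.edu
   IP address: 192.0.2.10
   OS: SunOS
   Version: 4.1.1
   Security patches applied: none
   Hostname: beta.example.edu
   IP address: 192.0.2.11
   OS: Ultrix
   Version: 4.2
   Security patches applied: none

6) Please list the other sites compromised that you have not yet
   notified (one entry per site please)
   Hostname: gw.example.org
   IP address: 203.0.113.5
   Contact information (if available):
   Name:
   E-mail address:

8) Incident category (Yes/No)
   Probe: Yes
   Breakin: Yes
   Intruder gained root access: Yes
   TFTP attack: Yes
   Worm: No

13) Please append any log information or directory listings
   Mar  1 02:14:07 alpha tftpd[212]: connect from 198.51.100.7
   -rwsr-xr-x  1 root  24576 Mar  1 02:20 /tmp/.sh
"""

SECTION_RE = re.compile(r"^(\d+)\)\s+(.*)$")    # "4) Compromised host(s) ..."
FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*)$")  # "   Hostname: alpha..."
HINT_RE = re.compile(r"\s*\([^)]*\)\s*$")       # trailing "(e.g. ...)" hint
FREE_TEXT = {11, 12, 13}                        # prose and log sections


def parse_report(text):
    """Return {section_number: {"title", "entries": [dict, ...]}}; sections
    11-13 give {"title", "text"} instead.  A new entry starts whenever a key
    repeats, which is how "one entry per host" repeats arrive."""
    report, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            num, title = int(m.group(1)), m.group(2).strip()
            current = ({"title": title, "lines": []} if num in FREE_TEXT
                       else {"title": title, "entries": [{}]})
            report[num] = current
            continue
        if current is None or not line.strip():
            continue
        if "lines" in current:  # log lines containing ':' are text, not fields
            current["lines"].append(line.strip())
            continue
        m = FIELD_RE.match(line)
        if not m:                               # wrapped heading (section 6)
            if current["entries"] == [{}]:
                current["title"] += " " + line.strip()
            continue
        key = HINT_RE.sub("", m.group(1).strip())
        if key in current["entries"][-1]:       # repeated key: next host/site
            current["entries"].append({})
        current["entries"][-1][key] = m.group(2).strip()
    for sec in report.values():
        if "lines" in sec:
            sec["text"] = "\n".join(sec.pop("lines"))
    return report


def yes_no(value):
    """Yes/No answer -> True/False; blank, Periodically, etc. -> None."""
    v = value.strip().lower()
    return True if v in ("yes", "y") else False if v in ("no", "n") else None


def entries(report, num):
    return report.get(num, {}).get("entries", [])


def compromised_hosts(report):
    return [(e["Hostname"], e.get("IP address", ""))
            for e in entries(report, 4) if e.get("Hostname")]


def triage(report):
    """The summary a duty officer wants before reading the whole form."""
    answers = (entries(report, 8) or [{}])[0]
    cats = sorted(k for k, v in answers.items() if yes_no(v))
    return {
        "hosts": len(compromised_hosts(report)),
        "root_compromise": "Intruder gained root access" in cats,
        "categories": cats,
        "unnotified_sites": [e["Hostname"] for e in entries(report, 6) if e.get("Hostname")],
        "has_logs": bool(report.get(13, {}).get("text")),
    }
```

Sections 11 through 13 are kept verbatim so that a ":" inside a syslog line is never mistaken for a field, and a repeated key (a second "Hostname:") starts a new entry rather than overwriting the first. Calling triage(parse_report(SAMPLE_REPORT)) on the constructed sample reports two hosts, a root compromise, and one site still to be notified.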



UNIX® is a registered trademark of UNIX System Laboratories, Inc.

CERT is sponsored by the Defense Advanced Research Projects Agency
(DARPA). The Software Engineering Institute is sponsored by the U.S.
Department of Defense.