Domain: nipc.gov
Stories and comments across the archive that link to nipc.gov.
Comments · 24
-
what caused the outage ..
'The grid (as was shown by the outage on the east coast a couple years ago) is not very redundant'
Actually the grid used to be more redundant until the utility companies stopped building standby generators and connected local systems to a central control station, to save on staff and to save money. They managed this by lobbying in Washington to get the regulations diluted.
The actual blackout was caused by the MS Blaster worm that caused the SCADA units to freeze. These Windows-based units are used to provide remote reading of Remote Terminal Units (RTUs). As the operators were unaware that a single generator had tripped out in Ohio, they failed to respond when too much power was being drawn in from a neighboring area. This in turn tripped out other generators in a domino effect. Coincidentally enough, ten months previously the SQL worm caused a similar crash of the SCADA units at a nuclear power plant owned by the same company.
Years later a report found (a) Unix to be responsible for the outage and (b) an operator had switched off a key piece of equipment and then went to lunch. This despite the fact that telephone transcripts showed that the operators were fully aware that something was wrong in the minutes preceding the blackout.
XA/21
http://www.nipc.gov/dailyreports/2003/August/DHS_IAIP_Daily_2003-08-18.pdf
MS Blaster
http://www.theregister.co.uk/2003/08/20/slammer_worm_crashed_ohio_nuke/
We have no idea what happened
http://www.cnn.com/2003/ALLPOLITICS/09/04/blackout.hearing/index.html
transcripts
http://www.cnn.com/2003/fyi/news/09/04/transcript.fri/
potential vulnerability of plant computer network to worm infection
http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2003/in200314.pdf
an engineer .. disabled an automatic periodic trigger
http://www.computerworld.com/securitytopics/security/recovery/story/0,10801,87400,00.html
RTUs
http://www.securityfocus.com/news/41
was: Re:What about a boogeyman attack? -
Re:The Storm Center is excellent
I have a set of tabs that I load every morning precisely for this; some of them are:
- ISS GTOC
- myNetWatchman (another perspective on port activity)
- NIPC Critical Infrastructure (updates are spotty but sometimes interesting)
- US-CERT Current Activity (often a tad behind)
ISC is definitely the main one to get but these are useful. I didn't list virus sites but those may be useful as well depending on your environment.
-
Re:Sounds like a non-story
Not flaming here, but you may be comparing apples to oranges. You are complaining that /. reports every active Microsoft worm while it is out there, actively infecting multiple computers, but does not report every vulnerability affecting Linux machines. Slashdot doesn't tend to report new vulnerabilities affecting Windows, unless it comes as something spectacular, such as 6 high risk holes announced at once.
If you're reading security sites, then you're "doing it right", and that's what you need to focus on. You. I run Jay's IPTables Firewall. I occasionally check LinuxSecurity, but instead I usually visit their Packetstorm mirror and try out some of the latest exploits against my various machines just to see if I'm vulnerable. I also check CERT weekly, NIPC's Cybernotes biweekly, D-Shield and Incidents.org biweekly, and update Nessus and check my firewall biweekly. I don't have any open ports, so I rarely check for updated Snort rules. I do check my MRTG reports about once a day to see if an inordinately high amount of traffic is flowing through my firewall. There's so much that everyone should do all the time, that there's hardly enough time to complain about how much focus a web site places on reporting one OS's actively exploited holes vs another OS's potential vulnerabilities. In the time to read this, you could have been reviewing the Top 75 security tools and seeing where they fit in your environment, even if your environment is your house. -
Re:This is why ISPs are changing their SMTP rules?
You are absolutely correct. I am affected by this change. Read more here. Port 135, specifically, is being blocked/filtered on the advice of the US government.
-
Re:heh.
yeap, and it's the same homeland security that after buying that issued this warning. I suppose I should be glad they're looking out, because you and I both know that the terrorists might come into the country next through the finger exploit.
-
Philadelphia
The 10pm news here in Philly interviewed one of the city's IT guys. He stuttered and stammered his way through the whole thing, and looked to me like a man afraid for his job as he claimed that there was "no warning and no way to be prepared for this"-- not a verbatim quote, but close enough.
I think the guy is right to be afraid for his job-- he's pretty damned incompetent to have not heard about this. This vulnerability was quite publicly announced weeks ago, and Microsoft's page with the patch is dated July 16. Even Homeland Security released a bulletin, and I'd hope that if nothing else those would get around in a city government that is supposed to maintain a level of disaster-preparedness.
Then again, this being Philadelphia, that guy likely got his job through patronage and wasn't qualified for it in the first place.
~Philly -
Thank god today's payday
So I can help fund shit like this...
Step 1. Microsoft wins homeland security contract worth $100 million
Step 2. Homeland security warns of flaws in microsoft software
So, this government has spent $100 million dollars to Q&A Microsoft products. Meanwhile, at the NSA, free security enhanced linux.
Your tax dollars hard at work. I'm going to buy a box of tea and throw it in Boston harbor. -
so what?
They post other vulnerabilities like BIND, not just windows advisories. Was this just a bad attempt to make a cheap shot at microsoft?
-
Re:Which link contains the story of interest?
Sometimes it's hard to find the story, isn't it? Maybe that's just to spread the Slashdot effect out a bit.
jeremycec writes " Evidently, nothing's been resolved since 2001 , when this happened the first time. In these Memorandum Opinion and Preliminary Injunction documents from Judge Royce C. Lamberth of the U.S. District Court for Washington, D.C., we see how the court stepped in to pull the plug on a system, which, through its abject lack of due care, left someone's important financial information wide open to attackers. According to the former CIO of the Bureau of Indian Affairs: 'For all practical purposes, we have no security, we have no infrastructure, ... Our entire network has no firewalls on it. I don't like running a network that can be breached by a high school kid.' So, when the BIA could get no relief through Interior's IT Dept., it went to the courts. Source: Government Computer News " -
That's funny...
I guess you can really tell the workers are on vacation for the holiday, because the only ones left to post on Slashdot are the goof-offs.
There are computer networks that run behind the scenes that maintain every utility that runs our lives, whether it be remotely-controllable circuit breakers on the bulk power grid, hydroelectric dam controls for power & water, the multiplexors that run the telephone systems, etc. It's cheaper to put a machine out in the field and run network cable to it, than to have a live person out at the station pushing the same buttons, so more and more infrastructure is getting networked, telemetered, and controllable...
Companies are increasingly relying on VPN and similar systems to allow workers to tunnel through the internet to connect to their business machines. We all trust RSA encoding, but crack the operating system and you can use the tunnelling to get into a lot of restricted (price sensitive) data. Or maybe the company has a nifty database back-end to their site, and some buffer overruns get you into schemas that weren't supposed to be exposed... Or it could be passwords on a stolen laptop. For whatever reasons, sites get hacked.
Right now, what do companies do? If they even notice the cyber attack, they fill out some NIPC forms, and the issue vanishes into the bureaucracy. Not exactly the best measure, because the NIPC doesn't have the authority like the FBI to investigate events... or read the NIPC homepage, even they admit that there were 4 government programs that were combined, each in some way did little pieces of the puzzle but no one had the big picture of the events.
My opinion? Appointing a Cyber-Security chief is a good thing, as long as there are additional steps taken to reduce the bloat of government, by combining the other departments into one sector that can actually be effective in investigation. You have to not only create the position, but you have to give it the proper resources (like contacts at the FBI & NSA) who can properly identify crackers going after government resources, and hunt them down. Adding another level of red tape isn't going to accomplish much, but any step in the direction of securing national & private sector secrets is a good thing. -
ITU rule on charging
The ITU rule for telephony is that "charging begins when the connection becomes bidirectional". That's not directly applicable to raw IP, but it can be applied to anything behind a stateful firewall or DHCP router. That way, customers don't get charged for IP-level attacks, which they can't stop, but they do get charged for anything they reply to.
Big attacks should be reported to Homeland Security. (Really. Effective March 1, Homeland Security runs the National Infrastructure Protection Center. ISPs are going to be dealing with them on a regular basis.)
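The "charge only once the flow is bidirectional" rule above is easy to model with the same per-flow state a stateful firewall keeps. The following is an added illustration, not code from the post or from any ISP's billing system: it meters a constructed packet list, keys both directions of a connection to one flow record, and bills only flows where the customer side actually answered. The customer prefix, the packet tuples and the byte counts are all made up for the example.

```python
from dataclasses import dataclass

# Constructed assumption: anything in this prefix is the customer's side of the link.
CUSTOMER_NET = "10.1.0."


@dataclass
class Flow:
    inbound_bytes: int = 0   # bytes sent toward the customer
    outbound_bytes: int = 0  # bytes the customer sent

    @property
    def bidirectional(self):
        # The ITU-style rule: a flow only becomes billable once both sides have spoken.
        return self.inbound_bytes > 0 and self.outbound_bytes > 0


def flow_key(src, sport, dst, dport, proto):
    # Canonical key: sort the two endpoints so a packet and its reply map to the same flow.
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def is_customer(ip):
    return ip.startswith(CUSTOMER_NET)


def meter(packets):
    """packets: iterable of (src, sport, dst, dport, proto, size) tuples.
    Returns billed bytes (bidirectional flows), unbilled bytes (one-way flows) and flow count."""
    flows = {}
    for src, sport, dst, dport, proto, size in packets:
        flow = flows.setdefault(flow_key(src, sport, dst, dport, proto), Flow())
        if is_customer(src):
            flow.outbound_bytes += size
        else:
            flow.inbound_bytes += size
    billed = sum(f.inbound_bytes + f.outbound_bytes for f in flows.values() if f.bidirectional)
    unbilled = sum(f.inbound_bytes + f.outbound_bytes for f in flows.values() if not f.bidirectional)
    return {"billed": billed, "unbilled": unbilled, "flows": len(flows)}


# Constructed traffic sample (not captured data):
#  - five unanswered SYN-style packets from an outside host, each from a different source port
#  - one normal web session the customer initiated and got a reply to
#  - one inbound query the customer chose to answer
SAMPLE_PACKETS = [
    ("203.0.113.9", 1001 + i, "10.1.0.5", 80, "tcp", 60) for i in range(5)
] + [
    ("10.1.0.5", 40000, "198.51.100.10", 80, "tcp", 500),
    ("198.51.100.10", 80, "10.1.0.5", 40000, "tcp", 4000),
    ("203.0.113.9", 5000, "10.1.0.5", 53, "udp", 200),
    ("10.1.0.5", 53, "203.0.113.9", 5000, "udp", 300),
]

if __name__ == "__main__":
    print(meter(SAMPLE_PACKETS))
```

With this sample the five unanswered packets (300 bytes) stay unbilled, while the web session and the answered query (5000 bytes together) are charged, inbound bytes included, because the customer replied. Note that a strict reading of the rule also leaves a customer's own unanswered outbound traffic unbilled; a real tariff would have to decide whether that is wanted.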
-
NIPC spreading misinformation
Read the NIPC Advisory -- it sends people to the ISS site for Sendmail patches. Not only is the link broken, but ISS does not offer patches on its site, at least not in the public area.
In short, if you rely on NIPC, you are screwed. Nice waste of your tax dollars. -
Don't fool around! Hit 'em hard!
I dunno dude, but it sounds to me like you're the victim of a Denial of Service (DoS) attack. If I were you I would document each and every single occurrence (time, size, IP addresses, etc) and attach a dollar value to each occurrence (time spent, hard drive space filled up, bandwidth filled up, down time, new equipment bought to counter the threat, etc).
Then give a call to the U. S. Secret Service Electronic Crimes Branch or the FBI National Computer Crime Squad or the National Infrastructure Protection Center.
Note that each of these organizations has a dollar amount threshold. If the crime doesn't break the threshold (e.g. over $10k or something (I don't know the actual numbers, but I'm sure they can be found here)), then they won't investigate the crime. -
IN SOVIET EKROUT
Federal Bureau of Investigation Home Page
FBI Responds to Report Issued Today. ... The Committee's recommendations set forth
areas where the FBI can improve upon its domestic intelligence abilities. ...
www.fbi.gov/homepage.htm - 16k - Dec. 12, 2002 - Cached - Similar pages
Federal Bureau of Investigation - Uniform Crime Reports
Hate Crime Statistics: ...
Description: Crime statistics for the US for the years 1995-2000.
Category: Society>Crime
www.fbi.gov/ucr/ucr.htm - 17k - Dec. 12, 2002 - Cached - Similar pages
[ More results from www.fbi.gov ]
Internet Fraud Complaint Center
The Internet Fraud Complaint Center (IFCC) is a partnership between the Federal
Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C ...
www1.ifccfbi.gov/index.asp - 7k - Dec. 12, 2002 - Cached - Similar pages
FBI - Freedom of Information Act - Introduction
In early 1975, the FBI assigned a handful of employees the task of handling an anticipated
influx of Freedom of Information Act requests due to new legislation ...
Description: Transcripts of FBI cases which may be of interest to the public.
Category: Society>Issues>Terrorism>ArticlesandReports
foia.fbi.gov/ - 9k - Cached - Similar pages
TRAC: FBI Site - Comprehensive, independent, and nonpartisan
...
Your source for comprehensive independent, and nonpartisan information about
FBI. ... . FBI National Profile & Trends Over Time A good place to begin! ...
trac.syr.edu/tracfbi/ - 9k - Dec. 12, 2002 - Cached - Similar pages
Delay
The FBI Tips Form has moved. It is now located at https://tips.fbi.gov.
you will be forwarded automatically in 5 seconds. if you ...
Description: Reports of confirmed or suspected terrorist activity can be directed to this site.
Category: Regional>NorthAmerica>...>Government>LawEnforcement
https://www.ifccfbi.gov/complaint/terrorist.asp - 1k - Dec. 12, 2002 - Cached - Similar pages
Top Finds
www.fbi.com/ - 1k - Cached - Similar pages
FBI - Hopkins FBI Official Web Site - FBI
Hopkins Fbi is a great adventure game . Having a ... a thriller. French version
of the site visitors currently on Hopkins FBI site. ...
Description: Includes game story, information, and downloads for Linux and Windows.
Category: Games>VideoGames>...>GraphicalAdventures>HopkinsFBI
www.hopkinsfbi.com/ - 7k - Dec. 12, 2002 - Cached - Similar pages
National Infrastructure Protection Center (NIPC) - Home Page
link - www.nipc.gov, ...
Description: A joint FBI and private sector office charged with protecting US network and computer infrastructures...
Category: Society>Issues>Terrorism>CyberTerrorism
www.nipc.gov/ - 20k - Dec. 12, 2002 - Cached - Similar pages
FBI Jobs
ResultPage:
The FBI. It is like no other career choice you've explored. ... Whatever your background
or expertise, you will find an FBI future exceptionally rewarding. ...
www.fbijobs.com/ - 8k - Dec. 12, 2002 - Cached - Similar pages
-
Abe Lincoln
The late 16th President of the United States said that whoever represents himself in court has a fool for a client, in not so many words. (Remember, Honest Abe was an attorney.)
Be that as it may, your best advice is to address this letter to the legal department of the company. One thing to mention is that klez will say the virus came from whoever it damn well pleases.
Now consider this: in order for our friendly CEO to determine where to send the paperwork, he has to subpoena your ISP. In order to subpoena the ISP, he or his rep needs to go to court. The subpoena is something that the provider has to comply with, but there may be something where the ISP can ask just why this data is being requested. But I digress.
This is indeed a scenario where you need somebody to be at bat for you. Yes, you can represent yourself, and with the details you can probably countersue for lost time and legal fees - but, like many of us here on /., IANAL.
As for the FBI, you probably have nothing to worry about there. They are fully aware of the virus and its actions as explained by NIPC, at this link. In short, the man now looks like a fool in front of the Federal Bureau of Investigations, and they will probably dismiss him outright. It is in fact probably the case that this will be the undoing of everything, but again, check with an attorney.
-
Re:Just be sure not to give out your name...
Well, you got the concept right and all the facts wrong...
The fellow was Brian West, who worked for an ISP, and he did a little more than just "discover" the security hole in the Poteau Daily News website. A link to more info..
-
Of course he's FearMongering
He *does* work for the FearMonger's Shop, er, Feds' Critical Infrastructure Protection Board after all. But the main article, while a fun rant, didn't really say very much, it just ranted about Schmidt fearmongering.
Some of the studies of fast-spreading worms demonstrate that, if there are simultaneous exploitable bugs in widespread versions of Apache and Microsoft webservers, a Bad Guy could take over and 0wn most of them faster than a credible response could be deployed, and if the Bad Guy wanted to be destructive, lots of those servers could be wiped (your basic Warhol Worm followed by a "Thhhattt's Alll, FFfffolkssss!!!"). Sites that aren't running decently secure environments (serious backups, separation between webservers and critical databases, good firewalls, etc.) would be toast. More fun if you can combine it with an attack on Microsoft Outlook Mail as well. There's far more potential for destruction if the attacker also targets important applications, but at some point it's a tradeoff between successful faster destruction and deeper destruction.
Of course, just because there are things that are worth being afraid of, that doesn't mean that we should immediately let the Feds tell us what to do and start trusting them to take care of us, or even give them whopping big budgets and unlimited powers to "inspect" our computer systems, which are some of the major purposes of government Fearmongering.
By the way, while it is owned by Fearmongers, the NIPC.GOV website really does have some good tools and material there - I found it very helpful when dealing with a Stacheldraht DDOS cracker on my lab machines last year.
-
Text of Newsbytes Article
By Brian McWilliams, Newsbytes
CAMBRIDGE, MASSACHUSETTS, U.S.A.
18 Sep 2001, 11:18 AM CST
A new, malicious worm targeting Microsoft Web servers is in the wild and is frenetically scanning the Internet, security experts said today.
Starting this morning, numerous system administrators have observed a dramatic increase in probes from remote systems, according to reports on several mailing lists. The probes, coming sometimes hundreds per minute, appear to be attempting to access several commonly exploited files on sites running Microsoft's Internet Information Server.
According to Johannes Ullrich, operator of the Dshield.org intrusion reporting service, the scans are already tying up some networks.
"For the last few hours, systems are getting hammered with every IIS exploit on the book. Even though most of these exploits are useless, the bandwidth consumed is large," said Ullrich.
Anti-virus researchers at Symantec have released a preliminary analysis of the worm, which they have dubbed "W32.Nimda.A@mm." According to the firm, besides scanning for vulnerable IIS systems, the worm appears to use e-mail to propagate itself, arriving in a file attachment named "readme.exe." The worm also opens up the computer's hard disk as a network share.
According to Elias Levy, chief technology officer for SecurityFocus, the new worm is "very aggressive" and appears to be using elements of several earlier worms.
Log files posted by participants in one mailing list reveal that infected systems attempt "Get" requests to more than a dozen files on target servers. Among the files is root.exe, a program created by two previous worms, Sadmind and Code Red II. Also targeted is cmd.exe, the command program or "shell" installed on all Windows NT systems. The scans also access a file called "admin.dll" which is used by Microsoft's FrontPage product.
While the worm is likely only to infect IIS systems, its probes are consuming resources and bandwidth of all types of Internet-connected devices, according to reports from administrators.
The Computer Emergency Response Team (CERT) said it has begun receiving reports today of a "massive increase in scanning directed at port 80."
Ten days ago, malicious code experts identified a new self-propagating worm which they dubbed Code Blue. Because it exploits a nearly year-old flaw in Microsoft's IIS software known as the Web Server Folder Traversal vulnerability, experts said they did not expect Code Blue to spread widely.
Symantec said Nimda appears to attempt to spread using the same vulnerability as Code Blue.
In an advisory released Monday, the FBI's National Infrastructure Protection Center warned that it expects an increase in denial of service attacks from pro-American vigilantes in the wake of the terrorist attacks on New York and Washington, D.C., last week.
Symantec's information on Nimda is at
http://www.sarc.com/avcenter/venc/data/w32.nimda.a@mm.html
NIPC's advisory on potential denial of service attacks is at http://www.nipc.gov/warnings/advisories/2001/01-021.htm .
Reported by Newsbytes, http://www.newsbytes.com .
11:18 CST
Reposted 11:47 CST
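The article above describes what the worm's probes look like in a web server log: bursts of GET requests for root.exe, cmd.exe and admin.dll, often hundreds per minute from one source. The following detector is an added example, not part of the Newsbytes article or of any vendor tool: it parses constructed IIS-style log lines (date, time, client IP, method, URI, status; the format and every address are made up for the example), flags requests for those filenames or carrying directory-traversal encodings, and reports sources that exceed a per-minute threshold. The overlong UTF-8 sequences in the traversal pattern (%c0%af, %c1%1c) and the double-encoded %255c are the encodings associated with the folder traversal flaw the article refers to; treating them as indicators is this example's assumption, and the threshold of five probes per minute is arbitrary.

```python
import re
from collections import Counter
from datetime import datetime

# Filenames the article reports the worm requesting from target servers.
PROBE_TARGETS = ("root.exe", "cmd.exe", "admin.dll")

# Directory-traversal markers: plain ../ plus the overlong and double-encoded
# separator forms used against the folder traversal flaw (assumption for this example).
TRAVERSAL = re.compile(r"\.\./|%c0%af|%c1%1c|%255c", re.IGNORECASE)

# Constructed sample log (not real traffic): one noisy scanner, one normal client,
# one single-probe source. Layout: date time c-ip cs-method cs-uri-stem sc-status.
SAMPLE_LOG = """\
2001-09-18 14:02:01 10.0.0.7 GET /scripts/root.exe 404
2001-09-18 14:02:01 10.0.0.7 GET /MSADC/root.exe 404
2001-09-18 14:02:02 10.0.0.7 GET /c/winnt/system32/cmd.exe 404
2001-09-18 14:02:02 10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe 404
2001-09-18 14:02:03 10.0.0.7 GET /_vti_bin/..%255c../winnt/system32/cmd.exe 404
2001-09-18 14:02:03 10.0.0.7 GET /_vti_bin/_vti_aut/admin.dll 404
2001-09-18 14:02:05 192.168.1.20 GET /index.html 200
2001-09-18 14:02:06 192.168.1.20 GET /images/logo.gif 200
2001-09-18 14:03:10 172.16.5.5 GET /scripts/..%c1%1c../winnt/system32/cmd.exe 404
"""


def parse_line(line):
    """Split one log line into fields; return None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 6:
        return None
    date, time, src, method, uri, status = parts
    try:
        ts = datetime.fromisoformat(f"{date} {time}")
        return {"ts": ts, "src": src, "method": method, "uri": uri, "status": int(status)}
    except ValueError:
        return None


def probe_reasons(uri):
    """Return the list of indicators matched by a request path (empty if it looks benign)."""
    low = uri.lower()
    reasons = [name for name in PROBE_TARGETS if f"/{name}" in low]
    if TRAVERSAL.search(low):
        reasons.append("traversal")
    return reasons


def analyze(log_text, per_minute_threshold=5):
    """Flag individual probe requests and sources that probe faster than the threshold."""
    flagged = []
    per_src_minute = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = probe_reasons(rec["uri"])
        if reasons:
            flagged.append((rec["src"], rec["uri"], reasons))
            per_src_minute[(rec["src"], rec["ts"].strftime("%Y-%m-%d %H:%M"))] += 1
    noisy = sorted({src for (src, _), n in per_src_minute.items() if n >= per_minute_threshold})
    return {"probes": flagged, "noisy_sources": noisy}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, uri, reasons in result["probes"]:
        print(f"{src} {uri} -> {', '.join(reasons)}")
    print("noisy sources:", result["noisy_sources"])
```

Run against the sample, the detector lists seven probe requests and names 10.0.0.7 as the one source that crossed the per-minute threshold; the 404 status on every probe line is the usual sign that the server was not actually vulnerable, which matches the article's point that the scans cost bandwidth even where the exploits fail. On a real server the same logic would read the access log rather than the embedded string.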
-
Re:Is this just the old Unicode exploit?
Indeed.. The NIPC did issue that warning of activity on September 18.
-
Coordinated DDOS?
If we really are seeing a marked increase in worm traffic (and it's not just everyone suddenly noticing, now that others have brought it up -- just being cautious, eh?), then could it be possible that this might be part of, or a prelude to, a DDOS attack?
The NIPC issued the following advisory: Potential Distributed Denial of Service (DDoS) Attacks on Monday, talking about reports of people preparing for DDOS attacks on computer and commerce infrastructures. In particular: On September 12, 2001, a group of hackers named the Dispatchers claimed they had already begun network operations against information infrastructure components such as routers. The Dispatchers stated they were targeting the communications and finance infrastructures. They also predicted that they would be prepared for increased operations on or about Tuesday, September 18, 2001.
Of course, this could just be an ill-timed release of yet another worm (like there're "well-timed" releases?). I just thought that this was particularly spooky, reading this alert after seeing this worm story... -
Infraguard
The closest thing to CERT in a government agency that I know of is the FBI's National Infrastructure Protection Agency, or NIPC. They exist primarily to protect critical government infrastructure, but that obviously has a lot to do with private systems as well.
The FBI and NIPC have also started a system called Infraguard, which is designed to be a bridge to the private sector. It's a pretty recent development.
-Keslin, the naked nerd girl -
Rather worryingly
Not mentioned in the SANS report but in the NIPC advisory the trojan also installs the Tribe tfn2k flood util, giving this the potential to launch a massive DoS attack.
-- -
Oops, make that UBS
More info here. That's dated August 17th, so given the usual lead times of dead-tree publications, it makes sense that it appeared in this week's edition.