NIST Releases Guide to Cyber Attacks
treerex writes "NIST (the US National Institute of Standards and Technology) has just released a 148-page report entitled Computer Security Incident Handling Guide (PDF). It covers the gamut, from setting up a response team to dealing with specific types of attacks: DoS, trojans, worms, malicious code, and unauthorized access. While written by a team from NIST and the contractor Booz-Allen Hamilton (BAH), they appear to have taken input from CERT and luminaries like Spafford. It is an interesting read."
So we establish "standard procedures" to deal with a standard gamut of attacks. That's great.
Are we so naive to believe that following such advice will make us secure?
I have been pwned because my
this is interesting... how?
DoS, trojans, worms, malicious code, and unauthorized access
RIAA?
Blarf.
all your base belong to us
Our government is telling _us_ how to handle computer security?!? Last time I was playing the gray side of the field *.gov sites were the easy targets.
AC
At the tone, the time will be %^&^#$&*&* [NO CARRIER]
Yes! I listen to NYC Speedcore and do math at 3AM. I suggest you try it too.
This might be unnecessary for "professionals", people who know these things from before and work with it. But for the average sysadmin, this is just great! He/she could know how to:
;)
1. Find out what happened
2. Close the breach
3. Report the breach.
If the sysadmin doesn't know how to do this, they also know where to seek help.
I'll probably get messages back saying this is just dumb and generic, but it's better than not knowing anything at all. A lot better. All too few people know how to handle situations like this, and they will need somewhere to start.
I'll give this thing a skim read (just read contents and some interesting paragraphs now) and get back to this
return. Loss of radio contact cannot be attributed to this by fluke accident as was the case back in 1997. Oh no, it's a bona fide "tiny computerised brain" screw-up. The latest in a long history of failures, the Linux operating system has flushed half of a US$820 million project out of the crapper hole on the side of the space shuttle. It seems that somebody came up with the bright idea of running the Mars rover on an Apple Macintosh "Supercomputer" controlled by Linux.
Oh, I suppose that that extra license fee for an actual quality operating system would have broken that $410M dollar budget. There's no way they could have afforded an embedded operating system that isn't cheap communist software. They could have gone with QNX RTOS, VxWorks or any number of other quality and time-tested real-time operating systems for the Mars rover, from a reputable company. But NOOOOO, they went with bullshit free-as-in-fix-everything-yourself Linux. Some long-haired balding fat Linux zealot, sucking up oodles of tax money with his blob-like presence in the NASA "engineering corps", with a certain penchant for cheap software, came up with the brilliant idea of running embedded Linux on an Apple Macintosh of all things. Of all the idiotic things that have happened under the current administration, this by far makes me most ashamed.
The International Journal of Digital Evidence is also worth keeping up with, if this type of stuff interests you.
I think one thing sums it up:
bah
With the government's love of Microsoft Windows, Word .doc formats etc. I was under the assumption that they were unaware of the concept of computer security.
while sco {
wget -O
}
Beyond the typical vapid governmental reports, this is a step in the right direction. Anything to create a buzz around security, especially computer security, will serve the public well. This is what needs to happen: standardization. The government has done a commendable job in creating standards for dealing with national security; why not extend that to computer security? All these posts that do nothing to note the fact that this is a good thing don't see past the .gov TLD.
Not too long ago, they were in hot water with the US Navy for letting some websites get hacked by leaving the default admin passwords in place. No joke, my friends work there!
It's all Hood
It seems quite apropos to revisit this thread, considering the article topic.
-JT
Here's a mirror
Mirror provided by Coded Networks
Sponsored by Dedicated Gamer
The fact that the guvmint machines are the easy targets is apparently the point.
This is for federal agency use, and anyone else's.
This also effectively says "You WILL do it like this" to the federal agencies.
There will be a quiz.
Guide for Sysadmins: Upon learning that your systems have been penetrated, proper incident response is as follows:
Microsoft Windows is, fittingly, the official Desktop OS of Olig
I'm sorry but sometimes ./ers talk way more than they should. Sure, the government doesn't have a perfect track record with regards to security... but before opening your big mouths you should read the document and see if you learn a thing or two. Let me tell you, you think you are hot stuff, but if you knew so much about security and how to secure a network YOU would be the one writing these papers, publishing them and raking in loads of cash because of it.
Instead you spend your time blasting other people and their works without even reviewing it.
YES - I MEAN YOU!
And no, I don't post as an anonymous coward because I'm afraid of you retaliating (I hope you're not that childish) but because I see no added benefit in creating an account and logging on to such.
...what to do in case of a Slashdotting?
Sheesh, evil *and* a jerk. -- Jade
???
SLIPPERY ROCK, Pa. - The life of the late Fred Rogers will be celebrated here next month with an 11-movement composition titled Memoriam: A Requiem for Mr. Rogers.
The genital Rogers became famous around the world as the sweater-wearing host of the PBS program Mister Rogers' Neighborhood. He died last year.
The one-hour piece will be presented by a 25-piece orchestra accompanied by a 65-member choir.
It includes English, Hebrew and Latin lyrics, poetry and dramatic readings.
Luke Mayernik, 21, the music director at St. Justin Church in Pittsburgh, began writing the composition after Rogers passed away. He did so at the urging of St. Justin parishioner Maggie Stewart, who played Mayor Maggie on Rogers' show.
"I believe Mr. Rogers was a modern-day prophet. He was living gospel," Mayernik told the Associated Press.
The tribute to Rogers will debut February 29th at Mayernik's church.
If you want to get hacked use Debian.
If you want to stay secure don't use Debian.
Debian's main servers were hacked recently because Debian is such an old distro filled with remote holes.
Major hack attack on the U.S. Senate
In the free world the media isn't government run; the government is media run.
What the NIST fails to mention here is that most of this comes from internal policies they have implemented to counteract their previous approach to computer security, which was incredibly lax. These recommendations come first hand.
Read an account of their extensive security lapses in the late 90's here
You're going to need a text editor that supports lines longer than 80 characters, but if you have one, I've made a decent zipped text file from the PDF for people with slow connections. As always NO WARRANTY WHATSOEVER.
Computer Security Incident Handling Guide.zip (113K) (zipped text file)
I think it's actually a good use of taxpayer money, which is the first time that I've said that in public.
If nothing else, it provides a good framework to start from, especially small companies/non-profits etc, where they don't have the resources to hire a full-time crack security team. This helps them set priorities and useful business things like that.
I'm really quite surprised people are being negative about it.
teh fun never stops!!!
I don't understand why people immediately dismiss a report coming from NIST as being worthless USG noise while many of the same "arguments" against this paper could be made against books like Incident Response: Investigating Computer Crime or Counter Attack or any of the other n+1 books on this topic that exist.
Harumph.
How come Homer and Krusty look like clones?
I think Homer and Krusty look alike because originally, the Simpsons' premise was about a boy who hated his father but was in awe of a clown who looked exactly like his father. Thus they look alike.
Standard response to standard attacks? Sounds like someone's played too much Mike Tyson's punchout. If he tries to do a stack overflow, I log it as a possible attack, then I give him a power punch and his pants fall down.
Seriously, though, the vast majority of attacks are of a common variety. The average hacker is a stupid high-school student who thinks it is cool, and has found a hacking website that tells him how to do it.
The problem with security is that it makes you think you're secure. If people have passwords they can tell someone else theirs, and all the ssh updates in the world won't help you. How many of you can honestly say they have never given anyone else their password for anything? Simple things like forgetting your work somewhere and giving someone your password to email it to you is a bigger security risk than a dozen highschool hackerz.com readers.
failing in tuo poasts nd all!!!
tehdawgkow is sooper31337!!!!
BOOF!!!!
"... Consider limiting outbound connections that use encrypted protocols, such as SSH, HTTPS, IPsec. Permitting unnecessary encrypted connections may allow users to perform actions that security controls cannot monitor. For example, a user could establish a SSH connection to an external server and download illegal materials; because the connection is encrypted, network security controls would not determine the nature of the activity. Possible methods for limiting the traffic include firewall rulesets and URL filtering..."
Who the hell wrote this crap?
I am not going to waste time downloading this monster, so maybe can tell me: does anyone associated with that document recommend throwing Microsoft in the trash bin? If so, that's all they ever needed to print.
I can tell that certain parts of the document were not written by people who have actually done the work. For example, a portion of it talks about write-protection software. Unfortunately it is in the wrong section where they talk about a live response. I'd love to see them apply a write protection device on an active Windows system!
Typical Booz-Allen crud. We hated these guys when I worked in the gov. Our command once paid over 250k for a 2" high report that simply re-hashed the interviews they conducted.
please ignore, testing again
Description courtesy of Bruce Schneier's Crypto-gram:
Apparently, somebody who knows how smart slacker geeks get their porn, and wants to put a stop to it.
No really, blocking SSH/ESP and tracking HTTPS is a reasonable suggestion -- if anything, I'd say the above doesn't go far enough. The excerpted paragraph doesn't mention the more serious risks of SSH (port forwarding, tunneling, etc).
I'm not particularly worried about a smart internal user establishing an SSH session to the Internet and downloading "illegal materials",
I'm worried about the airhead secretary who brings in a floppy provided by her uberhacker boyfriend, and runs a rootkit, setting up an outbound SSH session providing him with a command prompt on her workstation...
That's just one risk of permitting outbound crypto channels...
I do not deploy Linux. Ever.
Would you like to play a game?
Run around in circles, screaming and shouting.
Blame Microsoft.
Thank you.
You moron, didn't you read the (friendly) article? On page 146, it said... [insert fact here] ... and if you read it, you wouldn't have posted that comment.
Ok, quick poll, how many people read the report before posting?
A section on telling organizations to test the policies and procedures that are put into place to work out any kinks in detection and reporting.
If you put all these policies, processes, and procedures into place and don't have a Mock intrusion or emergency, you won't know how good or bad your incident response will be.
Dolemite
____________________
Save the World! Use a Quote!
Reasonable? Pointless.
Applications which tunnel through the HTTP application layer (not just SSH on port 80) using fully obscured forms of encryption are prevalent and readily available to the non-technical PC user. Such applications are very popular in Saudi Arabia and China, for example. Primarily because there are, at this time, no proxies capable of blocking them.
And as soon as such proxies appear, the HTTP application layer tunnels will go polymorphic in their protocols. There is no hint of evidence that the proxies have any chance of keeping up.
It is well-known to the steganography community that any open channel, even email, is insecure. Unless such channels are closely monitored by a professional cryptographer, there is no chance that they can reliably be monitored to prevent unfriendly traffic.
Sadly, they exist more to make a quick buck by giving ignorant admins a false sense of security.
Transports which tunnel through the HTTP application layer (not just SSH on port 80) using fully obscured forms of encryption are prevalent and readily available to the non-technical PC user. Such applications are very popular in Saudi Arabia and China, for example, primarily because there are presently no proxies capable of blocking them.
As soon as such proxies appear, the HTTP application layer tunnels will implement polymorphic protocols. There is no hint of evidence that the proxies have any chance of keeping up.
It is well known in the steganography community that any open channel, even email, is transparently insecure. Unless such channels are closely monitored by a professional cryptanalyst, there is no chance that they can reliably be prevented from carrying unwanted traffic.
Just a DOS attack by Democrats on behalf of special interest groups trying to control the Federal courts. It is described here (pdf).
Not to be confused with the planned social engineering of the Senate Intelligence Committee. That was a plan to probe for weaknesses, and announce an investigation whether weaknesses are found or not. There effectively was a DOS when the attack was discovered and the interfaces were turned off to block the attack.
Overall, I agree that limiting SSH and HTTPS connections makes sense. However, if you are in a NOC or any other environment where engineers or technicians access routers and other equipment using SSH instead of telnet, then you have to be careful about this. Even with RADIUS and TACACS, many organizations prefer to use SSH instead of telnet for remote access. This is an unusual case since it applies to ISPs and other companies managing networks.
In the land of the blind, the one-eyed man is usually crucified.
Allowing encrypted communication with untrusted hosts is rather like meeting a stranger in a dark alley; whatever happens there, there won't be any witnesses.
What's the standard response to Republicans peeping at your internal files?
Drinking habits can be dangerous. You can choke on the cloth and the nuns will wonder where their clothes are.
I recently did a lot of work with various Booz-Allen contractors in the government, and I noticed that without fail every single team they had included at least one hot 25 year old girl. It was amazing, and when I talked to a guy who used to work there he confirmed that was pretty much the case. I know where I'll be looking when I hit the private sector.
I guess, since all security measures are ultimately subject to some sort of circumvention, that we should just not bother?
The point is to reduce exposure in cases where it cannot be completely removed. This limits the focus of where you need to manually apply the use logs, IDS's, leaps of inspiration, etc.
Forcing everyone out the same few, comparatively unusual gates is far better than leaving them all open.
This is not a standard, it is a GUIDE. The purpose of which is to help establish a framework to protect your network. Use it as the basis for your security procedure and extend it as necessary. Nowhere in the document does it say following the recommended procedures will make your network secure. But it damn well will help.
While you all give mad props to each other about how much you know and how silly this is, there really are thousands of admins and others who need to be told to scratch their ass with THIS finger. Whether it's institutional paranoia, fear or lack of knowledge, skill or training - most of the problems we experience out there are easily preventable if someone enforced it, someone audited it, someone got educated in it or someone was simply TOLD to do it.
It's interesting that Microsoft's security bug solution of "Just Don't Write Them" and "Don't Tell Anyone About It" was loudly ignored.
YARRA
Yet another right-wing Republican apologist
The more you make people go through things that don't appear to be gates, the less you can keep track of what is coming and going.
If you have SSH ports open, at least you can log the traffic. If you force users to rely on an HTTP application layer tunnel like HTTPort, then you'll never know what they are doing or where they are doing it.
This work from the NIST is better than nothing. Even if it makes some organizations' responses predictable, it is better than the predictability of total disarray. And it gives consistency to policy. Plus, once I've ploughed through the entire 148 pages, I'm sure I'll find at least the seeds of a "DIY" policy that requires organizations to figure it out for themselves, based on information and training, rather than just giving up, passing the buck, and getting 0wn3d.
--
make install -not war
That link is a redirect to goatse.cx
With the NIST releasing their new report, is there a "third party" agency that is doing any independent review of the suggestions in these reports/guides released by certain US govt agencies?
The ones that really interest me are the "Security Recommendation Guides" supposedly by that "Three Letter Agency"
--
Time is on my side
Like restrictive nations, one benefit of banning encrypted protocols and logging all traffic is that you do not need to know what the user is doing with the connection; just proving that they are using unapproved connectivity is sufficient to fire the offender.
As a related example, I've heard from Saudi visitors that the government run dialup ISPs will drop your session (not sure if they drop carrier, or just shun your IP address) the moment you try to bring up an encrypted session to a foreign destination.
No, this doesn't stop the spies, but it does discourage the average visitor from using encrypted sessions, and the log of attempts gives the defenders an idea of who might deserve closer scrutiny.
True, though latency on email (assuming inbound/outbound email is passed through a chain of SMTP relays, not just "permit TCP 25" packet filters) is high enough that it's not an effective way to tunnel IP traffic. I don't know about others, but I do traffic analysis on the raw volume of sessions and bytes in/out by source (by IP, by subnet, etc), and by the internet source/destination of the traffic. The average porn hound is going to be caught not by the nature of the HTTP sites he visits, but by the sudden spike in bandwidth, and the sudden increase in traffic to and from an internet destination not commonly seen.
There are exceptions, e.g. Google Image Search. OTOH, most of the porn hounds we fire are caught first by their poor job performance, any logs or evidence on their PC are just insurance against the former employee filing a "wrongful dismissal" lawsuit...
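The traffic analysis the comment above describes (per-source byte spikes and destinations not commonly seen), combined with the guide's suggestion of limiting outbound encrypted protocols and the NOC exemption for management SSH raised earlier in the thread, as an added example that is not code from the thread or from NIST. It assumes a constructed flow-record format, a hypothetical allowlist of approved external hosts, a hypothetical NOC subnet, and a spike threshold of five times the baseline daily mean.

```python
"""Flow-record triage: outbound encrypted-session policy check plus per-source
byte spikes and new destinations. Constructed example, not from the guide."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical policy (assumptions): ports to limit, approved external hosts,
# and a NOC subnet exempted for management SSH to routers.
ENCRYPTED_PORTS = {22: "ssh", 443: "https", 500: "ipsec-ike"}
APPROVED_DESTS = {"203.0.113.10"}          # e.g. the corporate VPN gateway
NOC_SUBNET = ip_network("10.0.9.0/24")     # engineers reaching routers
SPIKE_FACTOR = 5.0                         # today's bytes vs. baseline mean

# Constructed records: day src dst dport bytes (not real traffic).
SAMPLE_FLOWS = """
2004-02-02 10.0.1.20 198.51.100.5 80 120000
2004-02-02 10.0.1.20 203.0.113.10 443 20000
2004-02-03 10.0.1.20 198.51.100.5 80 110000
2004-02-02 10.0.9.7 192.0.2.1 22 4000
2004-02-03 10.0.9.7 192.0.2.1 22 3000
2004-02-04 10.0.1.20 198.51.100.5 80 100000
2004-02-04 10.0.1.20 192.0.2.77 443 900000
2004-02-04 10.0.1.20 192.0.2.77 22 5000
2004-02-04 10.0.9.7 192.0.2.1 22 3500
2004-02-04 10.0.1.20 203.0.113.10 443 20000
"""

def parse_flows(text):
    """Parse 'day src dst dport bytes' lines; skip blank lines and comments."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        day, src, dst, dport, nbytes = line.split()
        flows.append({"day": day, "src": src, "dst": dst,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def policy_findings(flows):
    """Outbound encrypted sessions to non-approved hosts (NOC SSH exempted)."""
    out = []
    for f in flows:
        name = ENCRYPTED_PORTS.get(f["dport"])
        if name is None or f["dst"] in APPROVED_DESTS:
            continue
        if name == "ssh" and ip_address(f["src"]) in NOC_SUBNET:
            continue
        out.append((f["day"], f["src"], f"{name} to {f['dst']}"))
    return out

def anomaly_findings(flows, today):
    """Per-source byte spike and new-destination checks against prior days."""
    daily = defaultdict(int)          # (src, day) -> bytes on baseline days
    base_dests = defaultdict(set)     # src -> destinations seen before today
    today_bytes = defaultdict(int)
    today_dests = defaultdict(set)
    for f in flows:
        if f["day"] == today:
            today_bytes[f["src"]] += f["bytes"]
            today_dests[f["src"]].add(f["dst"])
        else:
            daily[(f["src"], f["day"])] += f["bytes"]
            base_dests[f["src"]].add(f["dst"])
    history = defaultdict(list)       # src -> baseline daily totals
    for (src, _), total in daily.items():
        history[src].append(total)
    out = []
    for src, total in today_bytes.items():
        hist = history.get(src)
        if hist and total > SPIKE_FACTOR * (sum(hist) / len(hist)):
            out.append((src, "bandwidth spike", total))
        for dst in sorted(today_dests[src] - base_dests[src]):
            out.append((src, "new destination", dst))
    return out

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(policy_findings(flows), anomaly_findings(flows, "2004-02-04"))
```

With the constructed data, the workstation 10.0.1.20 is flagged twice by policy (HTTPS and SSH to an unapproved host) and twice by volume analysis, while the NOC host's SSH to the router is left alone.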
I do not deploy Linux. Ever.