List: bugtraq
Subject: [CERT-INFO#23917] Re: subscription request
From: "CERT Coordination Center (sm)" <cert () cert ! org>
Date: 1995-12-18 16:53:54
>
> Dear Ladies and Gentlemen,
> I'm a student (American Cultural Studies) at the LM University in Munich,
> Germany. At the moment I'm working on my doctoral thesis about "forms of
> crimes in cyberspace" and would be very thankful for information
> from/about your organization/magazine.
>
> Yours sincerely
>
> Thomas Baernthaler
>
> P.S. If possible please add me to your subscription/mailing list.
>
> Thank you very much
>
>
In response to your request for information, we have attached a copy of the
Frequently Asked Questions (FAQ) for the CERT Coordination Center. The FAQ
includes general information about our organization and answers to questions
we often receive. Additional information is available for anonymous FTP from
ftp://info.cert.org/pub/
and from other locations mentioned in the FAQ. We believe you will find the
information you need in the FAQ and these other sources.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
December 1995
Revision 10
JPO# pending
The CERT(sm) Coordination Center FAQ
=======================================================================
= Preface =
=======================================================================
This document is intended to answer the most Frequently Asked Questions (FAQs)
about the CERT Coordination Center. The FAQ is a dynamic document that will
change as information changes. Suggestions for additional sections are
welcome -- please email them to cert@cert.org. The most recent copy of this
FAQ is available from
ftp://info.cert.org/pub/
http://www.sei.cmu.edu/technology/cert.cc.html
Questions answered in this document
A. Introduction to the CERT Coordination Center
A1. What is the CERT Coordination Center?
A2. How do I contact the CERT Coordination Center?
A3. Where can I find online information about the CERT Coordination
Center?
A4. What's in the CERT Coordination Center name?
B. Where to go for information
B1. What is a CERT advisory?
B2. Where can I obtain archived CERT advisories?
B3. Can I obtain source code to a patch described in a CERT
advisory?
B4. What other alerts does the CERT Coordination Center publish?
B5. What mailing lists does the CERT Coordination Center offer?
B6. What information is available via anonymous FTP from the
CERT Coordination Center?
B7. What presentations, workshops, and seminars does the CERT
Coordination Center offer?
B8. Where can I get information about firewalls?
B9. Where can I get information about viruses?
B10. What other online information sources does the CERT Coordination
Center recommend?
B11. What books or articles does the CERT Coordination Center
recommend?
C. Incident Response
C1. What kind of information should I provide to the CERT
Coordination Center when my site has experienced an intrusion?
=======================================================================
= Section A. Introduction to the CERT Coordination Center =
=======================================================================
A1. What is the CERT Coordination Center?
The CERT Coordination Center is the organization that grew from the
computer emergency response team formed by the Defense Advanced
Research Projects Agency (DARPA) in November 1988 in response to the
needs exhibited during the Internet worm incident. The CERT charter
is to work with the Internet community to facilitate its response to
computer security events involving Internet hosts, to take proactive
steps to raise the community's awareness of computer security issues,
and to conduct research targeted at improving the security of existing
systems.
CERT products and services include 24-hour technical assistance for
responding to computer security incidents, product vulnerability
assistance, technical documents, and seminars. In addition, the team
maintains a number of mailing lists (including one for CERT
advisories) and provides an anonymous FTP server, info.cert.org, where
security-related documents, CERT advisories, and tools are archived.
A2. How do I contact the CERT Coordination Center?
U.S. mail address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
U.S.A.
Internet email address
cert@cert.org
Telephone number
+1 412-268-7090 (24-hour hotline)
CERT Coordination Center personnel answer the hotline from
8:30 a.m. to 5:00 p.m. EST (GMT-5)/EDT (GMT-4) and are on call for
emergencies during other hours.
FAX number
+1 412-268-6989
Warning: When sending sensitive information by email, please use
encryption. The CERT public PGP key is available from
ftp://info.cert.org/pub/CERT_PGP.key
If you prefer to use DES, please call the CERT hotline to
exchange DES keys over the phone.
A3. Where can I find online information about the CERT Coordination
Center?
Online information about our work, along with advisories, technical
tips, and other security information is available from
ftp://info.cert.org/pub/
http://www.sei.cmu.edu/technology/cert.cc.html
A4. What's in the CERT Coordination Center name?
Since its beginning in 1988, the CERT Coordination Center has acquired
its name through an evolutionary process. Because of this, you may see
the CERT Coordination Center referred to by several different names.
You may hear us called Computer Emergency Response Team,
or just CERT, but our proper name is the CERT Coordination Center.
CERT(sm) is a service mark of Carnegie Mellon University and should
not be expanded into an acronym definition or used as a stand-alone
noun.
The CERT email address has undergone a similar evolution. We use the
email address
cert@cert.org
Any references to
cert@cert.sei.cmu.edu
or
cert@sei.cmu.edu
should be changed to the current address, which is
cert@cert.org
=======================================================================
= Section B. Where To Go for Information =
=======================================================================
B1. What is a CERT advisory?
A CERT advisory is a document that provides information on how to
obtain a patch or details of a workaround for a known computer
security problem. The CERT Coordination Center works with vendors to
produce a workaround or a patch for a problem, and does not publish
vulnerability information until a workaround or a patch is available.
A CERT advisory may also be a warning to our constituency about
ongoing attacks (e.g., "CA-95:18.widespread.attacks").
CERT advisories are published on the USENET newsgroup
comp.security.announce
and are distributed via the cert-advisory mailing list. Both
publication methods are described below.
B2. Where can I obtain archived CERT advisories?
CERT advisories are available from
ftp://info.cert.org/pub/cert_advisories/
The CA-xx:xx.README file associated with each advisory contains updates
we receive after the advisory has been released.
The "01-README" file provides a short summary of each advisory.
At the following URL, you can search the advisory list as well as
link to the FTP archive.
http://www.sei.cmu.edu/technology/cert.cc.html
B3. Can I obtain source code to a patch described in a CERT advisory?
The CERT Coordination Center does not provide source-level patches.
Some vendors make source-level patches available to their source
customers while others only distribute binary patches. Contact your
vendor for more information.
B4. What other alerts does the CERT Coordination Center publish?
(a) CERT vendor-initiated bulletins
Vendor-initiated bulletins contain verbatim text from vendors about
a security problem relating to their products. They include enough
information for readers to determine whether the problem affects
them, along with steps readers can take to avoid problems. Our goal
in creating these bulletins is to help the vendors' security
information get wide distribution quickly.
CERT vendor-initiated bulletins are distributed the same way as CERT
advisories. They are sent to the cert-advisory mailing list and
posted to comp.security.announce. They are archived at
ftp://info.cert.org/pub/cert_bulletins/
(b) CERT Summary
The CERT Summary calls attention to the types of attacks currently
being reported to the CERT Coordination Center. The summary also
contains a list of new or updated files in our FTP archive.
Summaries are published 4-6 times a year. Like advisories and
vendor-initiated bulletins, they are sent to the cert-advisory
mailing list and posted to comp.security.announce. They are
archived at
ftp://info.cert.org/pub/cert_summaries/
B5. What mailing lists does the CERT Coordination Center offer?
(a) CERT advisory mailing list
The CERT Coordination Center maintains a mailing list for those
members of our constituency who do not have access to USENET news
or who would like to have advisories, bulletins, and the CERT
Summary mailed directly to them or to a mail exploder at their
site.
If you would like to be added to the CERT mailing list, please
send email to
cert-advisory-request@cert.org
You will receive confirmation mail when you have been placed on
the list.
(b) CERT tools mailing list
The purpose of this moderated mailing list is to encourage the
exchange of information on security tools and techniques. The list
should not be used for security problem reports.
Note that the CERT Coordination Center does not formally review,
evaluate, or endorse the tools and techniques described. The
decision to use a tool or technique is the responsibility of
each user or organization, and we encourage each organization to
thoroughly evaluate new tools and techniques before installing
or using them.
Membership is restricted to system programmers, system
administrators, and others with a legitimate interest in the
development of computer security tools. If you would like to be
considered for inclusion, please send mail to
cert-tools-request@cert.org
You will receive confirmation mail when you have been placed on
the list.
B6. What information is available via anonymous FTP from the CERT
Coordination Center?
The CERT Coordination Center has a variety of computer security
information available from ftp://info.cert.org/pub/
The 01-README file contains a short description of each directory, as
well as the files that are at the /pub level of the FTP area.
The file "ls-lR" lists the subdirectories and the files found in those
subdirectories. Examples of what you will find in the /pub directory
are listed below.
FIRST/
This directory contains contact information for members of the
Forum of Incident Response Teams (FIRST), listed according to the
constituency they serve. (Additional information on FIRST is
available from http://www.first.org/first.)
cert_advisories/
In this directory are all the CERT advisories released since the
CERT Coordination Center was established in December 1988. README
files associated with individual advisories contain updated
information and clarifications.
cert_bulletins/
This directory contains CERT vendor-initiated bulletins, which we
started publishing in late 1994. The bulletins include text written
by vendors about security problems and solutions related to their
platforms and systems.
ietf/
This directory contains the output of several Internet Engineering
Task Force (IETF) working groups. It includes the Site Security
Handbook (RFC 1244) and Guidelines for the Secure Operation of the
Internet (RFC 1281).
papers/
This directory contains postscript (.ps) versions of papers by Bill
Cheswick, Steve Bellovin, and others, along with the original
announcement of the cert-tools mailing list.
tech_tips/
This directory contains practical advice on topics such as
anonymous FTP configurations and packet filtering. It also contains
security checklists, which system administrators can use to assess
and improve the security of their sites.
tools/
This directory contains software packages such as COPS, Crack, and
Tripwire. It includes daemon wrappers, virus-detection programs, MD5,
and the text of RFC 1321.
whois_how_to
This file contains instructions for using the InterNIC whois databases
to find the point of contact for an Internet site.
B7. What presentations, workshops, and seminars does the CERT
Coordination Center offer?
(a) Presentations
Throughout the year, members of the CERT Coordination Center give
presentations at various technical conferences, seminars, and
regional networks. Periodically, special arrangements can be made
to tailor presentations to fit the requirements of the specific
site. For further information regarding presentations, please
contact the CERT Coordination Center. (Contact information
is in section A2.)
(b) Workshops
From 1989 to 1992 the CERT Coordination Center hosted and
co-sponsored the annual FIRST Workshop on Incident Handling. CERT
staff has continued to participate in subsequent workshops. For
further information about the FIRST Workshop on Incident Handling,
please contact the CERT Coordination Center or refer to
http://www.first.org/first/
(c) Seminars
(1) Internet Security for Managers
Description: This seminar helps managers understand what
needs to be done to ensure that their computer systems and
networks are as securely managed as possible when operating
within the Internet community. Attendees will be provided
with information that will enable them to formulate realistic
security policies, procedures, and programs specific to their
operating environment.
Audience: This seminar is designed for managers of computing
centers/facilities, individuals tasked to evaluate or initiate
Internet connectivity, senior system administrators, and others
interested in computer security within the Internet community.
(2) Internet Security for System and Network Administrators
Description: The information presented in this seminar is
based on incidents reported to the CERT Coordination Center.
Topics include fundamental security practices for UNIX system
administration, the latest information on network security, and
establishing an appropriate site security policy.
Audience: This seminar is designed for practitioners (UNIX
system and network administrators) who need to build and
maintain trustworthy network systems, for UNIX system
programmers, and for practitioners who evaluate or initiate
Internet connectivity. Some system administrator experience
is assumed.
B8. Where can I get information about firewalls?
(a) Firewalls mailing list
The Firewalls mailing list is a discussion forum for firewall
administrators and implementors. To subscribe to Firewalls, send
mail to
Majordomo@GreatCircle.COM
In the body of the message, put only
subscribe firewalls
(b) Firewalls digest
The Firewalls digest is a compilation of messages from the
Firewalls mailing list. To subscribe to the Firewalls digest, send
mail to
Majordomo@GreatCircle.COM
In the body of the message, put only
subscribe firewalls-digest
Compressed back issues are available from
ftp://FTP.GreatCircle.COM/pub/firewalls/digest/
B9. Where can I get information about viruses?
(a) VIRUS-L mailing list
VIRUS-L is a moderated mailing list with a focus on computer virus
issues. For more information, including a copy of the posting
guidelines, see
ftp://cs.ucr.edu/pub/virus-l/virus-l.README
To be added to the mailing list, send mail to
listserv@lehigh.edu
In the body of the message, put nothing more than
SUB VIRUS-L your name
The current archive site for virus-l is
ftp://cs.ucr.edu/pub/
This site contains digests of the mailing list, 1988-present.
In addition, there is a directory containing anti-virus tools.
Back digests of the virus-l mailing list 1988-1993 are also
available from
ftp://info.cert.org/pub/virus-l/
(b) comp.virus
The comp.virus newsgroup is a moderated newsgroup.
For more information, including a copy of the posting
guidelines, see
ftp://info.cert.org/pub/virus-l/virus-l.README
Note: The CERT Coordination Center focuses primarily on
vulnerabilities in networked systems that intruders can
exploit. Viruses, though they may be transmitted over a
network, are generally outside the current scope of our
work. However, we are interested in hearing reports of
UNIX or other mainframe viruses and about worms that could
propagate via the Internet.
B10. What other online information sources does the CERT Coordination
Center recommend?
(a) USENET newsgroups
The archive of FAQs for USENET groups can be a good source of
information. These FAQs are available from
http://www.cis.ohio-state.edu/hypertext/faq/usenet/FAQ-List.html
Among the security related newsgroups are the following:
(1) comp.security.announce
The comp.security.announce newsgroup is moderated and is used
solely for the distribution of CERT advisories, CERT
vendor-initiated bulletins, and the CERT Summary.
(2) comp.security.misc
The comp.security.misc newsgroup is a forum for the
discussion of computer security, especially as it relates
to the UNIX operating system.
(3) alt.security
The alt.security newsgroup is also a forum for the
discussion of computer security, as well as other security
topics (such as car locks and alarm systems).
(4) comp.virus
The comp.virus newsgroup is a moderated newsgroup with
a focus on computer virus issues.
(5) comp.risks
The comp.risks newsgroup is a moderated forum on the
risks to the public in computers and related systems.
(b) Mailing lists
A list of publicly accessible mailing lists is available from
http://www.neosoft.com/internet/paml/
(c) NIST (National Institute of Standards and Technology) Computer
Security Bulletin Board
Information posted on the bboard includes an events calendar,
software reviews, publications, bibliographies, lists of
organizations, and other government bulletin board numbers. This
bboard contains no sensitive (unclassified or classified)
information.
If you have any questions, contact NIST by phone at
301-975-3359; by FAX at 301-590-0932; or by email at
csrc@csrc.ncsl.nist.gov.
NIST also has a web site at
http://cs-www.ncsl.nist.gov
(d) Web pages
New information is constantly being made available online,
particularly on the World Wide Web. If you have access to a
web browser or other search engine, we urge you to query for
security-related topics.
B11. What books or articles does the CERT Coordination Center
recommend?
[Bishop 87] Bishop, Matt. "How to Write a Setuid Program."
;login: 12, 1 (Jan/Feb 1987): 5-12.
[Cheswick 94] Cheswick, William R.; Bellovin, Steven M.
Firewalls and Internet Security: Repelling the Wily
Hacker. New York: Addison-Wesley Publishing Company,
1994.
[Curry 90] Curry, Dave. "Improving the Security of Your
UNIX System" (Technical Report ITSTD-721-FR-90-21).
Menlo Park, CA: SRI International, April 1990.
[Curry 92] Curry, David A. UNIX System Security: A Guide for
Users and System Administrators. Reading, MA:
Addison-Wesley Publishing Co., Inc., 1992.
(ISBN 0-201-56327-4)
[Denning 90] Denning, Peter J., ed. Computers Under Attack:
Intruders, Worms, and Viruses. ACM Press, New York:
Addison-Wesley Publishing Company, Inc., 1990.
(ISBN 0-201-53067-8)
[Ellis 94] Ellis, Jim; Fraser, Barbara; Pesante, Linda. "Keeping
Internet Intruders Away." UNIX Review 12, 9 (September
1994): 35-44.
[Farrow 91] Farrow, Rik. How to Protect Your Data and Prevent
Intruders: UNIX System Security. Reading, MA:
Addison-Wesley Publishing Company, Inc., 1991.
(ISBN 0-201-57030-0)
[Fithen 94] Fithen, Katherine; Fraser, Barbara. "CERT Incident
Response and the Internet." Communications of the ACM
37, 8 (August 1994): 108-113.
[Garfinkel and Spafford 91]
Garfinkel, Simson; Spafford, Gene. Practical UNIX
Security. Sebastopol, CA: O'Reilly & Associates, Inc.,
[1994] c1991. (ISBN 0-937175-72-2)
[Grampp and Morris 84]
Grampp, F.T.; Morris, R.H. "UNIX Operating System
Security." AT&T Bell Laboratories Technical Journal 63, 8
(Oct 1984): 1649-1672.
[Hafner and Markoff 91]
Hafner, Katie; Markoff, John. Cyberpunk: Outlaws
and Hackers on the Computer Frontier. New York:
Simon & Schuster, 1991.
[Morris and Thompson 79]
Morris, R.; Thompson, K. "Password Security:
A Case History." Communications of the ACM 22, 11
(November 1979): 594-597.
[Nemeth, Snyder, and Seebass 89]
Nemeth, Evi; Snyder, Garth; Seebass, Scott.
UNIX System Administration Handbook. Englewood
Cliffs, NJ: Prentice Hall, 1989. (ISBN 0-13-933441-6)
[Stoll 89] Stoll, Clifford. The Cuckoo's Egg: Tracking a
Spy Through the Maze of Computer Espionage.
New York, NY: Doubleday, 1989. (ISBN 0-385-24946-2)
[Wood and Kochan 86]
Wood, Patrick; Kochan, Stephen. UNIX System
Security. Hasbrouck Heights, NJ: Hayden Books, 1986.
=======================================================================
= Section C. Incident Response =
=======================================================================
C1. What kind of information should I provide to the CERT Coordination
Center when my site has experienced an intrusion?
The CERT Coordination Center would like as much information as
possible, including opinions and thoughts as to how the break-in
occurred. Some specifics include:
1) names of host(s) compromised at your site
2) account name(s) compromised
3) architecture and OS (operating system and revision)
of compromised host(s)
4) whether or not security patches have been applied
to the compromised host(s); if so, were patches
applied before or after the intrusion
5) other host(s)/site(s) involved in the intrusion and
whether or not you have already contacted those
site(s) about the intrusion
6) if other site(s) have been contacted, the contact
information used for contacting the site(s)
involved
7) if CERT staff members are to contact the other site(s),
may we give the other sites your contact information
(i.e., your name, email address, and phone number)
8) whether or not any law enforcement agencies have
been contacted
9) appropriate log extracts (including timestamps)
10) what assistance you would like from the CERT
Coordination Center
Incident reporting form
The CERT staff has developed an incident reporting form in an effort
to facilitate our interaction with members of the Internet community.
Note that our policy is to keep confidential any information you
provide unless we receive your permission to release that information.
The form is located at
ftp://info.cert.org/pub/incident.reporting.form
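As an added illustration of the "appropriate log extracts (including
timestamps)" item above, the following Python script is not part of the
CERT FAQ or of the CERT incident reporting form. It assembles the checklist
items into a plain-text report and pulls the log lines for the compromised
hosts inside the incident window. Classic syslog timestamps carry neither a
year nor a time zone, so each extracted line is prefixed with an unambiguous
UTC timestamp, and lines that cannot be timestamped are listed rather than
silently dropped. The host names, log lines, and incident window are
constructed sample data; the report field names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample syslog-style lines (not real data). Classic syslog
# timestamps omit the year, so the caller must supply it.
SAMPLE_LOG = """\
Dec 17 22:58:01 alpha login: ROOT LOGIN ON ttyp3 FROM evil.example.net
Dec 17 23:01:15 alpha su: 'su root' succeeded for guest on /dev/ttyp3
Dec 17 23:02:40 beta sendmail[212]: accepted connection from alpha
Dec 17 23:05:09 gamma ftpd[301]: ANONYMOUS FTP LOGIN FROM 192.0.2.7
Dec 18 00:10:00 alpha inetd[88]: /usr/etc/tcpd: connect from evil.example.net
corrupted line without a timestamp
"""

# Constructed incident window (UTC); in practice taken from the first and
# last suspicious events found during triage.
WINDOW_START = datetime(1995, 12, 17, 22, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(1995, 12, 17, 23, 59, 59, tzinfo=timezone.utc)

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_syslog_line(line, year, tz=timezone.utc):
    """Return (datetime, host, message), or None if the line has no usable timestamp."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=tz), m["host"], m["msg"]


def extract_log_lines(log_text, hosts, start, end, year):
    """Keep lines from the named hosts inside [start, end].

    Each kept line is prefixed with an ISO-8601 UTC timestamp so the extract
    is unambiguous to a reader in another time zone. Non-empty lines without a
    parseable timestamp are returned separately so they are not lost.
    """
    kept, untimestamped = [], []
    for line in log_text.splitlines():
        parsed = parse_syslog_line(line, year)
        if parsed is None:
            if line.strip():
                untimestamped.append(line)
            continue
        ts, host, _ = parsed
        if host in hosts and start <= ts <= end:
            kept.append(f"{ts.isoformat()} {line}")
    return kept, untimestamped


# Field keys are this example's own; labels follow the checklist in C1.
REPORT_ITEMS = [
    ("hosts_compromised", "Compromised host(s)"),
    ("accounts_compromised", "Compromised account(s)"),
    ("platform", "Architecture and OS revision of compromised host(s)"),
    ("patches", "Security patches applied (before/after the intrusion)"),
    ("other_sites", "Other host(s)/site(s) involved, and whether contacted"),
    ("other_site_contacts", "Contact information used for the other site(s)"),
    ("may_share_contact", "May CERT/CC pass your contact details to other sites"),
    ("law_enforcement", "Law enforcement agencies contacted"),
    ("assistance", "Assistance requested from CERT/CC"),
]


def build_report(fields, extracts, untimestamped):
    """Render the checklist answers and the log extracts as plain text."""
    lines = ["Incident report (constructed example)"]
    for key, label in REPORT_ITEMS:
        lines.append(f"{label}: {fields.get(key, 'unknown')}")
    lines.append(f"Log extracts ({len(extracts)} lines, timestamps normalised to UTC):")
    lines.extend("  " + e for e in extracts)
    if untimestamped:
        lines.append(f"Lines dropped for lack of a timestamp ({len(untimestamped)}):")
        lines.extend("  " + u for u in untimestamped)
    return "\n".join(lines)


if __name__ == "__main__":
    kept, dropped = extract_log_lines(
        SAMPLE_LOG, {"alpha", "beta"}, WINDOW_START, WINDOW_END, year=1995
    )
    print(build_report({
        "hosts_compromised": "alpha, beta",
        "accounts_compromised": "root, guest",
        "platform": "constructed example: SunOS 4.1.x on Sun-4",
        "patches": "unknown",
        "other_sites": "evil.example.net (not yet contacted)",
        "may_share_contact": "yes",
        "law_enforcement": "no",
        "assistance": "help contacting the other site",
    }, kept, dropped))
```

The window filter deliberately excludes the alpha line from Dec 18, which
falls after the end of the window; widen WINDOW_END if later activity on the
same host turns out to be related.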
Copyright 1995 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.
CERT is a service mark of Carnegie Mellon University.
The CERT Coordination Center is sponsored by the Advanced Research Projects
Agency (ARPA). The Software Engineering Institute is sponsored by the U.S.
Department of Defense.