General Sources

The following sources have both up-to-the-minute information and legacy information.

The Computer Emergency Response Team (CERT)

Computer Emergency Response Team (CERT) Coordination Center
Software Engineering Institute
Carnegie-Mellon University
Pittsburgh, PA 15213-3890
URL: http://www.cert.org

The Computer Emergency Response Team (CERT) was established in 1988, following the Morris Worm incident. Since then, CERT has issued hundreds of security advisories and has responded to more than 200,000 reports of Internet break-ins. CERT not only issues advisories whenever a new security vulnerability surfaces, but it also

- Remains on call 24 hours a day to provide vital technical advice to those who have suffered a break-in
- Uses its Web site to provide valuable security information, both new and old (including papers from the early 1980s)
- Publishes an annual report that can give you great insight into security statistics

There was a time when CERT did not publish information on a hole (a vulnerability) until after a fix had been developed. Opinion on this stance varied. Some felt it was counterproductive to advertise an exploit until it was fixed. On the other side of the fence were those who believed that, by the time the "white hat" community became aware of a vulnerability, the "black hat" cracking community was well aware of it and probably had been circulating information about it through their channels for some time. By not publishing the information right away, CERT was keeping the ethical hacking community unaware and vulnerable. In October 2000, CERT compromised by adopting a policy whereby it will issue an alert 45 days (in most cases) after its initial report, regardless of vendor action. Complete details on CERT's disclosure policy can be found on its Web site at http://www.cert.org/faq/vuldisclosurepolicy.html.

CERT advisories generally contain location URLs for patches and vendor-initiated information.
From these sites, you can download code or other tools that will help proof your system against the vulnerability. CERT is also a good starting place to check for older vulnerabilities. The database goes back to 1988.

Note: A bit of trivia: The first CERT advisory was issued in December 1988. It concerned a weakness in FTPD.

There are several sources where you can obtain CERT advisories, including

- The CERT mailing list. The CERT mailing list distributes CERT advisories and bulletins to members. To subscribe, send email to majordomo@cert.org and include "subscribe cert-advisory" in the body of the message. For more details about signing up, see http://www.cert.org/contact_cert/certmaillist.html.
- The CERT Web site. If you don't want to clog your email directory with advisories, you can still obtain them from the CERT Web site. To do so, point your browser to http://www.cert.org/nav/alerts.html.
- The CERT FTP site. If you don't have access to a browser, you can retrieve CERT advisories via FTP at ftp://ftp.cert.org/pub/.

The U.S. Department of Energy Computer Incident Advisory Capability

Computer Incident Advisory Capability (CIAC)
Computer Security Technology Center
Lawrence Livermore National Laboratory
7000 East Ave
P.O. Box 808
Livermore, CA 94550
URL: http://www.ciac.org/ciac

Computer Incident Advisory Capability (CIAC) was established in 1989. CIAC maintains a database of security-related material intended primarily for the U.S. Department of Energy. However, most information (and most tools) housed at CIAC is available to the public. The CIAC site is an excellent information source. Here are some CIAC resources available to you:

- CIAC virus database. This database contains specifications and descriptions for thousands of viruses. Listings include the virus filenames, aliases, types, features, disk locations, and effects. Often, additional information is available, including identifying information, checksums, and methods of detection and elimination.
- CIAC security bulletins. CIAC bulletins are very much like CERT advisories. They describe particular vulnerabilities and possible solutions. CIAC has a search engine, as well, so you can rake through past bulletins, looking for interesting information.
- CIAC security documents. CIAC has an interesting and ever-growing collection of security documents. Some are how-to in nature (for example, how to secure X Window), whereas others are informational (such as lists of security information links). Most are available in both plain text and PDF formats.
- CIAC tools. CIAC has links to excellent security tools, most of which are free. There are tools that support DOS/Windows 9x, NT/2000, UNIX, and Macintosh. Some are free only to government agencies and their contractors.

CIAC has a searchable archive of advisories and bulletins at http://www.ciac.org/cgi-bin/index/bulletins. Important information provided by CIAC to the public includes the following:

- Defense Data Network advisories
- CERT advisories
- NASA advisories
- A computer security journal by Chris McDonald

The National Institute of Standards and Technology Computer Security Resource Clearinghouse

Computer Security Resource Clearinghouse (CSRC)
National Institute of Standards and Technology (NIST)
Gaithersburg, MD 20899-0001
URL: http://csrc.nist.gov/

The NIST CSRC Web site offers a sizable list of publications, tools, pointers, organizations, and support services. In particular, the following resources are extremely helpful:

- NIST Information Technology Laboratory (ITL) computer security bulletins. Bulletins from ITL cover various topics of current interest. Although ITL documents seldom deal with specific vulnerabilities, they do apprise readers of the latest developments in security technology.
- CSRC drafts. CSRC drafts record important security research being conducted at NIST and elsewhere. These documents can help you define security plans and policy.
  (A sample title is User Guide for Developing and Evaluating Security Plans for Unclassified Federal Automated Information Systems. This document explains ways to develop and evaluate security plans.) In particular, CSRC has a multitude of documents that deal with security policy.
- The CSRC search engine. CSRC provides a search engine that links information from a wide range of agencies and resources.

The CSRC advisory page has links to other valuable references including the Federal Computer Incident Response Capability (FedCIRC), CERT, the National Infrastructure Protection Center (NIPC), and the Forum of Incident Response and Security Teams (FIRST). These sources provide up-to-the-minute warnings about various vulnerabilities. You can retrieve FedCIRC advisories (without visiting CSRC) by pointing your browser to http://www2.fedcirc.gov/alerts/advisories_2001.html.

The BUGTRAQ Archives

The BUGTRAQ archives contain all messages sent to the BUGTRAQ mailing list. The majority of these messages describe holes in the UNIX operating system. The site is of particular interest because it features a search mechanism that enables you to search based on platform (Sun, Linux, Microsoft), viruses, IDSs, advisories, and other topics. The BUGTRAQ list is an excellent resource because it isn't inundated with irrelevant information. The majority of posts are short and informative. Chris Chasin, the founder of BUGTRAQ, describes the list as follows:

This list is for *detailed* discussion of UNIX security holes: what they are, how to exploit, and what to do to fix them. This list is not intended to be about cracking systems or exploiting their vulnerabilities. It is about defining, recognizing, and preventing use of security holes and risks.

BUGTRAQ is probably the Internet's most valuable resource for online reporting of UNIX-based vulnerabilities.
There are more than 20 different mailing lists that focus on specific platforms and security issues, including forensics, security basics, VPNs, mobile code, and others. Visit it at http://www.securityfocus.com.

The Forum of Incident Response and Security Teams (FIRST)

FIRST is a coalition of many organizations, both public and private, that work to circulate Internet security information. Some FIRST members are

- DoE Computer Incident Advisory Capability (CIAC)
- NASA Automated Systems Incident Response Capability
- Purdue University Computer Emergency Response Team
- Stanford University Security Team
- IBM Emergency Response Service
- Australian Computer Emergency Response Team

FIRST exercises no centralized control. All members of the organization share information, but no one exercises control over any of the other components. FIRST maintains a list of links to all FIRST member teams with Web servers. Check out FIRST at http://www.first.org/team-info/.