Educause Security Discussion mailing list archives

vetted operations discussion list [was Re: Fwd: URGENT: bot net with keylogger]


From: Doug Pearson <dodpears () INDIANA EDU>
Date: Wed, 14 Apr 2004 10:00:21 -0500

Good point regarding the need to confine operational discussion of incidents to a vetted community. The REN-ISAC is 
near to offering an option for that sort of forum based around a Cybersecurity Registry for Higher Education. The idea 
behind the Registry is to establish a database of contact and network information for cybersecurity in higher 
education. The primary registration at an institution will be kicked off by the CIO, IT Security Officer or equivalent. 
That registration would be manually vetted by the REN-ISAC. The primary registrant then assigns delegates. Rich contact 
information, e.g. cell, pager, home, and SMS numbers, and public key are solicited of the primary and delegate 
registrants. Designation of a 24x7 contact is requested. Site information collected includes URL for the institution's 
security web pages and information regarding network blocks owned by the institution.

Access to the Registry contents will be open to all individuals who are members of the trusted circle established by 
the Registry, to REN-ISAC for communications regarding incidents, and with case-by-case permissions the REN-ISAC can 
serve to direct queries for contacts made by entities outside the trusted circle, e.g. ISPs, law enforcement, etc.

In addition, registrants will have the option to join two mailing lists: (1) general cybersecurity news, and (2) a 
listserv for the purpose of operational discussion of incidents. Both lists will be naturally vetted according to the 
processes of the Registry.

We're just about to put the web-based Registry process out to a pilot group. The actual release date will depend on how 
many changes are identified out of that pilot - but we're aiming for the beginning of May.

Comments are welcome!


Regards,

Doug Pearson
Research and Education Networking ISAC
http://www.ren-isac.net
Watch Desk 24x7: +1(317)278-6630




At 04:24 PM 4/13/2004 -0700, Eli Dart wrote:

In reply to "Dave Monnier, IT Security Office, Indiana University" <dmonnier () IU EDU> :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gary Flynn wrote:


I hope I didn't ruin somebody's investigation by posting that
site info. I thought it might be important for people to
know to block that site. I'm seeing incoming IM messages
carrying that link on an ongoing basis now. It's hard to
know when to keep quiet about sources and details to aid
law enforcement and when to post information that may keep
more machines from being compromised.

I hadn't disclosed that information publicly to the list because at the
moment it is the only static piece of intelligence on the botnet.  We've
shut the botnet down 3 times now already and "itr"'s determination at
keeping the network alive by changing IRC networks was what prompted
that decision.  We'll have to hope "itr" doesn't subscribe to EDUCAUSE-sec.

Hmmm....if this list is going to be used for real-time (or
quasi-real-time) discussion of operational security issues and
incidents, subscriptions _must_ be vetted.  Otherwise, the attackers
will be able to see what you do as you do it.  If they can't now,
it's only a matter of time till they figure it out.

Not sure what the criteria should be for subscription (I2 member?
Connected to I2?  R&E Network infrastructure?).....  I only fit into
the last category (NERSC networking and security -- NERSC is a DOE
entity, but having cross-pollination is a Good Thing in my book).

Anyway, I could be off in left hyperspace here, but Gary's comment
made me think the issue worth raising....

               --eli




**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

--

Doug Pearson; Indiana University; dodpears () indiana edu
Phone: 812-855-3846; ViDeNet: 0018128553846
PGP: http://mypage.iu.edu/~dodpears/dodpears_pubkey.asc
