IWS - The Information Warfare Site
NIPC - A Failure To Communicate

Richard Forno

Essay #2000-06

2 September 2000

Once again, NIPC has stepped all over themselves and provided us in the security community (i.e., those of us with a clue about Internet operations) with a late-in-the-week yukk heading into the Labor Day weekend.

This past Thursday morning started with a bang. As director of security for a major 'net company, I received early-morning voicemail messages from professional colleagues telling me to check my inbox for the latest security vulnerability from the National Infrastructure Protection Center. NIPC is located within the FBI and is the organization charged with cyber-security matters within the Department of Justice. Thinking it was something akin to a DNS attack or some significant attack against our 'net infrastructure, I scrambled to a vacant NOC console to check my e-mail and see what the brouhaha was about.

Much to my surprise, the NIPC alert page being referred to by my associates read, IN ITS ENTIRETY:

(NIPC Text In Bold)

Philippines Alert
Issued 09/01/2000

It has been reported that a new virus has spread in the Philippines.

That was it. No technical details, no virus signature information, no description of what it was or how it propagated. My first thought was that it was a sexually-transmitted virus that was previously undiscovered in that part of the Pacific rim, and I therefore made a mental note to check my immunization records with my doctor at the next opportunity. This was a typical FBI-approved-for-release document that was of no value to anyone. If you think I'm kidding, check out this screen shot from the NIPC homepage last Thursday.

Anyway, after I stopped laughing long enough to think clearly (and tell my NOC folks that I wasn't having a seizure) I called NIPC's watch center to see if this was a mistake. In all seriousness, it wouldn't be the first time that a government document was rushed out the door half-baked. Maybe it was a mistake?

The agent manning the phone was more than understanding of my concern. After identifying myself, I told her that the ALERT mentioned above was utterly useless to anyone, and that they (NIPC) were once again being laughed at by the private sector for providing such incomplete information as a "source" for security information. According to the agent, there was some discussion about whether or not to release the advisory as shown above, but the decision was made to do so anyway. (Can anyone say "damn the torpedoes?")

About two hours later that day, I revisited the NIPC site to see if there was anything new posted regarding that ALERT. Instead of the one-liner shown above, I saw:

(NIPC Text In Bold)

September 1, 2000

Philippines Trojan Horse

On September 1, 2000, the NIPC Watch Office received notification that a Trojan horse was reported in the wild. This Trojan horse is spread as an e-mail attachment with the President of the Philippines Joseph Estrada's nickname ("erap estrada") in the subject line. Once the attachment is opened the DonaldD.trojan is executed and can be exploited to collect user names and passwords from the victim. Currently, the Trojan horse is proliferating mainly in the Philippines and is considered a low threat to the United States by the anti-virus industry. Commercial anti-virus software that is updated in accordance with the anti-virus industry's recommendations will detect the DonaldD.trojan.

The second notice shown above is substantially better than the first alert that NIPC ran with. Personally, I think the second note is a more appropriate first alert type of advisory, but that is just personal preference.

One thing NIPC puts out is the very well-organized bi-weekly CyberNotes that summarizes major exploits and vulnerabilities. I honestly love this report and commend it to others to read regularly. They also publish other stuff and have it available on their website for the public. The day after this alert was posted, I revisited the NIPC website, where I have their Warnings pages bookmarked for easy reference. I looked under Alerts and Advisories for the Philippines Trojan information, but it was nowhere to be found. Yet, when I went to the NIPC home page, there it was, listed as a "Press Release" on their home page! So, although I bookmarked where NIPC tells us securityfolk to reference their Alerts and Advisories, they don't follow their own website design rules and put the information where they tell visitors to go look!

NIPC also puts out Alerts, Advisories, and Assessments as well as Press Releases. It may mean something at FBI Headquarters at 10th and Pennsylvania Avenues NW in Washington, but in the 'net security community, breaking information about a new attack, vulnerability, or exploit would be considered an ALERT, not a "Press Release." (If that's the case, news outlets should monitor NIPC's "Alerts" and "Assessments" pages for information on Congressional testimonies, staff changes, and related information.) Almost three years into existence and they still haven't got their information distribution system (i.e., the method used to distribute alerts and information) organized yet.

Remember that during NIPC's formative months in 1998-99, it released an advisory about the 'Budweiser Frogs' that referenced the virus hoax the security community knew about for months beforehand. This was the same agency that - during the RingZero Trojan event of 1999 - published an alert/advisory that included the wrong technical information on how to identify systems compromised by that trojan....NIPC provided one set of TCP ports, SANS.ORG and the rest of the net community provided another, and the Trojan was found living on the SANS-provided ports, not the ones in the NIPC release.

Some of these faux pas can be explained as "growing pains" by any new organization, and I will acknowledge that NIPC has had its fair share of growing pains since its birth in 1998. However, this is almost three years later....and in Internet time, that is an eternity. If they're still having these problems, what does that tell us securityfolk in the private sector about NIPC's true capabilities as a peer partner in the cyber-security arena?

NIPC also has contractors from the Washington Beltway - MITRE and others to name a few - that provide technical support to their operations. It was because of a contract clause by its vendor that prevented the source code for the NIPC trinoo detector from being released to the net community for review. By now, one would hope that NIPC (and perhaps more importantly, the FBI) would wake up and realize that the 'net security community does NOT TRUST CLOSED-SOURCE OR PROPRIETARY PRODUCTS. Unfortunately, that does not seem to be the case.

As alluded to above, the 'net security community operates on two key precepts - the idea of "trust" between organizations and the concept of "total disclosure" regarding technical security information. It does nobody any good to hear an alert that reads "someone, somewhere, is doing something bad, perhaps against you, at some time down the road." NIPC is supposed to be the US Government's vaunted Guardians of Cyberspace and Prosecutors of Online Varmints. A truly noble charter, and a much-needed capability in today's online world. However, as long as it continues on its track of providing information that is not timely or useful, they will never be considered an "authority" in cyber-security areas. The organization must re-evaluate its information-distribution process away from the traditional FBI model of "we've got, but don't ask to see" to one of "we've got, can you confirm or deny?" that is synonymous with today's 'net security dialogues.

For example, it's well-known that computer security mailing lists and IRC are the first signs and analysis of new security issues. We know that security vendors (hardware, software, anti-virus) actively monitor and some openly interact with others in such forums to more closely examine security problems. When necessary, the vendor(s) publish alerts and advisories through as many ways as practical to get the word out on the problem affecting their products. Subsequently, more often than not, news media run stories discussing the problem and associated solution. Note that nowhere in this process did I mention someone releasing an alert but withholding more technical information than it releases to the security community for review.

That process WORKS and WORKS WELL.

NIPC would be wise to learn from the 'net security community the most effective and acceptable methods of information exchange regarding security information. Only when it drops its elitist, Holier-Than-Thou ego and bellies up to the bar to interact with the security vendors, consultancies, and specialists in an open, trusted, forum, will NIPC truly be considered a credible government cyber-security organization worthy of our support and trust.

And, just to be on the safe side, I'm going to check my immunizations on Tuesday. Just in case I have to visit the Philippines anytime soon.

(c) 2000 by Richard Forno. All Rights Reserved.