NIPC - A Failure To Communicate
2 September 2000
Once again, NIPC has stepped all over themselves and provided us
in the security community (i.e., those of us with a clue about Internet
operations) with a late-in-the-week yukk heading into the Labor
This past Thursday morning started with a bang. As director of
security for a major 'net company, I received early-morning voicemail
messages from professional colleagues telling me to check my inbox
for the latest security vulnerability from the National
Infrastructure Protection Center. NIPC is located within the
FBI and is the organization charged with cyber-security matters
within the Department of Justice. Thinking it was something akin
to a DNS attack or some significant attack against our 'net
infrastructure, I scrambled to a vacant NOC console to check my
e-mail and see what the brouhaha was about.
Much to my surprise, the NIPC alert page being referred to by my
associates read, IN ITS ENTIRETY:
(NIPC Text In Bold)
It has been reported that a new virus has spread in the Philippines.
That was it. No technical details, no virus signature information,
no description of what it was or how it propagated. My first thought
was that it was a sexually-transmitted virus that was previously
undiscovered in that part of the Pacific rim, and I therefore made
a mental note to check my immunization records with my doctor at
the next opportunity. This was a typical FBI-approved-for-release
document that was of no value to anyone. If you think I'm kidding,
check out this screen shot from the NIPC
homepage last Thursday.
Anyway, after I stopped laughing long enough to think clearly (and
tell my NOC folks that I wasn't having a seizure) I called
NIPC's watch center to see if this was a mistake. In all seriousness,
it wouldn't be the first time that a government document
was rushed out the door half-baked. Maybe it was a mistake?
The agent manning the phone was more than understanding of my concern.
After identifying myself, I told her that the ALERT mentioned above
was utterly useless to anyone, and that they (NIPC) were once again
being laughed at by the private sector for providing such incomplete
information as a "source" for security information. According to
the agent, there was some discussion about whether or not to release
the advisory as shown above, but the decision was made to do so
anyway. (Can anyone say "damn the torpedoes?")
About two hours later that day, I revisited the NIPC site to see
if there was anything new posted regarding that ALERT. Instead of
the one-liner shown above, I saw:
(NIPC Text In Bold)
FOR IMMEDIATE RELEASE
September 1, 2000
Philippines Trojan Horse
On September 1, 2000, the NIPC Watch Office received notification
that a Trojan horse was reported in the wild. This Trojan horse
is spread as an e-mail attachment with the President of the Philippines
Joseph Estrada's nickname ("erap estrada") in the subject line.
Once the attachment is opened the DonaldD.trojan is executed and
can be exploited to collect user names and passwords from the victim.
Currently, the Trojan horse is proliferating mainly in the Philippines
and is considered a low threat to the United States by the anti-virus
industry. Commercial anti-virus software that is updated in accordance
with the anti-virus industry's recommendations will detect the DonaldD.trojan.
The second notice shown above is substantially better than the
first alert that NIPC ran with. Personally, I think the second
note is a more appropriate first alert type of advisory, but that
is just personal preference.
NIPC puts out is the very well-organized bi-weekly CyberNotes that
summarizes major exploits and vulnerabilities. I honestly love this
report and commend it to others to read regularly. They also publish
other stuff and have it available on their website for the public.
The day after this alert was posted, I revisited the NIPC website,
where I have their Warnings pages bookmarked for easy reference.
I looked under Alerts and Advisories for the Philippines Trojan
information, but it was nowhere to be found. Yet, when I went to
the NIPC home page, there it was, listed as a "Press Release" on
their home page! So, although I bookmarked where NIPC tells us security folk
to reference their Alerts and Advisories, they don't follow their
own website design rules and put the information where they tell
visitors to go look!
NIPC also puts out Alerts, Advisories, and Assessments as well
as Press Releases. It may mean something at FBI Headquarters at
10th and Pennsylvania Avenues NW in Washington, but in the 'net
security community, breaking information about a new attack, vulnerability,
or exploit would be considered an ALERT, not a "Press Release."
(If that's the case, news outlets should monitor NIPC's "Alerts"
and "Assessments" pages for information on Congressional testimonies,
staff changes, and related information.) Almost three years into
existence and they still haven't got their information distribution
system (i.e., the method used to distribute alerts and information)
Remember that during NIPC's formative months in 1998-99, it released
an advisory about the 'Budweiser Frogs' that referenced the virus
hoax the security community knew about for months beforehand. This
was the same agency that - during the RingZero Trojan event of 1999
- published an alert/advisory that included the wrong technical
information on how to identify systems compromised by that Trojan. NIPC
provided one set of TCP ports, SANS.ORG and the rest of the net
community provided another, and the Trojan was found living on the
SANS-provided ports, not the ones in the NIPC release.
Some of these faux pas can be explained as "growing pains" by
any new organization, and I will acknowledge that NIPC has had its
fair share of growing pains since its birth in 1998. However, this
is almost three years later, and in Internet time, that is an
eternity. If they're still having these problems, what does that
tell us security folk in the private sector about NIPC's true capabilities
as a peer partner in the cyber-security arena?
NIPC also has contractors from the Washington Beltway - MITRE and
others to name a few - that provide technical support to their operations.
A contract clause from one of those vendors prevented
the source code for the NIPC trinoo detector from being released
to the 'net community for review. By now, one would hope that NIPC
(and perhaps more importantly, the FBI) would wake up and realize
that the 'net security community does NOT TRUST CLOSED-SOURCE
OR PROPRIETARY PRODUCTS. Unfortunately, that does not seem
to be the case.
As alluded to above, the 'net security community operates on two
key precepts - the idea of "trust" between organizations and the
concept of "total disclosure" regarding technical security information.
It does nobody any good to hear an alert that reads "someone, somewhere,
is doing something bad, perhaps against you, at some time down the
road." NIPC is supposed to be the US Government's vaunted
Guardians of Cyberspace and Prosecutors of Online Varmints.
A truly noble charter, and a much-needed capability in today's
online world. However, as long as it continues on its track of providing
information that is not timely or useful, they will never be considered
an "authority" in cyber-security areas. The organization must re-evaluate
its information-distribution process away from the traditional FBI
model of "we've got, but don't ask to see" to one of "we've got,
can you confirm or deny?" that is synonymous with today's 'net security
For example, it's well known that computer security mailing lists
and IRC are where the first signs and analysis of new security issues appear.
We know that security vendors (hardware, software, anti-virus) actively
monitor such forums, and some openly interact with others there to more
closely examine security problems. When necessary, the vendor(s)
publish alerts and advisories through as many ways as practical
to get the word out on the problem affecting their products. Subsequently,
more often than not, news media run stories discussing the problem
and associated solution. Note that nowhere in this process did I
mention someone releasing an alert but withholding more technical
information than it releases to the security community for review.
That process WORKS and WORKS WELL.
NIPC would be wise to learn from the 'net security community the
most effective and acceptable methods of information exchange regarding
security information. Only when it drops its elitist, Holier-Than-Thou
ego and bellies up to the bar to interact with the security vendors,
consultancies, and specialists in an open, trusted, forum, will
NIPC truly be considered a credible government cyber-security organization
worthy of our support and trust.
And, just to be on the safe side, I'm going to check my immunizations
on Tuesday. Just in case I have to visit the Philippines anytime
(c) 2000 by Richard Forno. All Rights Reserved.