Homeland Security Alert System

Is anyone running an automated Terror Alert system that's
real time with the DHS?

-M

Yes.

But, until elections 2004, the "FUD" field is hardcoded to "High".

However, if there are changes to the -=actual=- dhs.gov status,
it sends out an automatic Amazon.Com order for
Hip Boots for all members of the list.

Would you like to subscribe to the notification list ?

[ snip ]

>Is anyone running an automated Terror Alert system that's
>real time with the DHS?

Ok, that was interesting. :)

The diving thing is my fun stuff. I'm actually working in
Security. :)

I was writing a little tool that scanned their page for the alert
image name change, but that's subject to them making changes to
their site and the images are multi layer graphics, etc. etc.

I'm going to call them and see if they can offer
a place to poll something simple that we can trip
changes off in the NOC.

If anyone does have some insight into anything they are
doing, or a good contact number for the DHS website, please
ping me in email and I'll follow up if I find something
or get them to do something.

-M

"People who bought HIP BOOTS also shopped for:
* Duct Tape
* Jack Daniels
* Def Leppard CD's
* Clean Underwear"

on-topic: I use a plug-in for my NMS that looks for abnormalities in the
load times of various popular sites. (it's helped me spot routing problems
more than once). Looking back at historical data, all the news-related ones
show a clear change immediately after events like the Columbia disaster. I
was not using the same system on 9/11 so I don't know how quickly one would
have spotted an abnormality.

All of this begs the question, what specifically would you do if the alert
level went to red or yellow? Would you broadcast the change to customers,
place disaster recovery teams on stand-by or stand-down, implement an
expanded ACL, etc.? Seriously, I'm interested in a response to this.
Regarding your suggestion of a simple place to poll, I can probably get this
implemented if there is sufficient interest. I'm reviewing response plans
from others now. If you care to provide them, I'd be interested in comparing
them.

John S. Maddaus
Veridian

Ok,

What we really need is something like what NOAA has for space weather:
  http://www.maj.com/sun/noaa.html
Currently, the weather is "active and unsettled"...

Eric :)

CNN (or Fox, MSNBC, etc) news satellite feed (for national alerts)

Radio Shack National Weather Service Alert radio (for local alerts)

Individual states have other alert systems. For example, California
has EDIS, Oklahoma and Florida have their own systems.

When the alert level was raised from Yellow to Orange, the DHS web site
was updated long after all the 24-hour news networks were running
scrolls across the bottom of the screen announcing the upcoming press
conference about the change.

But what would you do with the information?

Hey - I have a Def Leppard CD and MP3 collection that I am VERY proud of!!!

Regarding the HLS thing, could you not just do a simple automated
screenscrape of the DHS website and then flag an alert if the code for the
alert changed from one scrape to another?

And no, even though I'm in DC, I don't own a pair of hip-boots.

-Rick,
who submitted the HLAS Scheme as "Stupid Security Scheme" last week

Let the noc know what’s up so they can be more vigilant based on the threat level.
Perhaps even use different sets of ACL’s on the edge, etc. It could also be used
to explain an unexpected surge in traffic, calls, or other things. Ever look at some traffic stats and see a major surge and want to make sure you understand why?

I’d take it serious and consider NBC as well as “cyberAttacks”.

> But what would you do with the information?
>
> Let the noc know what's up so they can be more vigilant based on the
> threat level.

I'm not trying to be sarcastic, because lots of people have been going
through these same conversations.

"Threat level" is different from an attack.

Isn't your NOC normally vigilant? If the DHS lowered the threat level to
"Green" would you stop monitoring your network just because the government
says there is no more threat? Do you have more or fewer people on duty in
your NOC as the government threat level goes up or down watching the big
TV screens?

> Perhaps even use different sets of ACL's on the edge, etc. It could also
> be used
> to explain an unexpected surge in traffic, calls, or other things. Ever
> look at some traffic stats and see a major surge and want to make sure
> you understand why?

Again wouldn't you also do all of these things "normally?" If an ACL is a
good idea at "Orange" wouldn't you protect your network with those ACL's
when the level is "Yellow." Or would you remove those ACL's when the
threat level is reduced. How would you explain to your management when
you are hacked at level "Yellow" you had better ACL's, but you only used
the good ACL's at level "Orange."

> I'd take it serious and consider NBC as well as "cyberAttacks".

Secretary Ridge has said to keep the plastic sheets and duct tape in
storage. Don't start sealing your house (or NOC) yet. The FEMA/Red Cross
preparedness recommendations are a good idea irregardless of the alert
level.

Okay, I'll bite...

> Isn't your NOC normally vigilant?

Of course.

> > Perhaps even use different sets of ACL's on the edge, etc. It could also
> > be used
> > to explain an unexpected surge in traffic, calls, or other things. Ever
> > look at some traffic stats and see a major surge and want to make sure
> > you understand why?
>
> Again wouldn't you also do all of these things "normally?" If an ACL is a
> good idea at "Orange" wouldn't you protect your network with those ACL's
> when the level is "Yellow." Or would you remove those ACL's when the
> threat level is reduced. How would you explain to your management when
> you are hacked at level "Yellow" you had better ACL's, but you only used
> the good ACL's at level "Orange."

Well, an example could be "if threat level is yellow,
permit traffic from $foreign_country_x, but if it goes
to orange, deny all from $foreign_country_x, or
perhaps log all from there."

I know that there are certain ISPs which deny all mail
traffic from certain ASes, because of the volume of
Spam. The same principle could be at work here: if
(threat_level++) then deny(unknown_from_Source[nasty])
else permit.

-David Barak
fully RFC 1925 compliant

> But what would you do with the information?
>
> Let the noc know what's up so they can be more vigilant based on the
> threat level.

> I'm not trying to be sarcastic, because lots of people have been going
> through these same conversations.

Not a problem.

> "Threat level" is different from an attack.

Pearl Harbor.

> Isn't your NOC normally vigilant? If the DHS lowered the threat level to
> "Green" would you stop monitoring your network just because the government
> says there is no more threat? Do you have more or fewer people on duty in
> your NOC as the government threat level goes up or down watching the big
> TV screens?

The NOC is always vigilant. Based on different threat levels
I think it's prudent and realistic to examine different staffing
strategies, different views of alarms and data, potentially
different reactions, engaging LEA's on issues you may not normally
engage on, etc.

Example: DHS sets RED level. Reaction: Move some third level
engineers into the SOC. Audit the DR plan if it's not on schedule
to be audited. Audit the backup plans if not on schedule to be
audited. Light the medium warm NOC to HOT NOC level.

> Perhaps even use different sets of ACL's on the edge, etc. It could also
> be used
> to explain an unexpected surge in traffic, calls, or other things. Ever
> look at some traffic stats and see a major surge and want to make sure
> you understand why?

> Again wouldn't you also do all of these things "normally?" If an ACL is a
> good idea at "Orange" wouldn't you protect your network with those ACL's
> when the level is "Yellow." Or would you remove those ACL's when the
> threat level is reduced. How would you explain to your management when
> you are hacked at level "Yellow" you had better ACL's, but you only used
> the good ACL's at level "Orange."

I'd like to have a more standard application to risk analysis.
As you know, security policy is always reviewed and risk analysis
applied to determine how and what you are going to protect. Or not
protect.

I think these risk analyses are now affected by these "new" threats,
or in a lot of cases, threats that no one really paid much
attention to before.

> I'd take it serious and consider NBC as well as "cyberAttacks".

> Secretary Ridge has said to keep the plastic sheets and duct tape in
> storage. Don't start sealing your house (or NOC) yet. The FEMA/Red Cross
> preparedness recommendations are a good idea irregardless of the alert
> level.

Secretary Ridge hasn't really established a credibility level. Not
yet anyways. I respect what they are doing and understand they need
time, but we all have businesses to run. If he says "Buy plastic
and duct tape" I take that as he knows something we don't and
it's reasonable to evaluate and re-apply the risk analysis.

I have my duct tape and plastic, but haven't applied it to the
windows.

conf t
warning you cannot configure a router

with this one....

Martin Hannigan wrote:

> I have my duct tape and plastic, but haven't applied it to the
> windows.

  I hear it is more effective, if you wrap the plastic
around your head, and seal it with the duck tape....

  Never had a -single- complaint, from users of this
methodology..... as long as they don't cheat.

:P

Nothing gets through ... (of course, including air..)

But this -=is=- a time of WAR,
  we MUST be willing to make sacrifices.... :*
  
FACT: Did you know that Government studies show
100% of terrorists, participating in fatal terrorist attacks,
were shown to have been breathing -=air=-, right prior
to the accident.

  That's right, AIR!

=-All=- of them do it.

  Well, We've got them NOW!

  :\

"There are liars, damned liars, and statisticians."

:o :* ;)

.Richard.

Do you buy fire extinguishers when there's no fire, or do you do it
when the smoke alarm is already going off? Or is this the converse, where
a leaky roof doesn't get fixed because you can't work on it on rainy days,
and on sunny days it doesn't leak?

If your DR/backup plan isn't already squared away, RED is a *very* bad time to
be screwing with it. Anybody who's read this list for a while has seen
enough examples of "attempt to fix broken network only makes it worse".

If you audit your backup plan, and discover you're low on tapes to send
off-site, what are the chances that we'll still be at RED when the tapes
actually arrive from the vendor?

> Example: DHS sets RED level. Reaction: Move some third level
> engineers into the SOC. Audit the DR plan if it's not on schedule
> to be audited. Audit the backup plans if not on schedule to be
> audited. Light the medium warm NOC to HOT NOC level.

> Do you buy fire extinguishers when there's no fire, or do you do it
> when the smoke alarm is already going off? Or is this the converse, where
> a leaky roof doesn't get fixed because you can't work on it on rainy days,
> and on sunny days it doesn't leak?

DR is a continuous loop. It's not the kind of thing you
develop and then toss on a shelf. Right now is always a good
time to audit your DR planning, or your disaster prevention
planning.

[ SNIP ]

> If you audit your backup plan, and discover you're low on tapes to send
> off-site, what are the chances that we'll still be at RED when the tapes
> actually arrive from the vendor?

If I didn't audit the backup plan, I wouldn't discover I was low
on tapes. The state of the alert is irrelevant when related to the
DR plan. It's the event itself.

I believe there is no bad time to conduct a drill or audit
a DR plan. In fact, confusing or non-standard conditions would
be optimal for such a test or audit.

-M

Um, you're not really serious, are you? Are you worried about some cell
being activated by sending a packet through your servers? I can't think
of one useful purpose to do something like that.

Jeff

I'm certain the government folks working to protect us 24x7 are doing
everything they can, but the fact of the matter is the public alert
systems in the US suck. Some just suck less.

http://www.nj.com/news/gloucester/index.ssf?/base/news-0/104590500555170.xml

   "Butts said he often finds out about things like the change in the
   national threat level on CNN hours before the Communications Center
   receives a teletype about it."

Butts is the Gloucester County Emergency Response Coordinator including
the county 9-1-1 communications center.

ISPs and other communication providers should be prepared to share
information directly and quickly with each other. If you wait to hear
from government officials to decide what sanitized information to share,
it will be hours later. If ever.

> ISPs and other communication providers should be prepared to share
> information directly and quickly with each other. If you wait to hear
> from government officials to decide what sanitized information to share,
> it will be hours later. If ever.

If anybody is interested here, I did put together a small group to
experiment with a simple system to exchange and distribute PGP
signed messages quickly.

The basic 'working' of the system is contained within a yet to
be written perl script that will poll a couple of 'master'
servers for updated messages, validate the signatures and post
the messages to a particular URL. Any server pulling these messages
can become a master for other servers, which makes this kind of
a 'P2P network' among web servers. Gateways to Usenet/email/pagers/
instant messengers would be possible. New pgp keys would be distributed
as signed control messages within the system. Each PGP key has a
certain number of 'points' assigned, and a message becomes 'valid'
as soon as it has enough signatures to make it past a threshold.

Anyway. Depending on how the water in my basement develops, I may
actually get a first alpha of this out later this weekend. (if not
next weekend). At that point, some testers / coders would be welcome
to work on things like gateways and such.

The overall goal: Make this system fast enough to reach 'everyone'
within an hour. Of course, the system will not work once the
internet is down, but its P2P-like structure should provide for
some anti-DDOS robustness.
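A minimal model of the "points past a threshold" rule described above, added here as an illustration and not Johannes's script. HMAC-SHA256 with a per-key shared secret stands in for PGP signature verification so the example runs without gpg; the key table, point values and threshold are constructed. What it shows beyond the prose is the edge cases a validator has to get right: a key signing twice, an unknown key, and a signature made over a different body all contribute nothing.

```python
import hashlib
import hmac

# Constructed trust store: key id -> (secret, points). In the real system each
# entry would be a PGP public key; HMAC with a shared secret is a stand-in used
# here so the example runs offline. The point values and threshold are made up.
KEYS = {
    "ops-east": (b"east-secret", 2),
    "ops-west": (b"west-secret", 2),
    "relay-01": (b"relay-secret", 1),
}
THRESHOLD = 3


def sign(key_id, body):
    """Produce a signature over the message body with the named key."""
    secret, _points = KEYS[key_id]
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def verify(key_id, body, sig):
    """True only for a known key whose signature matches this exact body."""
    if key_id not in KEYS:
        return False
    return hmac.compare_digest(sign(key_id, body), sig)


def score(body, signatures):
    """Sum the points of distinct keys whose signature verifies.

    Unknown keys, signatures that do not verify (including ones made over a
    different body) and repeated signatures from one key contribute nothing,
    so a single key holder cannot reach the threshold by signing twice.
    """
    seen, total = set(), 0
    for key_id, sig in signatures:
        if key_id in seen or not verify(key_id, body, sig):
            continue
        seen.add(key_id)
        total += KEYS[key_id][1]
    return total


def is_valid(body, signatures, threshold=THRESHOLD):
    """A message becomes valid once its verified signatures reach the threshold."""
    return score(body, signatures) >= threshold
```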

Yesterday I was asked to install a DISH Network system for the Transportation
Security Administration so their folks at the Airport can get "the news".

--Michael