
May 1995
Revision 9
JPO#94-478


                   The CERT* Coordination Center FAQ


=======================================================================
= Preface                                                             =
=======================================================================

This document is intended to answer the most Frequently Asked Questions (FAQs)
about the CERT Coordination Center.  The FAQ is a dynamic document that will
change as information changes.  Suggestions for additional sections are
welcome -- please e-mail them to cert@cert.org.  The most recent copy of this
FAQ will be available via anonymous FTP from info.cert.org in the /pub
directory.


Questions answered in this document

A.  Introduction to the CERT Coordination Center
        A1.  What is the CERT Coordination Center?
        A2.  How do I contact the CERT Coordination Center?
        A3.  What's in the CERT Coordination Center name?
B.  Where to go for information
        B1.  What is a CERT advisory?
        B2.  Where can I obtain archived CERT advisories?
        B3.  Can I obtain source code to a patch described in a CERT
             advisory?  
        B4.  What security mailing lists, newsgroups, and other sources of
             information does the CERT Coordination Center recommend?
        B5.  What information is available via anonymous FTP from the
             CERT Coordination Center?
        B6.  What presentations, workshops, and seminars does the CERT 
             Coordination Center offer?
        B7.  What books or articles does the CERT Coordination Center
             recommend?  
C.  Incident Response
        C1.  What kind of information should I provide to the CERT
             Coordination Center when my site has experienced an intrusion?


=======================================================================
= Section A.   Introduction to the CERT Coordination Center           =
=======================================================================

A1.     What is the CERT Coordination Center?

        The CERT Coordination Center is the organization that grew from the 
        computer emergency response team formed by the Defense Advanced 
        Research Projects Agency (DARPA) in November 1988 in response to the
        needs exhibited during the Internet worm incident. The CERT charter 
        is to work with the Internet community to facilitate its response to 
        computer security events involving Internet hosts, to take proactive
        steps to raise the community's awareness of computer security issues, 
        and to conduct research targeted at improving the security of existing
        systems.

        CERT products and services include 24-hour technical
        assistance for responding to computer security incidents,
        product vulnerability assistance, technical documents, and
        seminars.  In addition, the team maintains a number of
        mailing lists (including one for CERT advisories) and
        provides an anonymous FTP server:  info.cert.org, where
        security-related documents, past CERT advisories, and
        tools are archived.   

A2.     How do I contact the CERT Coordination Center?

        U.S. mail address
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh, PA 15213-3890
          U.S.A.

        Internet E-mail address
          cert@cert.org

        Telephone number
          +1 412-268-7090 (24-hour hotline)
            CERT Coordination Center personnel answer the hotline from
            8:30 a.m. to 5:00 p.m. EST (GMT-5)/EDT (GMT-4) and are on call
            for emergencies during other hours.

        FAX number
          +1 412-268-6989 


A3.     What's in the CERT name?

        Since its beginning in 1988, the CERT Coordination Center has acquired
        its name through an evolutionary process. Because of this, you may see
        the CERT Coordination Center referred to by several different names. 
        While you may hear us called Computer Emergency Response Team,
        CERT/CC, or CERT, our proper name is the CERT Coordination Center.

        CERT(sm) is a service mark of Carnegie Mellon University.

        The CERT e-mail address has undergone a similar evolution. We use the 
        e-mail address:  

                cert@cert.org

        Any references to:  

                cert@cert.sei.cmu.edu 
                        or 
                cert@sei.cmu.edu 

        should be changed to the new address (cert@cert.org).


=======================================================================
= Section B.   Where To Go for Information                            =
=======================================================================

B1.     What is a CERT advisory?

        A CERT advisory provides information on how to obtain a patch or
        details of a workaround for a known computer security problem.
        The CERT Coordination Center works with vendors to produce a 
        workaround or a patch for a problem, and does not publish 
        vulnerability information until a workaround or a patch is available. 
        A CERT advisory may also be a warning to our constituency about ongoing
        attacks (e.g., "CA-91:18.Active.Internet.tftp.Attacks").

        CERT advisories are published on the USENET newsgroup:  
        
                comp.security.announce 

        and are distributed via the cert-advisory mailing list.  Both
        of these publication methods are described below. 

        CERT advisory archives are available via anonymous FTP from 
        info.cert.org in the /pub/cert_advisories directory. 


B2.     Where can I obtain archived CERT advisories?

        CERT advisories are available via anonymous FTP from info.cert.org
        in the /pub/cert_advisories directory.  The "01-README" file provides
        a short summary of each of the advisories.


B3.     Can I get source code to a patch described in a CERT advisory?

        The CERT Coordination Center does not provide source-level patches.  
        Some vendors make source-level patches available to their source 
        customers while others only distribute binary patches.  Contact your
        vendor for more information.   


B4.     What security mailing lists, newsgroups, and other sources of
        information does the CERT Coordination Center recommend?

        (a) CERT mailing lists
        
                (1) CERT advisory mailing list

                    The CERT Coordination Center maintains a CERT
                    advisory mailing list for those members of the
                    constituency who are unable to access USENET news
                    or who would like to have advisories mailed
                    directly to them or to a mail exploder at their
                    site.  If you would like to be added to the
                    mailing list, please send mail to:  

                        cert-advisory-request@cert.org

                    You will receive confirmation mail when you have
                    been placed on the list.


                (2) CERT tools mailing list

                    The purpose of this moderated mailing list is to
                    encourage the exchange of information on security
                    tools and techniques.  The list should not be used
                    for security problem reports.    

                    The CERT Coordination Center will not formally
                    review, evaluate, or endorse the tools and
                    techniques described.  The decision to use the
                    tools and techniques described is the
                    responsibility of each user or organization, and
                    we encourage each organization to thoroughly
                    evaluate new tools and techniques before
                    installation or use. 

                    Membership is restricted to system programmers,
                    system administrators, and others with a
                    legitimate interest in the development of computer
                    security tools.  If you would like to be
                    considered for inclusion, please send mail to:  
        
                        cert-tools-request@cert.org 

                    You will receive confirmation mail when you have
                    been placed on the list.


        (b) Other security-related mailing lists

                (1) VIRUS-L mailing list (see comp.virus newsgroup
                        below) 

                    VIRUS-L is a moderated mailing list with a focus
                    on computer virus issues.  For more information,
                    including a copy of the posting guidelines, see
                    the file "virus-l.README", available by anonymous
                    FTP from cs.ucr.edu.  To be added to the mailing 
                    list, send mail to:  

                        listserv@lehigh.edu

                    In the body of the message, put nothing more than:

                        SUB VIRUS-L your name

                (2) Firewalls mailing list

                    The Firewalls mailing list is a discussion forum for
                    firewall administrators and implementors. To subscribe 
                    to Firewalls, send mail to:

                        Majordomo@GreatCircle.COM

                    In the body of the message, put only:

                        subscribe firewalls

                (3) Firewalls digest

                    The Firewalls digest is a compilation of messages from the
                    Firewalls mailing list. To subscribe to the Firewalls 
                    digest, send mail to:

                        Majordomo@GreatCircle.COM

                    In the body of the message, put only:

                        subscribe firewalls-digest

                    Compressed back issues are available via anonymous FTP
                    from: 

                        FTP.GreatCircle.COM 

                    in pub/firewalls/digest/vNN.nMMM.Z (where "NN" is the
                    volume number and "MMM" is the issue number).


        (c) USENET newsgroups

                (1) comp.security.announce

                    The comp.security.announce newsgroup is moderated
                    and is used solely for the distribution of CERT
                    advisories.  

                (2) comp.security.misc

                    The comp.security.misc newsgroup is a forum for the
                    discussion of computer security, especially as it
                    relates to the UNIX(r) Operating System. 

                (3) alt.security 

                    The alt.security newsgroup is also a forum for the
                    discussion of computer security, as well as other
                    issues such as car locks and alarm systems.  

                (4) comp.virus

                    The comp.virus newsgroup is a moderated newsgroup
                    with a focus on computer virus issues.  For more
                    information, including a copy of the posting
                    guidelines, see the file "virus-l.README",
                    available via anonymous FTP on info.cert.org
                    in the /pub/virus-l directory.  

                (5) comp.risks

                    The comp.risks newsgroup is a moderated forum on
                    the risks to the public in computers and related
                    systems. 


        (d) NIST (National Institute of Standards and Technology)
                Computer Security Bulletin Board

            Information posted on the bboard includes an events
            calendar, software reviews, publications, bibliographies,
            lists of organizations, and other government bulletin
            board numbers.  The bboard contains no sensitive
            information, whether unclassified or classified.

            If you have any questions, contact NIST by phone at:
            301-975-3359; by FAX at:  301-590-0932; or by e-mail at:
            csrc@csrc.ncsl.nist.gov. 


B5.     What information is available via anonymous FTP from CERT? 

        The CERT Coordination Center has a variety of computer security 
        information available by anonymous FTP from info.cert.org in the
        /pub directory. In the /pub directory, the file "ls-lR" lists the
        subdirectories and the files found in those subdirectories. Examples 
        of what you will find in the /pub directory are listed below.

        /pub/CERT_Press_Release_8812:  The file
        "CERT_Press_Release_8812" is a copy of the December 1988 DARPA
        press release announcing the formation of the CERT
        Coordination Center. 

        /pub/FIRST:  The /pub/FIRST directory contains a file,
        "first-contacts".  FIRST, the Forum of Incident Response and
        Security Teams, is an organization whose members work together
        voluntarily to deal with computer security problems and their
        prevention.  General information on FIRST is available via
        anonymous FTP from csrc.ncsl.nist.gov in the /pub/first
        directory.  The name of the file is "op_frame.txt".  The
        document begins with a description of the CERT System, which
        was later renamed "FIRST".  Also in that directory are the
        minutes from meetings, a list of FIRST contacts (also
        duplicated in the CERT anonymous FTP area on info.cert.org
        in the /pub/FIRST directory), and other related
        information.  

        /pub/cert_advisories:  The /pub/cert_advisories directory
        contains archived copies of past CERT advisories, the
        "01-README" file, a copy of the CERT press release from
        December 1988 announcing the formation of the CERT Coordination 
        Center, an article from the March 1990 issue of Bridge, a magazine 
        published by the Software Engineering Institute (SEI), describing 
        CERT, and a file containing information on the status of the rdist
        patch.  

        /pub/clippings:  The /pub/clippings directory is an archive
        service for computer security. This archive is a central
        repository for selected security related USENET News and
        mailing list postings.  The archive will not be restricted to
        any one newsgroup or mailing list.  To submit an article for
        the clippings archive, please send e-mail to: 

                clip@cert.org

        /pub/cops:  The /pub/cops directory includes the information
        for the COPS package.  COPS is a publicly available collection
        of programs that attempts to identify security problems in the
        UNIX Operating System.  COPS does not attempt to correct
        any discrepancies found; it simply produces a report of its 
        findings. 

        /pub/info:  The /pub/info directory contains online copies of 
        security-related books and papers, including Dave Curry's May
        1990 SRI Tech Report "Improving the Security of Your Unix
        System", "Computer Emergency Response - An International
        Problem" by Richard D. Pethia and Kenneth R. van Wyk, the
        report "Coping with the Threat of Computer Security Incidents:
        A Primer from Prevention through Recovery" by Russell Brand,
        and the Department of Defense Trusted Computer System
        Evaluation Criteria CSC-STD-001-83 often referred to as the
        "Orange Book".  (Note:  This is the Aug 1983 version of this
        document; this document was revised in Dec 1985.)

        /pub/network_tools:  The /pub/network_tools directory contains
        network tools made available via anonymous FTP.  The file
        "tcp_wrapper.xx" is a TCP daemon wrapper program that will
        provide additional logging information and access control for
        many network services (also duplicated in the /pub/tools
        directory). 

        /pub/papers:  The /pub/papers directory contains the
        announcement of the CERT tools mailing list. 

        /pub/ssphwg:  The /pub/ssphwg directory contains archived
        information from the IETF Site Security Policy Handbook
        Working Group and the IETF Security Policy Working Group. 
        RFC 1244, "Site Security Handbook", was the result of the Site
        Security Policy Handbook Working Group, and RFC 1281,
        "Guidelines for the Secure Operation of the Internet", was the
        result of the Security Policy Working Group.  Both of these
        RFCs are also available in the /pub/info directory described
        above. 

        /pub/tech_tips:  The /pub/tech_tips directory contains
        documents on anonymous FTP configurations, packet filtering,
        and the CERT security checklist. 

        /pub/tools:  The /pub/tools directory contains various
        software programs, including COPS, Crack, TCP daemon wrappers,
        and virus-detection programs. 

        /pub/virus-l:  The /pub/virus-l directory contains the
        archives and other VIRUS-L and VALERT-L mailing list
        documents. 


B6.     What presentations, workshops, and seminars does the CERT
        Coordination Center offer? 

        (a) Presentations

            Throughout the year, members of the CERT Coordination
            Center give presentations at various technical
            conferences, seminars, and regional networks.
            Periodically, special arrangements can be made to tailor
            the presentation to fit the requirements of the specific
            site.  For further information regarding presentations,
            please contact the CERT Coordination Center. (Contact information
            is in section A.2.)

        (b) Workshops

            From 1989 to 1992 the CERT Coordination Center hosted and
            co-sponsored the FIRST Workshop on Incident Handling. CERT has 
            also participated in subsequent workshops.  For further information
            about the FIRST Workshop on Incident Handling, please contact the 
            CERT Coordination Center. 
                
        (c) Seminars

            (1) Internet Security for Managers

                Description:  This seminar is to help 
                managers understand what needs to be done to ensure 
                that their computer systems and networks are as 
                securely managed as possible when operating within
                the Internet community.  Attendees will be provided 
                with information that will enable them to formulate 
                realistic security policies, procedures, and
                programs specific to their operating environment.  

                Audience:  This seminar is designed for managers of
                computing centers/facilities, individuals tasked to
                evaluate/initiate Internet connectivity, senior system
                administrators, and others interested in computer
                security within the Internet community.

            (2) Internet Security for UNIX System Administrators

                Description:  The information presented in this
                seminar is based on incidents reported to the CERT
                Coordination Center.  The topics covered will include
                defensive and offensive strategies for system
                administration, site-specific security policies, and
                incident handling.

                Audience:  This seminar is designed for users and
                system administrators of hosts using the UNIX
                Operating System.  It is especially suited for system 
                administrators of systems connected to a wide
                area network based on TCP/IP such as the Internet.
                Some system administrator experience is assumed. 


B7.     What books or articles does the CERT Coordination Center
        recommend?   

        [Bishop 87]     Bishop, Matt.  "How to Write a Setuid
                        Program."  ;login: 12, 1 (Jan/Feb 1987):
                        5-12. 

        [Cheswick 94]   Cheswick, William R.; Bellovin, Steven M.
                        Firewalls and Internet Security: Repelling the Wily 
                        Hacker. New York: Addison-Wesley Publishing Company, 
                        1994.

        [Curry 90]      Curry, Dave.  "Improving the Security of Your
                        UNIX System" (Technical Report
                        ITSTD-721-FR-90-21). Menlo Park, CA:  SRI
                        International, April 1990. 

        [Curry 92]      Curry, David A.  UNIX System Security:  A
                        Guide for Users and System Administrators.
                        Reading, MA: Addison-Wesley Publishing Co., Inc., 
                        1992. (ISBN 0-201-56327-4)

        [Denning 90]    Denning, Peter J., ed.  Computers Under
                        Attack: Intruders, Worms, and Viruses.  ACM
                        Press, New York: Addison-Wesley Publishing Company,
                        Inc., 1990. (ISBN 0-201-53067-8)

        [Ellis 94]      Ellis, Jim; Fraser, Barbara; Pesante, Linda. "Keeping
                        Internet Intruders Away." UNIX Review 12, 9 (September
                        1994): 35-44.

        [Farrow 91]     Farrow, Rik.  How to Protect Your Data and
                        Prevent Intruders:  UNIX System Security.
                        Reading, MA: Addison-Wesley Publishing Company, Inc., 
                        1991. (ISBN 0-201-57030-0)

        [Fithen 94]     Fithen, Katherine; Fraser, Barbara. "CERT Incident
                        Response and the Internet." Communications of the ACM 
                        37, 8 (August 1994):108-113.

        [Garfinkel and Spafford 91]     
                        Garfinkel, Simson; Spafford, Gene.  Practical
                        UNIX Security.  Sebastopol, CA: O'Reilly & Associates,
                        Inc., 1991. (ISBN 0-937175-72-2) 

        [Grampp and Morris 84]  
                        Grampp, F.T.; Morris, R.H.  "UNIX Operating
                        System Security."  AT&T Bell Laboratories Technical
                        Journal 63, 8 (Oct 1984):  1649-1672.

        [Hafner and Markoff 91]
                        Hafner, Katie; Markoff, John.  Cyberpunk:
                        Outlaws and Hackers on the Computer Frontier.
                        New York, NY: Simon & Schuster, 1991. 

        [Morris and Thompson 79]
                        Morris, R.; Thompson, K.  "Password
                        Security: A Case History."  Communications of the ACM 
                        22, 11 (November 1979):  594-597.

        [Nemeth, Snyder, and Seebass 89]
                        Nemeth, Evi; Snyder, Garth; Seebass, Scott.
                        UNIX System Administration Handbook.  Englewood
                        Cliffs, NJ: Prentice Hall, 1989.
                        (ISBN 0-13-933441-6)

        [Stoll 89]      Stoll, Clifford.  The Cuckoo's Egg: Tracking a
                        Spy Through the Maze of Computer Espionage.
                        New York, NY: Doubleday, 1989. (ISBN 0-385-24946-2)

        [Wood and Kochan 86]
                        Wood, Patrick; Kochan, Stephen.  UNIX System
                        Security.  Hasbrouck Heights, NJ: Hayden Books, 1986.



=======================================================================
= Section C.   Incident Response                                      =
=======================================================================

C1.     What kind of information should I provide to the CERT
        Coordination Center when my site has experienced an intrusion?

        The CERT Coordination Center would like as much information as
        possible, including opinions and thoughts as to how the
        break-in occurred.  Some specifics include:

                 1) names of host(s) compromised at your site

                 2) architecture and OS (operating system and revision)
                    of compromised host(s)

                 3) whether or not security patches have been applied
                    to the compromised host(s); if so, were patches
                    applied before or after the intrusion

                 4) account name(s) compromised

                 5) other host(s)/site(s) involved in the intrusion and
                    whether or not you have already contacted those
                    site(s) about the intrusion 

                 6) if other site(s) have been contacted, the contact 
                    information used for contacting the site(s)
                    involved 

                 7) if CERT is to contact the other site(s), can we
                    give the other sites your contact information
                    (i.e., your name, e-mail address, and phone number)


                 8) whether or not any law enforcement agencies have
                    been contacted

                 9) appropriate log extracts (including timestamps)

                10) what assistance you would like from the CERT
                    Coordination Center
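
        The log extracts in item 9 are only useful to the CERT
        Coordination Center and to the other sites involved if their
        timestamps can be correlated with logs kept elsewhere.  Classic
        BSD syslog lines record neither the year nor the time zone, so
        state both, and prefer to send extracts already converted to
        UTC.  The following is an added example of how to pull such an
        extract; it is not code from the CERT Coordination Center, and
        the host name "sparky", the account name "guest", the addresses
        and the log lines themselves are constructed for illustration.
        It keeps only the lines inside the incident window that mention
        the compromised account or the intruder's address (items 4 and
        5 above) and rewrites each with an ISO 8601 UTC timestamp.

```python
"""Pull the log extracts an incident report needs (FAQ item 9) out of a
syslog file, keeping only the lines that fall inside the incident window
and mention the accounts, hosts or addresses involved.

Classic BSD syslog lines carry neither the year nor the time zone, so the
reporter has to supply both; every extracted line is rewritten with an
ISO 8601 timestamp in UTC so that other sites can correlate it with their
own logs.

Added example, not code from the CERT Coordination Center.  The log lines,
host name, account name and addresses are constructed for illustration."""

import re
from datetime import datetime, timedelta, timezone

# Constructed sample syslog extract (not real data): an intruder logs in as
# "guest" from 192.0.2.77 and becomes root; the later lines are unrelated.
SAMPLE_LOG = """\
Apr 28 02:11:03 sparky login[212]: ROOT LOGIN REFUSED FROM 192.0.2.77
Apr 28 02:11:41 sparky login[215]: LOGIN ON ttyp3 BY guest FROM 192.0.2.77
Apr 28 02:13:09 sparky su: guest to root on /dev/ttyp3
Apr 28 09:00:12 sparky sendmail[301]: daily mail run
Apr 29 01:58:55 sparky ftpd[402]: ANONYMOUS FTP LOGIN FROM 198.51.100.9
"""

# Assumption for the sample: syslog on the compromised host wrote local
# time and the host was on US Eastern Daylight Time (GMT-4).
LOG_YEAR = 1995
LOG_TZ = timezone(timedelta(hours=-4), "EDT")

# "Mon DD HH:MM:SS host rest" -- the BSD syslog line format.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)


def parse_line(line, year, tz):
    """Return (timestamp, host, message) for one syslog line, or None if
    the line is not syslog-shaped.  The timestamp is made zone-aware with
    the supplied year and zone, since the line itself carries neither."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = datetime.strptime(
        f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=tz)
    return stamp, m["host"], m["rest"]


def extract(log_text, year, tz, start, end, keywords):
    """Select lines with start <= timestamp <= end whose message mentions
    any keyword (case-insensitive; an empty list matches every line) and
    rewrite each with a UTC ISO 8601 timestamp.  Non-syslog lines are
    skipped rather than guessed at."""
    wanted = [k.lower() for k in keywords]
    selected = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year, tz)
        if parsed is None:
            continue
        stamp, host, rest = parsed
        if not start <= stamp <= end:
            continue
        if wanted and not any(k in rest.lower() for k in wanted):
            continue
        utc = stamp.astimezone(timezone.utc).isoformat()
        selected.append(f"{utc} {host} {rest}")
    return selected


def extract_incident_window():
    """The extract for the constructed incident: the hour around the
    break-in, limited to the compromised account and the intruder's
    address (FAQ items 4, 5 and 9)."""
    start = datetime(1995, 4, 28, 2, 0, 0, tzinfo=LOG_TZ)
    end = datetime(1995, 4, 28, 3, 0, 0, tzinfo=LOG_TZ)
    return extract(SAMPLE_LOG, LOG_YEAR, LOG_TZ, start, end,
                   keywords=["guest", "192.0.2.77"])


if __name__ == "__main__":
    for line in extract_incident_window():
        print(line)
```

        Run as a script it prints the three lines of the break-in with
        timestamps such as 1995-04-28T06:11:03+00:00; the unrelated
        sendmail line and the next day's FTP login are dropped.  Keep
        the unfiltered original log as well, since the other sites or
        law enforcement (item 8) may need lines the keyword filter
        discarded.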



*CERT is a service mark of Carnegie Mellon University.

UNIX(r) is a registered trademark of UNIX System Laboratories, Inc. 

The CERT Coordination Center is sponsored by the Advanced Research Projects
Agency (ARPA). The Software Engineering Institute is sponsored by the U.S.
Department of Defense.

