I don't know what NISER (National ICT Security & Emergency Response Centre) is preaching these days. I downloaded their 2nd quarter newsletter and decided to figure out what they're preaching. This edition contains a few topics, ranging from a general article about first-generation honeypots, an introduction to computer forensics, a few bits about worms, viruses, trojan horses, adware and spyware, tips to secure your personal PC, and others. Included in this edition is the usual MyCERT quarterly summary.
To me, the MyCERT quarterly report section is of no use, for a few reasons:
- the accompanying graphs are of little value since the images are all blurred. In fact, most of the images in the newsletter are blurred.
- the statistics themselves are questionable. Reading through the section "Significant Drop on Intrusion Incidents", it mentions defacements due to the IIS Unicode traversal attack. This is bewildering since Unicode traversal attacks were discovered in 2000, and a patch has been available since then. Five years on, and we're getting a newsletter from NISER informing us about Unicode traversal. This makes me wonder whether the statistics NISER gets are based on real and successful attacks or just statistics massaged from IDS logs. I think these statistics were based on IDS logs, since it is highly likely that things like Unicode traversal are generated by scanners such as Nikto.
- Under the section "High Surge in 445/TCP Port Scanning", the graph and statistics do not mean anything because they only tell me the scanning frequency for each port, but other metrics that would make the data more useful are missing. For example, how many hosts were scanned for port 445? How many unique source IPs were scanning the port? With this information missing, and no explanation of how the data were gathered, I may very well deduce that the statistics come from a single machine, and interpret them as "for this quarter, our Windows 2000 server, which has port 445 open to the public internet, has been scanned a total of 3500 times".
A few articles caught my attention. One of them is WLAN Security. Towards the end of the article, the author writes that the first criterion for deciding on WLAN security is the type of data that needs to travel over it, and only then deciding on an authentication and encryption system for security. Oh please! Does this mean that if an organization decides to install a wireless AP, they don't have to bother securing it, let alone implementing some kind of authentication, simply because the data that traverses it is just inane chatter? If this is the case, then Siti, Rupi and Ah Mei, whose interest is not in the data or the organization, can hook into the wireless network and use that network to launch attacks against other networks.
NISER, what are you preaching?
I browsed through most of the articles, but the last article is just ridiculously useless. In Tips on Protecting Your Personal Computer (which is a series, as the introduction says) the author touches on user accounts, and user accounts only! To be frank, if you want to produce an article about securing a personal PC, don't make it into a series, especially if your newsletter is published, like, 4 times a year. If you really want to help the general public secure their PCs, write an article such that, if the reader decides to follow your advice, her PC will at least be secured, hopefully until your next newsletter comes out!
- Choose a strong administrator password
- Disable the guest account
- Install anti-virus. AVG Free Edition is a good one.
- If you're using Windows XP, update it to SP2
- Install Microsoft AntiSpyware
- Update your PC regularly
- Use an alternative web browser, such as Firefox
Assuming the main points above, is it really necessary to split the article into a series?
In my opinion, NISER is not doing a good job as a so-called national ICT security & emergency response centre. This newsletter shows the level of competence and expertise of their staff. You decide.