From: Richard A. Peters (rap_at_socrates.berkeley.edu)
Date: Wed Aug 27 2003 - 13:54:46 PDT
>We are proposing a change in our procedures to handle this particular
>problem.

Craig,

I think this change in procedure should not be only for this particular
problem, but for any of this class of problem. While I understand the
importance of not removing hosts from the network until a reasonable effort
has been made to contact the person responsible for the host, the need to
protect important campus assets and resources from a host compromised with
a high impact worm must become primary. And the decision that a particular
worm is high impact should be made by your group before it has had the
chance to spread widely on the campus.

..Richard Peters

At 11:12 AM 8/26/2003 -0700, Craig Lant wrote:
>The Blaster worm is beginning to spread rapidly across the campus
>network. This is, no doubt, exacerbated by the fact that thousands of
>computers are suddenly being connected to our network and many of them are
>already infected. SNS is finding hundreds of new infections every day.
>
>Our standard procedure is to send notifications to security contacts, wait
>one to two working days, then block them if the problem isn't
>resolved. Unfortunately, this is hampering our ability to stay on top of
>the problem and it's giving the virus more time to spread.
>
>We are proposing a change in our procedures to handle this particular
>problem. We would like to send another CalMail warning to all faculty,
>staff, and students explaining that we need to begin immediately blocking
>computers that are found to be infected and attacking other
>computers. We'll still send individual notifications to security contacts
>as hosts are blocked. But, we would no longer allow infected computers to
>continue attacking others for a day or two before taking action.
>
>I'm distributing this proposal as widely as I can (short of CalMail). If
>you feel that this proposal is unacceptable or will cause more harm than
>good, let us know ASAP. I also welcome alternative ideas at any time.
>
> Thanks,
> Craig
>
> Craig Lant
>------- Campus Information Systems Security Officer -------
> ----- University of California, Berkeley -----
> 510-643-0596 craig_at_ack.Berkeley.edu
>
>-------------------------------------
>Sent via the ucb-security mailing list.
This archive was generated by hypermail 2.1.5 : Wed Aug 27 2003 - 13:59:29 PDT