Date: Wed, 12 Aug 92 15:57:02 EDT
From: Kim Clancy
Subject: File 4--Re: Quick reality check.....

((MODERATORS' NOTE: We heard about the AIS BBS from several readers, and checked it out. We were impressed by the collection of text files, the attempt to bring different groups together for the common purposes of security and civilizing the cyber frontier, and the professionalism with which the board is run. AIS BBS is a first-rate resource for security personnel who are concerned with protecting their systems)).

1. What is this Board? (name, number, who runs it (dept & sysop)). What kind of software are you using? When did the Board go on-line?

The Bulletin Board System (BBS) is run by the Bureau of the Public Debt's Office of Automated Information Systems Security Branch. The mission of the Bureau is to administer Treasury's debt finance operations and account for the resulting debt. The OAIS security branch is responsible for managing Public Debt's computer systems security. The AIS BBS is open to the public and the phone number for the Board is (304) 420-6083. There are three sysops, who manage the Remote Access software. The BBS operates on a stand-alone PC and is not connected to any other Public Debt systems. The Board is not used to disseminate sensitive information, and has been up and operating for the past 15 months.

2. What are the goals and purposes of the Board?

The BBS was established to help manage Public Debt's security program. Security managers are located throughout Public Debt's offices in Parkersburg, WV and Washington DC. The security programmers saw a need to disseminate large amounts of information and provide for communication between program participants in different locations. Because the Board was established for internal purposes, the phone number was not published. However, the number was provided to others in the computer security community who could provide information and make suggestions to help improve the bureau's security program. Gradually, others became aware of the Board's existence.

3. What kinds of files and/or programs do you have on the Board? Why/how do you choose the files you have on-line?

There is a wide variety of files posted. In the beginning, we posted policy documents, newsletter articles from our internal security newsletter, bulletins issued by CERT, such as virus warnings, and others for internal use. I located some "underground" files that described techniques for circumventing security on one of the systems we manage. The information, from Phrack magazine, was posted for our security managers to use to strengthen security. When we were called by others with the same systems, we would direct them to those files as well. Unexpectedly, the "hacker" that had written the file contacted me through our BBS. In his article he mentioned several automated tools that had helped him take advantage of the system. I requested that he pass on copies of the programs for our use. He agreed. This is how our "hacker file areas" came to be. Other hackers have done the same, and we have also received many files that may be useful. It is, indeed, an unusual situation when hackers and security professionals work together to help secure systems. However, this communication has been beneficial in strengthening an already secure system.

4. Since you and the Secret Service are both part of the U.S. Treasury, was the Board set up to catch "hackers?"

No, the BBS was designed to manage our internal security program. We do not allow individuals to sign on with "handles." We do not know if people are hackers when they sign on unless they identify themselves.

5. How did you get the idea to set it up?

The security branch accesses many BBSs on a daily basis for research purposes, information retrieval and to communicate with others. Since our security program is decentralized, the BBS seemed to be an effective way of communicating with program participants in diverse locations.

6. What distinguishes your board from sources like CERT, or from "underground" BBSes?

First, there is a wide diversity to our files, ranging from CERT advisories to the 40Hex newsletters. Also, many of the files on our system are posted as a resource we use for the implementation of our security program. For example, the Board lists computer based training modules that we have developed, policy documents, and position descriptions. These are files that other security programs can use to implement or help start their programs. On the message side of the BBS, what distinguishes it would have to be the open interaction between hackers, virus writers, phone phreaks and the security community.

7. What kinds of difficulties or problems have you encountered, either from superiors or from users, in operating the Board?

I can recall few, if any, difficulties from anyone, users or superiors. Upper management understands the value of the technology and has been extremely supportive. All users have been courteous, professional, and supportive. Security professionals constantly thank us for providing "underground" information for them. It allows others in the field to gain access to valuable information without having to access "underground" systems. Users appreciate the opportunity to share their knowledge with others and seem grateful to have an avenue to communicate with security professionals who will listen to "hackers'" experiences.

8. Can you describe any unusual or humorous experiences you have had with users while running the Board?

It is unusual for "hackers" and security professionals to work together to help secure systems, but that is what is occurring on our system. I have had requests from other government agencies asking for resumes of "hackers" that may assist them. I have been contacted by numerous government and private agencies asking for our "contacts." I just direct them to the BBS and advise that they post messages regarding the questions they need answered. If anyone is interested in helping, they will respond. It is an unusual situation, but, in my opinion, I can attest that the information we have received has been very useful to our security program.

9. What future plans do you have for improving the hardware, such as upgrading modem, number of lines, or storage capacity, or for developing the services of the Board?

Starting July 13th, the Board will be down periodically for system upgrades. We are adding an additional phone line, and a 315 MB hard drive. Also, we are going to make a few changes to reorganize files. It is hoped that group information will be more efficient in this manner. We are also adding RIME relay net conferences and will carry topics such as Data Protection.

10. What should potential users know about the Board or your policies before attempting to receive access?

Users must be aware that we do not allow handles on the BBS. If they sign on with a handle it will be deleted. We also reserve the right to review all E-mail, public and private. All users have access to the BBS upon sign on. If a user wants access to the "hacker" file area, they need to send a message to the sysop requesting access. Potential users should know they are welcome to call in and communicate with us and others.

------------------------------

Downloaded From P-80 International Information Systems 304-744-2253