[nsp-sec] Changes Coming
Hank Nussbacher
hank at efes.iucc.ac.il
Sun Feb 24 00:04:24 EST 2013
At 08:19 14/02/2013 -0500, Dave Monnier wrote:
>----------- nsp-security Confidential --------
>
>Team,
>
>Bottom line up front, Daily Reports will go away on March 20, 2013. It
>will be replaced by another service. Read on if you are a subscriber.
>
>One of the services we've offered to the NSP-Sec community over the
>years is our Daily Reports service. List subscribers have been able to
>retrieve daily infection reports for their ASN using their list
>credentials at no cost or obligation. This service has run for years
>without much trouble and has hopefully been a great asset to the community.
>
>The large majority of the data provided via these reports has been
>generated by Team Cymru or via data relationships we've established
>outside of NSP-Sec. This same data has gone on to feed one of our other
>community projects, TC Console. TC Console is a very similar concept to
>the Daily Reports. The system provides daily infection information for
>ASN or prefixes and is available for download and parsing by IR teams.
>In addition to this report capability, TC Console also shows a graphical
>representation of the data allowing teams to track remediation over
>time, etc. The console also allows individual subscribers to report
>incidents to one another allowing for collaboration, etc.

First off, I would like to thank Team Cymru for providing this free service
to the community for many years. It has proven invaluable in our efforts
to stamp out malware.

Having played a bit more now with TcConsole, IMHO, you cancelled the wrong
system. The Daily Reports are "pushed" to us - if I have a phishing
problem in my network, I see that report in the morning. Same goes for
malware or openresolver or any other category. But with TcConsole, nothing
is pushed to me. I have to actively go to the website and check what is
new today as opposed to yesterday. This in itself will cause more
"badness" to go unhandled by the members of nsp-sec.

The website is somewhat slow to respond. It only shows IPs for the past 24
hours. CC appears to not be C&C but rather something else, since every
time I have had a spam IP report, I have an exact match in the number of
CCs listed.

If I ignore the GUI which I don't really need (more suited for newbies) and
focus on something like:
https://www.tcconsole.com/export/20130223/malevolence.txt
Suddenly in this report I see there is an Openresolver that is not viewable
by the GUI. I also don't know how far back the exported reports will go
since it only started as of 6 days ago.

So what this means is I have to create a script to every day go to
malevolence.txt file to see what is new for my ASN.

I'll use it but am disappointed.

Regards,
Hank

>Maintaining these two, yet very similar, systems at no-cost for the
>community has grown to be a bit of a burden for us. For this reason
>we've decided to make available to all NSP-Sec members an account on our
>TC Console system. TC Console is considerably more modern and capable
>and is a large upgrade compared to the standard Daily Reports system.
>
>Normally TC Console requires community contribution from its members.
>For NSP-Sec subscribers we've waived this requirement. While we
>certainly welcome contributions, the long history of action from this
>community is enough of a contribution in our eyes.
>
>We do have a few members of the NSP-Sec community who share data into
>the daily reports system as "NSP-Sec only" for distribution.
>Unfortunately we're not presently able to accommodate just sharing the
>data with TC Console members who are also list members. This means that
>for now that data will not be able to make its way into the reports. If
>you are a source of data with this restriction and are willing to open
>the scope of the recipients, please let me know.
>
>The migration to TC Console will be simple. Users need only sign-up at
>the console site and request an account. We'll get people signed up as
>quickly as we can. A URL is at the end of this
>message[1].
>
>A few details however.
>
>1. You MUST sign-up using the mail account used to subscribe to the list.
>
>2. You must have verifiable authority for the ASN or prefixes you're
>requesting. If you've been pulling data for networks that are not your
>responsibility as a favor, etc, our apologies. We would welcome these
>parties to the new system as well.
>
>3. The FORMAT OF THE FEEDS WILL CHANGE. Daily reports was pipe
>delimited. The TC Console system uses a tab delimiter. This is why we're
>giving a long runway to get started.
>
>If you have any questions at all, please let me know directly, or reach
>out to us at outreach at cymru.com
>
>On behalf of Team Cymru,
>-Dave
>
>1. https://www.tcconsole.com/signup.html
>
>--
>Dave Monnier
>Team Cymru
>https://www.team-cymru.org/
>PGP: https://www.cymru.com/dmonnier/0x7C1AAE55_pub.asc
>_______________________________________________
>nsp-security mailing list
>nsp-security at puck.nether.net
>https://puck.nether.net/mailman/listinfo/nsp-security
>
>Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
>community. Confidentiality is essential for effective Internet security
>counter-measures.
>_______________________________________________
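
The day-over-day check discussed in this thread (see what is new for one ASN in the exported report, across the change from pipe-delimited to tab-delimited feeds) could look like the sketch below. It is an added example, not part of the original messages and not Team Cymru's code; the column order (category, ip, asn, timestamp), the sample rows and the function names are assumptions, and the addresses and AS numbers are documentation values.

```python
# Constructed sample data. The column order (category, ip, asn, timestamp) is
# an assumption for illustration; the thread does not give the real layout.
YESTERDAY = (  # legacy Daily Reports style: pipe-delimited
    "# category | ip | asn | timestamp\n"
    "spam | 192.0.2.10 | 64496 | 2013-02-22 03:10:00\n"
    "phishing | 192.0.2.44 | 64496 | 2013-02-22 07:45:12\n"
    "spam | 198.51.100.7 | 64511 | 2013-02-22 09:01:30\n"
)
TODAY = (  # TC Console style: tab-delimited
    "# category\tip\tasn\ttimestamp\n"
    "spam\t192.0.2.10\t64496\t2013-02-23 02:58:41\n"
    "openresolver\t192.0.2.53\t64496\t2013-02-23 04:20:05\n"
    "malware\t198.51.100.9\t64511\t2013-02-23 11:15:00\n"
)


def parse_report(text, asn):
    """Return the set of (category, ip) findings in `text` that belong to `asn`."""
    findings = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and header/comment lines
        # Accept either feed format so the script survives the migration.
        delimiter = "\t" if "\t" in line else "|"
        fields = [field.strip() for field in line.split(delimiter)]
        if len(fields) < 3:
            continue  # malformed row: ignore rather than guess
        category, ip, row_asn = fields[:3]
        if row_asn == str(asn):
            # The timestamp is left out on purpose, so an IP that is still
            # listed the next day is not reported as new again.
            findings.add((category.lower(), ip))
    return findings


def diff_reports(previous, current, asn):
    """Return (new, cleared) findings for `asn` between two daily reports."""
    before = parse_report(previous, asn)
    after = parse_report(current, asn)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    new, cleared = diff_reports(YESTERDAY, TODAY, 64496)
    for category, ip in new:
        print(f"NEW      {category:<13} {ip}")
    for category, ip in cleared:
        print(f"CLEARED  {category:<13} {ip}")
```

Run from cron against the previous and current day's saved exports, the output can be mailed to the IR team, which restores the "pushed" morning report on top of a pull-only export.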