Slashdot Mirror

← Back to Stories (view on slashdot.org)

Behind the Scenes and Inside Workings of a CERT

Posted by timothy on from the with-retsin dept.

An anonymous reader writes "Ireland's Computer Emergency Response Team differs from what you can find in most other countries, since it's not government-backed and relies mainly on the good will of several security professionals. In this interview, the founder and head of the CERT, Brian Honan, talks about how the CERT was formed, what equipment they use and what challenges they face in their daily work without having a government to back them up."

2 of 30 comments (clear)

  1. My experience with CERT Malaysia by rshxd · · Score: 4, Interesting

    I run a Tor exit node on a VPS provider.

    CERT Malaysia sent my VPS provider an "abuse" complaint because someone with a exploit scanning script decided to launch a RFI attack against a CERT Malaysia honeypot. CERT MY (what I will refer to them from now on) sent an automated complaint to my provider about this "attack". My provider's abuse department freaked out and suspended my server.

    I emailed and used the reference number that was emailed to the abuse department to CERT MY. I've never seen such a level of technical ignorance. First, the IP address that was attacked, was omitted in the report. It was listed as "XXX.XXX.XXX" and after about six or so emails, they refused to give it to me or give me an IP address range for me to block in my firewall so I wouldn't get in trouble with them for hitting their honeypots.

    I got nothing. They have the English skills of a 3 year old. My provider finally realized their lack of professionalism and unsuspended my server. These groups think they are doing something when actually, it's delusions of grandeur. Yes, listening for "new" attacks is great but sending out automated, unsolicited emails (doesn't that technically qualify as spam?) to providers without review is hardly security. If they had looked at my hostname on my VPS, they would have realized it was a Tor exit node (hostname: tor-exit-node.domain.com)



    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Dear Sir,

    According to our records, we do sent an alert to your ISP about the intrusion
    attempt, and it was coming from the IP (omitted). It is not the issue of
    whether we are using snort or what software, we have captured the intrusion
    attempt, and we sent the alert to your ISP.

    We understand you concern, providing anonymous and transparent browsing to all
    of your user, but it have been abused, and you should do something about it. It
    would not be a reason for us to whitelist TOR network from our system.

    Hope your TOR network were up and running again now, and no such thing will
    happen again in the future.




    It's funny how they suggest I "do something" about it but fail to reveal their IP blocks or even the IP address of the sensor in question. They stopped responding to my emails after I told them I was going to email Jaring, their ISP, for sending out bulk spam and unsolicited emails to ISPs. Jaring never responded, so if you need to run a spam operation overseas, sign up with Jaring.

    1. Re:My experience with CERT Malaysia by Draknor · · Score: 4, Insightful

      I actually agree with CERT MY in this case. By providing a TOR exit node, you are acting as an access provider. Someone is abusing TOR, and you are their gateway. Seems like you have a responsibility, just like an ISP does.

      And I agree with their methodology -- if they don't want people specifically targeting (or specifically avoiding) their honeypot, then of course they don't want to publish the IP.