
Behind the Scenes and Inside Workings of a CERT

An anonymous reader writes "Ireland's Computer Emergency Response Team differs from what you can find in most other countries, since it's not government-backed and relies mainly on the good will of several security professionals. In this interview, the founder and head of the CERT, Brian Honan, talks about how the CERT was formed, what equipment they use and what challenges they face in their daily work without having a government to back them up."
  • by rshxd ( 1875730 ) on Tuesday September 07, 2010 @11:18AM (#33498206)
    I run a Tor exit node on a VPS provider.

    CERT Malaysia sent my VPS provider an "abuse" complaint because someone with an exploit scanning script decided to launch a RFI attack against a CERT Malaysia honeypot. CERT MY (what I will refer to them as from now on) sent an automated complaint to my provider about this "attack". My provider's abuse department freaked out and suspended my server.

    I emailed CERT MY, using the reference number that had been emailed to the abuse department. I've never seen such a level of technical ignorance. First, the IP address that was attacked was omitted in the report. It was listed as "XXX.XXX.XXX" and after about six or so emails, they refused to give it to me or give me an IP address range for me to block in my firewall so I wouldn't get in trouble with them for hitting their honeypots.

    I got nothing. They have the English skills of a 3-year-old. My provider finally realized their lack of professionalism and unsuspended my server. These groups think they are doing something when actually, it's delusions of grandeur. Yes, listening for "new" attacks is great but sending out automated, unsolicited emails (doesn't that technically qualify as spam?) to providers without review is hardly security. If they had looked at my hostname on my VPS, they would have realized it was a Tor exit node (hostname: tor-exit-node.domain.com).

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Dear Sir,

    According to our records, we do sent an alert to your ISP about the intrusion
    attempt, and it was coming from the IP (omitted). It is not the issue of
    whether we are using snort or what software, we have captured the intrusion
    attempt, and we sent the alert to your ISP.

    We understand you concern, providing anonymous and transparent browsing to all
    of your user, but it have been abused, and you should do something about it. It
    would not be a reason for us to whitelist TOR network from our system.

    Hope your TOR network were up and running again now, and no such thing will
    happen again in the future.

    It's funny how they suggest I "do something" about it but fail to reveal their IP blocks or even the IP address of the sensor in question. They stopped responding to my emails after I told them I was going to email Jaring, their ISP, for sending out bulk spam and unsolicited emails to ISPs. Jaring never responded, so if you need to run a spam operation overseas, sign up with Jaring.
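The post above describes an abuse desk acting on an automated complaint whose target address was redacted and whose source was, by its own reverse DNS, a Tor exit. The following is an added example, not code from the thread or from any CERT, of the triage check a provider's abuse desk could run before suspending a customer: it refuses to treat a report as actionable when the target is redacted or the timestamp is missing, and it flags a source whose PTR record advertises a Tor exit so the case goes to a relay policy rather than an automatic suspension. The report text, the reference number, the addresses (documentation ranges) and the PTR table are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample report in the spirit of the one described in the thread,
# with the attacked address redacted. Addresses are documentation ranges.
SAMPLE_REPORT = """\
Subject: [Ref#000000] Intrusion attempt from 198.51.100.7
Source IP: 198.51.100.7
Destination IP: XXX.XXX.XXX
Timestamp: 2010-09-06 14:02:11 UTC
Signature: Remote File Inclusion attempt (automated sensor alert)
"""

# Constructed reverse-DNS table standing in for a live PTR lookup (hypothetical names).
PTR_TABLE = {
    "198.51.100.7": "tor-exit-node.example.com",
    "198.51.100.8": "mail.example.com",
}

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


@dataclass
class Triage:
    actionable: bool
    likely_tor_exit: bool
    reasons: list = field(default_factory=list)


def field_value(report: str, name: str) -> Optional[str]:
    """Return the value of a 'Name: value' header line, or None if the line is absent."""
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", report, re.MULTILINE)
    return m.group(1).strip() if m else None


def triage_report(report: str, ptr_table: dict) -> Triage:
    """Decide whether an automated abuse report gives the desk enough to act on."""
    t = Triage(actionable=True, likely_tor_exit=False)
    src = field_value(report, "Source IP")
    dst = field_value(report, "Destination IP")
    when = field_value(report, "Timestamp")

    # The source must be a concrete address the desk can tie to a customer.
    if not src or not IPV4.match(src):
        t.actionable = False
        t.reasons.append("source address missing or malformed")
    # A redacted target (XXX.XXX.XXX) leaves the customer nothing to verify or block.
    if not dst or not IPV4.match(dst):
        t.actionable = False
        t.reasons.append("target address redacted or missing; request it before acting")
    if not when:
        t.actionable = False
        t.reasons.append("no timestamp; cannot correlate with local logs")
    # A PTR record naming a Tor exit means the customer is a relay, not the attacker:
    # route to the provider's Tor policy instead of auto-suspending.
    if src and "tor-exit" in ptr_table.get(src, "").lower():
        t.likely_tor_exit = True
        t.reasons.append("PTR record names a Tor exit node; apply relay policy, do not auto-suspend")
    return t


if __name__ == "__main__":
    result = triage_report(SAMPLE_REPORT, PTR_TABLE)
    print("actionable:", result.actionable, "| likely Tor exit:", result.likely_tor_exit)
    for reason in result.reasons:
        print(" -", reason)
```

Run against the constructed report, the desk gets "not actionable" with the redacted-target reason and the Tor-exit flag, which is the review step the post says was skipped.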
  • by FuckingNickName ( 1362625 ) on Tuesday September 07, 2010 @11:49AM (#33498518) Journal

    If they don't want people specifically targeting (or specifically avoiding) their honeypot, then of course they don't want to publish the IP.

    And if you want people to actually take any notice of your abuse reports, you'd better identify the target of abuse. "a.b.c.d is abusing us, but we're not telling you who we are," is completely unacceptable. No-one cares about your elite honeypot and the fact that you think you're important enough to run one and be taken on your word when you say it's being attacked.

  • by Anonymous Coward on Tuesday September 07, 2010 @11:52AM (#33498540)

    Tor exit node operators have limited control over how their node is used by Tor clients beyond IP and port number filtering.

    If CERT thinks this behavior should be stopped they need to provide the means for the TOR operator to effectively filter the traffic.

    They are basically attacking the Tor network - since Tor can be used to abuse and since CERT refuses to provide the necessary information to stop the attacks, they are basically asking the ISP to disable the Tor exit node. This is neither reasonable nor mature behavior.
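The comment above makes the point that an exit operator's only lever is the exit policy, which filters on destination address and port. To show exactly what that granularity does and does not allow, here is an added example (not from the thread or the Tor project) of a first-match evaluator for torrc-style ExitPolicy lines. The policy is constructed: 192.0.2.0/24 is a documentation range standing in for the sensor range CERT MY declined to supply. With that range in hand, the operator can reject traffic to it outright; without it, the only tool left is the port, and a reject on port 80 would cut off all web traffic rather than just the honeypot.

```python
import ipaddress
from typing import List, Tuple

# Constructed torrc-style exit policy. Tor evaluates ExitPolicy lines in order and the
# first matching line decides; "reject *:*" at the end is the usual catch-all.
# 192.0.2.0/24 is a documentation range standing in for the honeypot/sensor range
# that was never provided; the real range would replace it.
EXIT_POLICY_LINES = [
    "reject 192.0.2.0/24:*",   # hypothetical sensor range, had it been supplied
    "accept *:80",
    "accept *:443",
    "reject *:*",
]

Rule = Tuple[str, ipaddress.IPv4Network, Tuple[int, int]]


def parse_policy(lines: List[str]) -> List[Rule]:
    """Parse 'accept|reject ADDR:PORT' lines into (verdict, network, (low, high)) rules.
    ADDR is '*' or an IP/CIDR; PORT is '*', a single port, or 'low-high'."""
    rules: List[Rule] = []
    for line in lines:
        verdict, _, target = line.strip().partition(" ")
        if verdict not in ("accept", "reject"):
            raise ValueError(f"bad verdict in policy line: {line!r}")
        addr, _, port = target.rpartition(":")
        if addr == "*":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network(addr, strict=False)
        if port == "*":
            ports = (1, 65535)
        elif "-" in port:
            lo, hi = port.split("-", 1)
            ports = (int(lo), int(hi))
        else:
            ports = (int(port), int(port))
        rules.append((verdict, net, ports))
    return rules


def exit_allowed(rules: List[Rule], dst_ip: str, dst_port: int) -> bool:
    """First-match evaluation of an exit policy for a destination (ip, port)."""
    ip = ipaddress.ip_address(dst_ip)
    for verdict, net, (lo, hi) in rules:
        if ip in net and lo <= dst_port <= hi:
            return verdict == "accept"
    return False  # nothing matched: treat as reject


RULES = parse_policy(EXIT_POLICY_LINES)

if __name__ == "__main__":
    for dst in [("192.0.2.10", 80), ("203.0.113.5", 80), ("203.0.113.5", 22)]:
        print(dst, "->", "accept" if exit_allowed(RULES, *dst) else "reject")
```

The first destination sits inside the constructed sensor range and is rejected even on port 80; the second is ordinary web traffic and is accepted by the same policy. That is the distinction an exit operator can only draw once the target range is known.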
