Follow Slashdot stories on Twitter


Forgot your password?
Security The Internet IT

Behind the Scenes and Inside Workings of a CERT 30

An anonymous reader writes "Ireland's Computer Emergency Response Team differs from what you can find in most other countries, since it's not government-backed and relies mainly on the good will of several security professionals. In this interview, the founder and head of the CERT, Brian Honan, talks about how the CERT was formed, what equipment they use and what challenges they face in their daily work without having a government to back them up."
This discussion has been archived. No new comments can be posted.

Behind the Scenes and Inside Workings of a CERT

Comments Filter:
  • If you're talking everyone's talk, what does it matter how effective computer security really is?

  • by rshxd ( 1875730 ) on Tuesday September 07, 2010 @11:18AM (#33498206)
    I run a Tor exit node on a VPS provider.

    CERT Malaysia sent my VPS provider an "abuse" complaint because someone with a exploit scanning script decided to launch a RFI attack against a CERT Malaysia honeypot. CERT MY (what I will refer to them from now on) sent an automated complaint to my provider about this "attack". My provider's abuse department freaked out and suspended my server.

    I emailed and used the reference number that was emailed to the abuse department to CERT MY. I've never seen such a level of technical ignorance. First, the IP address that was attacked, was omitted in the report. It was listed as "XXX.XXX.XXX" and after about six or so emails, they refused to give it to me or give me an IP address range for me to block in my firewall so I wouldn't get in trouble with them for hitting their honeypots.

    I got nothing. They have the English skills of a 3 year old. My provider finally realized their lack of professionalism and unsuspended my server. These groups think they are doing something when actually, it's delusions of grandeur. Yes, listening for "new" attacks is great but sending out automated, unsolicited emails (doesn't that technically qualify as spam?) to providers without review is hardly security. If they had looked at my hostname on my VPS, they would have realized it was a Tor exit node (hostname:

    Hash: SHA1

    Dear Sir,

    According to our records, we do sent an alert to your ISP about the intrusion
    attempt, and it was coming from the IP (omitted). It is not the issue of
    whether we are using snort or what software, we have captured the intrusion
    attempt, and we sent the alert to your ISP.

    We understand you concern, providing anonymous and transparent browsing to all
    of your user, but it have been abused, and you should do something about it. It
    would not be a reason for us to whitelist TOR network from our system.

    Hope your TOR network were up and running again now, and no such thing will
    happen again in the future.

    It's funny how they suggest I "do something" about it but fail to reveal their IP blocks or even the IP address of the sensor in question. They stopped responding to my emails after I told them I was going to email Jaring, their ISP, for sending out bulk spam and unsolicited emails to ISPs. Jaring never responded, so if you need to run a spam operation overseas, sign up with Jaring.
    • by Draknor ( 745036 ) on Tuesday September 07, 2010 @11:36AM (#33498396) Homepage

      I actually agree with CERT MY in this case. By providing a TOR exit node, you are acting as an access provider. Someone is abusing TOR, and you are their gateway. Seems like you have a responsibility, just like an ISP does.

      And I agree with their methodology -- if they don't want people specifically targeting (or specifically avoiding) their honeypot, then of course they don't want to publish the IP.

      • by rshxd ( 1875730 )
        How can you agree in broken Engrish?
        • by Ihmhi ( 1206036 )

          How can you agree in broken Engrish?

          Easy! Like this:

          Me am thing CERT is do good idea this time. You give TOR exit, you provider of access. Someone make bad no-no with TOR and you let them. You is just as bad as them who is doing bads.

          There way of doing things is be good - they no want people to know about secret numbers so they no give you secret numbers.

      • Re: (Score:2, Interesting)

        if they don't want people specifically targeting (or specifically avoiding) their honeypot, then of course they don't want to publish the IP.

        And if you want people to actually take any notice of your abuse reports, you'd better identify the target of abuse. "a.b.c.d is abusing us, but we're not telling you who we are," is completely unacceptable. No-one cares about your elite honeypot and the fact that you think you're important enough to run one and be taken on your word when you say it's being attacked.

        • by rshxd ( 1875730 )
          Plus a blacklist for Tor is widely available. They could incorporate checking that IP address against the Tor BL to help prevent things like this. Like I said, very unprofessional..
      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Tor exit node operators have limited control over how their node is used by Tor clients beyond IP and port number filtering.

        If CERT thinks this behavior should be stopped they need to provide the means for the TOR operator to effectively filter the traffic.

        They are basically attacking the Tor network - since Tor can be used to abuse and since CERT refuses to provide the necessary information to stop the attacks, they are basically asking the ISP to disable the Tor exit node. This is neither reasonable or ma

        • this is why Tor is pointless. Oh sure you can ban one IP. But if someone set up a botnet to make attacks through Tor? And who are you banning, the originator of the attack or the node that passed it along to you? If you can track down the originator of the attack, can't you also track down people who are criticizing totalitarian governments?

          And who maintains the blacklists? Could the government of say, Iran get every IP within Iran put on the blacklist, making Tor unavailable to everyone in the country?


          • by rshxd ( 1875730 )
            Already done. I love how the Slashdot crowd loves to chime in. I guess you don't know what a RFI attack is all about. I'll fill you in: its just a standard HTTP request. Thanks for your input though. It was very intelligent and extremely helpful.
            • ok so then you're saying Tor is completely useless then since it can't even do http without endangering other servers.

              • by WNight ( 23683 )

                Yes, the entire internet is useless because you can't expose broken servers in total safety.

                Pack it up.

          • by rshxd ( 1875730 )
            Also, you obviously show no knowledge about how Tor operates. You can block the exit nodes on the BL, however there are connections that make an exit connection that are not listed on the Tor exit node list.
            • sure I don't know much about Tor. What you haven't answered is how can someone administering a Tor node prevent others from using it to attack other systems?

              • by rshxd ( 1875730 )
                You can't. EOD
        • Tor does not inherently have the right to exist. If you run an exit node, you take on the responsibility of all the anonymous traffic that goes through it, as though you were the source of that abuse. I can see how the malaysians may have to provide IP address details to your ISP, but I don't see why they should have to provide it to you. That's the price you pay for participating I guess. GP is right. Honeypots lose their effectiveness when their IP addresses are compromised.

      • With what exactly do you agree with? That he's responsible, but shouldn't be able to fix it?

        Darnit, the whole web filtering dillema is hard. On one hand, I'd like individuals to be responsible, not service providers. On the other hand, I fully support unplugging servers/people for illegal activities other than file-sharing (call me bias). Also with the former, taking down individuals would require authentication of some sort, and that's unacceptable, but that is now besides the point.

        About this case however

  • The correct spelling is Retsyn [].

The last thing one knows in constructing a work is what to put first. -- Blaise Pascal