
Behind the Scenes and Inside Workings of a CERT

timothy posted more than 3 years ago | from the with-retsin dept.

Security 30

An anonymous reader writes "Ireland's Computer Emergency Response Team differs from what you can find in most other countries, since it's not government-backed and relies mainly on the good will of several security professionals. In this interview, the founder and head of the CERT, Brian Honan, talks about how the CERT was formed, what equipment they use and what challenges they face in their daily work without having a government to back them up."


30 comments

Niggers? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33497472)

Why do white people get so enraged by someone saying niggers? Niggers! Niggers! Niggers! Niggers! Mod me down you fucking, crackas.

Re:Niggers? (0)

Anonymous Coward | more than 3 years ago | (#33498962)

Dude, what's with you? You steaming racist. Refer to them as what they are: African American Wildlife.

Behind the Scenes and Inside Workings of FIRST (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33497476)

First. First post that is.
 
Call me at 818-867-5309.

What is a tight-knight? (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33497702)

Subject says it all.

lol!! (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#33497944)

internets

My experience with CERT Malaysia (4, Interesting)

rshxd (1875730) | more than 3 years ago | (#33498206)

I run a Tor exit node on a VPS provider.

CERT Malaysia sent my VPS provider an "abuse" complaint because someone with an exploit-scanning script decided to launch an RFI attack against a CERT Malaysia honeypot. CERT MY (which is what I will refer to them as from now on) sent an automated complaint to my provider about this "attack". My provider's abuse department freaked out and suspended my server.

I emailed CERT MY using the reference number that had been emailed to the abuse department. I've never seen such a level of technical ignorance. First, the IP address that was attacked was omitted from the report. It was listed as "XXX.XXX.XXX" and after about six or so emails, they refused to give it to me or give me an IP address range for me to block in my firewall so I wouldn't get in trouble with them for hitting their honeypots.

I got nothing. They have the English skills of a 3-year-old. My provider finally realized their lack of professionalism and unsuspended my server. These groups think they are doing something when actually, it's delusions of grandeur. Yes, listening for "new" attacks is great but sending out automated, unsolicited emails (doesn't that technically qualify as spam?) to providers without review is hardly security. If they had looked at my hostname on my VPS, they would have realized it was a Tor exit node (hostname: tor-exit-node.domain.com).

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Sir,

According to our records, we do sent an alert to your ISP about the intrusion
attempt, and it was coming from the IP (omitted). It is not the issue of
whether we are using snort or what software, we have captured the intrusion
attempt, and we sent the alert to your ISP.

We understand you concern, providing anonymous and transparent browsing to all
of your user, but it have been abused, and you should do something about it. It
would not be a reason for us to whitelist TOR network from our system.

Hope your TOR network were up and running again now, and no such thing will
happen again in the future.
It's funny how they suggest I "do something" about it but fail to reveal their IP blocks or even the IP address of the sensor in question. They stopped responding to my emails after I told them I was going to email Jaring, their ISP, for sending out bulk spam and unsolicited emails to ISPs. Jaring never responded, so if you need to run a spam operation overseas, sign up with Jaring.

Re:My experience with CERT Malaysia (4, Insightful)

Draknor (745036) | more than 3 years ago | (#33498396)

I actually agree with CERT MY in this case. By providing a TOR exit node, you are acting as an access provider. Someone is abusing TOR, and you are their gateway. Seems like you have a responsibility, just like an ISP does.

And I agree with their methodology -- if they don't want people specifically targeting (or specifically avoiding) their honeypot, then of course they don't want to publish the IP.

Re:My experience with CERT Malaysia (1)

rshxd (1875730) | more than 3 years ago | (#33498434)

How can you agree in broken Engrish?

Re:My experience with CERT Malaysia (1)

Ihmhi (1206036) | more than 3 years ago | (#33500304)

How can you agree in broken Engrish?

Easy! Like this:

Me am thing CERT is do good idea this time. You give TOR exit, you provider of access. Someone make bad no-no with TOR and you let them. You is just as bad as them who is doing bads.

There way of doing things is be good - they no want people to know about secret numbers so they no give you secret numbers.

Re:My experience with CERT Malaysia (1, Interesting)

FuckingNickName (1362625) | more than 3 years ago | (#33498518)

if they don't want people specifically targeting (or specifically avoiding) their honeypot, then of course they don't want to publish the IP.

And if you want people to actually take any notice of your abuse reports, you'd better identify the target of abuse. "a.b.c.d is abusing us, but we're not telling you who we are," is completely unacceptable. No-one cares about your elite honeypot and the fact that you think you're important enough to run one and be taken on your word when you say it's being attacked.

Re:My experience with CERT Malaysia (1)

rshxd (1875730) | more than 3 years ago | (#33498550)

Plus a blacklist for Tor is widely available. They could incorporate checking that IP address against the Tor BL to help prevent things like this. Like I said, very unprofessional.
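
One way to do the check rshxd describes, as an added Python example that is not part of this thread or any CERT's tooling: the alert pipeline looks the source address up in a Tor exit list before a complaint is auto-sent, queues known exits for analyst review, and always names the sensor address and port in the report. The exit-list text, the relay fingerprints and the alerts are constructed samples, and the function names are my own.

```python
import ipaddress

# Constructed sample modelled on the "ExitAddress" lines of Tor's bulk exit
# list; fingerprints and addresses are made up (documentation ranges, not relays).
TOR_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2010-09-05 10:00:00
LastStatus 2010-09-05 11:00:00
ExitAddress 192.0.2.10 2010-09-05 11:00:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2010-09-05 10:30:00
LastStatus 2010-09-05 11:00:00
ExitAddress 198.51.100.7 2010-09-05 11:00:00
"""

# Constructed sensor alerts of the kind that fed the automated complaint:
# the first comes from a listed exit, the second from an unrelated host.
ALERTS = [
    {"src": "192.0.2.10", "dst": "203.0.113.5", "dport": 80, "sig": "RFI attempt"},
    {"src": "203.0.113.77", "dst": "203.0.113.5", "dport": 80, "sig": "RFI attempt"},
]


def parse_exit_list(text):
    """Return the set of exit addresses found in a bulk-exit-list document."""
    exits = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            exits.add(ipaddress.ip_address(parts[1]))
    return exits


def triage(alert, exits):
    """Decide whether an alert may be auto-sent or needs an analyst's review.

    A known Tor exit is queued for review because its operator cannot identify
    the real origin; either way the report states the sensor address and port
    so the recipient can actually act on it."""
    src = ipaddress.ip_address(alert["src"])
    report = {"source": str(src), "target": "%s:%d" % (alert["dst"], alert["dport"]),
              "signature": alert["sig"]}
    if src in exits:
        return {"action": "manual-review", "reason": "source is a known Tor exit", "report": report}
    return {"action": "auto-notify", "reason": "source not on the Tor exit list", "report": report}


def triage_all(alerts=ALERTS, exit_list=TOR_EXIT_LIST):
    """Run triage over a batch of alerts against one parsed exit list."""
    exits = parse_exit_list(exit_list)
    return [triage(a, exits) for a in alerts]
```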

Re:My experience with CERT Malaysia (1, Interesting)

Anonymous Coward | more than 3 years ago | (#33498540)

Tor exit node operators have limited control over how their node is used by Tor clients beyond IP and port number filtering.

If CERT thinks this behavior should be stopped they need to provide the means for the TOR operator to effectively filter the traffic.

They are basically attacking the Tor network - since Tor can be used to abuse and since CERT refuses to provide the necessary information to stop the attacks, they are basically asking the ISP to disable the Tor exit node. This is neither reasonable nor mature behavior.

Re:My experience with CERT Malaysia (1)

boxwood (1742976) | more than 3 years ago | (#33499134)

This is why Tor is pointless. Oh sure you can ban one IP. But if someone set up a botnet to make attacks through Tor? And who are you banning, the originator of the attack or the node that passed it along to you? If you can track down the originator of the attack, can't you also track down people who are criticizing totalitarian governments?

And who maintains the blacklists? Could the government of say, Iran get every IP within Iran put on the blacklist, making Tor unavailable to everyone in the country?

Perhaps you should be limiting what people can do through Tor, i.e. just http or https through port 80 only. That way you aren't going to be aiding the black hats and getting your internet connection turned off.

Re:My experience with CERT Malaysia (1)

rshxd (1875730) | more than 3 years ago | (#33499462)

Already done. I love how the Slashdot crowd loves to chime in. I guess you don't know what an RFI attack is all about. I'll fill you in: it's just a standard HTTP request. Thanks for your input though. It was very intelligent and extremely helpful.

Re:My experience with CERT Malaysia (1)

boxwood (1742976) | more than 3 years ago | (#33500196)

OK, so you're saying Tor is completely useless then, since it can't even do http without endangering other servers.

Re:My experience with CERT Malaysia (1)

WNight (23683) | more than 3 years ago | (#33501858)

Yes, the entire internet is useless because you can't expose broken servers in total safety.

Pack it up.

Re:My experience with CERT Malaysia (1)

rshxd (1875730) | more than 3 years ago | (#33500082)

Also, you obviously show no knowledge about how Tor operates. You can block the exit nodes on the BL, however there are connections that make an exit connection that are not listed on the Tor exit node list.

Re:My experience with CERT Malaysia (1)

boxwood (1742976) | more than 3 years ago | (#33500250)

Sure, I don't know much about Tor. What you haven't answered is how someone administering a Tor node can prevent others from using it to attack other systems?

Re:My experience with CERT Malaysia (1)

rshxd (1875730) | more than 3 years ago | (#33501794)

You can't. EOD

Re:My experience with CERT Malaysia (0)

Anonymous Coward | more than 3 years ago | (#33506238)

Nuh-uh. You've just proven his point boyo - They were right, you were wrong.
Providing an internet service (TOR) but refusing to accept responsibility for the abuse traffic emanating therefrom isn't "cool" or "hacktivism", it's being an impolite internet peer, and your upstream has every right (and indeed a duty, lest the taint should spread to them) to cut you off.

Re:My experience with CERT Malaysia (1)

boxwood (1742976) | more than 3 years ago | (#33507392)

Yup. Running a Tor node is no different from running a compromised server.

If someone is running a compromised server, a responsible ISP is supposed to disconnect it from the network.

Re:My experience with CERT Malaysia (1)

initialE (758110) | more than 3 years ago | (#33506416)

Tor does not inherently have the right to exist. If you run an exit node, you take on the responsibility of all the anonymous traffic that goes through it, as though you were the source of that abuse. I can see how the Malaysians may have to provide IP address details to your ISP, but I don't see why they should have to provide it to you. That's the price you pay for participating I guess. GP is right. Honeypots lose their effectiveness when their IP addresses are compromised.

Re:My experience with CERT Malaysia (1)

paxcoder (1222556) | more than 3 years ago | (#33513290)

What exactly do you agree with? That he's responsible, but shouldn't be able to fix it?

Darnit, the whole web filtering dilemma is hard. On one hand, I'd like individuals to be responsible, not service providers. On the other hand, I fully support unplugging servers/people for illegal activities other than file-sharing (call me biased). Also with the former, taking down individuals would require authentication of some sort, and that's unacceptable, but that is now beside the point.

About this case however: Tor-node-provider-guy isn't to blame, he had no knowledge of wrongdoing whatsoever (unlike when you get a take-down notice), and was willing to rectify the situation. CERT guys on the other hand, weren't willing to help him. So if you're looking to blame somebody...

Re:My experience with CERT Malaysia (0)

Anonymous Coward | more than 3 years ago | (#33504036)

You're surprised that a group from within a country that has a non-English official language has poor English skills?
