SUBJECT: Draft minutes of the 29th TF-CSIRT meeting, 25 January 2010, Hamburg, Germany
Page 1/8

29th TF-CSIRT meeting
25 January 2010
Grand Elysee Hotel, Hamburg, Germany
Please note that a seminar was held the following day.
1. Approval of Minutes
The minutes of the last meeting held on 25 September 2009 were approved.
2. Actions from last meeting
27.2 Lionel Ferette to circulate some ideas about drill exercises on the mailing list. Done.
28.1 Lionel Ferette to ask TERENA whether they can apply to be an ISO 27035 liaison member. Done; an application was currently being discussed.
3. CZ.NIC and CZ.NIC-CSIRT Presentation
Martin Peterka gave a presentation about CZ.NIC and its associated CSIRT (see http://www.terena.org/activities/tf-csirt/meeting29/peterka-cznic.pdf). CZ.NIC is a special interest association founded in 1998 by a number of leading ISPs to operate the Czech (.cz) ccTLD registry. It currently comprises 65 members and 40 employees, and through an MoU with the Czech government is considered a critical part of the state infrastructure. The main activities are to operate the ccTLD and ENUM registries, to develop and support registry software, to train and educate, and to operate a CSIRT. The CZ.NIC-CSIRT is responsible for incident handling within the AS25192 address space, and with respect to the name servers for .cz and 0.2.4.e164.arpa. They also handle complaints related to phishing and malware associated with .cz domain names, and work in cooperation with CSIRT.CZ on these issues.
From the 1st of January 2010, they also have the legal power to deactivate a domain if it is used in a fashion that endangers computer security. Deactivation can be for up to one month at the decision of CZ.NIC-CSIRT, but further suspensions can be enabled if abuses continue.
CZ.NIC-CSIRT plans to apply for TI accredited status.
Andrew Cormack asked whether there was a published procedure for deciding when to
suspend domains, and what happens after they have been suspended. Martin replied
there was an internal process that was followed, particularly with respect as to who was
informed, but this was not published.
Lionel asked how many domains had been suspended so far. Martin replied none had
actually been suspended to date, although domains had been cancelled in the past.
4. CIRCL Presentation
Pascal Steichen gave a presentation about CIRCL (see http://www.terena.org/activities/tf-csirt/meeting29/steichen-circl.pdf). This was the government CSIRT for Luxembourg, which provided incident handling for government departments, municipalities, and other public organisations. It also supported critical infrastructures in sectors such as banking and ICT that were important to national interests. The team had recently become a member of FIRST, and was now also TI accredited.
CIRCL took a three-way approach to security: responding to incidents and distributing alerts and warnings, taking a proactive approach by following trends and circulating advisories, and finally providing security training and consultancy. This included development of the LEWIS project (Luxembourg Early Warning and Information Sharing System), which was based on locating sensors at strategic network points to provide active and passive intrusion detection, as well as honeypot facilities for capturing and analysing malware. This facilitated correlation and exchange of information, which was provided to members of the project in a standardised format.
Another initiative was SMILE (Security Made In Letzebuerg) which was a publicly funded
private agency with eight employees that had been established to advise less technically
knowledgeable organisations about security. This would start in Spring 2010 and would
focus on schools, municipalities, and small/medium enterprises.
5. Delivering services in a user-focused way
Marcus Pattloch gave a presentation about the new DFN-CERT portal that aimed to improve handling of incident warnings and alerts (see http://www.terena.org/activities/tf-csirt/meeting29/pattloch-dfncert-portal.pdf). The issue was that the DFN-CERT had seen ever increasing numbers of vulnerabilities over the years, and had been circulating more and more information in an attempt to raise awareness of these. However, not everything was useful to every site, and this had led to information overload that decreased the effectiveness of what was trying to be achieved.
As a result, the DFN-CERT portal (https://portal.cert.dfn.de/) aimed to provide only information that was relevant to individual sites, as identified by their site certificates. For example, only advisories related to platforms operated by a particular site, or incident warnings affecting particular networks, would be received. In addition, the portal would shortly offer network scanning for IP address ranges in order to show open ports, services being advertised, and potential system vulnerabilities.
The portal was not intended to directly replace incident response operators, but to improve distribution of information, identify potential problems in advance, and ensure the right people were aware of issues when they did arise.
Benoît Moreau asked how they knew who was responsible for IP address ranges when a check was requested. Marcus replied that DFN maintained site contact information for all addresses under its authority.
6. ICANN and DNS Security, Stability and Resiliency Activities
Greg Rattray gave a presentation on DNS security issues (see http://www.terena.org/activities/tf-csirt/meeting29/rattray-dns-security.pdf). ICANN was ultimately responsible for the DNS, which was critical to the entire Internet infrastructure, so needed to take measures to ensure its security and stability. The DNS root servers were an obvious target for direct attacks, but equally the system could be compromised through poorly run or malicious actors.
The measures being taken included support for DNSSEC through the signing of the root
zone by mid-2010, and authenticating communication with TLD managers. In addition,
vetting had been implemented to ensure new TLD applicants offered stable operations
and proper security controls. This included the Attack and Contingency Response Plan
(ACRP) being drawn up in conjunction with ISOC and regional ccTLD associations. In the
longer term, there were proposals to disallow wildcards and glue records, and undertake
more checks on Whois information.
Another initiative was to provide specific DNS training to CSIRTs, and initial outreach
efforts had begun at FIRST 2009 in Kyoto. This would continue at a joint ICANN-FIRST
Cybersecurity Workshop that would be held on 5-8 March 2010 in Nairobi, and at FIRST
2010 on 13-18 June 2010 in Miami.
In addition, ICANN proposed to establish a Global DNS CERT to coordinate responses to
DNS incidents. This would involve important stakeholders in the DNS community, and
would operate in conjunction with the broader cybersecurity community.
Kauto Huopio asked whether ICANN had considered that many national CSIRTs were operated by the same organisation (and in some cases the same people) as the ccTLD registry, and were already involved in DNS activities. Greg replied they were aware of some relationships, but needed to investigate this further.
7. Grid Security Developments
Daniel Kouřil gave a presentation on the latest Grid Security developments (see http://www.terena.org/activities/tf-csirt/meeting29/kouril-gridsec.pdf). The EGEE project currently coordinated many National Grid Initiatives (NGIs) that involved around 250 sites, 150,000 CPUs and 30 PB of storage, processing thousands of jobs per day. However, EGEE was due to finish in April 2010, and would be replaced by the longer-term European Grid Initiative (EGI).
Operational security was currently coordinated by EGEE CSIRT, in cooperation with
individual sites and virtual organisations that remained responsible for their own
resources, but signed up to binding policies. NGIs were now establishing their own
CSIRTs in response to several incidents that had been experienced, but such incidents
were not confined to Grid systems and closer collaboration with NREN CSIRTs was
welcomed. With the transition to EGI, utilising the skills and experiences of existing
CSIRTs could save a lot of effort.
Marcus Pattloch asked why the Grid community was establishing its own CSIRTs and
didn’t simply use existing CSIRTs. Daniel replied one problem was that existing CSIRTs
were usually nationally-based, whereas Grids often spanned a number of countries. In
addition, Grid incidents often had different characteristics, and whilst the processes to
handle them were similar, some familiarity with the Grid community was needed.
8. TRANSITS update
Don Stikvoort provided a short update on the latest TRANSITS developments (see http://www.terena.org/activities/tf-csirt/meeting29/stikvoort-transits.pdf). The next workshop would be held on 4-5 March 2010 in Uppsala, Sweden, with the deadline for applications being 8 February 2010. The cost was EUR 500 for participants from not-for-profit organisations, and EUR 750 for participants from commercial companies, which included all accommodation and meals.
There were also plans for a TRANSITS-2 workshop later in the year. This would be
focused on more advanced topics such as network monitoring and forensics.
9. Trusted Introducer overview
As there were many new people at the meeting, Don Stikvoort gave a short overview of the Trusted Introducer service (see http://www.terena.org/activities/tf-csirt/meeting29/stikvoort-ti.pdf). This accredited CSIRTs in Europe and surrounding regions according to established criteria, and maintained a secure database of contacts that were actively checked and updated. It also provided a trusted forum to meet and exchange information, provided supporting services such as out-of-band communication, and worked on issues such as data exchange standardisation and certification.
The first stage towards accreditation was to have one’s CSIRT listed. This was free of charge and required the support of two accredited teams. A CSIRT could subsequently apply for accreditation, which provided access to the TI services supported by the TI team. More information was available at http://www.trusted-introducer.org/
10. GN3 Security Activities
Maurizio Molina and Baiba Kaskina gave a presentation on the latest developments in the GN3-SA2/T4 security activities, in particular the survey on multi-domain anomaly handling in NRENs (see http://www.terena.org/activities/tf-csirt/meeting29/kaskina-gn3-security.pdf).
The aim of the survey was to obtain a detailed picture on how multi-domain anomalies
were handled. A series of 36 questions were asked about anomaly classification, the tools
used for detection, and workflows and procedures. 38 NRENs were contacted and 22
responses were received.
An average of 26.8 anomalies were seen per day, with malicious code, abusive content, fraud, intrusion detection and information gathering being the most common. The most popular methods for detecting and combating these were NetFlow, log analysis and intrusion detection systems. Other methods included honeypots, DNS blackholing, and darkspace detectors.
Prioritisation was usually based on the source of the anomalies, with preference given to one’s own network. However, the number of originating and targeted hosts, and whether events were repeated, also influenced these decisions. The methods used to identify the responsible people on other networks/sites often came down to personal contacts or CSIRT contact databases. Failing that, Whois or even Google were resorted to.
Baiba thanked those who had participated in the survey, and mentioned there was still
time for other NRENs to be involved which would help provide a more comprehensive
picture. In addition, there was an idea to extend the survey to other CSIRT teams from
outside the NREN community.
11. Date of next meeting
The next meeting will be held on 20-21 May 2010 in Heraklion, Greece (hosted by FORTH
CERT).
Lionel Ferette pointed out that as FORTH was located a few kilometres outside of
Heraklion, it would be necessary to arrange transportation to take participants from the
hotels to the meeting venue. It was therefore important that the local organisers had
accurate numbers in good time, and for this reason registration would close two weeks in
advance.
12. Any other business
Marco Thorbruegge mentioned that the list of incident handling tools on the CHIHT
website had recently been updated following the ACOnet survey. This could be found at
http://www.enisa.europa.eu/act/cert/support/chiht/
Open Actions
There are currently no open actions.
Participants

Name                      Organisation                  Country
Hillar Aareleid           CERT-EE                       Estonia
Bente Christian Åsgård    UiO-CERT                      Norway
Jordi Aguila              La Caixa                      Spain
Shehzad Ahmed             DK-CERT (UNI-C)               Denmark
Antti Alinen              Ericsson                      Finland
Jimmy Arvidsson           TeliaSonera CERT              Sweden
Ioannis Askoxylakis       FORTH CERT                    Greece
Javier Berciano           INTECO-CERT                   Spain
Wim Biemolt               SURFcert                      The Netherlands
Vladimir Bodor            TS-CERT (TeliaSonera)         Sweden
Philippe Bourgeois        CERT-IST                      France
Gorazd Bozic              SI-CERT                       Slovenia
Matej Breznik             SI-CERT                       Slovenia
Martin Camilleri          mtCERT                        Malta
Robert Cecchini           GARR-CERT                     Italy
Matthew Cook              EMMAN/Loughborough Univ.      United Kingdom
Jorge Chinea Lopez        INTECO-CERT                   Spain
Ian Cook                  Team Cymru                    United Kingdom
Andrew Cormack            JANET(UK)                     United Kingdom
Frederico Costa           RNP                           Brazil
Goran Culjak              CERT ZSIS                     Croatia
Michelle Danho            CERT-RENATER                  France
Jerome Devigne            BELNET CERT                   Belgium
Till Dörges               PRE-CERT/PRESENCE             Germany
Ralf Dörrie               Deutsche Telekom              Germany
Serge Droz                SWITCH-CERT                   Switzerland
Jussi Eronen              CERT-FI                       Finland
Lionel Ferette (Chair)    BELNET CERT                   Belgium
Carlos Fuentes            IRIS CERT                     Spain
Sven Gabriel              NIKHEF                        The Netherlands
Chris Gibson              citi                          United Kingdom
Michael Groening          DFN-CERT                      Germany
Peter Haag                SWITCH-CERT                   Switzerland
Tilmann Haak              DFN-CERT                      Germany
Sven Hallberg             PRESENSE                      Germany
Anders Hardangen          NorCERT                       Norway
Nicolas Holin             CERTA                         France
Kauto Huopio              FICORA/CERT-FI                Finland
Yurie Ito                 JPCERT/CC                     Japan
Pawel Jacewicz            CERT Polska (NASK)            Poland
Thorben Jändling          SWITCH                        Switzerland
Xander Jansen             SURFcert                      The Netherlands
Nino Jogun                CARNet                        Croatia
Baiba Kaskina             SigmaNet                      Latvia
Piotr Kijewski            CERT Polska (NASK)            Poland
Georgia Killcrece         CERT/CC                       United States
Mark Koek                 Fox-IT                        The Netherlands
Jan Kohlrausch            DFN-CERT                      Germany
Jószef Komli              CERT-Hungary                  Hungary
Klaus-Peter Kossakowski   DFN-CERT                      Germany
Daniel Kouřil             CESNET CERT                   Czech Republic
Thorsten Kraft            1&1 Internet                  Germany
Andrea Kropacova          CESNET                        Czech Republic
Morten Linneman           DK-CERT (UNI-C)               Denmark
Antonio Liu               PRESECURE                     Germany
Stefan Lueders            CERN                          -
Scott McIntyre            KPN-CERT                      The Netherlands
Stelios Maistros          GRNET-CERT                    Greece
Miroslaw Maj              CERT Polska (NASK)            Poland
Egil Mannerheim           Swedbank                      Sweden
Detlev Matthies           DFN-CERT                      Germany
Girts Mažonis             DDIRV                         Latvia
Arturs Medenis            CERT NIC.LV                   Latvia
Stefan Metzger            DFN-CERT/LRZ                  Germany
Kevin Meynell (Secretary) TERENA                        -
Maurizio Molina           DANTE                         -
Klaus Möller              DFN-CERT                      Germany
Francisco Monserrat       RedIRIS                       Spain
Benoît Moreau             CERTA                         France
Leif Nixon                National Supercomputer Centre Sweden
Tomasz Nowocien           PIONIER-CERT/PSNC             Poland
Carol Overes              GOVCERT.NL                    The Netherlands
Marcus Pattloch           DFN-CERT                      Germany
Darko Perhoc              CARNET National CERT          Croatia
Martin Peterka            CZ.NIC                        Czech Republic
Jacomo Piccolini          ESR/RNP                       Brazil
Timo Porjamo              Funet CERT                    Finland
Christian Proschinger     Raiffeissen Informatik CERT   Austria
Tomislav Protega          CARNet National CERT          Croatia
Peter Quick               Deutsche Telekom              Germany
Margrete Raaum            UiO-CERT                      Norway
Greg Rattray              ICANN                         -
Wayne Routly              DANTE                         -
Jürgen Sander             PRESENSE                      Germany
Lino Santos               CERT.PT                       Portugal
Shiori Sato               JPCERT/CC                     Japan
Timo Schäpe               DFN-CERT                      Germany
Robert Schischka          CERT.at                       Austria
Jochen Schoenfelder       DFN-CERT                      Germany
Jacques Schuurman         SURFcert                      The Netherlands
Udo Schweigert            Siemens CERT                  Germany
Hadas Shany               Israel CERT                   Israel
Derek Simpson             BT CERT CC                    United Kingdom
John Snyder               BT CERT CC                    United Kingdom
Liliana Solha             RNP                           Brazil
Pascal Steichen           CIRCL                         Luxembourg
Don Stikvoort             S-CURE                        The Netherlands
Dieter Stolte             DFN-CERT                      Germany
Joerg Streckfuss          DFN-CERT                      Germany
Egils Stūrmanis           DDIRV                         Latvia
Yoshi Sugiura             NTT                           Japan
Harri Sylvander           FUNET CERT (CSC)              Finland
Balazs Szekeres           CERT-Hungary                  Hungary
Alexander Talos-Zens      ACOnet-CERT                   Austria
Axel Theilmann            PRESENSE                      Germany
Marco Thorbruegge         ENISA                         -
Atanai Ticianelli         RNP                           Brazil
Bob van der Kamp          GOVCERT.NL                    The Netherlands
Jaap van Ginkel           SURFcert/UvA                  The Netherlands