CERT (Computer Emergency Response Team) and CSIRT (Computer Security Incident Response Team) are organizations responsible for responding to and solving computer security incidents, coordinating security responses; they also try to prevent security incidents.
Mutual sharing of information, personal contacts and trust are fundamental for cooperation of CSIRTs. An appropriate working basis for regular meetings of European CERTs/CSIRTs is the TF-CSIRT, working group, initiated and coordinated by the TERENA organisation. Its global counterpart is FIRST.
These acronyms stand for working teams, international organisations and fora as follows:
CSIRT - Computer Security Incident Response Team
CERT - Computer Emergency Response Team (a registered trademark of the Carnegie-Melon University)
TF-CSIRT - international forum for CSIRT cooperation at the European level. It consists of two groups – a closed one, accessible only to accredited teams, and an open one which is accessible to any party interested in CSIRT matters. TF-CSIRT is one of the activities of the international organisation TERENA. The TF-CSIRT working group usually meets several times a year.
TERENA - Trans-European Research and Education Networking Association, a European organisation supporting Internet and infrastructure activities and services within the academic community.
FIRST - Forum of Incident Response and Security Teams, a global CSIRT forum.
All information about CSIRT.CZ’s activities will be published on its website www.csirt.cz. We plan to publish basic information about the most interesting cases which CSIRT.CZ has dealt with, including the most frequently occurring or most serious incidents.
All CSIRT.CZ contact information is published here. However, communication and cooperation with CSIRT.CZ relating to internet incidents requires some degree of professionalism and knowledge. As such, it serves primarily as a "Last resort institution" for other CSIRTs in solving incidents and not as a “help-line“ for ordinary users. These should turn to their corporate/school network administrator or to a local CSIRT team of their Internet Service Provider.
The key objective of CSIRT.CZ activities is communicating and sharing its experience among CSIRTs. CSIRT.CZ will be carrying out common activities, such as in particular
The CSIRT.CZ is provided and funded by CZ.NIC since 1st January 2011.
The RIPE database holds data on TCP/IP networks and their administrators in Europe, the Middle East and parts of Asia (former USSR). In addition, it can also supply information about domains belonging to top-level domains from this area. Administrators of appropriate top-level domains, e.g., the CZ.NIC in the Czech Republic, are responsible for data about these domains.
The RIPE DB provides information about the organisations and administrators responsible for IP address allocations using the "whois" service.
For example, this service can find out that an IP address block containing the 22.214.171.124 address of the main WWW server www.cesnet.cz of the CESNET Association might contain RIPE DB data such as:
inetnum:126.96.36.199 - 188.8.131.52 netname:CESNET-BB4 descr:CESNET, z.s.p.o. descr:Prague 6 country:CZ admin-c:XY1234-RIPE tech-c:XY1234-RIPE status:ASSIGNED PA mnt-by:TENCZ-MNT mnt-lower:TENCZ-MNT remarks:Please report network abuse -> email@example.com source:RIPE # Filtered person:Xaver Ypsilon address:CESNET, z.s.p.o. address:Zikova 4 address:Praha 6 address:160 00 address:The Czech Republic phone:+420 224351111 fax-no:+420 224359999 abuse-mailbox:firstname.lastname@example.org nic-hdl:XY1234-RIPE source:RIPE # Filtered % Information related to '184.108.40.206/16AS2852' route:220.127.116.11/16 descr:CESNET2 origin:AS2852 mnt-by:AS2852-MNT remarks:Please report abuse -> email@example.com source:RIPE # Filtered
Anyone can access the RIPE DB data. However, its data is copyrighted and may be used for agreed Internet operational purposes only. It must not be used without prior permission of the RIPE NCC for any other purposes, e.g., for sending bulk Unsolicited Commercial E-mail (spam).
Key sources of IP address allocation data are databases maintained by Regional Internet Registries which allocate IP ranges to Local Internet Registries. At present, there are five Regional Internet Registries:ARIN, LACNIC, AfriNIC, RIPE NCC, and APNIC
Source: RIPE NCC Annual Report 2006
Information about every IP address allocation together with basic data on organisations administering these addresses is recorded in database of one of the Regional Internet Registries named above. Every organisation must keep its data there up-to-date.
Anyone can access the IP address databases listed above. Regional Internet Registries as well as many top-level domain administrators allow searching for data on IP address allocations, and possibly also on domains.
Most top-level domain administrators run the WHOIS service which allows searching for data on domains registered under their TLD. Usually, WHOIS can be accessed using the WHOIS protocol or using a web-based graphic user interface.
Information on the ".cz" top-level domains can be found:
Some web pages or programs can forward requests for data on IP address allocation or domain to appropriate WHOIS servers and display their responses, e.g.,
Some WHOIS clients have the same functionality. The following is available under Un*x systems:
The jwhois program is available for Microsoft Windows as well:
Examples of use:
$ whois 18.104.22.168
$ whois domain.cz
$ whois google.com
Information about every IP address allocation together with basic data on organisations administering these addresses is recorded in database of one of the Regional Internet Registries (the RIPE NCC in Europe). One of the most important data there is the firstname.lastname@example.org e-mail address which is used for reporting security incidents originating from this address allocation. Let us find the following information about IP address 10.0.0.138 from the RIPE DB:
inetnum:10.0.0.0 - 10.0.0.255 netname:HOME-NETWORK descr:Home Network country:ZZ admin-c:ME1-RIPE tech-c:ME1-RIPE status:ALLOCATED PI mnt-by:I-MNT remarks:Please report network abuse -> email@example.com source:RIPE # Filtered person:Me Myself and I address:Home Alone address:No Street 123 address:No City address:123 45 address:No Country phone:+11 22 33445 fax-no:+11 22 33445 abuse-mailbox:firstname.lastname@example.org nic-hdl:ME1-RIPE source:RIPE # Filtered
One can see that reports on security incidents originating from this IP address allocation should be sent to "email@example.com".
If no "firstname.lastname@example.org" exists in the database records, the incident report should be sent to e-mail addresses of administrative and technical managers given in the database. If the domain address of the suspect machine is known, e.g., if machine 10.0.0.138 has a domain address "www.my-home.tld", the incident report should be sent also to "email@example.com".
Computer Security Incident is every misuse of a computer, network element or network for unlawful purposes. Some most common examples are:
Usually, the computer behaves strangely:
However, the computer may also be compromised for a long time (e.g., by a keylogger) and user may not know it at all.
Disconnect the computer from the network (Ethernet cable, switch off its Wi-Fi card).
Run one or preferably several reliable and up-to-date antivirus and antispyware programs from trusted sources and try to find/remove the cause of the incident (virus, spyware). Complete new operating system installation from distribution media (CD-ROM) may be necessary if the problem persists.
Monitor network traffic, usually in cooperation with the network administrator. Check recent computer logs if available. Hard disks should be archived to be checked later.
Learn from this accident:
If your computer started acting strangely and if you think that this is a matter of security, please follow the instructions given in the previous paragraph or ask your network administrator, computer shop staff or Internet Service Provider for help. Please do NOT contact CSIRT.CZ.
If your network has become a target of network attack and if you are not sure that you can correctly identify the network where this target originated, please ask for help your experienced fellow administrators, administrators of your parent network, your Internet Service Provider, etc., who should be able to handle this incident for you. Please do NOT contact CSIRT.CZ.
If your network has become a target of network attack and if you are sure you have correctly identified the originating network as well as the e-mail addresses of administrators responsible, please send them your incident report as soon as possible to minimise the overall damages.
If you have already sent your incident report but received no reasonable response within several days and the attack still continues, you can send your original incident report together with a covering letter to the CSIRT.CZ which will try to handle this incident for you and inform you about the outcome.