Tag Archives: CERT

IL-CERT finally picking up speed

It’s been a long time since I talked about IL-CERT. My personal story with the IL-CERT (or lack thereof) started somewhere in 2009 when I was dealing with some incidents that affected constituencies in multiple countries – Israel included (which were part of my background research for my Cyber[Crime|War] talk).

It then picked up some speed when I started meeting people with similar interests and vision here in Israel, and we started to discuss how a CERT should be built, given the current situation (a government CERT with minimal constituency and no civil coverage, and an academic CERT that only covered a small part of the universities). There were a lot of toes to step on, and we were trying to map out the dance floor before rolling out our crazy dance. It also started my own personal research into the CERT world, and led me to meet some great people from the FIRST community.

Incidents came and went, rants were made, I let the project simmer, and it almost died completely as we were entangled with bureaucracy, politics, and legal issues.

And then came Stratfor. And then the hackers that broke into a few sites and stole “400,000” credit cards (actually less than 19,000). And then a quick chat with one of the people I trust in this industry – Aviv Raff, who recently joined the CERT effort. We quickly decided, seeing how the local media addressed the incident, that this would be the right time to get proactive and leave the trolling and waiting-for-something-to-happen aside.

A quick and efficient site was set up, some scraping of the data that was leaked, a secure lookup system for people to check if they are exposed to the incident, and we were up and running (even in English now). Haven’t had that much fun in some time.

Leaving the usual trolling aside (how come people are great with “you shouldn’t have done this or that”, and really suck at actually doing anything…), we had over 5000 unique visitors to the site in a matter of hours, and some great feedback from people who used the site. Thus far it is still the best and most secure way of checking if you were impacted (don’t even get me started on all the scammers that are asking for your emails to see if it’s on the list or not…).
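As an added illustration (not the IL-CERT site's own code, whose design the post does not describe), here is one way a breach-exposure lookup can avoid the "send us your email" problem the post complains about: the index holds only one-way digests of the leaked identifiers, and the client reveals just a short digest prefix, finishing the match locally. The sample addresses are constructed, not from any real leak.

```python
import hashlib
from collections import defaultdict

# Constructed sample of leaked identifiers (no real data). Card numbers or
# passwords from a leak never need to enter the lookup index at all.
LEAKED_EMAILS = [
    "alice@example.com",
    "Bob@Example.COM",
    "carol@example.org",
]

PREFIX_LEN = 5  # hex characters of the digest the client discloses


def normalize(email: str) -> str:
    """Canonicalize so 'Bob@Example.COM' and 'bob@example.com' match."""
    return email.strip().lower()


def digest(email: str) -> str:
    """One-way identifier stored in the index instead of the address.
    Caveat: an unsalted digest of an address is still guessable from a
    dictionary of addresses; it prevents casual disclosure, not brute force."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def build_index(emails):
    """Server side: bucket full digests by prefix. Only this structure is kept."""
    index = defaultdict(set)
    for e in emails:
        d = digest(e)
        index[d[:PREFIX_LEN]].add(d)
    return index


def range_query(index, prefix: str):
    """Server side: answer a prefix with every digest in that bucket,
    so the server never learns which single address the client is checking."""
    if len(prefix) != PREFIX_LEN:
        raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
    return sorted(index.get(prefix, ()))


def is_exposed(index, email: str) -> bool:
    """Client side: send only the prefix, compare the full digest locally."""
    d = digest(email)
    return d in range_query(index, d[:PREFIX_LEN])


if __name__ == "__main__":
    idx = build_index(LEAKED_EMAILS)
    for probe in ("bob@example.com", "dave@example.net"):
        print(probe, "exposed" if is_exposed(idx, probe) else "not listed")
```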

Hopefully, this is the real start of the IL-CERT. At least I know that we finally picked up the challenge and did something about it.

Local PayPal Phishing – and why we need a CERT

This just came in the mail: (twice – at two different mailboxes – I must be a high value target for these guys)

A classic phishing email, with the only exception that it seems highly targeted at the Israeli market! (yeah – I know, I sound a little excited, but this is the first one I ever got…). Obviously, I am not the new owner of a BROWN denim jeans (eeewww!), so as I am very interested in who may want my PayPal details, a bit of digging brought this up:


  1. The phishing site (the one led to by the obvious “CANCEL TRANSACTION” link) is hosted on al3abnt.com.
  2. al3abnt.com is obviously not related to PayPal, and in a very unusual turn of events it is actually registered to a person, or at least to something that may lead closer to a person than most phishing sites do (they use whois anonymizing).
  3. The Whois registration (see below) also leads to a website on anasblog.me. This seems to be a personal blog from a local village called Salfit in Israel (I knew it reminded me of something… been around there a couple of times :-)).
  4. The blog (see screenshot below) seems pretty anti-Israeli (note the “we are with the third intifada” button on the top-left corner) – thus explaining the interest in local Israeli PayPal accounts.
  5. Obviously – there’s no-one to send the notification to… no CERT would handle this, and the police are almost comical in the way they react to calls of this nature…

I’m guessing that a CERT would have done the following:

  1. Publish a warning notification on the offending site, and the email template.
  2. Coordinate with the ISP on the takedown of the offending site, and with law enforcement on apprehending the scammer (A phone number is listed on the whois information – feel free to try it out 🙂 ).

Be safe out there!

The Turkish hack and another case for IL-CERT

You have been living under a rock if you haven’t heard of the Turkish hack a couple of days ago. Basically – a Turkish hacker forum that harbors a strong anti-Israeli attitude has been practicing hacking and mostly defacing Israeli sites for the past few months (years).

Now, this is nothing new, and as I stated before, it has been going on for years. I’m not even going to go into the political discussion on whether this is sponsored by the government (or whether the government has turned a blind eye to it), as opposed to Israeli hackers that would like to retaliate but know that they would be charged in their own country for computer crimes.

No.

The focus here is that there was such a huge media outrage over the fact that so many (more than 100,000) user accounts have been affected, and everyone is scrambling to figure out who should have notified whom about what. A couple of funny things to consider in this incident:

  1. There are more than a couple of companies in Israel that specialize in gathering intelligence on such forums as their core business. One company has even been quoted as saying that they knew of this issue months ago.
  2. Some of the accounts that have been breached belong to government personnel (or at least have a .gov.il email account with its corresponding password).
  3. The sites that have been breached were not notified until a couple of days ago. They have no-one to consult with in terms of how to handle this incident, or how to fix their issues (ever heard of one-way password hashing??? apparently not…).

Why am I bringing up these specific points? Let’s see, now from the perspective of a normal CERT which, had it been here, would have addressed these as follows:

  1. Companies that deal with security research can send their insights on local security incidents to a coordinating entity – IL-CERT – that would manage the anonymous and responsible notification to the affected parties. No need to figure out a local policy for notifications, no need to dig out contact details for obscure police departments and guesstimate whether they even care about your data, and no need to get into the politics of the existing semi-CERTs and what their constituency is.
  2. Coordination and notification to government-related bodies would be handled through the ILGOV-CERT (although their website is not too promising, there are ways to reach them…). Additionally, collateral damage notification would also be handled in the same way (i.e. – a .gov.il site has not been breached, but .gov.il accounts have been found through breaching a .co.il server. This is the kind of thing that ILGOV-CERT does not know how to handle right now…).
  3. Incident handling support and assistance would have been provided by subject-matter experts to any site that has experienced a breach. No cost associated (unless actual work on the servers or code would have been sought after, in which case the IL-CERT would probably have done a referral, as initially it would not be a commercial body).

Simple, huh? And you keep wondering how come a place where so much innovation in science, technology and security has come from is still in the dark ages of its own internet security…

FIRST and IL-CERT

Funny thing how I got to go to Miami last week…

So, one time, at security camp, I figured that there isn’t a whole lot of infrastructure in my back yard to really call a decent CERT. I have experienced that multiple times (and again and again) when handling major incidents that prompted incident handling in dozens of countries around the world, and when trying to do the same back home (in Israel), I got “bobkes”.

The thing is, there are currently two “CERTs” operating in Israel – an academic one (ILAN-CERT) which only serves a portion of the actual academic networks in Israel (surprise surprise…), and CERTGOV-IL (which seems to be mostly in maintenance mode, and only serves the government sites). Bottom line – if you want to report an incident that does not fall into these CERTs’ constituencies (about 90% of the cases), you are out of luck…

So, just like the ever-optimistic fool that I am, I decided to give it a try and start a normal IL-CERT. Back at the time when I started to dance the political/bureaucratic dance, I figured that it would be a good idea to present at FIRST2010, as IL-CERT would be alive by then. Ahhh, the optimism…

Months went by, emails flew, meetings were held, and I arrived at the FIRST conference with only a glimmer of hope for a decent CERT. I almost dropped all hope for it, but then had a great time running into the FIRST crowd. Every time I got into a conversation with a member, I usually got the same question: “so, can I send you information on incidents in Israel? Because there hasn’t been anyone to send data to for years”.

Embarrassing. Nothing less (and to think that there was another Israeli “CERT” member onsite…). Long story short – I’m currently willing to put my hiney on the line and at least be able to say that I tried.

So here goes – I’m publishing an open call to anyone local who would like to participate and contribute to the IL-CERT. Also – if you need/want to report on any incident related to the constituency of a decent IL-CERT, please feel free to pass it my way until we set up the basic infrastructure for IL-CERT.

Wish me (us?) luck and godspeed. And thanks again to everyone I met at FIRST-2010 who reinforced my crazy endeavor.