04/11/2013

APCERT Commemorates Its 10th Anniversary

G’day! This is Shiori Kubo from JPCERT/CC, serving as a member of the APCERT Secretariat. Today I would like to cover APCERT’s 10th anniversary, commemorated at the APCERT AGM & Conference 2013, held on 23rd - 27th March 2013 in Brisbane, Australia, very warmly and successfully hosted by CERT Australia.

About APCERT
For readers who are not familiar with APCERT, please let me briefly introduce – APCERT stands for Asia Pacific Computer Emergency Response Team, and as the name implies, it is a forum of CSIRTs/CERTs in the Asia Pacific region, currently consisting of 20 teams from 30 economies. APCERT maintains a trusted contact of computer security experts in the Asia Pacific region to improve the region’s awareness and competency in relation to computer security incidents.

APCERT’s History in Brief
The dawn of APCERT traces back to the late 1990s, when a vision was developed by the leading CSIRTs/CERTs in the Asia Pacific to establish a regional forum for cross border cooperation and Internet security incident handling. In March 2002, JPCERT/CC hosted the Asia Pacific Security Incident Response Coordination Conference (APSIRC) in Tokyo, aiming to improve working relationships among the CSIRTs/CERTs in the region. A key outcome was the decision to form APCERT as the vehicle for regional cross border cooperation and information sharing in mitigating cyber threats. In February 2003, all this became a reality – and APCERT was established, consisting of 15 teams from 12 economies. Since then, APCERT has steadily broadened its membership and activities, as represented by its annual cyber security drills, annual events (AGM & Conference) and outreach to various international and regional meetings. For further information, please visit the APCERT website.

“APCERT & Cyber Security: Then, Now and Beyond”
This was the theme of the 10th anniversary milestone event in Brisbane. During the past decade, the rapid development of the Internet has dramatically changed our surroundings and has increased our dependency on the Internet, as seen in various business, government and critical infrastructure services online. Along with this change, cyber attacks have also increased in frequency, sophistication and scale. Accordingly, Internet security has become a key issue to protect the economic and political stability of a nation and within the region. APCERT has taken a collaborative approach to fight against this growing threat, and will continue to strengthen its information sharing framework and incident response capabilities.

Group Photo at APCERT AGM & Conference 2013

JPCERT/CC’s Involvement in APCERT
JPCERT/CC has had the privilege of serving as a Steering Committee member and Secretariat since APCERT’s establishment. Furthermore, JPCERT/CC currently serves as the APCERT Chair and takes a lead role in developing outreach activities in particular. Our commitment requires hard work, but we enjoy the chance to take part in leading and supporting the operations and directions of APCERT. And to our pleasant surprise, JPCERT/CC was awarded by APCERT during the APCERT AGM & Conference 2013 event for our contribution. The beautiful crystal plaque was generously prepared and presented by KrCERT/CC.

JPCERT/CC awarded by APCERT

We express our sincere gratitude for the award and reaffirm our commitment to do what we can in realizing APCERT’s vision: “APCERT will work to help create a Safe, Clean and Reliable cyber space in the Asia Pacific Region through global collaboration.”

I feel that the expertise that exists in each Team, and the trust relationship and friendship that reside among us, all make our working experience a very inspiring one. I personally learn much from working in APCERT too, and this time I learned a new word from our host, CERT Australia – “Wheels Up party.” When an event is over and the visitors take off for home on the plane (wheels up), the host throws a Wheels Up party for the “job well done!” So, as a final note, I would like to thank and wish CERT Australia a big Wheels Up party, and also a Wheels Up party to all APCERT members on this 10th anniversary milestone – and sincerely look forward to our continuous journey on board APCERT!

- Shiori Kubo

02/13/2013

CVE is about to undergo a change in syntax for CVE identifiers

Hello, it's Taki here and it has been a long time since I last wrote here.

Today's topic is about the following:


Call for Public Feedback on Upcoming CVE ID Syntax Change
https://cve.mitre.org/news/index.html#jan242013a


Before I get into the details of what is said here, I would like to quickly introduce CVE. CVE stands for Common Vulnerabilities and Exposures and it is managed by The MITRE Corporation in the US. CVE identifiers are unique, common identifiers for publicly known information security vulnerabilities. For more details on CVE identifiers, please refer to the following:


About CVE Identifiers
https://cve.mitre.org/cve/identifiers/index.html


So getting back to the discussion topic, CVE is about to undergo a change in the syntax for CVE identifiers. The current syntax, CVE-YYYY-NNNN can only support a maximum of 9,999 unique identifiers for a given year.

There are many users of CVE across the globe and a syntax change may affect a number of users, thus the CVE project is soliciting feedback prior to changing the syntax.

There are 3 choices to choose from, and I will list them in my order of preference with some reasoning behind each placement. (For details on the exact syntax for each option, please refer to the MITRE announcement.)


1. Option A
This requires the least change, and I expect users that are already familiar with the current CVE syntax should be able to make the transition without too many issues. Being a little selfish, since this option requires the least change, it would make it easier to explain the differences to newer users of CVE and why they were made.

2. Option C
This is quite a drastic change from the current syntax but with the inclusion of the check digit, it would allow users to verify that the CVE identifier is a valid one. However, this syntax may be a little difficult to handle for product developers that incorporate CVE identifiers into their products.

3. Option B
I went back and forth a little between Options B and C. But the check digit that allows for validation (albeit a simple method) made the choice for me. In my opinion, it would be hard to determine whether that ID is a valid one since the number of digits would be arbitrary.


JPCERT/CC has been working with MITRE since 2008 to have CVEs issued for advisories on Japan Vulnerability Notes (JVN). Since then, JVN has become CVE compatible and JPCERT/CC has become a CVE Numbering Authority (CNA). As a member of the vulnerability handling team, I have listed my opinions here and would certainly welcome any feedback or discussion.

As mentioned on the MITRE announcement, there is a mailing list for discussions as well.

Any questions should be directed to the mailing list, but if you would like to have a discussion offline, please feel free to contact me at vultures(at)jpcert.or.jp.

- Taki Uchiyama

11/16/2012

CSIRT Trainings for ThaiCERT and LaoCERT

Hello, this is Osamu Sasaki. I belong to the Global Coordination Division in JPCERT/CC, responsible for overseas CSIRT trainings. Today I would like to introduce to you two of our CSIRT trainings conducted recently - in September/Tokyo and October/Vientiane. I think it turned out to be a good model of CSIRT collaboration by sharing the knowledge and capability that each team has.


Training in September/Tokyo

In late September, two engineers from ThaiCERT came to Tokyo and participated in an on-the-job training on incident response, malware analysis and TSUBAME, a network monitoring system in the Asia Pacific region headed by JPCERT/CC. ThaiCERT, the national CSIRT in Thailand established in 2000, is in the process of extending its services and strengthening its staff’s capability after its reformation in February, 2011.


In the incident response training, JPCERT/CC gave a lecture on JPCERT/CC's workflows/operations. JPCERT/CC also conducted exercises, which required the knowledge acquired in the lecture. The exercise was designed based on a real incident which happened just recently and it required analysis of log files containing a bunch of text. It should have been quite tough, but ThaiCERT colleagues managed to handle it with their capability.


In the malware analysis training, JPCERT/CC conducted a variety of malware analysis methods. JPCERT/CC also conducted some exercises, and the most interesting one for them seemed to be the analysis of a web defacement case. From this exercise, they gained the techniques to understand what has to be done when someone has accessed a defaced site.


Training in Tokyo


As a part of the training, ThaiCERT colleagues visited the SOC (Security Operation Center) of a Japanese private company to learn from their operation.


Training in October/Vientiane

Two weeks after the training held for ThaiCERT colleagues in Tokyo, Sparky, ThaiCERT colleagues and I traveled to Vientiane, the capital of Lao. JPCERT/CC and ThaiCERT provided a five-day training course for LaoCERT staff. LaoCERT, the national CSIRT in Lao, is a very new organization established in May, 2012.


The main topics of the training were CSIRT operations/tools and incident response. In the incident response training, JPCERT/CC introduced our ways of incident handling. Additionally, JPCERT/CC gave a lecture on how to use PGP in order to communicate securely. ThaiCERT colleagues conducted a lecture on RTIR. RTIR is a request tracking freeware for incident response. They also conducted a hands-on exercise on RTIR, with step-by-step procedures.


Training in Vientiane, conducted by ThaiCERT


The training was conducted in English, but since all of us were non-native English speakers, Lao, Thai and Japanese were also spoken in the room to confirm the correct understanding among us. (How interesting that was for me!) Thanks go to the ThaiCERT colleagues, who contributed a lot to narrowing the language barrier, because of the similarity between the Thai and Lao languages and their good skill in English.


As a final word, I would like to extend my sincerest appreciation to the LaoCERT staff for their warm hospitality. I would also like to thank the Japanese Ministry of Economy, Trade and Industry (METI) for their understanding of the importance of overseas CSIRT development. I hope LaoCERT will start their incident response shortly and I look forward to visiting Lao again!


Group photo of LaoCERT Training
