
2 posts from November 2010

Nov 26, 2010

CSIRT Training for Africa

Hello, this is Koichiro "Sparky" Komiyama. I'm the manager of the Global Coordination Division in JPCERT/CC.  Our team's main missions are 1) to communicate with CSIRTs / Security groups in other countries, and 2) to help other countries / economies develop their own CSIRTs.  In this post I would like to introduce readers to one aspect of our CSIRT development work.

At the request of Dr Kilnam Chon, the leader of the Africa Asia Forum, JPCERT gave training for African engineers in Johannesburg, South Africa. It was a three day course held in conjunction with AfriNIC-13 from November 20 to 22.  JPCERT board member Professor Suguru Yamaguchi and I attended as trainers.

Together with the class, we studied the wide range of technical topics which we think are valuable for engineers working at a CSIRT. It also included hands-on activities, with participants analyzing network traffic with Wireshark on their own.


More than 25 people from all over Africa joined the course this time, exceeding our expectations.

There are several reasons we think it's important to help others forming CSIRTs.  Personally, I believe in the idea of "Your Security is My Security". In a borderless environment like the internet, we depend on other countries heavily for our own security.  Accordingly, to keep our internet safe, we have to help others keep safe too.  Due to rapid economic growth, African internet usage is expanding.  Africa needs new strategies to cope, CSIRTs being one of these.

I also strongly believe that any CSIRT in Africa should be established by Africans themselves. We may give them materials, support their own training course development, as well as any other support that we can provide, but still we are just supporters. In the past few days, I've talked to many participants and I'm very glad that they are very positive about establishing CSIRTs.  The challenge for the partnership between African teams and JPCERT/CC is not straightforward; however, we are confident about its future.

We'll come back to Africa next year to provide training, incorporating the valuable feedback received from participants this time around.  See you all in Dar es Salaam next May.

I would particularly like to express my great appreciation to Dr Kilnam Chon from AAF and AfriNIC for the great opportunity.  I'd also like to thank the Japanese Ministry of Economy, Trade and Industry (METI) for their continuous support. Last but not least, thanks to all the training participants - see you next time!


Nov 05, 2010

Census phishing? Not quite.

Some weeks ago, JPCERT/CC and various news sites in Japan observed an interesting domain apparently targeting a Japanese government site (do not visit, potentially malicious):

www. e-kokusei. go. jp. net

Note the ".net" at the end. 

So, what is the presumed target, e-kokusei.go.jp?  It's the site of the first national census conducted electronically in Japan.  As well as a traditional paper form, each census information package also contained a sealed, unique ID number and password that allowed residents to log into the census website.  The census has been completed and the official website has now been closed.


Scammers targeting a national census would certainly be a very worrying development.  Is it a phishing site designed to steal all the very private information that goes into a census form?  What was at the suspicious web site?  This:

[Screenshot of the site]
Source: http://d.hatena.ne.jp/razgriz1/20100929/1285764652

It turns out that whoever registered jp.net has also enabled wildcard resolution for any subdomain under it.  Type in [anything].jp.net, and it will resolve to one of two IP addresses.

As far as anyone can tell, it was an advertising site, apparently registered to a US organisation.  It's difficult to verify what the precise objective of this site was, though there are reports that the various sites it linked to carried fake anti-virus and other undesirable software at some point.

Census questions are quite detailed (annual income, address, information on family members etc), which could provide useful profiling information for an attacker.  Although most information points to this site not being specifically targeted at Japan's census, it certainly caused some alarm in Japan.
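
An added example, not part of the original post: a Python triage check for the pattern described above, where a trusted domain sits to the left of a different real suffix, plus a probe that tells whether the parent zone answers for any subdomain. The function names, the last-two-labels shortcut for finding the parent zone, and the offline `fake_resolve` data are assumptions made for illustration.

```python
import secrets
import socket

def embedded_trusted_domain(hostname, trusted):
    """Return the trusted domain that appears inside `hostname` without
    being its real suffix (the lookalike pattern), else None."""
    labels = hostname.lower().rstrip(".").split(".")
    for domain in trusted:
        want = domain.lower().split(".")
        n = len(want)
        if labels[-n:] == want:      # genuine: trusted domain is the suffix
            continue
        for i in range(len(labels) - n):
            if labels[i:i + n] == want:
                return domain
    return None

def system_resolve(name):
    """Live lookup; returns [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_wildcard_zone(zone, resolve=system_resolve, probes=3):
    """True if random labels that nobody would have registered all resolve."""
    return all(resolve(f"{secrets.token_hex(8)}.{zone}") for _ in range(probes))

def triage(hostname, trusted, resolve=system_resolve):
    """Return (embedded trusted domain, parent zone, zone is wildcard) or None."""
    hit = embedded_trusted_domain(hostname, trusted)
    if hit is None:
        return None
    # Assumption: the registrable parent is the last two labels, which holds
    # for .net; production code should consult the Public Suffix List.
    zone = ".".join(hostname.lower().rstrip(".").split(".")[-2:])
    return hit, zone, is_wildcard_zone(zone, resolve)

def fake_resolve(name):
    """Constructed offline stand-in for DNS: every name under jp.net resolves
    to one of two documentation-range addresses, nothing else resolves."""
    if name.endswith(".jp.net"):
        return [("192.0.2.10", "198.51.100.10")[len(name) % 2]]
    return []

if __name__ == "__main__":
    print(triage("www.e-kokusei.go.jp.net", ["e-kokusei.go.jp"], fake_resolve))
```

A wildcard parent zone means the lookalike name need not have been set up with any particular target in mind, which matches the conclusion the post reaches about this site.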