7 posts categorized "#APCERT"

Dec 22, 2016

Update from the CyberGreen Project

Hi, this is Moto Kawasaki from Global Coordination Division. It has been a while since I last wrote about the CyberGreen Project, and I would like to give an update on the achievements of the Project.

The most impressive news in the first half of this fiscal year 2016 (Apr-Sep in Japan) is the renewal of its web site. Please have a look at the Info site and you'll find nice pages introducing distinguished advisers and board members of the Project, the mission statement and Project goals, and much more.

Figure 1: CyberGreen Info site

It is a good summary and outcome of what we have been aiming at for years, and especially the Blog page shows cutting-edge stories around the Project, including investments not only from JPCERT/CC over the years, but also from the newly-joined Foreign & Commonwealth Office of the United Kingdom and Cyber Security Agency of Singapore, which proves the project is well-supported by various organizations.

If you click the Statistics tab, you'll find the Stats site, which presents the Beta-2 version of the statistics with a colored map and scores by region and by AS number. These scores are based on data from the Open Resolver Project and other data sources, as listed in the Data Inventory page. The calculation algorithm is described in the About page. The score is a kind of density: the natural logarithm of the number of open servers found in a region divided by the natural logarithm of the maximum number of nodes per country in that region, expressed as a score between 0 (best) and 100 (worst).

Figure 2: Colored map on Stats site
Figure 3: Scores indicating risks

With these renewed sites, we had several promotions such as CyberGreen Workshop at the APCERT Annual General Meeting & Conference 2016 (please find a blog post on the Conference here), a session on “CyberGreen: Improving Ecosystem Health through Metrics based Measurement and Mitigation Support” at the FIRST Regional Symposium for Arab and African Regions, and another CyberGreen Index proposed as “Measuring CyberGreen Readiness” at the 9th Annual National Conference on Cyber Security, Sri Lanka.

Figure 4: Green Index proposed at the Conference in Sri Lanka

In addition to the continued efforts by the CyberGreen Project team, there was another piece of big news: “CyberGreen Metrics v.2 Method and Report Finalized.” As described in the news page, we will see another revision in the Info and Stats sites, hopefully in early 2017.

As such, we wish you to join CyberGreen to make the Internet safer together.

Thank you very much.

- Moto Kawasaki

Nov 16, 2016

APCERT Annual General Meeting & Conference 2016 in Tokyo and JPCERT/CC’s 20th Anniversary

Hi all, this is Yuka from Global Coordination Division and also serving as APCERT Secretariat.

We are happy to announce that we have just finished one of the big tasks for this year – the host of APCERT Annual General Meeting & Conference 2016, which was held on 24-27 October at Royal Park Hotel in Tokyo. After the official establishment of APCERT in 2003, its annual conference had never been held in Tokyo. There was, though, a meeting in 2002 as Asia Pacific Security Incident Response Coordination Conference (APSIRC; the predecessor of APCERT) where forming a community for CSIRTs in the Asia Pacific region was discussed. Strangely enough, the Conference in 2002 was also held in the same hotel – we actually booked the venue without knowing the fact. We were so thrilled to know about the chance.

The Conference was run for four days:

24 Oct: Working Group Meetings, Team Building, Welcome Cocktail

25 Oct: TSUBAME Workshop, CyberGreen Workshop, Steering Committee Meeting

26 Oct: Closed Conference, Annual General Meeting, Gala Dinner

27 Oct: Open Conference

(Photo taken during TSUBAME Workshop – trainees working on some hands-on exercise)

From Day 1 through to 3, sessions for APCERT members and invited guests were conducted, and Day 4 was an open session including the general public. Altogether we had APCERT Operational Members from 23 teams of 18 economies in Asia Pacific, Supporting Members, global partners, sponsors and some local guests – which counted up to approximately 200 people. The Conference was themed “Borderless Cooperation, Seamless Action – Towards a Cleaner, Greener Cyber Space –“, which indeed reflects the aim of this community. The Conference program on the 27th was arranged based on “Call For Papers”, with presentations which covered a wide range of topics on recent technical trends and concluded with a panel discussion on CSIRT operations as below.

- IoT Threat and IoT Botnet

- Protecting CNII against Malware Threats: A Coherent Response through Cooperation Amongst OIC Countries

- APT Campaign Targets Japanese Critical Infrastructure

- Ransomware Tracking and AP Region Footprint

- Who’s That Knocking on My Back Door: A Jboss Case

- Sophisticated Financial Fraud Malware (Mobile) in Korea

- Collaborative Research for Development of CSIRTs in Vietnam

- Best Practices and Common Missteps in Responding to Major Incidents

- Engaging the ISPs in Effective National Network Abuse Handling

(Programs available here: https://www.apcert.org/apcert2016/program.html)

(Team JPCERT/CC after the event – Photo by our colleague)

What made this event special was not only the fact that it was hosted in Tokyo for the first time as APCERT, but also that it coincided with the 20th anniversary for JPCERT/CC.

Being established in October 1996, as one of the oldest CSIRTs in the world, JPCERT/CC has been contributing in creating a safer cyber security environment both in Japan and across the globe. To look back over the activities from internal and external perspectives, a symposium was held on 28 October inviting local partners. The symposium contained presentations from JPCERT/CC staff and partners providing the history of activities and ideas for future plans, which was followed by a social cocktail.

What these two events brought us is the fact that JPCERT/CC has been supported by various partners locally and globally. For the anniversary event, some of our foreign counterpart organisations kindly sent us video messages with words of celebration. From local communities, we received feedback about our activities, some positive evaluations and also encouragement. Indeed, since JPCERT/CC is a “Coordination Center”, our activities require coordination with various entities, and creating a safer cyber space cannot be accomplished without the support of such local and global partners. We hope that both events were good opportunities to show our gratitude for the special partnership for the past 20 years, and we look forward to continuing and developing the relationship for the next 10 years and more.

Thanks for reading.

- Yukako Uchida

Oct 13, 2015

APCERT Annual General Meeting and Conference 2015 in Kuala Lumpur

Hi again, it’s Yuka from Global Coordination Division and also serving as APCERT Secretariat. It’s been a while since I wrote here last time.

My entry this time is about the biggest event of APCERT which we just recently attended, the Annual General Meeting (AGM) and Conference 2015 in Kuala Lumpur, Malaysia on 6-10 September. This event, hosted by CyberSecurity Malaysia (MyCERT), marked the 12th annual conference for APCERT. What made the event special was that it was held concurrently with the AGM & Conference for OIC-CERT (Organisation of the Islamic Cooperation – Computer Emergency Response Team) and also Malaysia’s local cyber security exhibition. This was the first conference for APCERT and OIC-CERT to collaborate together, and members of both organisations had a great opportunity to interact with each other through a series of sessions during the week.

The event was conducted as follows:

6 September

AM: Workshops including Cyber Green

PM: APCERT Closed Session (Working Groups)

7 September

AM: APCERT Steering Committee Meeting

PM: APCERT Annual General Meeting (AGM)

8 September

AM: TSUBAME Workshop

PM: APCERT & OIC-CERT Desktop Exercise

9 September

AM: APCERT Closed Conference

PM: APCERT & OIC-CERT Steering Committee Discussion

10 September

All: APCERT & OIC-CERT Open Conference

For the APCERT AGM on 7 September, 26 Operational Members were present to discuss APCERT business matters and share information on the previous year’s activities of APCERT. As Secretariat, I would like to take this opportunity to thank Microsoft for providing the fellowship for our event, which significantly supported the participation of APCERT members.

JPCERT/CC completed our 4th consecutive term as Chair at this AGM, and CERT Australia was elected for this position. Also, MyCERT was elected as the new Deputy Chair, following KrCERT/CC’s completion of 4-year-term on this position. JPCERT/CC was re-elected as Steering Committee and Secretariat for the next 2-year-term and will keep contributing to the community by providing initiatives and administrative support. Also, we are happy to announce that we have been chosen to host the next APCERT AGM & Conference 2016 in Tokyo. It is also the year for JPCERT/CC’s 20th anniversary since its establishment, and we hope to celebrate such a milestone together with our domestic partners and APCERT members.

A token of appreciation for completing 4 years as Chair was presented from APCERT Steering Committee, and another token for contribution as a Steering Committee member was presented from the conference host (these were surprise gifts!).

JPCERT/CC colleagues with the tokens (Photo by Shikapon)

JPCERT/CC conducted TSUBAME Workshop and Cyber Green Workshop during the week. This year, TSUBAME workshop focused more on hands-on session rather than lectures, so the participants were more involved and able to familiarise themselves with the system. Our hope is that each member shares what was presented during the session and utilise it for their day-to-day incident handling activities. It was also our pleasure to invite OIC-CERT members to the TSUBAME Workshop for the first time.

For details on the Cyber Green Workshop, which was also a success, our colleague Taki wrote an article which is available on the Cyber Green website:

http://www.cybergreen.net/blog/apcert-oic-cert-annual-conference

Yurie and Taki at the Cyber Green Workshop (Photo by Shikapon)

After all, it was a tense week full of events – but indeed it was great to see some old and familiar colleagues of APCERT, and some new faces as well. I recall it really was a huge event, involving both APCERT and OIC-CERT. We would like to take this opportunity to thank MyCERT, the host team, for their hospitality and congratulate them on the success of the event.

Cheers,

- Yukako Uchida

May 27, 2015

Speaking at Australian Cyber Security Centre Conference 2015

G’day all – It’s Yuka again here from Global Coordination Division.

I would like to quickly update about my recent trip to Canberra, Australia, where I attended the inaugural conference of Australian Cyber Security Centre (ACSC).

The event attracted more than 800 people mainly from the Australian Government and IT related businesses but also some delegates from neighbouring countries.

ACSC consists of the following cyber security related entities in Australia:

ACSC’s first conference took place on 22-23 April at the National Convention Centre in Canberra, Australia.

There was a range of speakers from the above-listed organisations and also some outstanding guest speakers from academia and cyber security related vendors including:

LOCALS:

  • Attorney-General
  • ACSC Coordinator
  • Dept. of the Prime Minister and Cabinet
  • Telstra
  • Google
  • Microsoft
  • Cisco
  • University of South Wales
  • CERT Australia
  • AU Domain Administration

INTERNATIONALS:

  • University of Washington
  • iSIGHT Partners
  • Dell SecureWorks
  • Team Cymru
  • Dutch Government
  • New Zealand Ministry of Defence
  • JPCERT/CC

I myself was given an opportunity to speak on the second day with the title: “International Cooperation on Cyber Space from CSIRT’s perspectives – JPCERT/CC’s outreach – “. The presentation covered:

- Overview of JPCERT/CC

- Incident statistics

- Collaboration with overseas CSIRTs

My presentation highlighted the importance of “collaboration among CSIRTs”. What we need to do in case of incidents across the border is to closely work with our counterpart in the region in question. To be able to timely respond to these urgent situations, constructing "trust relationship and network" on a day-to-day basis (before the incident happens!) is the key. That is why we often participate at international conferences and get engaged in global frameworks. We JPCERT/CC have been working both multi- and bi-laterally with various counterparts.

Such activities include JPCERT/CC’s outreach through Asia Pacific Computer Emergency Response Team (APCERT), the signing of various Memoranda of Understanding (MOU) and capacity building efforts. Especially for the last item, JPCERT/CC has dispatched experts to establish a CSIRT covering the Pacific Islands and has provided technical support and training. Being a close neighbour, Australia has much interest in this topic – and JPCERT/CC is also willing to assist in securing the region’s cyber space in any way we can.

Me delivering the talk (Photo provided by ACSC)

There were also participants from vendors and a range of security related businesses – see how crowded the exhibition hall was!

People and booths at the Exhibition Hall (Photo provided by ACSC)

What surprised me was the event web app – it seems like some conferences these days have started using similar tools. The biggest feature is that attendees using the web app can post questions to speakers throughout the session, and other attendees can vote “like” or “dislike” on each question. Supported questions are shown at the top of the page, which will be pointed out to the speakers. This saves time, visualises what’s being asked (both for speakers and attendees) and allows efficient event running. Also, feedback on the sessions was submitted through this app – I believe this saves paper, too!

April in Canberra is a nice autumn season. I saw beautiful tree leaves turning yellow and orange. The city really was filled with lots of trees, and I enjoyed a little bit of early autumn.

As JPCERT/CC, we feel so honoured to be invited to such an important event in Australia. We hope to further collaborate with Australian cyber security related entities.

Thank you for reading.

- Yukako Uchida

May 08, 2014

APCERT Annual General Meeting and TSUBAME Workshop by JPCERT/CC

Hello everyone! This is Yuka from the Global Coordination Division and APCERT Secretariat.

 

Today I would like to tell you about the biggest event of APCERT, the 11th Annual General Meeting (AGM) and Conference - 2014 which was held from 18th to 21st March in Taipei. 21 Operational Member teams participated in this reunion as well as some delegates from invited parties. TWNCERT was a host of this event, and JPCERT/CC assisted them as Chair and Secretariat team.

 

ABOUT APCERT AGM & CONFERENCE 2014

<Event Schedule>

18 March: Steering Committee Meeting and Working Group Meetings/Workshop

19 March: Closed Conference and Team Building Event

20 March: AGM & Closed Conference

21 March: Public Conference

 

At the Conference (photo by Yuka)

 

The event consists of three main different parts: meetings, conference and workshop. In the Steering Committee Meeting and the Annual General Meeting (Members only), APCERT members’ activities (e.g. participation in international conferences) in 2013 were reviewed, and also various topics about APCERT business and policies were presented for discussion. At the AGM, JPCERT/CC was elected as Chair team of APCERT for the 4th consecutive year – we feel honoured to keep our contribution to this community for another term. At the conference, speakers from different expertise areas – not only from CSIRT teams but also security vendors and other organisations - were invited to deliver a presentation.

 

TSUBAME WORKSHOP HOSTED BY JPCERT/CC

Among all the agenda items of the event, I would like to highlight the TSUBAME workshop on the 2nd day, which was hosted by JPCERT/CC. TSUBAME is a network monitoring system developed by JPCERT/CC. 15 people from TSUBAME member teams and also from potential member teams participated in this workshop. JPCERT/CC has organised the TSUBAME Workshop at the APCERT AGM every year since 2010 – so this was the 5th workshop. Kaori from the Global Coordination Division and Shikapon from Watch and Warning Group presented the latest trends observed through the system and gave a hands-on session on the TSUBAME portal site. In addition, 2 participating teams gave a presentation sharing their activities and outcomes gained through the TSUBAME project.

 

At TSUBAME Workshop (photo by Yuka)

 

SCANNING ACTIVITIES ON NTP, PORT 123/UDP

One of the topics covered in the workshop was DDoS attacks exploiting an NTP (Network Time Protocol) feature. Since the end of 2013, we have been observing through the TSUBAME system lots of probes to Port 123/UDP, which is used for NTP.

 

We confirmed that some of the packets received by TSUBAME actually involved the “monlist” command. The NTP service supports a monitoring tool that allows administrators to query the server for traffic counts of connected clients. This information is provided via the “monlist” command.

 

This feature can be abused to conduct a “Distributed Reflection Denial-of-Service (DRDoS) attack”. The basic attack technique consists of an attacker sending a "monlist" request to a vulnerable NTP server with the source address spoofed to be the victim’s address. When the server executes this command, a large amount of data, including the traffic counts of recently connected clients, is sent to the victim, which could delay its responses or even bring its system to a halt.
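Recognising such packets on a sensor comes down to reading the first four bytes of each UDP/123 payload. The following is an added example, not JPCERT/CC's or TSUBAME's own code; the function names, the sample packets (documentation addresses, constructed dates) and the per-day summary format are assumptions made for illustration.

```python
from collections import Counter

# ntpd mode 7 ("private") request codes that return the monitor list.
MONLIST_CODES = {20: "MON_GETLIST", 42: "MON_GETLIST_1"}
MODE_NAMES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
              4: "server", 5: "broadcast", 6: "control"}


def classify_ntp_payload(payload: bytes) -> str:
    """Label one UDP/123 payload received by a monitoring sensor."""
    if len(payload) < 4:
        return "malformed"            # too short to hold a request code
    mode = payload[0] & 0x07          # low three bits of the first byte
    if mode != 7:
        # Ordinary time-sync packets carry a fixed 48-byte header.
        if 1 <= mode <= 5 and len(payload) < 48:
            return "malformed"
        return MODE_NAMES.get(mode, "reserved")
    if payload[0] & 0x80:             # response bit set: not a request
        return "private-response"
    if payload[3] in MONLIST_CODES:   # fourth byte is the request code
        return "monlist-request"
    return "private-other"


def monlist_probes_per_day(packets):
    """packets: iterable of (date, source_ip, payload) tuples.

    Returns {date: {"probes": n, "sources": distinct_source_count}}.
    """
    probes = Counter()
    sources = {}
    for day, src, payload in packets:
        if classify_ntp_payload(payload) == "monlist-request":
            probes[day] += 1
            sources.setdefault(day, set()).add(src)
    return {day: {"probes": probes[day], "sources": len(sources[day])}
            for day in sorted(probes)}


# Constructed sample traffic, not real sensor data.
SAMPLE_PACKETS = [
    ("2014-02-10", "192.0.2.10", bytes([0x23]) + bytes(47)),             # client
    ("2014-02-10", "198.51.100.7", bytes([0x17, 0, 3, 0x2A]) + bytes(4)),
    ("2014-02-10", "198.51.100.7", bytes([0x17, 0, 3, 0x2A]) + bytes(4)),
    ("2014-02-10", "203.0.113.5", bytes([0x17, 0, 2, 0x14]) + bytes(4)),
    ("2014-02-11", "203.0.113.5", bytes([0x16, 0x02]) + bytes(10)),      # control
    ("2014-02-11", "198.51.100.7", bytes([0x17, 0, 3, 0x2A]) + bytes(4)),
    ("2014-02-11", "192.0.2.99", b"\x17\x00"),                           # truncated
]

if __name__ == "__main__":
    for day, stats in monlist_probes_per_day(SAMPLE_PACKETS).items():
        print(day, stats)
```

Counting distinct sources alongside raw probes helps separate a single repeated scanner from broad scanning activity.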

 

As has already been announced by CSIRTs (including JPCERT/CC) and various security vendors, servers running NTP implementations based on ntpd (prior to version 4.2.7p26) with the default unrestricted query configuration are vulnerable to this type of attack. Users of these versions are recommended to update to a later version to prevent the issue.

JPCERT/CC - Alert regarding DDoS attacks leveraging the monlist function in ntpd

https://www.jpcert.or.jp/english/at/2014/at140001.html

 

CERT/CC - NTP can be abused to amplify denial-of-service attack traffic

http://www.kb.cert.org/vuls/id/348126

 

We have been constantly seeing packet flows addressed to Port 123/UDP, and they have even been increasing lately, as the graph indicates. This can be interpreted to mean that the recommended measures have not yet been widely taken. (Please note that the trends described in the graph include probing activities by security organisations. The peaks are not necessarily associated with serious attacks.)

Graph: Scan count per day observed at 123/UDP from November 2013 to April 2014

Source: JPCERT/CC

 

Through the TSUBAME system, JPCERT/CC will keep a close eye on such suspicious packet traffic and share indications of cyber incidents with relevant parties. We sincerely hope to be of help in early discovery and prevention of potential incidents.

 

Cheers!

-Yukako Uchida

Apr 04, 2014

APCERT DAY at APRICOT and Open Resolver Check Site Launched by JPCERT/CC

Hello, I am Yukako (Yuka) Uchida from APCERT Secretariat. I am a new Liaison Officer of the Global Coordination Division since last December.

 

From 18th to 28th February, APRICOT 2014 (https://2014.apricot.net/) was held in Petaling Jaya, Malaysia. APRICOT, which stands for Asia Pacific Regional Internet Conference on Operational Technologies, is an annual meeting for internet engineers in the region. They kindly offered APCERT a one-day slot on 26 February to hold the “APCERT DAY”, where speakers from some APCERT Teams (CERT Australia, ID-SIRTII/CC, JPCERT/CC, KrCERT/CC and MyCERT) delivered presentations on their efforts to help create a safe, clean and reliable cyber space in the Asia Pacific region.

 

The following presentations were given at the workshop. All the filmed contents are currently available on APRICOT program page. (https://2014.apricot.net/program)

 

Keynote Presentation: “Regional Cyber Security Risk Reduction Approach and Network Operators Network Clean-up Collaboration”

Yurie Ito (APCERT Chair, JPCERT)

 

“SCADA Security Assessment: The Malaysian Experience”

Ruhama Mohammed Zain (CyberSecurity Malaysia)

 

“Open DNS Resolver Check Site – Towards a Robust Cyber Space”

Takahiro Ishikawa (JPCERT/CC)

 

“Cleaning up the Internet – Case Study from Australia”

Scott Brown (CERT Australia)

 

“Major Internet Incidents and Response – Example from Korea”

Hongsoon Jung (KrCERT/CC)

 

“Network Metrics – Measuring Network Health”

Yurie Ito (JPCERT/CC)

 

Plenary Session and Closing: “Collaboration between Network Operators, Registry Services and CERTs on Cyber Risk Reduction and Measurement.”

- Moderator: Yurie Ito (APCERT Chair)

- Panellist: David Conrad (Virtualized), John Crain (ICANN), Yoshinobu Matsuzaki (IIJ)

 

 

Facing Open DNS Resolver – JPCERT/CC’s Project

 

My colleague, Takahiro Ishikawa from Incident Response Team, delivered a presentation about the “Open DNS Resolver Check Site”. It is an online tool released by JPCERT/CC last year, which allows the visitors to check if a DNS server configured on their PC/network device connecting to the site is running as an open DNS resolver or not.

 

An open DNS resolver, as many of the readers may well know, is a publicly accessible name server that provides a recursive name resolution for unspecified IP addresses. It has been reported that a number of open DNS resolvers are being exploited to participate in massive distributed denial of service (DDoS) attacks – the so called “DNS amplification attack”.


Diagram 1: DNS Amplification Attack Method

(Source: JPCERT/CC)

 

Here is the attack method. The attacker sends a DNS query - usually a request for as much zone information as possible, to maximize the amplification effect - to DNS servers running as open resolvers. The source address is spoofed to be the target’s (victim's) address - as in (1) in the diagram. When the DNS servers send their DNS responses (2), these go to the target (victim) system and overwhelm it with excessively large packets in response to the small queries (3).
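From the operator's side, whether a server behaves as an open resolver can be read from the header of its reply to a recursive query sent from an address it has no reason to serve, for a name it is not authoritative for. The following is an added example, not the code behind JPCERT/CC's check site; the function names, the verdict labels and the constructed sample replies are assumptions made for illustration, and nothing is sent on the network.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x4A50) -> bytes:
    """Ordinary recursive (RD=1) A/IN query for `name`."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!2H", 1, 1)


def assess_response(query: bytes, response: bytes) -> dict:
    """Judge a reply as seen from outside the server's intended client base.

    Assumes the queried name is one the server is not authoritative for.
    """
    if len(response) < 12:
        return {"verdict": "malformed"}
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return {"verdict": "not-a-matching-response"}
    ra = bool(flags & 0x0080)      # Recursion Available
    aa = bool(flags & 0x0400)      # Authoritative Answer
    rcode = flags & 0x000F
    # The server recursed for us if it offers recursion and returned either
    # real answers or a definitive NXDOMAIN without being authoritative.
    recursed = ra and not aa and ((rcode == 0 and ancount > 0) or rcode == 3)
    if recursed:
        verdict = "open-resolver"
    elif rcode == 5:
        verdict = "refused"
    else:
        verdict = "no-recursion"
    return {"verdict": verdict,
            "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "ra": ra,
            "answers": ancount,
            # Reply size relative to query size: the amplification effect.
            "size_ratio": round(len(response) / len(query), 2)}


def sample_response(query: bytes, flags: int, addresses=()) -> bytes:
    """Constructed reply: echoes the question, one A record per address."""
    txid = struct.unpack("!H", query[:2])[0]
    body = query[12:]
    for addr in addresses:
        body += (b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)
                 + bytes(int(octet) for octet in addr.split(".")))
    return struct.pack("!6H", txid, flags, 1, len(addresses), 0, 0) + body


if __name__ == "__main__":
    q = build_query("example.com")
    samples = {
        "open":    sample_response(q, 0x8180, ["192.0.2.1", "192.0.2.2"]),
        "refused": sample_response(q, 0x8105),
        "no RA":   sample_response(q, 0x8100),
    }
    for label, reply in samples.items():
        print(label, assess_response(q, reply))
```

A properly restricted resolver gives the "refused" or "no-recursion" result to outside addresses while still answering its own clients.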

 

 

JPCERT/CC’s Motivation for the Check Site

 

Takahiro explains that the motivation for launching this tool was actually driven by the statistics published by a private company in early 2013 – that Japan had the largest number of open DNS resolver hosts in the Asia Pacific region at that time. His team was concerned that the open resolver issue is not widely recognised by many internet users and system administrators, and in many cases they are not even aware that they are running open DNS resolvers themselves. Sometimes it was difficult for the team to reach a contact person who could properly address the issue. They hope that this tool will be helpful in raising awareness of the problem and in reducing the number of open DNS resolvers.

 

The Open DNS Resolver Check Site developed by JPCERT/CC offers an easy and simple method to check open DNS resolvers just by accessing the site and giving a few clicks. Please visit the following URL to give it a try:

http://www.openresolver.jp/en/

 

In addition, his team has also provided a command line method (e.g. using the “wget” command) for those who cannot check using a web browser. Try using command lines at the following URL:

http://www.openresolver.jp/cli/check.html

 

In case it turns out that you are running an open DNS resolver, you will be provided with some suggested solutions.

 

JPCERT/CC is willing to keep collaborating with any global partners to address this problem and make the cyber space cleaner and more secure.

 

Thank you!

-Yukako Uchida

Apr 11, 2013

APCERT Commemorates Its 10th Anniversary

G’day! This is Shiori Kubo from JPCERT/CC, serving as a member of the APCERT Secretariat. Today I would like to cover APCERT’s 10th anniversary, commemorated at the APCERT AGM & Conference 2013, held on 23rd - 27th March 2013 in Brisbane, Australia, very warmly and successfully hosted by CERT Australia.

About APCERT
For readers who are not familiar with APCERT, please let me briefly introduce – APCERT stands for Asia Pacific Computer Emergency Response Team, and as the name implies, it is a forum of CSIRTs/CERTs in the Asia Pacific region, currently consisting of 20 teams from 30 economies. APCERT maintains a trusted contact of computer security experts in the Asia Pacific region to improve the region’s awareness and competency in relation to computer security incidents.

APCERT’s History in Brief
The dawn of APCERT traces back to the late 1990s, when a vision was developed by the leading CSIRTs/CERTs in the Asia Pacific to establish a regional forum for cross border cooperation and Internet security incident handling. In March 2002, JPCERT/CC hosted the Asia Pacific Security Incident Response Coordination Conference (APSIRC) in Tokyo, aiming to improve working relationships among the CSIRTs/CERTs in the region. A key outcome was the decision to form APCERT as the vehicle for regional cross border cooperation and information sharing in mitigating cyber threats. In February 2003, all this became a reality – and APCERT was established, consisting of 15 teams from 12 economies. Since then, APCERT has steadily broadened its membership and activities as represented by its annual cyber security drills, annual events (AGM & Conference) and outreach to various international and regional meetings. For further information, please visit the APCERT website.

“APCERT & Cyber Security: Then, Now and Beyond”
This was the theme of the 10th anniversary milestone event in Brisbane. During the past decade, the rapid development of the Internet has dramatically changed our surroundings and has increased our dependency on the Internet as seen in various business, government and critical infrastructure services online. Along this change, cyber attacks have also increased in frequency, sophistication and scale. Accordingly, Internet security has become a key issue to protect the economic and political stability of a nation and within the region. APCERT has taken a collaborative approach to fight against this growing threat, and will continue to strengthen its information sharing framework and incident response capabilities.

Group Photo at APCERT AGM & Conference 2013

JPCERT/CC’s Involvement in APCERT
JPCERT/CC has had the privilege of serving as a Steering Committee member and Secretariat since APCERT’s establishment. Furthermore, JPCERT/CC currently serves as the APCERT Chair and takes a lead role in developing outreach activities in particular. Our commitment requires hard work, but we enjoy the chance to take part in leading and supporting the operations and directions of APCERT. And to our pleasant surprise, JPCERT/CC was awarded by APCERT during the APCERT AGM & Conference 2013 event for our contribution. The beautiful crystal plaque was generously prepared and presented by KrCERT/CC.

JPCERT/CC awarded by APCERT

We express our sincere gratitude for the award and reassure our commitment to do what we can in realizing APCERT’s vision: “APCERT will work to help create a Safe, Clean and Reliable cyber space in the Asia Pacific Region through global collaboration.”

I feel that the expertise that exists in each Team, and the trust relationship and friendship that reside among us, all make our working experience a very inspiring one. I personally learn much from working in APCERT too, and this time I learned a new word from our host, CERT Australia – “Wheels Up party.” When an event is over and the visitors take off for home on the plane (wheels up), the host throws a Wheels Up party for the “job well done!” So, as a final note, I would like to thank and wish CERT Australia a big Wheels Up party, and also a Wheels Up party to all APCERT members on this 10th anniversary milestone – and sincerely look forward to our continuous journey on board APCERT!

- Shiori Kubo