Do we have a CERT in Belgium?

A few weeks ago, there was some kind of debate in Belgium about the need for a CERT (Computer Emergency Response Team). With the growing number of computer and network incidents reported today, everybody agrees on the need for a strong CERT infrastructure per country, managed by legal authorities! But what is the status today? Here is a personal case.

As you probably know, during my free time (when I have some), I maintain a free UNIX shell account server. Last Wednesday, I received the following e-mail from the Belnet CERT:

Date: Wed, 08 Oct 2008 13:29:58 +0200
From: xxx xxx 
To: xxx@rootshell.be
Cc: "cert@belnet.be" 
Subject: [BELNET TT #xxxx] Compromised FTP account ...

Dear,

We are BELNET-CERT, the Computer Emergency Response Team for the
BELNET-constituency. As a CERT team we handle and coordinate
security events (intrusions, hacking, ...) that occur in our
network, whether we are a victim or the source of an incident.

Our colleagues from CERT/CC forwarded us a list of log entries of
compromised FTP accounts. Unfortunately we do not have accurate
timestamps for the data, log entries within the data start as
far back as 2007-11-19, which would appear to be based on the
server system time which we can not confirm is set accurately.

We have attached a log file for a site for which you are,
according to our records, the site administrator. We forward you
this information to take appropriate actions.

My first impression was very positive! There is at least some control of what happens on the Belgian part of the Internet, but… The operational domain of the Belnet CERT is not clear: they define themselves as a CERT team that handles and coordinates security events (intrusions, hacking, …) occurring in THEIR networks. Yet the incident report they created has no relation to the Belnet network (my IP address belongs to a commercial ISP)!

The Belnet CERT is accredited at Trusted Introducer and the guys at Belnet do a great job. Keep up the good work! They provide useful information (mailing list, weekly newsletter), but their website clearly states that their business hours are 8h-18h, Monday to Friday. Is there any follow-up (an on-duty contact) outside this period? How do they exchange information with other CERTs (European or worldwide)?

As for “my” own incident reported above, the logs they provided came from CERT/CC, which had analyzed compromised hosts and found log entries referencing my (old) shell server, a machine that was re-installed more than one year ago! Case closed!

So, do we have a CERT in Belgium? My answer is yes. There is a structure, with contacts to other CERTs and organizations worldwide. They can already help you investigate incidents, or notify you of them. But they need a broader scope of authority (not only the “Belnet” network), more money and more human resources…
