Table of contents
1. About this document
2. Contact Information
6. Incident Reporting Forms
1. About this document
1.1 Date of Last Update
Version 1.0 was published 2003/09/30.
Version 1.1 was published 2006/06/28.
1.2 Distribution List for Notifications
Notifications of updates are submitted in this page.
1.3 Locations where this Document May Be Found
The current version of this CSIRT description document is available from the Hun-CERT WWW site; its URL ishttp://www.cert.hu/ -RFC2350-eng.
A magyar nyelvű verzió elérhető ezen a címen: http://www.cert.hu/a-hun-cert-alapokmanya/hun-cert-alapokmanya.html
Please make sure you are using the latest version.
1.4 Authenticating this Document
This document has been signed with the Hun-CERT's PGP key.
2. Contact Information
2.1 Name of the Team
"Hun-CERT": the Hungarian Computer Emergency Response Team for Council of Internet Service Providers.
Kende u. 13-17.
2.3 Time Zone
UTC+0100 in winter (MEWT) and UTC+0200 in summer (MEST)
2.4 Telephone Number
+36 1 279 6222
2.5 Facsimile Number
+36 1 209 5288 (this is *not* a secure fax)
2.6 Other Telecommunication
2.7 Electronic Mail Address
This is a mail alias that relays mail to the human(s) on duty for the Hun-CERT.
2.8 Public Keys and Other Encryption Information
The Hun-CERT has a PGP key, whose KeyID is 0x180A3665 and whose fingerprint is
03FA 70CE F603 3695 99AE 1CDC CA2E 2DB5 180A 3665.
The key can be found here.
2.9 Team Members
The Hun-CERT team members are listed in the Hun-CERT web pages.
Management, liaison and supervision are provided by the Supervisor of the Hun-CERT team.
2.10 Other Information
General information about the Hun-CERT, as well as links to various recommended security resources, can be found athttp://www.cert.hu/
2.11 Points of Customer Contact
The preferred method for contacting the Hun-CERT is via e-mail at . If you require urgent assistance, put "urgent" in your subject line.
If it is not possible (or not advisable for security reasons) to use e-mail, the Hun-CERT can be reached by telephone during regular office hours. Telephone messages are checked less often than e-mail.
The Hun-CERT's hours of operation are generally restricted to regular business hours (09:00-16:00 Monday to Friday except holidays).
If possible, when submitting your report, use the form mentioned in section 6.
3.1 Mission Statement
The mission of the Hun-CERT is to assist the Hungarian internet community and especially Hungarian Internet Service Providers in implementing proactive measures to manage the risks of computer network security incidents and in responding to such incidents should they occur.
The Hun-CERT's constituency is the Hungarian Internet Service Providers (HISP) community, especially members of the Council of Hungarian Service Providers (CHIP). More information is available on CHIP at http://www.iszt.hu. However, it is Hun-CERT intention that the whole Hungarian internet community makes use of public information on network security issues published at www.cert.hu.
3.3 Sponsorship and/or Affiliation
The Hun-CERT is sponsored by the Council of Hungarian Internet Providers (CHIP). Hun-CERT is a task force in the Computer and Automation Institute of the Hungarian Academy of Sciencies (MTA SZTAKI). Hun-CERT operates in public private partnership with the Ministry of Informatics and Communications (IHM) and the Communications Authority of Hungary (HIF).
It maintains affiliations with various CSIRTs throughout the country and other countries on an as needed basis.
The Hun-CERT operates under the auspices of, and with authority delegated by, the CHIP.
The Hun-CERT expects to work cooperatively with system administrators of Hungarian internet service providers, and, insofar as possible, to avoid authoritarian relationships. However, should circumstances warrant it, the Hun-CERT will appeal to CHIP to exert its authority, direct or indirect, as necessary.
Members of the CHIP community who wish to appeal the actions of the Hun-CERT should contact the Security Committee of CHIP. If this recourse is not satisfactory, the matter may be referred to the Board of CHIP.
4.1 Types of Incidents and Level of Support
The Hun-CERT is authorized to address all types of computer security incidents which occur, or threaten to occur, at Hungarian internet service providers.
The level of support given by Hun-CERT will vary depending on the type and severity of the incident or issue, the type of constituent, the size of the user community affected, and the Hun-CERT's resources at the time, though in all cases some response will be made within one working day. Resources will be assigned according to the following priorities, listed in decreasing order:
- Root or system-level attacks on any Management Information System, or any part of the backbone network infrastructure.
- Root or system-level attacks on any large public service machine, either multi-user or dedicated-purpose.
- Compromise of restricted confidential service accounts or software installations, in particular those used for MIS applications containing confidential data, or those used for system administration.
- Denial of service attacks on any of the above three items.
- Any of the above at other sites, originating from Hungarian internet service provider's sites.
- Large-scale attacks of any kind, e.g. sniffing attacks, IRC "social engineering" attacks, password cracking attacks.
- Threats, harassment, and other criminal offenses involving individual user accounts.
- Compromise of individual user accounts on multi-user systems.
- Compromise of desktop systems.
- Forgery and misrepresentation, and other security-related violations of local rules and regulations, e.g. netnews and e-mail forgery, unauthorized use of IRC bots.
- Denial of service on individual user accounts, e.g. mailbombing.
Types of incidents other than those mentioned above will be prioritized according to their apparent severity and extent.
Note that no direct support will be given to end users; they are expected to contact their system administrator, network administrator, or department head for assistance. The Hun-CERT will support the latter people. End-users are advised to make use of information about network security published in the Hun-CERT web pages.
While the Hun-CERT understands that there exists great variation in the level of system administrator expertise, and while the Hun-CERT will endeavor to present information and assistance at a level appropriate to each person, the Hun-CERT cannot train system administrators on the fly, and it cannot perform system maintenance on their behalf. In most cases, the Hun-CERT will provide pointers to the information needed to implement appropriate measures.
4.2 Co-operation, Interaction and Disclosure of Information
While there are legal and ethical restrictions on the flow of information from Hun-CERT, the Hun-CERT acknowledges its indebtedness to, and declares its intention to contribute to, the spirit of cooperation that created the Internet. Therefore, while appropriate measures will be taken to protect the identity of members of our constituency and members of neighbouring sites where necessary, the Hun-CERT will otherwise share information freely when this will assist others in resolving or preventing security incidents.
In the paragraphs below, "affected parties" refers to the legitimate owners, operators, and users of the relevant computing facilities. It does not refer to unauthorized users, including otherwise authorized users making unauthorized use of a facility; such intruders may have no expectation of confidentiality from the Hun-CERT. They may or may not have legal rights to confidentiality; such rights will of course be respected where they exist.
Information being considered for release will be classified as follows:
Private user information is information about particular users, or in some cases, particular applications, which must be considered confidential for legal, contractual, and/or ethical reasons.
Private user information will not be released in identifiable form outside the Hun-CERT, except as provided for below. If the identity of the user is disguised, then the information can be released freely (for example to show a sample .cshrc file as modified by an intruder, or to demonstrate a particular social engineering attack).
Intruder information is similar to private user information, but concerns intruders.
While intruder information, and in particular identifying information, will not be released to the public (unless it becomes a matter of public record, for example because criminal charges have been laid), it will be exchanged freely with system administrators and CSIRTs tracking an incident.
Private site information is technical information about particular systems or sites.
It will not be released without the permission of the site in question, except as provided for below.
Vulnerability information is technical information about vulnerabilities or attacks, including fixes and workarounds if they are available.
Vulnerability information will be released freely, though every effort will be made to inform the relevant vendor before the general public is informed.
Embarrassing information includes the statement that an incident has occurred, and information about its extent or severity. Embarrassing information may concern a site or a particular user or group of users.
Embarrassing information will not be released without the permission of the site or users in question, except as provided for below.
Statistical information is embarrassing information with the identifying information stripped off.
Statistical information will be released and used in publications and other educational papers. The statistics are available for CHIP members out of turn.
Contact information explains how to reach system administrators and CSIRTs.
Contact information will be released freely, except where the contact person or entity has requested that this not be the case, or where Hun-CERT has reason to believe that the dissemination of this information would not be appreciated.
Potential recipients of information from the Hun-CERT will be classified as follows:
- Because of the nature of their responsibilities and consequent expectations of confidentiality, members of CHIP management are entitled to receive whatever information is necessary to facilitate the handling of computer security incidents which occur in their jurisdictions.
- Users at HISPs are entitled to information which pertains to the security of their own computer accounts, even if this means revealing "intruder information", or "embarrassing information" about another user. For example, if account aaaa is cracked and the intruder attacks account bbbb, user bbbb is entitled to know that aaaa was cracked, and how the attack on the bbbb account was executed. User bbbb is also entitled, if she or he requests it, to information about account aaaa which might enable bbbb to investigate the attack. For example, if bbbb was attacked by someone remotely connected to aaaa, bbbb should be told the provenance of the connections to aaaa, even though this information would ordinarily be considered private to aaaa. Users at HISPs are entitled to be notified if their account is believed to have been compromised.
- The HISP community will receive no restricted information, except where the affected parties have given permission for the information to be disseminated. Statistical information may be made available to the general HISP community. There is no obligation on the part of the Hun-CERT to report incidents to the community, though it may choose to do so; in particular, it is likely that the Hun-CERT will inform all affected parties of the ways in which they were affected, or will encourage the affected site to do so.
- The public at large will receive no restricted information. In fact, no particular effort will be made to communicate with the public at large, though the Hun-CERT recognizes that, for all intents and purposes, information made available to the HISP community is in effect made available to the community at large, and will tailor the information in consequence.
- The computer security community will be treated the same way the general public is treated. While members of Hun-CERT may participate in discussions within the computer security community, such as newsgroups, mailing lists (including the full-disclosure list "Bugtraq"), and conferences, they will treat such forums as though they were the public at large. While technical issues (including vulnerabilities) may be discussed to any level of detail, any examples taken from Hun-CERT experience will be disguised to avoid identifying the affected parties.
- The press will also be considered as part of the general public. The Hun-CERT will not interact directly with the Press concerning computer security incidents, except to point them toward information already released to the general public. The above does not affect the ability of members of Hun-CERT to grant interviews on general computer security topics; in fact, they are encouraged to do to, as a public service to the community. The same is the relation with presentations at security conferences and publications.
- Other sites and CSIRTs, when they are partners in the investigation of a computer security incident, will in some cases be trusted with confidential information. This will happen only if the foreign site's bona fide can be verified, and the information transmitted will be limited to that which is likely to be helpful in resolving the incident. Such information sharing is most likely to happen in the case of sites well known to Hun-CERT (for example, several other Hungarian communities have informal but well-established working relationships with CHIP in such matters).
- For the purposes of resolving a security incident, otherwise semi-private but relatively harmless user information such as the provenance of connections to user accounts will not be considered highly sensitive, and can be transmitted to a foreign site without excessive precautions. "Intruder information" will be transmitted freely to other system administrators and CSIRTs. "Embarrassing information" can be transmitted when there is reasonable assurance that it will remain confidential, and when it is necessary to resolve an incident.
- Vendors will be considered as foreign CSIRTs for most intents and purposes. The Hun-CERT wishes to encourage vendors of all kinds of networking and computer equipment, software, and services to improve the security of their products. In aid of this, a vulnerability discovered in such a product will be reported to its vendor, along with all technical details needed to identify and fix the problem. Identifying details will not be given to the vendor without the permission of the affected parties.
- Law enforcement officers will receive full cooperation from the Hun-CERT, including any information they require to pursue an investigation, in accordance with the law.
4.3 Communication and Authentication
In view of the types of information that the Hun-CERT will likely be dealing with, telephones will be considered sufficiently secure to be used even unencrypted. Unencrypted e-mail will not be considered particularly secure, but will be sufficient for the transmission of low-sensitivity data. If it is necessary to send highly sensitive data by e-mail, PGP will be used. Network file transfers will be considered to be similar to e-mail for these purposes: sensitive data should be encrypted for transmission or should be used encrypted chanels during the transfer (secure copy or secure FTP depending on the available clients for the existing operating system).
Where it is necessary to establish trust, for example before relying on information given to the Hun-CERT, or before disclosing confidential information, the identity and bona fide of the other party will be ascertained to a reasonable degree of trust. Within CHIP, and with known neighbor sites, referrals from known trusted people will suffice to identify someone. Otherwise, appropriate methods will be used, such as a search of FIRST members, the use of WHOIS and other Internet registration information, etc, along with telephone call-back or e-mail mail-back to ensure that the party is not an impostor. Incoming e-mail whose data must be trusted will be checked with the originator personally, or by means of digital signatures (PGP in particular is supported).
5.1 Incident Response
Hun-CERT will assist system administrators in handling the technical and organizational aspects of incidents. In particular, it will provide assistance or advice with respect to the following aspects of incident management:
5.1.1 Incident Triage
- Investigating whether indeed an incident occured.
- Determining the extent of the incident.
5.1.2 Incident Coordination
Determining the initial cause of the incident
- Facilitating contact with service providers and CHIP Security Committee, if necessary.
- Making reports.
- Composing announcements to users, if applicable.
5.1.3 Incident Resolution
- Analyzing and if possible removing the vulnerability.
- Securing the system from the effects of the incident.
- Collecting evidence where criminal prosecution, or community disciplinary action, is contemplated.
In addition, Hun-CERT will collect statistics concerning incidents which occur within or involve the HISP community, and will notify the community as necessary to assist it in protecting against known attacks.
To make use of Hun-CERT's incident response services, please send e-mail as per section 2.11 above. Please remember that the amount of assistance available will vary according to the parameters described in section 4.1.
5.2 Proactive Activities
The Hun-CERT coordinates and maintains the following services to the extent possible depending on its resources:
- List of team members with their responsibility and availability.
Mailing lists to inform security contacts of new information relevant to their computing environments.
These lists will be available only to HISP system administrators.
Records of security incidents handled will be kept. While the records will remain confidential, periodic statistical reports will be made available to the CHIP community.
Detailed descriptions of the above services, along with instructions for joining mailing lists, downloading information, or participating in certain services such as the central logging and file integrity checking services, are available on the Hun-CERT web site, as per section 2.10 above.
6. Incident Reporting Forms
We advise to use the Incident Reporting Form on this page.
While every precaution will be taken in the preparation of information, notifications and alerts, Hun-CERT assumes no responsibility for errors or omissions, or for damages resulting from the use of the information contained within.
In all cases, where there is a difference between the English and Hungarian versions, the Hungarian version will prevail.