In this blog CERT.at's employees can post research and thoughts. This is done with least possible oversight, so opinions in blogposts are not necessary opinions of CERT.at

Alternatively you can receive CERT.at's blog as a feed.


Nov 11

Testing the Koord2ool

How did our tool for “get situational awareness by asking the constituency questions” perform during the KSÖ exercise last week?

Written by: Otmar Lendl

Aug 20

Another round: Government malware & digital surveillance

Not just the seasons, or my attempts to appear in the office in an outfit other than holey conference shirts, shorts and Birkenstock slippers that are cyclical. The desire of politicians for a "government trojan" or surveillance of digital communication seemingly follows a constant rhythm as well - and apparently it's that time again. Federal Chancellor Karl Nehammer is making the surveillance of digital communication a fixed condition for a future political coalition.

Written by: Alexander Riepl

Jul 01

Roles in Cybersecurity: CSIRTs / LE / others

Back in January 2024, I was asked by the Belgian EU Presidency to moderate a panel during their high-level conference on cyber security in Brussels. The topic was the relationship between cyber security and law enforcement: how do CSIRTs and the police / public prosecutors cooperate, what works here and where are the fault lines in this collaboration. As the moderator, I wasn’t in the position to really present my own view on some of the issues, so I’m using this blogpost to document my thinking regarding the CSIRT/LE division of labour. From that starting point, this text kind of turned into a rant on what’s wrong with IT Security.

Written by: Otmar Lendl

Jun 10

How We Cover Your Back

As a national CERT, one of our extremely important tasks is to proactively inform network operators about potential or confirmed security issues that could affect Austrian companies. Initially, I intended to discuss the technical changes in our systems, but I believe it's better to start by explaining what we actually do and how we help you sleep well at night — though you should never rely solely on us!

Written by: Kamil Mankowski

Apr 22

Double Agents and User Agents: Navigating the Realm of Malicious Python Packages

Have you ever encountered the term "double agent"? Recently, we've had  the opportunity to revisit this concept in Austria. Setting aside  real-world affairs for prosecutors and journalists, let’s explore what  this term means in the digital world as I continue my journey tracking  malicious Python packages.

Written by: Kamil Mankowski

Apr 02

On Cybersecurity Alert Levels

Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems.

My answer was negative on both questions, and I think it might be useful if I explain my rationale here. The first was rather obvious and easy to explain, the second one needed a bit of thinking to be sure why my initial reaction to the document was so negative.

Written by: Otmar Lendl

Mar 28

Hobby hunter notes: PyPI under attack

When I wrap up at CERT.at, where I mostly work on our notification system (if you’re a network operator in Austria and got a misassigned notification about some security issues – I might have been involved in that), I sometimes change my hat and explore other “cyber”-security areas, especially looking for malicious packages in PyPI, a standard Python package repository. The short summary is: there are a lot of them – but also, don’t panic.

Written by: Kamil Mankowski

Sep 12

The European Cyber Shield

The EU has been pushing the concept of the "European Cyber Shield" within  the Digital Europe Programme as well as with the proposed "Cyber Solidarity Act".

I've written a paper on how I see this idea and how the Act could be improved.

Written by: Otmar Lendl

Sep 06

A classification of CTI Data feeds

We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria’s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed.

This blog post describes my view on this topic.

Written by: Otmar Lendl

Aug 29

IntelMQ 3.2.1 bug fix released

IntelMQ, an open-source security feeds processing tools, has just got a new release to fix two recently discovered bugs.

Written by: Kamil Mankowski