In this blog, CERT.at's employees can post research and thoughts. This is done with the least possible oversight, so opinions in blog posts are not necessarily the opinions of CERT.at.
Alternatively you can receive CERT.at's blog as a feed.
May 14
Mac OS X tip: how to protect your mail client
Based on some background knowledge that we received (update 2018/5/14 14:00 UTC+1: we now know it's the efail.de bug. The researchers went forward with the public release today), I am taking the liberty to document a setup which protects an Apple Mail installation that I have. The security measure ...
Feb 20
Successful MISP workshop
Last week, Alexandre and Andras from CIRCL.lu gave a MISP workshop to a packed crowd of ~ 60-70 people in Vienna. Infosharing FTW! MISP stands for "Malware Information Sharing Platform". See also misp-project.org. It allows us to synchronise IoCs with those who need the relevant information ...
Jan 27
Heartbleed: (Almost) three years later
Shodan recently published a report on the state of Heartbleed which was picked up by lots of media outlets. I took this as an opportunity to have a look at our statistics. Shodan performs its scan based on IP-addresses and makes the results searchable. CERT.at also runs daily scans, but these are ...
Apr 11
DROWN update
As I wrote in our initial DROWN blogpost, we're scanning .at for mail- and web-servers which are still supporting SSLv2. We're notifying our constituency and we see a steady drop in the number of servers (as measured by IP-Addresses) that are vulnerable:
So it is slowly getting better. Looking ...
Mar 11
One quick note on DNSSEC Validation failures
I wrote back in 2010 that ISPs should prepare for the inevitable backlash if their DNSSEC-aware resolvers black out an important domain. We now had just such a case: the protagonists make it even juicier than I imagined: Comcast customers could not access the new HBO website where they could get ...
Nov 28
Reading material: Ron Deibert
We are not only living in technically interesting times; the societal debate around intelligence services, privacy, encryption, 0-days and even "cyberwar" is also very relevant to the future of the Internet. A lot is being written and published on this, I ...
Sep 30
Completed: Maintenance work on Tuesday, Sep. 30th, 2014
Because of required changes in our firewall infrastructure, all Internet-reachable services of CERT.at will be unavailable for some time on Tuesday, September 30th, 2014, starting at about 9am CEST. An "emergency" website with restricted functionality will be made available. In urgent cases please ...
Aug 13
(Updated 2014/8/13) Syria offline - initial analysis of BGP (and explanation)
This blog post evolved over time - initially it was a mere scratchpad for notes during our initial research between 2012/11/29 and 11/30. Later, after Syria was back online again, I added a summary and some potential explanations of what might have happened at the end of this blog post. UPDATE 2014/8/13: ...
Jul 09
Elastic Search being hacked automatically today
At the moment we are seeing a lot of automatic scanning and hacking of Elastic Search installations worldwide. Please make sure that port 9200 is locked down in case you run ES. IOCs:
* C&C IP address: 119.1.109.43 (China)
* C&C Port: 10991 ...
Jun 14
Transforming JSON to CSV
CERTs are all about processing information security notifications. Most of the time, these arrive in the form of CSV files. However, occasionally we do get some JSON data. While CSV is line oriented, JSON allows for more complex structures (arrays, objects, objects in objects, etc.) So how do you ...