SI-CERT (Slovenian Computer Emergency Response Team) is the national response centre for handling incidents relating to the security of electronic networks and information. It coordinates incident resolution, technical consulting on intrusions, computer infections and other abuses and issues warnings on current threats in electronic networks for network operators and the general public. SI-CERT independently operates the Safe on the internet national awareness programme and participates in the SAFE-SI project. SI-CERT operates within the framework of the Arnes (Academic and Research Network of Slovenia) public institute.
Pursuant to resolution no 38600-3/2009/21 of the Government of the Republic of Slovenia dated 8 April 2010 and the agreement with the Ministry of Public Administration dated 31 May 2010, SI-CERT performs the duties of the government network incident response centre.
SI-CERT is a member of the global Forum of Incident Response and Security Teams (FIRST), the group of national response centres at CERT/CC and the European response centre working group (TF-CSIRT), and is accredited by the Trusted Introducer programme. SI-CERT is the Slovenian contact point for the security department of the General Secretariat of the EU Council and the national focal point for the IMPACT programme of the International Telecommunication Union (ITU).
The SI-CERT response centre’s services are available to the general public. SI-CERT is financed from the funds provided to the Arnes public institute by the Directorate for Information Society of the Ministry of Education, Science and Sport. In the event of an intrusion, computer infection or other incident of network abuse, you can send a message describing the incident to firstname.lastname@example.org (first read the instructions for reporting security incidents).
What is CERT?
The first CERT was established in the US in 1988 as a response to the first large internet incident – the spread of the first worm, which was later named simply “The Internet Worm” (more information is available in A Tour of the Worm and RFC 1135). CERT was established by ARPA (now called DARPA, Defense Advanced Research Projects Agency, US Department of Defense) and then came under the management of Carnegie Mellon University. With the global spread of the internet, similar organizations and services eventually also started appearing beyond the US – and the original CERT was renamed the CERT Coordination Center (CERT/CC). SI-CERT was established in 1995.
Instructions for reporting incidents
Measures to take after an incident
Upon becoming aware of an incident, decide as soon as possible how to act; the right course of course depends on the nature of the incident or abuse. Questions to settle early:
- Make sure your suspicions are legitimate – there might be an error somewhere else (software or human error).
- Has any damage been sustained in the incident?
- What is the probability that there has been a modification to the system software (backdoor or Trojans)?
- Will you be following the progress of the incident to obtain further data or do you want to “clean” the system as soon as possible?
- What is the best way to protect the data? Could law enforcement action be taken?
- Do the affected systems or parts of the network need to be brought back to normal operation as soon as possible?
- Would you like to notify anyone of the incident (within your organization or outside of it) or do you want to limit the information to as narrow a circle as possible?
- Is it possible the incident might be repeated?
Incident reporting to SI-CERT
The two most important pieces of information when reporting any network abuse or security incident are:
- the date and exact time of the incident;
- the IP number or address of the source.
The above information is usually present in the system logs that record system activity (also known as “audit files”). For email-based incidents it is found in the message header, which not all e-mail clients show in full, so you must find out how to display the complete header (the option often appears in the program menu as “full headers” or “view as source”).
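As an added illustration of what to pull out of a full email header before filing a report (this is example code written for this page, not a SI-CERT tool), the script below walks the Received headers of a constructed sample message from the hop nearest the sender upward, skips RFC 1918 and loopback addresses that cannot identify a source on the public internet, and returns the first routable sending IP together with that hop’s timestamp converted to UTC. The message, host names and addresses are all constructed (documentation ranges); the function names are this example’s own.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real report). The Received headers
# appear as "view source" shows them: newest hop first, the hop closest
# to the sender last. All addresses are documentation/private ranges.
SAMPLE_RAW = (
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP id abc123\n"
    "\tfor <victim@example.org>; Tue, 13 Jan 2015 09:12:44 +0100\n"
    "Received: from smtp.sender.example (unknown [203.0.113.45])\n"
    "\tby relay.example.net with ESMTP; Tue, 13 Jan 2015 09:12:40 +0100\n"
    "Received: from [10.0.0.5] (unknown [10.0.0.5])\n"
    "\tby smtp.sender.example with ESMTPA; Tue, 13 Jan 2015 09:12:35 +0100\n"
    "From: \"Bank\" <noreply@bank.example>\n"
    "To: victim@example.org\n"
    "Subject: Please confirm your account\n"
    "Date: Tue, 13 Jan 2015 09:12:30 +0100\n"
    "\n"
    "Body text of the constructed sample.\n"
)

# Ranges that never identify a source on the public internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# IPv4 literal in square brackets, as MTAs write it in Received headers.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def is_internal(ip: str) -> bool:
    """True for private/loopback/link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_received(value: str) -> dict:
    """Split one Received header into the sending IP and the hop timestamp (UTC)."""
    value = " ".join(value.split())            # unfold continuation lines
    ips = IP_RE.findall(value)
    stamp = value.rsplit(";", 1)[-1].strip()   # the date follows the last ';'
    when = parsedate_to_datetime(stamp).astimezone(timezone.utc)
    return {"ip": ips[0] if ips else None, "time_utc": when.isoformat()}


def extract_incident_facts(raw_message: str) -> dict:
    """Return the two facts a report needs: source IP and exact time (UTC)."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    source = None
    # Start at the hop nearest the sender; the first publicly routable
    # address is the one worth reporting. Note that hops below the first
    # server you trust may have been written by the sender, so treat them
    # as claims, not evidence.
    for hop in reversed(hops):
        if hop["ip"] and not is_internal(hop["ip"]):
            source = hop
            break
    date_hdr = msg.get("Date")
    return {
        "source_ip": source["ip"] if source else None,
        "time_utc": source["time_utc"] if source else None,
        "hops": len(hops),
        # The Date header is set by the sender and is therefore less
        # reliable than a Received timestamp stamped by a relay.
        "date_header_utc": (parsedate_to_datetime(date_hdr)
                            .astimezone(timezone.utc).isoformat()
                            if date_hdr else None),
    }


if __name__ == "__main__":
    for key, val in extract_incident_facts(SAMPLE_RAW).items():
        print(f"{key}: {val}")
```

The Received headers and the Date header carry the sender's local offset (here +01:00); normalising everything to UTC avoids the off-by-one-hour confusion that makes log correlation with the other party fail.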
If you require assistance or advice regarding abuse or a security incident, you may send the relevant data together with a description of the event by email to email@example.com or post it to:
Tehnološki park 18,
or by fax to (01) 479 88 23.
Information sent by email can be encrypted using the PGP (Pretty Good Privacy) software by using the SI-CERT public PGP key.
Reporting criminal activity
If you suspect that criminal activity has occurred on the network or you think that judicial prosecution of the incident is necessary, we advise that you contact your local police station.
After a year of preparation, the Arnes public institute establishes SI-CERT, the Slovenian Computer Emergency Response Team, and starts handling reports of security incidents.
Young Slovenian hackers start breaking into systems abroad. In Maribor a group forms that meets in a popular cybercafé; its members are employed part-time as system administrators at local companies, where they also cannot resist hacking. As a result, company owners and cybercafé managers have quite a few problems for several years.
A student breaks into the account of the dean of one of the departments of the University of Ljubljana and sends a threatening email in his name to the department’s senate.
During the investigation of a breach of a system in Slovenia we discover a password database of users of a computer that belongs to the US Navy (navy.mil). We inform their “Information Warfare Center”.
Because SiOL bills calls to 0880 numbers to the registered user (and not to the owner of the phone line), these user accounts become the subject of theft and resale, since they can be used to access the internet in someone else’s name (and at their expense). Lionheart finds a bug in SiOL’s system that allows him to intercept passwords in bulk, and publishes them; massive resale of passwords ensues. We investigate the matter together with the police and identify those involved.
We encounter the first denial-of-service attacks on targets in Slovenia.
Infections by the NetBus and BackOrifice Trojans, released a year earlier, erupt. They allow an attacker to stealthily access a computer and take control of it. We set up a web page that lets users check whether their computer is infected with one of these Trojans.
Tools for carrying out DDoS attacks become available on the internet: trin00, Tribal Flood Network and Stacheldraht.
The US military blocks access from Slovenia (among others) to the .mil domain before starting bombardment of the Federal Republic of Yugoslavia.
We are kept busy with address space scanning and numerous denial of service attacks in Slovenia and abroad.
SI-CERT becomes a member of FIRST (Forum of Incident Response and Security Teams). SI-CERT boss Gorazd Božič is named president of the European response centres working group TF-CSIRT, which he then heads for eight years.
Media attention is captured by the “I love you” worm spreading through email. The Y2K problem at the start of the new millennium turns out to be an unnecessary panic.
Throughout the year, internet worms that spread automatically across networks and computers are born. The most widespread is the Chinese Code Red virus, followed by Nimda, Sircam, Klez and Frethem. We handle the first web page defacements carried out using rootkits. In one incident we find several hundred breached systems abroad.
SI-CERT hosts colleagues from European response centres united in the TF-CSIRT working group.
Foreign senders push massive quantities of spam through unsecured proxy and SOCKS servers. The poor security of NetBIOS on Windows computers is leveraged for numerous intrusions and infections.
A bug in the PINE mail program enables access to a list of usernames of Arnes’s guest.arnes.si users. Fortunately, these are only limited copies, without names and passwords, in a closed (chroot) environment.
Microsoft IIS web servers are attacked by the Code Red II virus.
IRC wars – skirmishes between Slovenian hacking groups – culminate in an attack on SiOL DNS servers in November 2004, seriously affecting all SiOL users. Telekom Slovenije ends its policy of silence regarding incident reports from SI-CERT and starts cooperating, which in the following years results in a dramatic decrease in the number of abuses and network attacks in Slovenia.
After infecting their targets, “dialler” viruses call expensive toll numbers abroad.
A new form of network abuse appears: phishing.
Dictionary attacks over the Secure Shell protocol proliferate as Slovenian hackers try to breach as many computers abroad as possible. After several months of collecting incident reports we hand the data to the police, who carry out around 20 house searches.
Paid game servers for the Call of Duty game in Slovenia cause a series of mutual denial of service attacks between individuals who try to push each other out of the “market”.
The first phishing site abroad targeting the clients of Slovenian banks appears.
In a series of denial of service attacks on the websites of several US media houses, some Slovenian computers are part of the botnet. SI-CERT analyses the malware, which allows the FBI to arrest Bruce Raisley, who is convicted several years later in a US court.
Before the May Day holidays, a Soviet-era soldier’s monument is removed in Estonia, which results in massive network denial of service attacks on government infrastructure, banks and online media. The TF-CSIRT European response centre group establishes an ad-hoc assistance group jointly headed by the Finnish CERT-FI and the Slovenian SI-CERT.
Slovenia assumes the EU presidency and thus becomes a more interesting target for attacks on government employees. We analyse the viruses used in these attacks and the tracks point to China.
Dan Kaminsky finds a serious bug in the workings of the internet’s DNS infrastructure. We notify 82 network administrators that their servers are vulnerable to so-called “cache poisoning”.
We fight Conficker infections throughout the year. This advanced worm employs several distribution channels to spread and turns out to be a hardy opponent. Individual infections reappear even five years later.
The European Consumer Centre requests our assistance in the case of specialphones.eu, which fraudulently advertises a fictitious sale of iPhones at half price. With the help of the Estonian CERT-EE, the site is quickly taken down. In retrospect, 2009 turns out to be a turning point in the growth of internet fraud.
SI-CERT signs an agreement with the Ministry of Public Administration to take over the coordination of security incident handling in the public administration’s network and to assist in establishing an independent government response centre for government infrastructure.
Spring sees the spread of a virus authored by a Slovenian among Slovenian Facebook users. In Maribor the police arrest Matjaž Škorjanc - Iserd, who is the author of the Butterfly bot (the Mariposa case).
We start the Safe on the internet national awareness programme in the field of information security. The public response is excellent and the programme is awarded several accolades over the next few years.
We determine that one of Slovenia’s electricity generating plants has a server publicly accessible from the web with an embedded backdoor that could enable unauthorised access to and monitoring of the plant’s control systems. Numerous heating stations use default passwords on their web interfaces, which also allow unauthorised modification of settings.
Recordings of closed sessions of the government of the Republic of Slovenia appear on YouTube. Google ignores our removal requests until we devise an alternative approach: the owner of the recordings is the government, so this represents a violation of its copyright. We send a DMCA request through a US lawyer and the issue is quickly resolved.
Because of the signing of ACTA, Anonymous announces attacks on government infrastructure and other targets. We take over coordination, set up defences against DoS attacks and alert providers to the expected attack types. Attacks on gov.si are unsuccessful and several other sites are defaced, but the Anonymous campaign is very prominent in the media.
A group of Middle Eastern hackers attacks banks in the USA and, among others, uses 63 servers in Slovenia. DNS reflection attacks exploit vulnerable DNS servers, of which there are nearly 9,000 in Slovenia. We start notifying administrators on a regular basis.
Slovenia participates in the pan-European Cyber Europe 2012 exercise - the scenario includes attacks on e-banks and network infrastructure; response centres have a key role in the exercise.
The number of handled incidents passes 1000.
Over 1500 servers belonging to small companies, schools and other institutions running the Joomla content management system are defaced. Along with continued notification of administrators we also prepare the “ABC of Security for Website Owners” brochure.
Together with the police and the RS Office for Money Laundering Prevention we spend six months investigating attacks on small companies that have resulted in the theft of EUR 1.8 million. Analysis of the malware code by SI-CERT leads the police to its author, Sebastijan Mihelčič.
The “police virus” also holds Slovenian users to ransom, but fortunately a quick unlock is available with which we help 300 individuals. At the POMP 2013 festival of content marketing we receive the award for the best annual report and unexpectedly also the grand prize for the project of the year in the field of content marketing.
The year is marked by the Heartbleed vulnerability in the OpenSSL library. Around 3% of web servers in Slovenia are vulnerable. Amplification attacks using the NTP protocol begin. Ransomware becomes stronger and encrypts user data; it spreads by email through fake accounts written in German.
We participate at Cyber Europe 2014 and the NATO Cyber Coalition 14 exercise. We start training members of the Slovenian military on how to respond to cyber threats and incidents. We pass 2000 handled incidents.
In January, the longest so-called “phishing” attack to date is launched, targeting the customers of six Slovenian banks. We estimate that approximately 100,000 fake messages were sent and around 40 fake bank websites were set up. We fight the attackers for a week before they give up and focus their efforts on other countries.
This autumn marks 20 years since the first incident was reported to SI-CERT.
Contact and incident reporting
Tehnološki park 18
Telephone: +386 1 479 88 22
Telefax: +386 1 479 88 23
SI-CERT is the Slovenian national CERT. SI-CERT is the main contact point for reporting network security incidents involving systems and networks located in Slovenia. By agreement with the Slovenian government, SI-CERT also performs the role of the Government CERT.
SI-CERT is a service of ARNES (Academic and Research Network of Slovenia).
For detailed information please refer to the RFC 2350-compliant specification.
#hackers.si is a documentary film that depicts one aspect of the hacking scene in Slovenia and its evolution over the last 20 years. Who are hackers and what drives them? The film was produced for the 20-year anniversary of SI-CERT (Slovenian Computer Emergency Response Team) in cooperation with Sever & Sever Production and Slovenian National TV.